Re: [squid-users] Squid Advice

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 30 Apr 2014 02:43:03 +1200

On 29/04/2014 9:51 a.m., Lee Kemp wrote:
> Hello Squid Mailing List (my 1st post :) )
>
> Looking to setup a small squid proxy for around 12 mobile devices
> without the need to add a proxy to the devices. Because the network I am
> doing this for already has a firewall (which we have no direct control
> over) and an "upstream" proxy, do there need to be any configuration
> changes on the firewall, or can squid just be told there is an upstream
> proxy and requests are forwarded to it?

Let's see if I am understanding your requirements...

You have devices that you cannot change, sending traffic through a
firewall/routing system you can't change, to an upstream you can't change.

Some difficulties, but solvable ones. The existence of a parent proxy
could be a good thing. Intercepting the existing client traffic to the
parent proxy is actually safer and easier than intercepting port 80 traffic.

You will need a device whose configuration you control on the wire/path
these clients' traffic is using. That could be A) a small router just
pointing the packets at a separate Squid machine, or B) the Squid
machine itself with a bridge or router setup in its OS settings.

If the clients are explicitly configured to use the parent proxy, those
connections *can* be NATed to a separate Squid machine's http_port. *Do
not* use the "intercept" option in squid.conf for this traffic; set up
Squid as a regular forward proxy (it is standing in for the parent proxy).

If the parent proxy is intercepting too (no proxy configured on the
clients), then the port 80 (and/or 443) NAT (or TPROXY) *must* occur on
the same machine Squid is running on, and the "intercept" (or "tproxy")
flag is required.

To deliver traffic to the parent proxy use a "cache_peer" directive of
type parent pointing Squid at it. That is all.

>
> The reason I ask is because I have tried to use some other router
> distros, Smoothwall Express for example, and they have not been able to
> forward any of the https traffic. I don't have an essential need for the
> local proxy to cache internet pages; simply providing a connection is
> enough.

I'm not clear on what you mean by "forward any of the https traffic".

FWIW Smoothwall is a Squid-based product, albeit using an old version
the last time I checked. So you will likely find Squid (or any HTTP proxy)
has the same limitations. HTTPS is designed not to allow middleware
operations on the traffic; doing so is tricky and far from "transparent".

Amos
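The two deployment shapes Amos describes (explicit-proxy clients NATed to a plain http_port, versus intercepted port 80 needing the "intercept" flag on the Squid host), as an added squid.conf example that is not part of the original thread and not Amos's own configuration. The parent proxy address 192.0.2.10:3128, the client LAN 10.1.1.0/24 and the port numbers are assumptions chosen for illustration; substitute your own.

```conf
# ---- Case A: clients are explicitly configured to use the parent proxy.
# The router (or this host) DNATs client -> 192.0.2.10:3128 traffic to
# this host's port 3128. Plain forward-proxy port, NO "intercept" flag:
# the clients already send proxy-style requests (absolute URIs, CONNECT),
# so Squid simply stands in for the parent.
http_port 3128

# ---- Case B: the upstream intercepts port 80 and the clients have no
# proxy setting. The port 80 REDIRECT/DNAT must run on THIS host and the
# port needs the intercept flag so Squid rebuilds the origin URL from the
# Host header and the original destination. Keep it separate from the
# forward-proxy port above; explicit clients must not be sent here.
http_port 3129 intercept

# Hand everything to the parent proxy and never try to go direct
# (the firewall only lets the upstream proxy out). Assumed address.
cache_peer 192.0.2.10 parent 3128 0 no-query default
never_direct allow all

# Only the local mobile LAN (assumed range) may use this proxy.
acl localnet src 10.1.1.0/24
http_access allow localnet
http_access deny all

# The original poster only wants connectivity, so disable caching.
cache deny all
```

For case B the matching rule on the Squid host itself is a nat-table PREROUTING rule redirecting TCP port 80 from the client LAN to local port 3129 (for example `iptables -t nat -A PREROUTING -s 10.1.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3129`); for case A the DNAT targets port 3128 and may live on a separate router as Amos notes. HTTPS is left alone in both cases: explicitly configured clients send CONNECT, which is relayed to the parent, while intercepting port 443 would require SSL-Bump and is not transparent to the clients, which is the limitation Amos refers to.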
Received on Tue Apr 29 2014 - 14:43:09 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 29 2014 - 12:00:07 MDT