Re: [squid-users] squid as general tcp proxy

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Sun, 20 Jul 2014 00:05:24 +0300

Hey James,

Squid is a very bad choice for your scenario (if I understood it right).
Handling lots of connections at the TCP level only should be done using
proxy software that knows how to handle these efficiently.

Squid indeed has a very nice acl language that allows one to use it
pretty easily, and a proxy that can do that and also handle more
protocols is not known to me yet in the form of open source software.
I know many will like it.

There was a software called pCache which was supposed to give p2p caching
and used to use tproxy to intercept all connections and then identify
them by p2p structure etc.
You can try to use the basic structure of this software if you want to
write your own proxy.

In any case, when you are using an intercept or transparent proxy setup
you can only use a couple of ways to authenticate the clients:
- RADIUS server (via wifi login, PPP, etc.)
- strict login internal page against a DB or radius+mysql
- other creative ways.

It depends on your needs to think about the right solution for you.

As I understand you want to do a small thing like driving from one side
of the street to the other, but you want to use the SWAT (squid) for that.

There are many creative ways to allow authentication and authorization
while still using iptables/fw.
For some it's easy to implement and for others not.

Eliezer

On 07/18/2014 11:11 AM, James Harper wrote:
> True, but squid has the advantage of a very nice acl and permission infrastructure, rather than defining one set of rules for squid and another for iptables (which can't authenticate by identd afaik)
>
> Using a https_port with transparent and ssl_bump none works - all connections are just plumbed straight through. The only issue is when the destination port is unreachable - then squid returns an error page which is going to be completely unexpected by the client unless it is expecting http. I assume that's an issue when just using https_port for actual ssl too though.
>
> James
>
Received on Sat Jul 19 2014 - 21:08:22 MDT
