Re: [squid-users] Non-standard proxy setup

2019-07-16 Thread Alex Rousskov
On 7/16/19 1:51 PM, Arunabha Saha wrote:
> I did get it working with the latest 5.0.0 (unreleased) code
> in GitHub. The configuration has to be "ssl-bump client-first .."
> for this to work. Does that sound right?


No, it does not, both because the deprecated "client-first" action
should not be used in modern Squids, and because supported SslBump
actions should work through peers IIRC (which action is the right one
for you depends on your exact needs -- not every action will work for
any given use case, of course).

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Non-standard proxy setup

2019-07-11 Thread Alex Rousskov
On 7/10/19 7:44 PM, Arunabha Saha wrote:
>> The client will attempt to open a TLS/TCP connection to the origin
>> server. Your router (or some such) will redirect client TLS/TCP bytes to
>> your Squid's https_port. If configured correctly, Squid will accept that
>> TCP connection and wrap/forward it into/inside an HTTP CONNECT tunnel
>> through the corporate proxy.

> I don't see Squid
> wrap the connection to the parent proxy in an HTTP CONNECT tunnel.
> User -> Squid (Transparent Proxy) -> Parent Proxy --> Internet.
> I need to see a CONNECT tunnel between Squid (Transparent Proxy)
> and Parent Proxy but I don't. Based on another thread, is this
> something that works only starting with Squid 4.x?

I do not remember for sure, but you may need a development version of
Squid (future v5) or an unofficial patch to forward intercepted tunnels
to a cache peer. If SslBump-related peering support is indeed required
to support such forwarding, then please see this seemingly unrelated bug
report for more details and options:

  https://bugs.squid-cache.org/show_bug.cgi?id=4968

Alex.
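What "wrap the intercepted connection in a CONNECT tunnel" looks like on the wire, as an added example that is not part of the thread and not Squid's code: the client never sends a CONNECT, it just opens TCP and sends a TLS ClientHello; the redirect gives the proxy the original destination IP:port, peeking at the ClientHello (without decrypting anything) gives it the SNI name, and the proxy itself issues the CONNECT to the parent. Which of the two the real Squid puts into its CONNECT, and how it cross-checks them, is an implementation detail this sketch does not claim to mirror. The ClientHello is constructed inline, and the addresses and names used are assumptions.

```python
"""Added example (not Squid's code): what an intercepting, tunnel-only proxy can
learn from the client's first TLS bytes, and the CONNECT it then sends upstream.
"""
import struct
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI entry.
    Constructed test input; real clients send many more extensions."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name             # host_name(0), len, name
    name_list = struct.pack("!H", len(entry)) + entry                   # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list    # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"               # client_version: TLS 1.2
        + b"\x11" * 32            # random (fixed, constructed)
        + b"\x00"                 # session_id: empty
        + b"\x00\x02\x13\x01"     # cipher_suites: one suite
        + b"\x01\x00"             # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def peek_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None.
    This is the 'peek' step: read the plaintext hello, never decrypt or modify."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                   # truncated record
    pos = 2 + 32                                      # skip version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # hello without extensions
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type != 0x0000:
            continue
        lpos = 2                                      # skip ServerNameList length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            name = data[lpos + 3:lpos + 3 + name_len]
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", errors="replace")
            lpos += 3 + name_len
    return None


def build_connect(original_dst_ip: str, original_dst_port: int, sni: Optional[str]) -> bytes:
    """The request the intercepting proxy sends to its parent (a plain HTTP proxy).
    Without SNI the only destination it knows is the redirected TCP 4-tuple."""
    target = f"{sni or original_dst_ip}:{original_dst_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def parent_accepted(response_head: bytes) -> bool:
    """A 2xx status line from the parent means the tunnel is open; the proxy then
    relays the already-buffered ClientHello and every later byte verbatim."""
    status_line = response_head.split(b"\r\n", 1)[0].split(b" ")
    return (len(status_line) >= 2
            and status_line[0].startswith(b"HTTP/1.")
            and status_line[1].startswith(b"2"))


if __name__ == "__main__":
    # Assumed values: a redirected destination and a constructed ClientHello.
    hello = build_client_hello("www.google.com")
    print(build_connect("172.217.0.46", 443, peek_sni(hello)).decode())
    print("tunnel open:", parent_accepted(b"HTTP/1.1 200 Connection established\r\n\r\n"))
```

Two things worth keeping in mind when reading this: the SNI is unauthenticated, client-supplied input, so if the CONNECT target is taken from it the parent proxy's ACLs are what actually constrain where a client can tunnel (Squid has a `host_verify_strict` directive for this class of cross-check between the claimed name and the intercepted destination), and the parent sees only `CONNECT host:443`, never the TLS payload, which is why the origin's real certificate reaches the client untouched in the tunnel-only setup.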


Re: [squid-users] Non-standard proxy setup

2019-07-09 Thread Alex Rousskov
On 7/9/19 9:10 AM, Tardif, Christian wrote:

> I have a node on which there’s an application which isn’t proxy aware so
> basically, the only remaining option would be to use a transparent
> proxy. But my corporate proxy isn’t a transparent proxy. So I have to
> build this in two layers. My solution would be to:
>
> 1) Have a squid proxy on the node’s router host configured as a
> transparent proxy for both HTTP and HTTPS
>
> 2) Have this squid proxy configured to talk to the parent host,
> which would be my corporate proxy
>
> 3) Have this squid proxy able to decide if a particular flow should
> go to the corporate proxy or connect “directly” with the destination host
>
> I’ve been successful at tasks #2 and #3 (well, in fact, I did it with
> tinyproxy but stopped because of task #1).
>
> I’ve partly succeeded at task #1. In fact, it worked for HTTP. I haven’t
> figured out how to do it for HTTPS. My questions are:
>
> 1) I do not understand how the client would be able to perform a
> CONNECT to reach squid in HTTPS. So I’m assuming that there’s some other
> magic.

The client will attempt to open a TLS/TCP connection to the origin
server. Your router (or some such) will redirect client TLS/TCP bytes to
your Squid's https_port. If configured correctly, Squid will accept that
TCP connection and wrap/forward it into/inside an HTTP CONNECT tunnel
through the corporate proxy.


> 2) The second thing I don’t understand is the certificates
> management. Let’s say my node tries to reach https://www.google.com but
> does not know anything about the proxy. I assume that the client will
> get the certificate from squid in some way, but would probably expect to
> receive a certificate from Google. How would that work?

* If you do not want your Squid to look inside the connection to
google.com, then your Squid will work at TCP level. Same for the
corporate proxy. Both proxies will forward Google certificate to the
unsuspecting client and everything will work fine most[XXX] of the time.

* Otherwise, you will need to use SslBump functionality and impersonate
the origin server, including faking its certificate. If you add your
proxy CA certificate to the client, this bumping will work for some
sites and will break others.

[XXX] The only HTTPS-related problem you may have in a tunneling-only
Squid is with TCP-level error reporting to the client (e.g., when Squid
cannot connect to the corporate proxy). By default, Squid may want to
bump the client connection (to report those errors to the client),
causing bumping problems mentioned in the second bullet above. For Squid
configurations that are not supposed to bump traffic at all, this
implicit bumping on errors is a bug/misfeature.


HTH,

Alex.
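Putting the tunnel-only option from the reply above, the cache_peer forwarding, and the direct-vs-parent decision into one squid.conf sketch, as an added example for Christian's three requirements. This is not Christian's configuration, not Squid project documentation, and not a configuration anyone in the thread reports testing; in particular, whether intercepted HTTPS tunnels actually reach the cache_peer depends on the Squid version, as the later replies say. The port numbers, the internal network ranges, the certificate path and the parent name corp-proxy.example.internal are assumptions. The deprecated action from the 2019-07-16 exchange is shown only as a comment, next to the peek/splice rules that replace it.

```conf
# Added example squid.conf sketch for the two-layer, tunnel-only setup.
# Router-side REDIRECT/TPROXY of ports 80 and 443 to these ports is not shown.

# Intercepted ports (assumed numbers). The https_port needs ssl-bump and a
# certificate even if Squid only ever splices, because peeking at the
# ClientHello is an SslBump step.
http_port  3129 intercept
https_port 3130 intercept ssl-bump \
    cert=/etc/squid/intercept-ca.pem generate-host-certificates=on

# Tunnel-only: learn the SNI at step 1, then splice. Nothing is decrypted,
# so the client receives the origin server's own certificate.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# Deprecated alternative, do not use in modern Squid (compare the reply above):
#   ssl_bump client-first all
# That action decrypts the client side before talking to the server and is
# exactly the bumping that breaks some sites.

# Corporate proxy as parent (assumed name and port). never_direct forces every
# request not matched by always_direct through it, including the CONNECT
# tunnels Squid creates for intercepted TLS.
cache_peer corp-proxy.example.internal parent 8080 0 no-query default

# Requirement #3: flows to internal ranges (assumed) go direct, the rest via parent.
acl direct_dst dst 10.0.0.0/8 192.168.0.0/16
always_direct allow direct_dst
never_direct allow all
```

The one HTTPS caveat from the [XXX] note applies unchanged to this config: if Squid cannot reach the parent, it may bump the client connection to deliver an error page, and a client that does not have intercept-ca.pem installed will see a certificate error instead of that page. If error pages for HTTPS clients matter, the CA has to be installed on the client anyway, which is the trade-off the second bullet above describes.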


[squid-users] Non-standard proxy setup

2019-07-09 Thread Tardif, Christian
Hi,

I'm trying to figure out how to make the following setup work:

I have a node on which there's an application which isn't proxy aware so 
basically, the only remaining option would be to use a transparent proxy. But 
my corporate proxy isn't a transparent proxy. So I have to build this in two 
layers. My solution would be to:


1) Have a squid proxy on the node's router host configured as a transparent 
proxy for both HTTP and HTTPS

2) Have this squid proxy configured to talk to the parent host, which would 
be my corporate proxy

3) Have this squid proxy able to decide if a particular flow should go to 
the corporate proxy or connect "directly" with the destination host

I've been successful at tasks #2 and #3 (well, in fact, I did it with tinyproxy 
but stopped because of task #1).

I've partly succeeded at task #1. In fact, it worked for HTTP. I haven't 
figured out how to do it for HTTPS. My questions are:


1) I do not understand how the client would be able to perform a CONNECT to 
reach squid in HTTPS. So I'm assuming that there's some other magic.

2) The second thing I don't understand is the certificates management. 
Let's say my node tries to reach https://www.google.com but does not know 
anything about the proxy. I assume that the client will get the certificate 
from squid in some way, but would probably expect to receive a certificate from 
Google. How would that work?

Can someone help me?   I'm running out of options...

Thanks,

Christian Tardif