Hi, Amos
> Ah, you need the follow_x_forwarded_for feature on Proxy(1).
That's right, I know about that, but I'd like to use "source address
spoofing"...
Merely following X-Forwarded-For leaves me anxious.
Replacing, in tunnelStart() in tunnel.cc,
>     sock = comm_openex(SOCK_STREAM,
>                        IPPROTO_TCP,
>                        temp,
>                        COMM_NONBLOCKING,
>                        getOutgoingTOS(request),
>                        url);
with
>     if (request->flags.spoof_client_ip) {
>         sock = comm_openex(SOCK_STREAM,
>                            IPPROTO_TCP,
>                            temp,
>                            (COMM_NONBLOCKING|COMM_TRANSPARENT),
>                            getOutgoingTOS(request),
>                            url);
>     } else {
>         sock = comm_openex(SOCK_STREAM,
>                            IPPROTO_TCP,
>                            temp,
>                            COMM_NONBLOCKING,
>                            getOutgoingTOS(request),
>                            url);
>     }
I think it has no harmful effects. I long for that.
Would you modify that?
Sincerely,
--
Mikio Kishi
On Sun, Apr 12, 2009 at 1:25 PM, Amos Jeffries <[email protected]> wrote:
> Mikio Kishi wrote:
>>
>> Hi, Amos
>>
>>> What exactly are you trying to achieve with this?
>>
>> I'm really sorry... It's a little bit difficult to explain...
>> The following gives more detail.
>>
>> -----------------------
>>       The Internet
>>       ---+------------
>>          |
>> --------+-+-------------
>>          |
>>    +-----+-------+
>>    |    squid    | (1)
>>    |  (tcp/8080) |
>>    +-----+-------+
>>          |.2
>> --------+-+---------------- 10.0.0.0/24
>>          |.1
>>       +--+--+
>>       |  R  |
>>       +--+--+
>>          |.1
>> -------+--+---------------- 192.168.0.0/24
>>          |.2
>>     +----+--------+
>>     |  squid +    |
>>     |  tproxy     | (2)
>>     |  (tcp/8080) |
>>     +----+--------+
>>          |.2
>> -------+--+---------------- 192.168.1.0/24
>>          |.3
>>       +--+-----+
>>       | client |
>>       +--------+
>>
>> - The demand
>>   - The client must use proxy(2) using tcp/8080
>>     - by browser settings
>>       HTTP  -> proxy(2) (192.168.1.2:8080)
>>       HTTPS -> proxy(2) (192.168.1.2:8080)
>>   - proxy(2) doesn't have to be "transparent"
>>   - The proxy(2)'s parent proxy must be proxy(1)
>>     using cache_peer
>>   - Both proxy(1) and proxy(2) must record
>>     "client original source address" in access log for security action
>>     !!! It's most important !!!
>>
>> I think that I have to use tproxy(not transparent)
>> to achieve above demands... what do you think ?
>
> Ah, you need the follow_x_forwarded_for feature on Proxy(1).
>
> proxy(2) will always be trying to set the X-Forwarded-For header indicating
> the client IP, which gets passed to proxy(1).
>
> By enabling follow_x_forwarded_for and log_uses_indirect_ip, proxy(1) should
> log the original client IP.
>
> http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/
> http://www.squid-cache.org/Doc/config/log_uses_indirect_client/
>
>
> Amos
>
>>
>> Sincerely,
>> --
>> Mikio Kishi
>>
>> On Thu, Apr 9, 2009 at 4:54 PM, Amos Jeffries <[email protected]>
>> wrote:
>>>
>>> Mikio Kishi wrote:
>>>>
>>>> Hi, Amos
>>>>
>>>>> HTTPS encrypted traffic cannot be intercepted.
>>>>
>>>> Yes, I know that. But in this case it is not "transparent".
>>>>
>>>>>           (1)                  (2)
>>>>>            |                    |
>>>>> +------+   |   +------------+   |   +---------+
>>>>> |WWW   +---+   |            |   +---+ WWW     |
>>>>> |Client|.2 | .1|   squid    |.1 | .2| Server  |
>>>>> +------+   +---+ + tproxy   +---+   |(tcp/443)|
>>>>>            |   | (tcp/8080) |   |   |(tcp/80) |
>>>>>            |   +------------+   |   +---------+
>>>>>      192.168.0.0/24          10.0.0.0/24
>>>>>
>>>>> (1) 192.168.0.2 ------> 192.168.0.1:8080
>>>>>     ^^^^^
>>>>> (2) 192.168.0.2 ------> 10.0.0.2:443
>>>>>     ^^^
>>>>
>>>> The only thing I'd like to do is "source address spoofing"
>>>> using tproxy.
>>>>
>>>> Does that make sense ?
>>>
>>> No. Squid is perfectly capable of making HTTPS links outbound without
>>> tproxy. The far end only knows that some client connected.
>>>
>>> HTTPS cannot be spoofed; it's part of the security involved with the SSL
>>> layer.
>>>
>>> What exactly are you trying to achieve with this?
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>>> Current Beta Squid 3.1.0.6
>>>
>
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
> Current Beta Squid 3.1.0.6
>
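As an added configuration example (not part of this thread and not Squid's own sample config), the following applies the follow_x_forwarded_for / log_uses_indirect_client approach Amos describes to the two-proxy topology in Mikio's diagram: proxy(2) at 192.168.0.2 (client side 192.168.1.2) chaining to proxy(1) at 10.0.0.2 via cache_peer. The addresses are taken from the diagram; the ACL names are assumptions, and the two parts belong in the two separate squid.conf files. The security-relevant detail is that proxy(1) is told to believe X-Forwarded-For only when the request arrives from proxy(2)'s address, so a client that sends its own forged X-Forwarded-For header cannot alter what proxy(1) records in access.log.

```conf
# ===== proxy(2): 192.168.0.2 / 192.168.1.2 (constructed example) =====
http_port 192.168.1.2:8080

# Browser-configured clients on the 192.168.1.0/24 segment.
acl clients src 192.168.1.0/24
http_access allow clients
http_access deny all

# Chain every request (HTTP and CONNECT alike) to proxy(1) as parent.
cache_peer 10.0.0.2 parent 8080 0 no-query default
never_direct allow all

# Pass the real client address upstream in X-Forwarded-For
# (this is the default; stated explicitly here for clarity).
forwarded_for on


# ===== proxy(1): 10.0.0.2 (constructed example) =====
http_port 10.0.0.2:8080

# Trust X-Forwarded-For only from proxy(2). "downstream_proxy" is an
# assumed ACL name; the address is proxy(2)'s interface toward R.
acl downstream_proxy src 192.168.0.2
follow_x_forwarded_for allow downstream_proxy
follow_x_forwarded_for deny all

# Write the indirect (original) client address to access.log instead
# of 192.168.0.2. The directive name follows the documentation URL
# Amos linked (log_uses_indirect_client).
log_uses_indirect_client on

# Also evaluate src ACLs against the indirect client address, so the
# access rules below see the original client rather than proxy(2).
acl_uses_indirect_client on

acl clients src 192.168.1.0/24
acl downstream_only src 192.168.0.2
http_access allow clients
http_access allow downstream_only
http_access deny all
```

With follow_x_forwarded_for, Squid walks the X-Forwarded-For list from the right (the hop nearest to it) toward the left and only steps past an address that matches the allow ACL; because a client's own address is never allowed here, the first address it cannot follow is the one proxy(2) inserted, which is the client's real source. If R performs NAT between the two segments, the address in the downstream_proxy ACL must be whatever proxy(1) actually sees as the connection source, otherwise no X-Forwarded-For header is followed and proxy(1) falls back to logging 192.168.0.2.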