[squid-users] squid intercept mode fo http & https

[Amos Jeffries]

On 22/11/2015 5:56 a.m., Ahmad Alzaeem wrote:
> Thanks fot your reply .
> 
> I know that my DNS is weird .
> 
> But all I need is
> I have access to DNS server , but I don’t have access to pcs to give them ip:port in their browsers .
> 
> So yes , im forced to work on that way .

You should not be. Have a read through
<http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers>. Notice that
DNS weirdness is not mentioned anywhere, not even as a last-resort method.



> 
> And I want to filter my websites and the only way to go internet is using the proxy .
> 
> So what do you suggest ?

Try the methods listed in that wiki page for WPAD/PAC auto-configuration
(aka "transparent proxy configuration", notice that is a 3-word phrase).
That will catch a lot of the main-stream browsers.

When that is done set up your routers for *routing* the port 80/443
traffic through the Squid machine. With NAT (aka "transparent
interception proxy", notice that is a different 3-word phrase)

No DNS required in any of that.

> 
> So again , the packet go to squid , but inside this packet the name of websites and ds tip is the proxy ip.

Exactly. That is all Squid is given to work with.

> 
> What settings needed on squid to operate such as get the info from name and skip dst ip ?
> 
>  If u look @ the log files u will understand my idea
> 

We already understand your idea. Others have had it before. The reason
it is not popular is the extremely complicated nature of the multiple
pieces of high performance high-uptime hardware required just to keep it
from falling over and/or hitting the side effects you have seen so far,
and many others you have not even got close to reaching yet. When things
go wrong the clients also need an individual reset to clear their
internal DNS caches.

Route packets to Squid (no DNS) just like normally routed packets if
Squid were a border gateway, then NAT or TPROXY intercept into the proxy
itself on the same machine. FAR more robust.

Amos