[squid-users] squid intercept mode fo http & https

Ahmad Alzaeem ahmed.zaeem at netstream.ps
Mon Nov 23 20:54:39 UTC 2015


Amos,
Is it possible to let squid be blind to the dst ip and look up only the domain name in the packet?

Awaiting your reply

Thank you

-----Original Message-----
From: Ahmad Alzaeem [mailto:ahmed.zaeem at netstream.ps] 
Sent: Sunday, November 22, 2015 9:45 AM
To: 'Amos Jeffries'
Cc: 'squid-users at lists.squid-cache.org'
Subject: RE: [squid-users] squid intercept mode fo http & https

Amos, thank you so much for your kind reply.

The topology is complex and I can't do it like setting up the gateway to be the squid, and I'm forced to work on DNS.

I'm just asking: is it possible to work that way with squid?
Or
Is it impossible to have it working?

I know it's weird and not popular, but I'm forced to do it that way.

So again, can we use something like redsocks or any redirector to help me with this issue?


If squid can work that way, do I need to add more directives to let it work?

As I mentioned, from the logs it gets stuck and looks up the destination ip:
1448121518.847      0 xx.79.120 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121526.056      0 xx.79.120 TCP_MISS/503 399 HEAD http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html


So if I understood correctly, I guess squid will work on the domain name, not on the ip, and I supposed it would work, but so far I don't know why!

Thank you Amos again, I appreciate all your help and the team's support; all of you were and still are nice helpers


cheers

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Sunday, November 22, 2015 3:51 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] squid intercept mode fo http & https

On 22/11/2015 5:56 a.m., Ahmad Alzaeem wrote:
> Thanks for your reply.
> 
> I know that my DNS is weird .
> 
> But all I need is
> I have access to DNS server , but I don’t have access to pcs to give them ip:port in their browsers .
> 
> So yes, I'm forced to work that way.

You should not be. Have a read through
<http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers>. Notice that DNS weirdness is not mentioned anywhere, not even as a last-resort method.



> 
> And I want to filter my websites and the only way to go internet is using the proxy .
> 
> So what do you suggest ?

Try the methods listed in that wiki page for WPAD/PAC auto-configuration (aka "transparent proxy configuration", notice that is a 3-word phrase).
That will catch a lot of the main-stream browsers.

When that is done set up your routers for *routing* the port 80/443 traffic through the Squid machine, with NAT (aka "transparent interception proxy", notice that is a different 3-word phrase).

No DNS required in any of that.

> 
> So again, the packet goes to squid, but inside this packet is the name of the website, and the dst ip is the proxy ip.

Exactly. That is all Squid is given to work with.

> 
> What settings are needed on squid to operate such as getting the info from the name and skipping the dst ip?
> 
> If you look at the log files you will understand my idea
> 

We already understand your idea. Others have had it before. The reason it is not popular is the extremely complicated nature of the multiple pieces of high performance high-uptime hardware required just to keep it from falling over and/or hitting the side effects you have seen so far, and many others you have not even got close to reaching yet. When things go wrong the clients also need an individual reset to clear their internal DNS caches.

Route packets to Squid (no DNS) just like normally routed packets if Squid were a border gateway, then NAT or TPROXY intercept into the proxy itself on the same machine. FAR more robust.

Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
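The setup Amos recommends, as an added example that is not part of the thread and not the Squid project's own code: port 80/443 traffic is routed through the Squid host like any gateway and NAT-redirected into Squid's intercept ports, with no DNS involved. The interface name, port numbers, LAN range and CA path are assumptions (placeholders to adapt), and the `ssl_bump` lines assume the Squid 3.5 peek/splice syntax. The comments also spell out why the DNS approach produces the `ORIGINAL_DST/<proxy ip>` 503 lines shown earlier in the thread: on an intercept port Squid verifies the Host header or SNI against the NAT-recovered destination, and when that destination is the proxy itself there is nothing valid to connect to.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: the setup Amos
# describes, where port 80/443 traffic is *routed* through the Squid host
# and NAT-redirected into Squid's intercept ports, instead of DNS pointing
# names at the proxy. Every value below is an assumed, site-specific one:
#   LAN_IF     interface the routed client traffic arrives on
#   HTTP_PORT  Squid's "intercept" listener for port 80
#   HTTPS_PORT Squid's "intercept ssl-bump" listener for port 443
#   CA_CERT    placeholder path to the CA used by SslBump (peek/splice only)
#   LAN_NET    client range allowed through the proxy
# DRY_RUN=1 (the default) prints the commands instead of applying them.

LAN_IF="${LAN_IF:-eth1}"
HTTP_PORT="${HTTP_PORT:-3129}"
HTTPS_PORT="${HTTPS_PORT:-3130}"
CA_CERT="${CA_CERT:-/etc/squid/ssl_cert/EXAMPLE-CA.pem}"
LAN_NET="${LAN_NET:-10.0.0.0/8}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# squid.conf fragment. On an intercept port Squid recovers the real
# destination from the kernel NAT table (logged as ORIGINAL_DST) and
# checks that the Host header / TLS SNI actually resolves to it. If the
# name does not verify, Squid distrusts it and connects to ORIGINAL_DST;
# when DNS has sent the client to the proxy, ORIGINAL_DST *is* the proxy,
# so the request can only fail (the TCP_MISS/503 seen in the thread).
squid_intercept_conf() {
    cat <<EOF
# plain forward-proxy port for browsers configured via WPAD/PAC
http_port 3128
# interception listeners: only reachable through the NAT rules below
http_port ${HTTP_PORT} intercept
https_port ${HTTPS_PORT} intercept ssl-bump cert=${CA_CERT} generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# read the SNI at the first step, then pass the TLS stream through untouched
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

acl from_lan src ${LAN_NET}
http_access allow from_lan
http_access deny all
EOF
}

# Kernel side: forward packets like a gateway and redirect the routed
# 80/443 connections into the intercept ports. Only traffic entering on
# LAN_IF is touched; Squid's own outbound fetches leave through the
# OUTPUT chain and are therefore not looped back into the proxy.
intercept_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$HTTP_PORT"
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 443 \
        -j REDIRECT --to-ports "$HTTPS_PORT"
}

squid_intercept_conf
intercept_rules
```

Run it once with the default `DRY_RUN=1` to review the generated squid.conf fragment and the iptables commands, then with `DRY_RUN=0` on the Squid host. The `splice all` rule means HTTPS is only inspected up to the SNI and never decrypted; that is enough for name-based filtering without the CA having to be trusted by clients.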