[squid-users] Identifying intercepted clients

Amos Jeffries squid3 at treenet.co.nz
Mon Apr 4 00:06:34 UTC 2016

On 4/04/2016 4:22 a.m., Brendan Kearney wrote:
> With Fedora 24 being released in a couple months, HAProxy v1.6.x will be
> available, and the ability to easily intercept HTTP traffic will be in
> the version (see the set-uri directive).  With v1.6 I will be able to
> rewrite the URL, so that Squid can process the request properly.

That does not make sense. Intercepting and URL-rewriting are completely
different actions.

The Squid-3.5 and later versions are able to receive PROXY protocol
headers from HAProxy. You may find that much better than fiddling around
with URLs and available in your current HAProxy.

>  My
> problem is that I run authenticated access on the proxy, and will need
> to exempt the traffic from that restriction.

What restriction?

> What mechanisms can I use to identify the fact that the client traffic
> has been intercepted, so that I can create ACLs to match the traffic?  I
> don't want to use things like IPs or User-Agent strings, as they may
> change or be unknown.

Only the interceptor can do that traffic distinction. Once traffic gets
multiplexed the information is lost.

> I was thinking about sending the intercepted traffic to a different
> port, say 3129, and then using localport to identify the traffic. With
> an ACL, I would exempt the traffic from auth, etc.  Are there better
> options?  How are other folks dealing with intercepted and explicit
> traffic on the same box?

That would be one fairly good way to distinguish the traffic types. So
why is the URL fiddling happening?
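
The separate-port approach discussed above, combined with the PROXY protocol support mentioned for Squid-3.5, could look like the following squid.conf fragment. This is an added example, not part of the original message: the addresses, the ACL names and the assumption that authentication (auth_param) is already configured elsewhere are all illustrative.

```conf
# Added example, not from the thread. Addresses are constructed
# (192.0.2.0/24 documentation range); ACL names are hypothetical.
# Authentication helpers (auth_param) are assumed to be set up already.

# Explicit proxy port: clients configured to use the proxy, must authenticate.
http_port 3128

# Separate port that only HAProxy relays traffic to.
# require-proxy-header (Squid 3.5+) makes Squid expect a PROXY protocol
# header, so the original client address survives the HAProxy hop.
http_port 3129 require-proxy-header

# Only the HAProxy host may supply PROXY protocol headers.
acl haproxy_hosts src 192.0.2.10
proxy_protocol_access allow haproxy_hosts
proxy_protocol_access deny all

# Distinguish traffic by receiving port, not by client IP or User-Agent.
acl from_haproxy localport 3129
acl explicit_port localport 3128
acl localnet src 192.0.2.0/24
acl authed proxy_auth REQUIRED

# Relayed traffic: these clients do not know a proxy is involved and
# cannot answer a proxy auth challenge, so decide on port plus network.
http_access allow from_haproxy localnet
http_access deny from_haproxy

# Explicit traffic: credentials required.
http_access allow explicit_port authed
http_access deny all
```

Port 3129 carries no authentication, so it should accept connections only from the HAProxy host, enforced here by proxy_protocol_access and ideally by a host firewall rule as well. On the HAProxy side this assumes the backend server line uses `send-proxy`.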


