[squid-users] Identifying intercepted clients
squid3 at treenet.co.nz
Mon Apr 4 00:06:34 UTC 2016
On 4/04/2016 4:22 a.m., Brendan Kearney wrote:
> with fedora 24 being released in a couple months, haproxy v1.6.x will be
> available, and the ability to easily intercept HTTP traffic will be in
> the version (see the set-uri directive). with v1.6 i will be able to
> rewrite the URL, so that squid can process the request properly.
That does not make sense. Intercepting and URL-rewriting are completely
The Squid-3.5 and later versions are able to receive PROXY protocol
headers from HAProxy. You may find that much better than fiddling around
with URLs and available in your current HAProxy.
> problem is that i run authenticated access on the proxy, and will need
> to exempt the traffic from that restriction.
> what mechanisms can i use to identify the fact that the client traffic
> has been intercepted, so that i can create ACLs to match the traffic? i
> don't want to use things like IPs or User-Agent strings, as they may
> change or be unknown.
Only the interceptor can do that traffic distinction. Once traffic gets
multiplexed the information is lost.
> i was thinking about sending the intercepted traffic to a different
> port, say 3129, and then using localport to identify the traffic. with
> an ACL, i would exempt the traffic from auth, etc. are there better
> options? how are other folks dealing with intercepted and explicit
> traffic on the same box?
That would be one fairly good way to distinguish the traffic types. So
why is the URL fiddling happening?
More information about the squid-users