[squid-users] Identifying intercepted clients

Brendan Kearney bpk678 at gmail.com
Mon Apr 4 22:25:46 UTC 2016

On 04/03/2016 08:06 PM, Amos Jeffries wrote:
> On 4/04/2016 4:22 a.m., Brendan Kearney wrote:
>> with fedora 24 being released in a couple months, haproxy v1.6.x will be
>> available, and the ability to easily intercept HTTP traffic will be in
>> the version (see the set-uri directive).  with v1.6 i will be able to
>> rewrite the URL, so that squid can process the request properly.
> That does not make sense. Intercepting and URL-rewriting are completely
> different actions.
> The Squid-3.5 and later versions are able to receive PROXY protocol
> headers from HAProxy. You may find that much better than fiddling around
> with URLs and available in your current HAProxy.
i use iptables to intercept the request, and need the set-uri option in 
haproxy 1.6.x to concatenate the Host header with the GET, in order to 
have the request in the form that squid expects.  yes, they 
are separate actions and i should have been clearer.

i will look into the PROXY protocol additions, but that may not be an 
option until i can get all my boxes upgraded.
>> my problem is that i run authenticated access on the proxy, and will need
>> to exempt the traffic from that restriction.
> What restriction?
the authenticated access restriction.  not much of my policy allows for 
unauthenticated access.
>> what mechanisms can i use to identify the fact that the client traffic
>> has been intercepted, so that i can create ACLs to match the traffic?  i
>> don't want to use things like IPs or User-Agent strings, as they may
>> change or be unknown.
> Only the interceptor can do that traffic distinction. Once traffic gets
> multiplexed the information is lost.
i tried to create / insert a header at the router/firewall/load 
balancer, and test for the existence of the header in squid, but that 
did not seem to go as well as i thought it might.
>> i was thinking about sending the intercepted traffic to a different
>> port, say 3129, and then using localport to identify the traffic. with
>> an ACL, i would exempt the traffic from auth, etc.  are there better
>> options?  how are other folks dealing with intercepted and explicit
>> traffic on the same box?
> That would be one fairly good way to distinguish the traffic types. So
> why is the URL fiddling happening?
because i need to concatenate the Host header with the GET line (URI), 
in order for squid to be able to process the request.  i don't have squid 
3.5 yet, nor do i have haproxy 1.6 yet, so i have to use the old 
interception methods to accomplish this, at this point.
> Amos
thanks for the feedback.  seems i might be able to do things, just have 
to find my way through until newer versions give me better means of 
doing it.
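
The separate-port idea discussed in this message, sketched as a squid.conf fragment. This is an added example, not part of the original post and not the poster's configuration. It assumes HAProxy forwards already-rewritten (absolute-URI) requests to a plain listener on 3129; the address 192.0.2.10 and the ACL names are placeholders.

```conf
# Added example. Addresses and ACL names are placeholders; the existing
# auth_param configuration is assumed to be present elsewhere in the file.

# Explicit (configured-proxy) clients connect here and must authenticate.
http_port 3128

# Requests that were intercepted upstream and rewritten by the load balancer
# arrive here. The listener is a plain forward-proxy port (no "intercept"
# flag), so localport reports 3129 for these connections.
http_port 3129

# Credentials check for explicit clients.
acl authenticated proxy_auth REQUIRED

# Identify traffic by the listening port it arrived on.
acl intercepted_port localport 3129

# Only the interceptor may use the unauthenticated listener. Without this,
# any client could avoid authentication by pointing itself at port 3129.
acl interceptor src 192.0.2.10

# Order matters: the intercepted-port rules are evaluated before any rule
# that references proxy_auth, so intercepted requests never receive a 407
# challenge they cannot answer.
http_access deny intercepted_port !interceptor
http_access allow intercepted_port
http_access allow authenticated
http_access deny all
```

Checking access.log for requests on 3129 from any source other than the load balancer confirms the deny rule is doing its job.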



