[squid-users] Transparent HTTPs proxy with Squid 3.5

Amos Jeffries squid3 at treenet.co.nz
Tue Dec 13 22:50:48 UTC 2016


On 13/12/2016 10:15 p.m., Per Jessen wrote:
> Amos Jeffries wrote:
> 
>> On 13/12/2016 5:11 a.m., Fomo Dong wrote:
>>> Hi all,
>>>
>>> For a couple of days I've been trying to figure out how to get a transparent
>>> HTTPS proxy to work with Squid. What I'm trying to achieve is a proxy
>>> that accepts internet traffic from ports 80 & 443, routes them
>>> through Squid to Privoxy and finally through Tor and returns back the
>>> data. So essentially I want to "automatically" revert some traffic
>>> through Tor without the user needing to add a proxy to their
>>> connection.
>>>
>>> I know how to set up the Privoxy and Tor part, but I'm struggling with
>>> the Squid & iptables configuration.
>>
>> The first thing to be aware of is that Squid obeys the HTTPS
>> requirement that traffic received on TLS connection also goes out one.
>> So your Privoxy must be capable of receiving TLS connections from
>> Squid.
>>
>> If Privoxy cannot do TLS like that you could have Squid do the privacy
>> filtering. But then Tor would face the same requirement.
>>
>>
>> Second thing I want to make clear is that a *transparent* proxy is the
>> opposite of anonymizing proxy. A transparent proxy hides *itself* while
>> _revealing_ the client.  An anonymous proxy reveals itself, while
>> hiding the client(s). They are almost direct opposites in behaviour.
>>
>> Anyhow, what you meant by the word "transparent" turns out to actually
>> be "intercepting". 
> 
> We also run a "transparent" proxy, but it is transparent for the
> _client_.  The main office router simply sends an ICMP redirect to
> point clients to the proxy. 
> 

Uh, ICMP redirect informs the client that it's not contacting the
original server. It also implies there are no NAT records for the proxy
to lookup to resolve the ORIGINAL_DST address.

How does that work with the 'transparent' mode flag on your http_port
line(s)? Not well I suspect.


It is people calling non-transparent things like that "transparent"
which has led to Fomo's problem of the configuration being half *actual*
Transparent Proxy (TPROXY, 'tproxy' mode) and half NAT interception
(REDIRECT, 'intercept' mode).

Amos
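Added example, not from the thread: a small shell check for the half-TPROXY/half-REDIRECT mix Amos describes, matching the mode keyword on each http_port/https_port line against the iptables target the rules actually use. It assumes iptables-save style rule text and reads only the two files it is given; nothing is applied to a live firewall or a running Squid.

```shell
#!/bin/sh
# Added example, not from the thread: flag a squid.conf whose port lines
# declare one interception mode while the iptables rules implement the
# other, or where either side uses both at once. Mode keywords
# 'intercept'/'tproxy' and the REDIRECT/TPROXY targets are as named in
# the mail; the file arguments are the caller's, nothing is applied.

# Print the mode of each http_port/https_port line: intercept, tproxy or none.
squid_port_modes() {            # $1 = squid.conf
    awk '/^[[:space:]]*https?_port[[:space:]]/ {
            mode = "none"
            for (i = 2; i <= NF; i++) if ($i == "intercept" || $i == "tproxy") mode = $i
            print mode
        }' "$1"
}

# Print the firewall method of each interception rule: redirect (nat table
# REDIRECT, pairs with 'intercept') or tproxy (mangle table TPROXY, pairs
# with 'tproxy').
iptables_methods() {            # $1 = iptables-save output or a rule script
    awk '/-j REDIRECT/ { print "redirect" }
         /-j TPROXY/   { print "tproxy" }' "$1"
}

# Exit 0 and print "ok" when Squid's mode and the firewall method agree,
# 2 and "mixed" when either side uses both methods (the half-and-half
# setup from the mail), 1 and "mismatch" when the two sides disagree.
check_consistency() {           # $1 = squid.conf, $2 = iptables rules file
    modes=$(squid_port_modes "$1" | grep -v '^none$' | sort -u)
    methods=$(iptables_methods "$2" | sort -u)
    n_modes=$(printf '%s\n' "$modes" | grep -c . || true)
    n_methods=$(printf '%s\n' "$methods" | grep -c . || true)
    if [ "$n_modes" -gt 1 ] || [ "$n_methods" -gt 1 ]; then
        echo "mixed"; return 2
    fi
    case "$modes/$methods" in
        intercept/redirect|tproxy/tproxy|/) echo "ok"; return 0 ;;
        *) echo "mismatch: squid=$modes iptables=$methods"; return 1 ;;
    esac
}
```

A plain `http_port 3128` line without a mode keyword is reported as `none` and ignored by the check, since a forward-proxy port needs no NAT or TPROXY rule at all.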


