[squid-users] Hint for howto wanted ...

Eliezer Croitoru eliezer at ngtech.co.il
Mon Nov 28 05:56:33 UTC 2016


OK so the next step is:
Routing over tunnel to the other proxy and on it (which has ssl-bump)
intercept.
If you have a public on the remote proxies which can use ssl-bump then route
the traffic to there using Policy Based routing.
You can selectively route by source or destination IP addresses.

Now my main question is: Can't you just install 3.5 on the 3.1.23 machine
and bump there?
Some of the content will not be blocked since 3.1.X cannot intercept SSL.
Depends on the situation you would be able to block all traffic except ports
53, 443 and 80 and see what happens.

How are you intercepting the connections? What are the iptables rules you
are using?
What OS are you running on top of the Squid boxes?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: Walter H. [mailto:Walter.H at mathemainzel.info] 
Sent: Monday, November 28, 2016 06:42
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Hint for howto wanted ...

Hello,

yes I have full control of all three proxies, both local proxies and
remote proxy; and in my LAN I use static IP addresses;

cache_peer_access remote-proxy allow remote-domains <-- this is
necessary because a few domains have geo location restrictions which are
bypassed with this

cache_peer_access remote-proxy allow tv-device <-- but this sends
anything from the TV there, even requests that should be blocked ...

(selective doesn't work)

the proxy that is used by the clients is a squid 3.1.23, the one that is 
remote is a 3.4.14 and the local parent proxy is a 3.5.20

Thanks,
Walter


On 28.11.2016 04:40, Eliezer Croitoru wrote:
> A question that will simplify things:
> Are you fully in control of the remote and the local proxy?
> If so you can create a tunnel from the local gateway to the remote squid and
> pass the web traffic in the routing level.
> This way you would be able to intercept port 80 on the remote proxy and if
> required also BUMP the ip addresses you want.
>
> If you have static IP addresses you would probably be able to decide which
> of the clients you will bump or not.
> I think that TV in general in the form I know of needs filtering since not
> everything there you will want anyone to see.
> But again maybe in your area TV is something else than in mine.
>
> If you need more help let me know.
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
> Behalf Of Walter H.
> Sent: Sunday, November 27, 2016 19:17
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Hint for howto wanted ...
>
> Hello,
>
> I've got a special problem ...
>
> I have several devices in my LAN:
> - PCs, Notebooks
> - a Tablet-PC
> - a Smartphone
> - a Television
>
> on my LAN I've two squids as VMs on my PC (both are CentOS 6)
>
> I also have a virtual server (a CentOS 6, too)  at a webhoster in a
> different country, which I have configured as a proxy (squid) only for me
> besides the web service;
>
> /etc/squid/squid.conf of the main proxy, which is used as proxy by the
> clients has this ...
>
> acl tv-device src ip-of-tv
>
> cache_peer parentproxy.local parent 3128 0 name=local-proxy proxy-only no-digest default
> cache_peer virtualserver-at-webhoster parent 3128 0 name=remote-proxy proxy-only no-digest
>
> acl remote-domains dstdomain "/etc/squid/remote-domains-acl.squid"
>
> cache_peer_access remote-proxy allow remote-domains
> cache_peer_access remote-proxy allow tv-device
> cache_peer_access remote-proxy deny all
>
> cache_peer_access local-proxy allow !tv-device
>
> this proxy and the one at the webhoster don't do SSL-bump, only the parent
> proxy does ...
> at the moment only the parentproxy.local does filtering and blocks unwanted
> IPs, hosts, ...
>
> what is the easiest way to do smart filtering for the tv-device, as this
> doesn't use parentproxy.local at all ...
> do I really have to do smart filtering on both, the one at the hoster (plus
> SSL bump) and the parentproxy that already does?
>
> Thanks,
> Walter
>
>
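As an added example (not configuration from this thread or from the Squid project), here is how the client-facing 3.1.23 proxy's peer rules could be written so that only the TV's requests for the geo-restricted domains go to the remote peer, while the rest of the TV's traffic passes through the filtering parent. The TV address is a placeholder; the peer names and the ACL file are the ones quoted above.

```conf
# Added example for the client-facing squid (3.1.23). 192.0.2.50 is a
# placeholder for the TV's static LAN address; the peer names and the
# ACL file are the ones from the thread.
acl tv-device src 192.0.2.50
acl remote-domains dstdomain "/etc/squid/remote-domains-acl.squid"

cache_peer parentproxy.local parent 3128 0 name=local-proxy proxy-only no-digest default
cache_peer virtualserver-at-webhoster parent 3128 0 name=remote-proxy proxy-only no-digest

# ACL names on one cache_peer_access line are ANDed, so this line matches
# only the TV asking for a geo-restricted domain. Without a bump on this
# proxy, HTTPS is matched by the host in the CONNECT request, which
# dstdomain still sees, so the rule covers both http:// and https://.
cache_peer_access remote-proxy allow tv-device remote-domains
cache_peer_access remote-proxy deny all

# The "default" parent is chosen before any other parent whenever its
# cache_peer_access allows the request, so it has to refuse the
# geo-restricted domains explicitly or nothing would ever reach remote-proxy.
# Everything else, including all other TV traffic, goes through the
# filtering parent.
cache_peer_access local-proxy deny remote-domains
cache_peer_access local-proxy allow all

# Force every request through a peer so no client (the TV in particular)
# can bypass the filtering parent by going direct.
never_direct allow all
```

With this ordering a blocked host requested by the TV is answered by parentproxy.local's existing rules rather than being forwarded untouched to the hoster.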
