[squid-users] Hint for howto wanted ...

Eliezer Croitoru eliezer at ngtech.co.il
Mon Nov 28 10:18:53 UTC 2016

Hey Walter,

I am not sure you understand the direction of things or what I am aiming for.
First, if the client has CentOS 6.8, there are RPMs for newer versions which I am building manually for public use.
Second: you can simplify the picture from intercepting traffic using the local Squid into "routing" the traffic at the IP level towards the remote proxy.
You can open a GRE tunnel or use some kind of simple VPN service to tunnel between the client box and the 3.5.20 box.
If you route the clients' traffic towards the proxy at the IP level, you would be free from handling the 3.1.X proxy.

You should prioritize your goals between:
- Caching
- ACL
- Others

Once you open your mind from resolving an issue and convert it into a second form, which is functionality, I think I would be able to assist you.

What is missing from the 3.1.X proxy?
Is SSL Bump missing?
What iptables rules are you using on the client machine (3.1.X)?

All the above matters to understand how to offer the right solution.


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il

-----Original Message-----
From: Walter H. [mailto:walter.h at mathemainzel.info] 
Sent: Monday, November 28, 2016 10:59
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: RE: [squid-users] Hint for howto wanted ...

On Mon, November 28, 2016 06:56, Eliezer Croitoru wrote:
> OK so the next step is:

> Routing over tunnel to the other proxy and on it(which has ssl-bump) 
> intercept.
By now only the 3.5.20 Squid on the local VM does SSL Bump.

> If you have a public on the remote proxies which can use ssl-bump then 
> route the traffic to there using Policy Based routing.
How do I configure this?

> You can selectively route by source or destination IP addresses.
By now the remote has in its iptables a rule to only accept port 3128 from my home IP (IPv6 and IPv4), but the IPv4 at home changes several times a year; that means it is not fixed.

> Now my main question is: Can't you just install 3.5 on the 3.1.23 
> machine and bump there?
SSL Bump and a parent proxy together don't work; if this worked I wouldn't need the 3.1.23 machine at all ...
The 3.1.23 machine has the other 2 proxies (3.4.14 remote and 3.5.20 local) as parents ...

I should mention that the 3.5.20 box also has ClamAV (SquidClam) which does malware checking ...
(the remote proxy can't run ClamAV)

> How are you intercepting the connections? What are the iptables rules 
> you are using?

The client has the 3.1.23 Squid box configured as proxy.

> What OS are you running on top of the Squid boxes?

All Squid boxes run CentOS 6.8.
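
One concrete way to set up the "route at the IP level" option Eliezer describes above, as an added example that is not from this thread or from the Squid project: a GRE tunnel between the client-side box and the remote 3.5.20 box, policy-based routing on the client side so that only the LAN's port 80/443 flows go through the tunnel, and REDIRECT rules on the remote side that hand those flows to Squid's intercept ports. Every address, the routing table number, the fwmark value and the intercept ports 3129/3130 are assumptions; the remote Squid is assumed to already have `http_port ... intercept` and `https_port ... intercept ssl-bump` listening on those ports.

```shell
#!/bin/sh
# Added example (not from the Squid project or the thread's authors): route
# selected client traffic at the IP level over a GRE tunnel to a remote Squid
# 3.5 box that intercepts ports 80/443, using policy-based routing (PBR).
# Every address, table number, mark value and port below is an assumption.
set -eu

DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands; 0 = execute them (root)

# Constructed addressing for the example:
LOCAL_PUB=198.51.100.10      # public IP of the local (client-side) box
REMOTE_PUB=203.0.113.20      # public IP of the remote 3.5.20 proxy box
GRE_LOCAL=10.99.0.1          # tunnel inner address, local end
GRE_REMOTE=10.99.0.2         # tunnel inner address, remote end
CLIENT_NET=192.168.1.0/24    # LAN behind the local box
PBR_TABLE=100                # extra routing table for proxied flows
FWMARK=0x1                   # mark meaning "send this flow via the proxy"
HTTP_INTERCEPT=3129          # assumed Squid 'http_port 3129 intercept'
HTTPS_INTERCEPT=3130         # assumed Squid 'https_port 3130 intercept ssl-bump ...'

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Build the GRE tunnel. Arguments: this side's public IP, the peer's public
# IP, this side's inner address. Run on each box with the roles swapped.
gre_cmds() {
    run ip tunnel add gre1 mode gre local "$1" remote "$2" ttl 64
    run ip addr add "$3/30" dev gre1
    run ip link set gre1 up
    # GRE is IP protocol 47; accept it only from the known peer.
    run iptables -A INPUT -p gre -s "$2" -j ACCEPT
}

# Local box: mark the LAN's web flows and send marked packets through the
# tunnel. Only TCP 80/443 from CLIENT_NET is diverted; everything else
# keeps using the main routing table and the normal default route.
pbr_cmds() {
    run iptables -t mangle -A PREROUTING -s "$CLIENT_NET" -p tcp \
        -m multiport --dports 80,443 -j MARK --set-mark "$FWMARK"
    run ip rule add fwmark "$FWMARK" table "$PBR_TABLE"
    run ip route add default via "$GRE_REMOTE" dev gre1 table "$PBR_TABLE"
    run ip route flush cache
    run sysctl -w net.ipv4.ip_forward=1
}

# Remote box: packets arriving over gre1 for 80/443 are handed to the
# local Squid intercept ports. The route back to CLIENT_NET via the tunnel
# is required: the clients keep their LAN source addresses, so without it
# Squid's replies would leave by the remote box's default route and the
# connections would never complete.
intercept_cmds() {
    run ip route add "$CLIENT_NET" via "$GRE_LOCAL" dev gre1
    run iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 \
        -j REDIRECT --to-ports "$HTTP_INTERCEPT"
    run iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 443 \
        -j REDIRECT --to-ports "$HTTPS_INTERCEPT"
    run iptables -A INPUT -i gre1 -p tcp \
        -m multiport --dports "$HTTP_INTERCEPT,$HTTPS_INTERCEPT" -j ACCEPT
}

case "${1:-}" in
    local)  gre_cmds "$LOCAL_PUB" "$REMOTE_PUB" "$GRE_LOCAL"; pbr_cmds ;;
    remote) gre_cmds "$REMOTE_PUB" "$LOCAL_PUB" "$GRE_REMOTE"; intercept_cmds ;;
    *)      echo "usage: DRY_RUN=0 $0 local|remote" >&2 ;;
esac
```

Run it with `DRY_RUN=1 ./pbr.sh local` (or `remote`) first to review the generated `ip`/`iptables` commands, then with `DRY_RUN=0` as root on each box. Two caveats worth keeping in mind: plain GRE carries no authentication or encryption, so the remote box's existing habit of filtering port 3128 by source IP has to be applied to protocol 47 as well, and a home IPv4 address that changes several times a year makes that filter fragile; an authenticated VPN of the kind Eliezer mentions avoids the problem. Routing by source address instead of by mark (`ip rule add from 192.168.1.0/24 table 100`) is the alternative he describes, at the cost of sending all of that LAN's traffic, not just web traffic, through the tunnel.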

