[squid-users] Hint for howto wanted ...

Walter H. Walter.H at mathemainzel.info
Mon Nov 28 18:49:10 UTC 2016


Hey,

On 28.11.2016 14:51, Eliezer Croitoru wrote:
> Now to me the picture is much clearer technically.
> As Amos suggested, fix the first proxy (and I am adding: choose how to approach) and then move on to the next ones.
why fix the first proxy, I wouldn't need it, if ssl-bump plus parent 
proxy (the remote one) worked ...
> There are a couple of subjects in your one single question which conflict with your desire (or at least how they are written).
> If you want to intercept SSL traffic of clients at the network 172.16.0.0/24 (or whatever you have there..) specific clients such as that cannot use a proxy, you will need to either bump them (and splice if no bump required) on the router level of the network or route their traffic towards the right next-hop.
both proxies, the first and the local parent are VMs on my PC ...
> Since you are already blocking clients with iptables you should get familiar if not yet,
this is just a few iptables rules ...
> with connection marking or Policy Based Routing.
I don't know what you mean by that?
> What router are you using, a CentOS also?
this is a NAT router, nothing more ...
> If so it would be pretty simple to configure a routing policy which will be based on the source IP address of the connections.
> Choose if you want to bump on the first proxy, i.e. the 3.1.23, by upgrading to 3.5.X, or route the traffic over a tunnel instead of just blocking the traffic.
a tunnel between 2 VMs which share the same LAN interface?
> Depending on your router OS you will have different instructions on how to route the "blocked" clients into a proxy that will intercept the connections which need to be inspected.
this is neither needed nor wanted ..., the clients configure their proxy 
manually ... this is my home LAN not a company environment ...
> Where are you stuck in the implementation?
how to have a parent proxy even when SSL-bump is done ...
> Can't you upgrade the 3.1.23(First proxy)?
this is just another VM like the 3.5.20 (parent proxy)
> What is blocking you from routing the traffic toward the second parent proxy from the first one or from the router?
these two share the same LAN interface, these are VMware guests of my 
VMware host running Windows ...

Walter
