[squid-users] Hint for howto wanted ...

Walter H. Walter.H at mathemainzel.info
Mon Nov 28 18:49:10 UTC 2016


On 28.11.2016 14:51, Eliezer Croitoru wrote:
> Now to me the picture is much clear technically.
> As Amos suggested fix the first proxy(and I am adding choose how to approach) and then move on to the next ones.
why fix the first proxy, I wouldn't need it, if ssl-bump plus parent 
proxy (the remote one) worked ...
> There are couple subjects in your one single question which are conflicting your desire(or at least how they are written).
> If you want to Intercept ssl traffic of clients at the network what ever you have there..) specific clients such as that cannot use a proxy, you will need to either bump them(and splice if no bump required) on the router level of the network or route their traffic towards the right next-hop.
both proxies, the first and the local parent are VMs on my PC ...
> Since you are already blocking clients with iptables you should get familiar if not yet,
this is just a few iptables rules ...
>   with connection marking or Policy Based Routing.
I don't know what you mean by that?
> What router are you using a CentOS also?
this is a NAT router, nothing more ...
> If so it would be pretty simple to configure a routing policy which will be based on the source IP address of the connections.
> Choose if you want to bump on the first proxy ie the 3.1.23 by upgrading to 3.5.X or route the traffic over a tunnel instead of just blocking the traffic.
a tunnel between 2 VMs which share the same LAN interface?
> Depend on your router OS you will have different instructions on how to route the "blocked" clients into a proxy that will intercept the connections which needs to be inspected.
this is neither needed nor wanted ..., the clients configure their proxy 
manually ... this is my home LAN not a company environment ...
> Where are you stuck in the implementation?
how to have a parent proxy even when SSL-bump is done ...
> Can't you upgrade the 3.1.23(First proxy)?
this is just another VM like the 3.5.20 (parent proxy)
> What is blocking you from routing the traffic toward to the second parent proxy from the first one or from the router?
these two share the same LAN interface, these are VMware guests of my 
VMware host running Windows ...


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3827 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161128/740764dd/attachment.bin>

More information about the squid-users mailing list