[squid-users] Hint for howto wanted ...

Eliezer Croitoru eliezer at ngtech.co.il
Mon Nov 28 21:45:45 UTC 2016


OK.
So it is much clearer now, on the way to a solution.
If you don't know what Policy Based Routing is, and you have a bunch of VMs and you are configuring the proxy in the browser manually, you just need to install 3.5.22 on the first proxy, which allows you to tunnel CONNECT requests to a parent proxy based on the request domain.
I am pretty sure that, as Amos wrote, you need to simplify things.
I will ask again:
What do you want to achieve? Content filtering? Special routing (access the internet from another country)? Intercept the connections or use the browser settings to access the web?

Every question has a whole set of options, and it's very simple to route CONNECT requests to a parent proxy if the client configures the proxy in its settings.
Indeed you won't need 3.5.22 to do that but you will need something that can do that.

Now my conclusion is this:
Your need is to be able to pass CONNECT requests to a parent proxy.
Amos, can you answer how it should be done and if it's possible at all using 3.1.X?

(Fastest to catch up should answer, since I don't remember it by heart despite the fact that this is one of my testing labs)

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: Walter H. [mailto:Walter.H at mathemainzel.info] 
Sent: Monday, November 28, 2016 20:49
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Hint for howto wanted ...

Hey,

On 28.11.2016 14:51, Eliezer Croitoru wrote:
> Now to me the picture is much clearer technically.
> As Amos suggested, fix the first proxy (and I am adding: choose how to approach) and then move on to the next ones.
why fix the first proxy, I wouldn't need it, if ssl-bump plus parent 
proxy (the remote one) worked ...
> There are a couple of subjects in your one single question which conflict with your desire (or at least how they are written).
> If you want to intercept SSL traffic of clients on the network 172.16.0.0/24 (or whatever you have there..), specific clients such as those that cannot use a proxy, you will need to either bump them (and splice if no bump is required) at the router level of the network or route their traffic towards the right next-hop.
both proxies, the first and the local parent are VMs on my PC ...
> Since you are already blocking clients with iptables you should get familiar if not yet,
this is just a few iptables rules ...
>   with connection marking or Policy Based Routing.
I don't know what you mean by that?
> What router are you using? A CentOS also?
this is a NAT router, nothing more ...
> If so it would be pretty simple to configure a routing policy which will be based on the source IP address of the connections.
> Choose if you want to bump on the first proxy, i.e. the 3.1.23, by upgrading to 3.5.X, or route the traffic over a tunnel instead of just blocking the traffic.
a tunnel between 2 VMs which share the same LAN interface?
> Depending on your router OS you will have different instructions on how to route the "blocked" clients into a proxy that will intercept the connections which need to be inspected.
this is neither needed nor wanted ..., the clients configure their proxy 
manually ... this is my home LAN not a company environment ...
> Where are you stuck in the implementation?
how to have a parent proxy even when SSL-bump is done ...
> Can't you upgrade the 3.1.23(First proxy)?
this is just another VM like the 3.5.20 (parent proxy)
> What is blocking you from routing the traffic toward the second parent proxy from the first one or from the router?
these two share the same LAN interface, these are VMware guests of my 
VMware host running Windows ...

Walter



