[squid-users] HTTPS support

j m acctforjunk at yahoo.com
Wed May 3 21:30:16 UTC 2017 

I don't believe blocked outbound ports is the problem.  I can for example connect to several ports in the 8090 - 8100 range using services other than SSH.  I've also tried moving the SSH server to 443 and one of these aforementioned ports, but no go.

      From: Daniel Greenwald <dig at digcorp.net>
 To: "Craddock, Tommy" <Tommy.Craddock at bicgraphic.com> 
Cc: "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
 Sent: Wednesday, May 3, 2017 3:23 PM
 Subject: Re: [squid-users] HTTPS support
   
Seems to me you are overthinking this. What you're up against is blocked outbound ports. Simply run openvpn at your home over one of the allowed outbound ports eg 80 443 or possibly 3128/8080 according to your environment and call it a day. You won't need proxy authentication or haproxy etc..

On Wed, May 3, 2017 at 3:35 PM, Craddock, Tommy <Tommy.Craddock at bicgraphic.com> wrote:

Hello, Yeah, that guide is for PFsense in particular, but you could run HAProxy by itself (say in a VM) and get the same result.  Just fwd those ports from your router to the HAProxy box. 
Thanks!  From: squid-users [mailto:squid-users-bounces@ lists.squid-cache.org]On Behalf Of j m
Sent: Wednesday, May 03, 2017 3:14 PM
To: squid-users at lists.squid-cache. org
Subject: Re: [squid-users] HTTPS support Looks interesting, but it looks complex and sounds like I'd need more of a router than I have to do it.From: "Craddock, Tommy" <Tommy.Craddock at bicgraphic.com >
To: "squid-users at lists.squid- cache.org" <squid-users at lists.squid- cache.org>
Sent: Wednesday, May 3, 2017 2:04 PM
Subject: Re: [squid-users] HTTPS support Hello, Is this more in line with what your trying to do: http://loredo.me/post/ 116633549315/geeking-out-with- haproxy-on-pfsense-the- ultimate Tommy From: squid-users [mailto:squid-users-bounces@ lists.squid-cache.org]On Behalf Of j m
Sent: Wednesday, May 03, 2017 2:44 PM
To: squid-users at lists.squid-cache. org
Subject: Re: [squid-users] HTTPS support In any case, I'm finding SSH through proxy is undesirable or not possible.  I'm thinking shellinabox, which is insecure but run over a secure proxy link, is my best bet. From: Alex Rousskov <rousskov at measurement-factory. com>
To: j m <acctforjunk at yahoo.com>; "squid-users at lists.squid- cache.org" <squid-users at lists.squid- cache.org>
Sent: Wednesday, May 3, 2017 1:19 PM
Subject: Re: [squid-users] HTTPS support On 05/03/2017 11:37 AM, j m wrote:
> the plan was to use SSH through the proxy.

If your SSH clients support SSH through an HTTP proxy, then do not
authenticate them in Squid. Just do not let them go anywhere but the SSH
server. It would be like running an exposed-to-the-world SSH server, no
worse. Squid will still know nothing about SSH. Squid will just tunnel
opaque bytes from your SSH clients to your SSH server. You will use an
HTTP (not HTTPS) Squid port for this traffic because your SSH clients
are unlikely to support HTTPS to the proxy.

Your browsers will still use HTTPS to the proxy (and get authenticated).
Thus, you will have two different http_ports, one for HTTP
(unauthenticated SSH clients) and one for HTTPS (authenticated browsers).

If SSH blocking is not based on _protocol_ but on port, then follow
Antony Stone advice and change the SSH server port instead of
HTTP-proxying SSH connections.

Alex.



> ------------------------------ ------------------------------ ------------
> *From:* Alex Rousskov <rousskov at measurement-factory. com>
> *To:* "squid-users at lists.squid- cache.org"
> <squid-users at lists.squid- cache.org>
> *Cc:* j m <acctforjunk at yahoo.com>
> *Sent:* Wednesday, May 3, 2017 12:22 PM
> *Subject:* Re: [squid-users] HTTPS support
> 
> On 05/03/2017 10:57 AM, j m wrote:
>> I wanted to set up a proxy on my home server for use from remote
>> locations to use as a web proxy (of course) and also to run SSH over.
> 
> The "ssh" part is unrelated to Squid. Secure ssh separately from Squid.
> 
> 
>> This means that basic auth is undesirable due to the login being sent
>> in clear text.  So, someone suggested digest auth, and I was happy.
>>  But, now I'm finding that PuTTY and WinSCP do not support digest auth.
>>  And consequently, I haven't found any other SSH clients that support
>> digest. (sigh)
> 
> These problems will go away if you stop mixing Squid and ssh. Squid is
> HTTP while PuTTY/WinSCP is SSH. You gain very little by trying to use
> the same authentication mechanism for both protocols in your use case.
> 
> 
>> So, I'm back to plan b, and that is to have a secure proxy connection so
>> all browser-to-server communication is encrypted.
> 
> That is a good idea if all of your browsers support it. Popular browsers
> support HTTPS-to-proxy on desktop, but I am not sure about their mobile
> versions. You may have to jump through some hoops.
> 
> 
> 
>> So the question is, does
>> anyone know if squid 3.5 on Ubuntu 16.04 supports secure connections?
> 
> 
> Squid v3.5 supports secure connections to the proxy. See "TLS / SSL
> Options" for the http_port directive (not the https_port directive!).
> 
> You can install Squid v3.5 on Ubuntu. I do not know whether the official
> Ubuntu Squid package is built with the required support.
> 
> 
> HTH,
> 
> Alex.
> 
> 
> 
>  
______________________________ ______________________________ __________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________ ______________________________ __________
______________________________ ______________________________ __________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________ ______________________________ ________________________________________ _________________
squid-users mailing list
squid-users at lists.squid-cache. org
http://lists.squid-cache.org/ listinfo/squid-users 
______________________________ ______________________________ __________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________ ______________________________ __________
______________________________ ______________________________ __________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________ ______________________________ __________

______________________________ _________________
squid-users mailing list
squid-users at lists.squid-cache. org
http://lists.squid-cache.org/ listinfo/squid-users



_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170503/0c4929ee/attachment-0001.html>

More information about the squid-users mailing list