[squid-users] Non-standard proxy setup

Alex Rousskov rousskov at measurement-factory.com
Tue Jul 9 13:54:25 UTC 2019


On 7/9/19 9:10 AM, Tardif, Christian wrote:

> I have a node on which there’s an application which isn’t proxy aware so
> basically, the only remaining option would be to use a transparent
> proxy. But my corporate proxy isn’t a transparent proxy. So I have to
> build this in two layers. My solution would be to:
> 
> 1) Have a squid proxy on the node's router host configured as a
> transparent proxy for both HTTP and HTTPS
> 
> 2) Have this squid proxy configured to talk to the parent host,
> which would be my corporate proxy
> 
> 3) Have this squid proxy able to decide if a particular flow should
> go to the corporate proxy or connect "directly" with the destination host
> 
> I've been successful at tasks #2 and #3 (well, in fact, I did it with
> tinyproxy but stopped because of task #1).
> 
> I've partly succeeded at task #1. In fact, it worked for HTTP. I haven't
> figured out how to do it for HTTPS. My questions are:
> 
> 1) I do not understand how the client would be able to perform a
> CONNECT to reach squid in HTTPS. So I'm assuming that there's some other
> magic.

The client will attempt to open a TLS/TCP connection to the origin
server. Your router (or some such) will redirect client TLS/TCP bytes to
your Squid's https_port. If configured correctly, Squid will accept that
TCP connection and wrap/forward it into/inside an HTTP CONNECT tunnel
through the corporate proxy.


> 2)     The second thing I don’t understand is the certificates
> management. Let’s say my node tries to reach https://www.google.com but
> does not know anything about the proxy. I assume that the client will
> get the certificate from squid in some way, but would probably expect to
> receive a certificate from Google. How would that work?

* If you do not want your Squid to look inside the connection to
google.com, then your Squid will work at TCP level. Same for the
corporate proxy. Both proxies will forward Google certificate to the
unsuspecting client and everything will work fine most[XXX] of the time.

* Otherwise, you will need to use SslBump functionality and impersonate
the origin server, including faking its certificate. If you add your
proxy CA certificate to the client, this bumping will work for some
sites and will break others.

[XXX] The only HTTPS-related problem you may have in a tunneling-only
Squid is with TCP-level error reporting to the client (e.g., when Squid
cannot connect to the corporate proxy). By default, Squid may want to
bump the client connection (to report those errors to the client),
causing bumping problems mentioned in the second bullet above. For Squid
configurations that are not supposed to bump traffic at all, this
implicit bumping on errors is a bug/misfeature.


HTH,

Alex.
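A tunneling-only configuration of the kind described in the first bullet, combined with the parent-proxy routing decision from task #3, as an added example; it is not from the thread or from the Squid project, and the interface, ports, hostnames, address ranges and certificate path are assumptions.

```conf
# Hypothetical squid.conf for the two-layer setup discussed above.
# Assumptions (not from the original post): Squid 4+ runs on the node's
# router, client traffic arrives on eth1, the corporate proxy is
# corp-proxy.example.com:3128, and 10.0.0.0/8 is internal address space
# that should be reached without the corporate proxy.

# --- Layer 1: transparent interception --------------------------------
# NAT rules on the router (run once, outside squid.conf) steer the
# client's TCP bytes to the intercept ports below:
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80  -j REDIRECT --to-ports 3128
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-ports 3129
http_port  3128 intercept
# An ssl-bump port needs a CA certificate even when every connection is
# spliced; Squid uses it for the implicit error-reporting bump noted in
# the [XXX] footnote, so this CA should be trusted by the clients if you
# want readable error pages rather than TLS failures.
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/router-ca.pem

# Peek at the ClientHello (gives SNI for logs and ACLs), then splice:
# Squid stays at TCP level and the client sees the origin server's own
# certificate, exactly as in the first bullet of the reply.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# --- Layer 2: parent (corporate) proxy --------------------------------
# Spliced TLS connections are forwarded to this peer inside CONNECT tunnels.
cache_peer corp-proxy.example.com parent 3128 0 no-query default

# --- Routing decision (task #3) ---------------------------------------
acl internal_dst dst 10.0.0.0/8
always_direct allow internal_dst    # internal destinations bypass the parent
never_direct  allow all             # everything else must go via the corporate proxy

# Only the node's subnet may use this proxy (intercepted traffic still
# passes through http_access).
acl localnet src 192.168.10.0/24
http_access allow localnet
http_access deny all
```

Run `squid -k parse` after editing to catch directive or ACL typos before reloading.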

