[squid-users] MITM the MITM
Will BMD
will at brainmeltdown.net
Tue Jan 4 16:56:10 UTC 2022
On 04/01/2022 04:19, Grant Taylor wrote:
> On 1/3/22 5:19 PM, Will BMD wrote:
>> Hey all,
>
> Hi,
>
>> From the Firewalls perspective all client connections are originating
>> as the proxy server. We're wanting to use the https inspect feature
>> of the firewall,
>
> I'm taking "HTTPS inspect" to be the firewall's counterpart to ssl_bump.
That's correct.
>
>> but according to our firewall documentation it appears due to the
>> location of our proxy servers we would be unable to do so.
>
> Where does the firewall documentation / vendor want the proxy server
> to be?
That's a great question, I suspect that this might be an error in their
documentation.
>
>> My question is, if the proxy is behaving as a MITM between itself and
>> the client, can't the Firewall do the same thing between itself and
>> the proxy?
>
> I don't see why it can't.
That's good to hear.
>
>> I suspect it is possible, but might potentially involve a lot of
>> headaches and a big hit on performance?
>
> Do you are about original client IP addresses? If not, then I think
> this should be as simple as one proxy (Squid) talking to another proxy
> (firewall).
Yea, that's that we're looking to obtain.
>
>> Any insight into this would be greatly appreciated.
>
> I would wonder if WCCP /might/ be a viable option in this scenario or
> not. As in configure clients to use the firewall as a proxy and have
> the firewall do it's thing while leveraging Squid's caching capability
> via WCCP.
>
> There might also be the some room for having Squid view the firewall
> as a parent proxy.
I'm not aware of WCCP, but I'll look into it.
Thanks for info Grant.
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list