[squid-users] FW: Encrypted browser-Squid connection errors
Grant Taylor
gtaylor at tnetconsulting.net
Tue Oct 25 16:56:06 UTC 2022
On 10/25/22 10:18 AM, Matus UHLAR - fantomas wrote:
> I prefer to explicitly state what one means by transparent because
> RFC2616 has defined transparent proxy differently:
I do too. I /thought/ that I was explicitly stating. At least that was
my intention.
Aside: That's why I included my working definition. So hopefully you
would know what I meant even if I accidentally used the wrong term.
>> A "transparent proxy" is a proxy that does not modify the request
>> or response beyond what is required for proxy authentication and
>> identification.
>
> term "interception proxy" better defines what happens here:
>
>> Instead, an interception proxy filters or redirects outgoing TCP port
>> 80 packets (and occasionally other common port traffic).
It seems as if I should (re)read RFC 2616 and refine my use of terms.
Based on the quoted sections, it seems to me like an intercepting proxy
is a superset of a transparent proxy.
Aside: I can see a conceptual way to not modify any of the TCP
connection (source & destination IPs & ports) while still actively
proxying the traffic. -- I don't know if Squid supports this or not.
But I do see conceptually what would be done.
> FYI, Intercepting proxy must use measures to avoid host header forgery:
>
> https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
> https://www.kb.cert.org/vuls/id/435052
I'll have to read those.
> squid must find out the original destination IP used and check, while in
> explicit mode it makes no sense.
I'll have to think about that. Probably more so after reading the links
you provided.
Aside: I've long been a fan of and preferred explicit client
configuration to use a proxy.
> this is a bit different kind of hacks.
>
> Generally the SOCKS library know where/how to connect, socks wrappers
> (like socksify, tsocks, proxychains) are used to make other software use
> socks proxy even if it does not support it.
Agreed.
> and of course socks is a generic bidirectional tcp/udp proxy, which makes
> it possible to implement it over nearly any kind of communication.
Yes, SOCKS is bidirectional. However, inbound connections through it,
e.g. FTP active connections, are time-limited. -- At least I'm not
aware of any way to have a SOCKS proxy allow inbound traffic
indefinitely, à la port forwarding in NAT or SSH remote port forwarding
(assuming the real server is the SSH client).
--
Grant. . . .
unix || die
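The destination check Matus refers to for interception mode, written out as an added example (not code from this thread, and not Squid's own implementation): the proxy recovers the IP the client actually connected to, resolves the Host header itself, and only trusts Host if that IP is among the answers. DNS is replaced by a constructed in-memory table with hypothetical names so it runs offline.

```python
import ipaddress
from typing import Mapping, Sequence

# Constructed stand-in for DNS (hypothetical names, RFC 5737 / 3849 documentation
# addresses). A real intercepting proxy would resolve the name itself.
FAKE_DNS: Mapping[str, Sequence[str]] = {
    "www.example.com": ("203.0.113.10",),
    "cdn.example.net": ("198.51.100.20", "198.51.100.21"),
}

def host_from_header(host_header: str) -> str:
    """Strip an optional :port ("example.com:8080", "[2001:db8::1]:80")."""
    h = host_header.strip().lower()
    if h.startswith("["):                       # bracketed IPv6 literal
        return h[1:h.index("]")]
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h

def verify_host_header(orig_dst_ip: str, host_header: str,
                       dns: Mapping[str, Sequence[str]] = FAKE_DNS) -> tuple[bool, str]:
    """Return (verified, reason) for one intercepted request.

    orig_dst_ip is the destination the client really connected to, as recovered
    from the intercepted socket (e.g. SO_ORIGINAL_DST on Linux). The check only
    makes sense in interception mode: an explicitly configured client connected
    to the proxy itself, so there is no client-chosen destination to compare.
    """
    try:
        dst = ipaddress.ip_address(orig_dst_ip)
    except ValueError:
        return False, "original destination is not a valid IP"
    host = host_from_header(host_header)
    if not host:
        return False, "empty Host header"
    # Case 1: Host is an IP literal; it must equal the intercepted destination.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        return literal == dst, f"Host literal {literal} vs destination {dst}"
    # Case 2: Host is a name; the intercepted destination must be one of its addresses.
    addrs = {ipaddress.ip_address(a) for a in dns.get(host, ())}
    if not addrs:
        return False, f"{host} does not resolve; do not trust Host"
    if dst in addrs:
        return True, f"{host} resolves to {dst}"
    # Mismatch: Host names an origin the client never connected to (forgery).
    return False, f"{host} resolves to {sorted(map(str, addrs))}, not {dst}"
```

On a mismatch the safe handling is to forward only to the original destination and not to cache the response under the forged name.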