[squid-users] FW: Encrypted browser-Squid connection errors
Grant Taylor
gtaylor at tnetconsulting.net
Tue Oct 25 19:07:17 UTC 2022
On 10/25/22 12:57 PM, Matus UHLAR - fantomas wrote:
> That is why I prefer using "intercepting proxy" for the case where
> connections between clients and servers are intercepted by the proxy,
> without it being configured in browsers.
Fair enough.
> precisely, so what exactly aren't you convinced about? :-)
The term "transparent" having multiple meanings.
I believe we were talking past each other and now are not.
> Have you noticed this with SOCKS server?
Yes, the DANTE SOCKS server is exactly where I first read about the
limitation that I'm talking about. Subsequent reading about other SOCKS
servers supported this limitation.
N.B. I'm specifically talking about how a SOCKS aware (FTP) client can
ask that an external port be connected to the SOCKS client for a defined
period of time (ten minutes in the examples I saw). This is sufficient
for most active FTP connections (presuming that the ftp client is also
the socks client) as the data connection from the FTP server comes back
to the SOCKS server ~> FTP client in short order.
> I guess this applies for firewalls that will disable connections to the
> port later. But the same applies for PASV connections and the reply
> when a firewall at the server side is used.
Agreed.
Aside: I don't think I've ever seen SOCKS be used to front public
services. Rather I've only ever seen SOCKS used for (private) clients.
> When ssl/tls is used between client and server, intermediate gateways
> and firewalls don't know what ports do endpoints agree on using PORT/PASV.
>
> Unless they intercept the SSL connection (which kind of makes them FTP
> endpoints) or the client supports and issues the FTP command "CCC" which is
> designed for this case. I'm afraid not many FTP clients do that.
Agreed.
I think this middle box behavior is far more common on HTTPS in larger
data centers where the middle box is used to enforce compliance and the
like.
> agree.
>
> the workaround is to use a static list of ports at the server side and
> configure the server firewall to statically allow connections to these ports
> (optionally NAT them).
Yep.
> however this is already not a SQUID issue.
Agreed.
--
Grant. . . .
unix || die
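The thread's point is that a gateway can only help with FTP data connections if it can read the PORT command or the PASV/EPSV reply on the control channel, which FTPS hides unless CCC is issued; the agreed workaround is a static passive range on the server plus a matching firewall rule. The following is an added example, not code from the thread or from Squid, that decodes those control-channel messages the way a middlebox (or an operator debugging one) would have to, and checks the server's chosen data port against a static range. The range values, the sample replies and the function names are constructed for illustration.

```python
"""Decode FTP PORT/PASV/EPSV host-port information and check the agreed
data port against a static server-side passive range.

Added example, not from the squid-users thread. The range and the sample
replies are constructed; pick your own range and open the same range on
the server firewall.
"""
import ipaddress
import re

# Hypothetical static passive range configured on the FTP server
# (e.g. vsftpd's pasv_min_port / pasv_max_port). The server-side firewall
# must allow inbound connections to exactly this range.
PASV_PORT_MIN = 50000
PASV_PORT_MAX = 50100

# RFC 959 encoding used by both the PORT command and the 227 PASV reply:
# h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_HOST_PORT_RE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)
# RFC 2428 229 EPSV reply: "(|||port|)", host is the control-connection peer.
_EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def _decode_host_port(text):
    """Decode 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = _HOST_PORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % text)
    host = str(ipaddress.IPv4Address(".".join(str(n) for n in nums[:4])))
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def parse_pasv_reply(reply):
    """Server '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    Returns the (host, port) the client must connect to for the data channel.
    """
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _decode_host_port(reply)


def parse_epsv_reply(reply):
    """Server '229 Entering Extended Passive Mode (|||port|)' reply.

    Returns only the port; the host is whatever the control connection peers with.
    """
    if not reply.startswith("229"):
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    m = _EPSV_RE.search(reply)
    if not m:
        raise ValueError("no (|||port|) field in %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % reply)
    return port


def parse_port_command(command):
    """Client 'PORT h1,h2,h3,h4,p1,p2' (active mode).

    Returns the (host, port) the server will connect back to; this is the
    address a SOCKS BIND or a stateful firewall would have to open.
    """
    parts = command.strip().split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "PORT":
        raise ValueError("not a PORT command: %r" % command)
    return _decode_host_port(parts[1])


def in_static_passive_range(port, low=PASV_PORT_MIN, high=PASV_PORT_MAX):
    """True if the server's chosen data port lies inside the range the
    server firewall statically allows."""
    return low <= port <= high


def check_passive_reply(reply):
    """Decode a 227 or 229 reply and report (port, allowed_by_static_range)."""
    if reply.startswith("229"):
        port = parse_epsv_reply(reply)
    else:
        port = parse_pasv_reply(reply)[1]
    return port, in_static_passive_range(port)


if __name__ == "__main__":
    # Constructed sample replies, as a client would see them in cleartext.
    for sample in (
        "227 Entering Passive Mode (192,0,2,10,195,88).",
        "229 Entering Extended Passive Mode (|||50100|)",
        "227 Entering Passive Mode (192,0,2,10,195,255).",
    ):
        print(sample, "->", check_passive_reply(sample))
```

With FTPS (AUTH TLS) and no CCC, a middlebox never sees these strings at all; only the client and server can run this decoding, which is exactly why the server must pin its passive range and the firewall must allow it without inspecting the control channel. In active mode the same decoding applies to the client's PORT command, and a SOCKS BIND-style gateway needs that (host, port) to know what to open.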