<div dir="ltr"><span style="color:rgb(0,0,0);font-size:12.8px">Seems to me you are overthinking this. What you're up against is blocked outbound ports. Simply run OpenVPN at your home over one of the allowed outbound ports, e.g. 80, 443, or possibly 3128/8080 according to your environment, and call it a day. You won't need proxy authentication or HAProxy, etc.</span><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 3, 2017 at 3:35 PM, Craddock, Tommy <span dir="ltr"><<a href="mailto:Tommy.Craddock@bicgraphic.com" target="_blank">Tommy.Craddock@bicgraphic.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="blue" vlink="purple">
<div class="m_-3789798545183457897WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hello,
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Yeah, that guide is for pfSense in particular, but you could run HAProxy by itself (say in a VM) and get the same result.  Just fwd those ports from your router
 to the HAProxy box. <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><br>
Thanks!<u></u><u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> squid-users [mailto:<a href="mailto:squid-users-bounces@lists.squid-cache.org" target="_blank">squid-users-bounces@<wbr>lists.squid-cache.org</a>]
<b>On Behalf Of </b>j m<br>
<b>Sent:</b> Wednesday, May 03, 2017 3:14 PM</span></p><div><div class="h5"><br>
<b>To:</b> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<wbr>org</a><br>
<b>Subject:</b> Re: [squid-users] HTTPS support<u></u><u></u></div></div><p></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5410">
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-size:10.0pt;font-family:"Helvetica","sans-serif";color:black">Looks interesting, but it looks complex and sounds like I'd need more of a router than I have to do it.<u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5500">
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5499">
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5498">
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5666">
<div class="MsoNormal" align="center" style="text-align:center;background:white">
<span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">
<hr size="1" width="100%" align="center">
</span></div>
<p class="MsoNormal" style="background:white"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:black"> "Craddock, Tommy" <<a href="mailto:Tommy.Craddock@bicgraphic.com" target="_blank">Tommy.Craddock@bicgraphic.com</a><wbr>><br>
<b>To:</b> "<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-<wbr>cache.org</a>" <<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-<wbr>cache.org</a>>
<br>
<b id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5819">Sent:</b> Wednesday, May 3, 2017 2:04 PM<br>
<b>Subject:</b> Re: [squid-users] HTTPS support</span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5497">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica","sans-serif";color:black"><u></u> <u></u></span></p>
<div id="m_-3789798545183457897yiv0837668946">
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5496">
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5495">
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5664">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Helvetica","sans-serif";color:black">Hello,
</span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5643">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Helvetica","sans-serif";color:black"> </span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5641">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Helvetica","sans-serif";color:black">Is this more in line with what you're trying to do:</span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5640">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Helvetica","sans-serif";color:black"> </span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5520">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Helvetica","sans-serif";color:black"><a href="http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate" target="_blank">http://loredo.me/post/<wbr>116633549315/geeking-out-with-<wbr>haproxy-on-pfsense-the-<wbr>ultimate</a></span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5517">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Helvetica","sans-serif";color:black"> </span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5516">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Helvetica","sans-serif";color:black">Tommy
</span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5515">
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Helvetica","sans-serif";color:black"> </span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yiv0837668946yqt31524">
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5514">
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in" id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5513">
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5512">
<p class="MsoNormal" style="background:white"><b><span style="font-size:11.0pt;font-family:"Helvetica","sans-serif";color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Helvetica","sans-serif";color:black"> squid-users [<a href="mailto:squid-users-bounces@lists.squid-cache.org" target="_blank">mailto:squid-users-bounces@<wbr>lists.squid-cache.org</a>]
<b>On Behalf Of </b>j m<br>
<b>Sent:</b> Wednesday, May 03, 2017 2:44 PM<br>
<b id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5821">To:</b> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">
squid-users@lists.squid-cache.<wbr>org</a><br>
<b>Subject:</b> Re: [squid-users] HTTPS support</span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
</div>
</div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5510">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica","sans-serif";color:black"> <u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5494">
<div id="m_-3789798545183457897yiv0837668946yui_3_16_0_ym19_1_1493835252799_10881">
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5509">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica","sans-serif";color:black">In any case, I'm finding SSH through proxy is undesirable or not possible.  I'm thinking shellinabox, which is insecure but run over
 a secure proxy link, is my best bet.</span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
</div>
<div id="m_-3789798545183457897yiv0837668946yui_3_16_0_ym19_1_1493835252799_10900">
<div style="margin-bottom:12.0pt" id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5507">
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Helvetica","sans-serif";color:black"> </span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
</div>
<div id="m_-3789798545183457897yiv0837668946yui_3_16_0_ym19_1_1493835252799_10904">
<div id="m_-3789798545183457897yiv0837668946yui_3_16_0_ym19_1_1493835252799_10903">
<div id="m_-3789798545183457897yiv0837668946yui_3_16_0_ym19_1_1493835252799_10902">
<div id="m_-3789798545183457897yiv0837668946yui_3_16_0_ym19_1_1493835252799_10901">
<div class="MsoNormal" align="center" style="text-align:center;background:white">
<span style="font-family:"Helvetica","sans-serif";color:black">
<hr size="1" width="100%" align="center">
</span></div>
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5504">
<p class="MsoNormal" style="background:white"><b><span style="font-size:10.0pt;font-family:"Helvetica","sans-serif";color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Helvetica","sans-serif";color:black"> Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.<wbr>com</a>><br>
<b>To:</b> j m <<a href="mailto:acctforjunk@yahoo.com" id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5502" target="_blank">acctforjunk@yahoo.com</a>>; "<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-<wbr>cache.org</a>" <<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-<wbr>cache.org</a>>
<br>
<b id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5823">Sent:</b> Wednesday, May 3, 2017 1:19 PM<br>
<b>Subject:</b> Re: [squid-users] HTTPS support</span><span style="font-family:"Helvetica","sans-serif";color:black"><u></u><u></u></span></p>
</div>
</div>
<div id="m_-3789798545183457897yiv0837668946yui_3_16_0_ym19_1_1493835252799_10906">
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5501">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica","sans-serif";color:black"> <u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yiv0837668946yui_3_16_0_ym19_1_1493835252799_10905">
<div id="m_-3789798545183457897yui_3_16_0_ym19_1_1493838446403_5493">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica","sans-serif";color:black">On 05/03/2017 11:37 AM, j m wrote:<br>
> the plan was to use SSH through the proxy.<br>
<br>
If your SSH clients support SSH through an HTTP proxy, then do not<br>
authenticate them in Squid. Just do not let them go anywhere but the SSH<br>
server. It would be like running an exposed-to-the-world SSH server, no<br>
worse. Squid will still know nothing about SSH. Squid will just tunnel<br>
opaque bytes from your SSH clients to your SSH server. You will use an<br>
HTTP (not HTTPS) Squid port for this traffic because your SSH clients<br>
are unlikely to support HTTPS to the proxy.<br>
<br>
Your browsers will still use HTTPS to the proxy (and get authenticated).<br>
Thus, you will have two different http_ports, one for HTTP<br>
(unauthenticated SSH clients) and one for HTTPS (authenticated browsers).<br>
<br>
If SSH blocking is not based on _protocol_ but on port, then follow<br>
Antony Stone's advice and change the SSH server port instead of<br>
HTTP-proxying SSH connections.<br>
<br>
Alex.<u></u><u></u></span></p>
</div>
<div id="m_-3789798545183457897yiv0837668946yqtfd64275">
<div style="margin-bottom:12.0pt">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica","sans-serif";color:black"><br>
<br>
<br>
<br>
> ------------------------------<wbr>------------------------------<wbr>------------<br>
> *From:* Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.<wbr>com</a>><br>
> *To:* "<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-<wbr>cache.org</a>"<br>
> <<a href="mailto:squid-users@lists.squid-cache.org" id="m_-3789798545183457897yiv0837668946yui_3_16_0_ym19_1_1493835252799_11003" target="_blank">squid-users@lists.squid-<wbr>cache.org</a>><br>
> *Cc:* j m <<a href="mailto:acctforjunk@yahoo.com" target="_blank">acctforjunk@yahoo.com</a>><br>
> *Sent:* Wednesday, May 3, 2017 12:22 PM<br>
> *Subject:* Re: [squid-users] HTTPS support<br>
> <br>
> On 05/03/2017 10:57 AM, j m wrote:<br>
>> I wanted to set up a proxy on my home server for use from remote<br>
>> locations to use as a web proxy (of course) and also to run SSH over.<br>
> <br>
> The "ssh" part is unrelated to Squid. Secure ssh separately from Squid.<br>
> <br>
> <br>
>> This means that basic auth is undesirable due to the login being sent<br>
>> in clear text.  So, someone suggested digest auth, and I was happy.<br>
>>  But, now I'm finding that PuTTY and WinSCP do not support digest auth.<br>
>>  And consequently, I haven't found any other SSH clients that support<br>
>> digest. (sigh)<br>
> <br>
> These problems will go away if you stop mixing Squid and ssh. Squid is<br>
> HTTP while PuTTY/WinSCP is SSH. You gain very little by trying to use<br>
> the same authentication mechanism for both protocols in your use case.<br>
> <br>
> <br>
>> So, I'm back to plan b, and that is to have a secure proxy connection so<br>
>> all browser-to-server communication is encrypted.<br>
> <br>
> That is a good idea if all of your browsers support it. Popular browsers<br>
> support HTTPS-to-proxy on desktop, but I am not sure about their mobile<br>
> versions. You may have to jump through some hoops.<br>
> <br>
> <br>
> <br>
>> So the question is, does<br>
>> anyone know if squid 3.5 on Ubuntu 16.04 supports secure connections?<br>
> <br>
> <br>
> Squid v3.5 supports secure connections to the proxy. See "TLS / SSL<br>
> Options" for the http_port directive (not the https_port directive!).<br>
> <br>
> You can install Squid v3.5 on Ubuntu. I do not know whether the official<br>
> Ubuntu Squid package is built with the required support.<br>
> <br>
> <br>
> HTH,<br>
> <br>
> Alex.<br>
> <br>
> <br>
> <br>
> <u></u><u></u></span></p>
</div>
</div>
</div>
<div style="margin-bottom:12.0pt">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica","sans-serif";color:black"> <u></u><u></u></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica","sans-serif";color:black"><br>
______________________________<wbr>______________________________<wbr>__________<br>
This email has been scanned by the Symantec Email Security.cloud service.<br>
For more information please visit <a href="http://www.symanteccloud.com/" target="_blank">
http://www.symanteccloud.com</a><br>
______________________________<wbr>______________________________<wbr>__________<u></u><u></u></span></p>
</div>
</div>
</div>
</div>
<div id="m_-3789798545183457897yqt93069">
<p class="MsoNormal" style="background:white"><span style="font-family:"Helvetica","sans-serif";color:black">______________________________<wbr>_________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a><u></u><u></u></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-family:"Helvetica","sans-serif";color:black"><u></u> <u></u></span></p>
</div>
</div>
</div>
</div>
</div>
</div></div></div><div><div class="h5">
</div></div></div>


<br></blockquote></div><br></div>
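<p>The two-listener layout described in the quoted reply from Alex Rousskov, written out as a Squid 3.5 configuration fragment. This is an added example, not configuration posted by anyone in the thread; the port numbers, the 192.0.2.10 server address, the certificate paths and the helper path are assumptions. The TLS listener uses https_port, which takes the cert= and key= options documented under http_port.</p>

```conf
# Added example, not from the thread. All addresses, ports and paths
# below are assumed values for illustration.

# Listener 1: plain HTTP proxy port, used only by SSH clients that can
# tunnel through an HTTP proxy with CONNECT. No proxy authentication.
http_port 3128

# Listener 2: TLS-protected proxy port for browsers. Requires a Squid
# build with TLS support.
https_port 3129 cert=/etc/squid/proxy.crt key=/etc/squid/proxy.key

# Which listener did the client connect to?
acl ssh_listener localport 3128
acl browser_listener localport 3129

# The only destination the unauthenticated listener may reach
# (192.0.2.10 is a documentation address standing in for the SSH server).
acl CONNECT method CONNECT
acl ssh_server dst 192.0.2.10
acl ssh_dport port 22

# Proxy authentication for browsers. Credentials cross the network only
# inside the TLS session on listener 2.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authed proxy_auth REQUIRED

# Unauthenticated listener: CONNECT to the one SSH server and nothing
# else, so its exposure is no worse than a public SSH server.
http_access allow ssh_listener CONNECT ssh_server ssh_dport
http_access deny ssh_listener

# TLS listener: authenticated users only.
http_access allow browser_listener authed

# Everything else is refused.
http_access deny all
```

<p>If these rules are merged into a stock squid.conf, place the SSH allow rule before the default "http_access deny CONNECT !SSL_ports" line, which would otherwise reject CONNECT to port 22. Check the result with "squid -k parse" before reloading.</p>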