[squid-users] HTTPS support
Daniel Greenwald
dig at digcorp.net
Wed May 3 20:22:27 UTC 2017
Seems to me you are overthinking this. What you're up against is blocked
outbound ports. Simply run openvpn at your home over one of the allowed
outbound ports eg 80 443 or possibly 3128/8080 according to your
environment and call it a day. You won't need proxy authentication or
haproxy etc..
On Wed, May 3, 2017 at 3:35 PM, Craddock, Tommy <
Tommy.Craddock at bicgraphic.com> wrote:
> Hello,
>
>
>
> Yeah, that guide is for PFsense in particular, but you could run HAProxy
> by itself (say in a VM) and get the same result. Just fwd those ports from
> your router to the HAProxy box.
>
>
> Thanks!
>
>
>
>
>
> *From:* squid-users [mailto:squid-users-bounces at lists.squid-cache.org] *On
> Behalf Of *j m
> *Sent:* Wednesday, May 03, 2017 3:14 PM
>
> *To:* squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] HTTPS support
>
>
>
> Looks interesting, but it looks complex and sounds like I'd need more of a
> router than I have to do it.
> ------------------------------
>
> *From:* "Craddock, Tommy" <Tommy.Craddock at bicgraphic.com>
> *To:* "squid-users at lists.squid-cache.org" <squid-users at lists.squid-
> cache.org>
> *Sent:* Wednesday, May 3, 2017 2:04 PM
> *Subject:* Re: [squid-users] HTTPS support
>
>
>
> Hello,
>
>
>
> Is this more in line with what your trying to do:
>
>
>
> http://loredo.me/post/116633549315/geeking-out-with-
> haproxy-on-pfsense-the-ultimate
>
>
>
> Tommy
>
>
>
> *From:* squid-users [mailto:squid-users-bounces at lists.squid-cache.org
> <squid-users-bounces at lists.squid-cache.org>] *On Behalf Of *j m
> *Sent:* Wednesday, May 03, 2017 2:44 PM
> *To:* squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] HTTPS support
>
>
>
> In any case, I'm finding SSH through proxy is undesirable or not
> possible. I'm thinking shellinabox, which is insecure but run over a
> secure proxy link, is my best bet.
>
>
> ------------------------------
>
> *From:* Alex Rousskov <rousskov at measurement-factory.com>
> *To:* j m <acctforjunk at yahoo.com>; "squid-users at lists.squid-cache.org" <
> squid-users at lists.squid-cache.org>
> *Sent:* Wednesday, May 3, 2017 1:19 PM
> *Subject:* Re: [squid-users] HTTPS support
>
>
>
> On 05/03/2017 11:37 AM, j m wrote:
> > the plan was to use SSH through the proxy.
>
> If your SSH clients support SSH through an HTTP proxy, then do not
> authenticate them in Squid. Just do not let them go anywhere but the SSH
> server. It would be like running an exposed-to-the-world SSH server, no
> worse. Squid will still know nothing about SSH. Squid will just tunnel
> opaque bytes from your SSH clients to your SSH server. You will use an
> HTTP (not HTTPS) Squid port for this traffic because your SSH clients
> are unlikely to support HTTPS to the proxy.
>
> Your browsers will still use HTTPS to the proxy (and get authenticated).
> Thus, you will have two different http_ports, one for HTTP
> (unauthenticated SSH clients) and one for HTTPS (authenticated browsers).
>
> If SSH blocking is not based on _protocol_ but on port, then follow
> Antony Stone advice and change the SSH server port instead of
> HTTP-proxying SSH connections.
>
> Alex.
>
>
>
>
>
> > ------------------------------------------------------------------------
> > *From:* Alex Rousskov <rousskov at measurement-factory.com>
> > *To:* "squid-users at lists.squid-cache.org"
> > <squid-users at lists.squid-cache.org>
> > *Cc:* j m <acctforjunk at yahoo.com>
> > *Sent:* Wednesday, May 3, 2017 12:22 PM
> > *Subject:* Re: [squid-users] HTTPS support
> >
> > On 05/03/2017 10:57 AM, j m wrote:
> >> I wanted to set up a proxy on my home server for use from remote
> >> locations to use as a web proxy (of course) and also to run SSH over.
> >
> > The "ssh" part is unrelated to Squid. Secure ssh separately from Squid.
> >
> >
> >> This means that basic auth is undesirable due to the login being sent
> >> in clear text. So, someone suggested digest auth, and I was happy.
> >> But, now I'm finding that PuTTY and WinSCP do not support digest auth.
> >> And consequently, I haven't found any other SSH clients that support
> >> digest. (sigh)
> >
> > These problems will go away if you stop mixing Squid and ssh. Squid is
> > HTTP while PuTTY/WinSCP is SSH. You gain very little by trying to use
> > the same authentication mechanism for both protocols in your use case.
> >
> >
> >> So, I'm back to plan b, and that is to have a secure proxy connection so
> >> all browser-to-server communication is encrypted.
> >
> > That is a good idea if all of your browsers support it. Popular browsers
> > support HTTPS-to-proxy on desktop, but I am not sure about their mobile
> > versions. You may have to jump through some hoops.
> >
> >
> >
> >> So the question is, does
> >> anyone know if squid 3.5 on Ubuntu 16.04 supports secure connections?
> >
> >
> > Squid v3.5 supports secure connections to the proxy. See "TLS / SSL
> > Options" for the http_port directive (not the https_port directive!).
> >
> > You can install Squid v3.5 on Ubuntu. I do not know whether the official
> > Ubuntu Squid package is built with the required support.
> >
> >
> > HTH,
> >
> > Alex.
> >
> >
> >
> >
>
>
>
>
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________
>
>
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
>
>
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________
>
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170503/a02cbeea/attachment-0001.html>
More information about the squid-users
mailing list