[squid-users] Non intrusive sslbump for whitelisting (asked many times but..)

Amos Jeffries squid3 at treenet.co.nz
Sat Nov 11 01:54:20 UTC 2017


On 11/11/17 14:03, Amos Jeffries wrote:
> On 11/11/17 01:05, A. Benz wrote:
>> Hi Amos,
>>
>> Thanks for your continued support.
>>
>> 1.
>>
>>> Do you mean the VPN exit point has that 10/8 IP address? or that the 
>>> traffic from the client is altered to be going to that IP before it 
>>> reaches Squid?
>>>
>>> The latter is broken because it destroys the original dst-IP values 
>>> on the TCP connection. Which Squid needs to setup the server connection. 
>>
>> Let me put it as an example:
>>
>>  From the normal internet: mail.amosprivateserver.org > publicly 
>> accessible IP.
>>
>>  From my place: mail.amosprivateserver.org > 10.x.x.x (corporate 
>> network, accessible only from within the place).
>>
>> Anyways no worries about this! I decided to make an exception in the 
>> redirect rule, so that if the outgoing traffic matches the IP 10.x.x.x 
>> then the firewall will not redirect the traffic to squid and instead 
>> establish a connection directly.
>>
>> This is not ideal, but it works.
>>
> 
> Or have Squid relay everything through the same server(s) and
> the server do the distinguishing between traffic and just relay 
> everything to the same
> 

Damn that sounds daft.

What I meant to write was:

Or have Squid relay everything through the same server(s) and
the server do the distinguishing between traffic.

Or setup a cache_peer and have the traffic with src IP of the internal 
clients going to that domain sent there.

Amos
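One way the cache_peer suggestion above could be expressed in squid.conf. This is an added illustration, not configuration from the thread or from the Squid project; the peer hostname, port, client subnet and ACL names are placeholders, and the only real value taken from the discussion is the domain name used as an example there.

```conf
# Added example (not from the thread): send only the internal clients'
# requests for the corporate mail host through a parent proxy that can
# reach the 10.x.x.x address; everything else keeps going direct.
# Hostnames, ports and subnets below are placeholders (assumptions).

# Assumption: the LAN clients that need the internal route
acl internal_clients src 192.168.0.0/16

# Domain from the thread that resolves to a private address on site
acl corp_mail dstdomain mail.amosprivateserver.org

# Placeholder parent proxy sitting inside the corporate network
cache_peer corp-proxy.example.internal parent 3128 0 no-query no-digest name=corp_peer

# Only the matching (client, domain) pairs may use the peer
cache_peer_access corp_peer allow internal_clients corp_mail
cache_peer_access corp_peer deny all

# Those requests must not be fetched directly by Squid; all other
# traffic keeps the default behaviour (never_direct defaults to deny)
never_direct allow internal_clients corp_mail
never_direct deny all
```

The `cache_peer_access` deny rule keeps unrelated traffic off the peer, and `never_direct` is what stops Squid from trying the (unreachable from its own vantage point) destination itself when the peer is down. Whether the parent is willing to relay the bumped or CONNECT requests that the intercept setup in the thread produces is something to confirm on that parent; this fragment only covers the routing decision on the Squid side.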

