[squid-users] Non intrusive sslbump for whitelisting (asked many times but..)
A. Benz
ash.benz at bk.ru
Wed Nov 15 06:51:58 UTC 2017
Hi Amos,
Just wanted to follow up on this saying thanks for taking the time to reply.
Cheers.
Regards,
A. Benz
On 11/11/17 09:54, Amos Jeffries wrote:
> On 11/11/17 14:03, Amos Jeffries wrote:
>> On 11/11/17 01:05, A. Benz wrote:
>>> Hi Amos,
>>>
>>> Thanks for your continued support.
>>>
>>> 1.
>>>
>>>> Do you mean the VPN exit point has that 10/8 IP address? or that
>>>> the traffic from the client is altered to be going to that IP
>>>> before it reaches Squid?
>>>>
>>>> The latter is broken because it destroys the original dst-IP values
>>>> on the TCP connection. Which Squid needs to set up the server
>>>> connection.
>>>
>>> Let me put it as an example:
>>>
>>> From the normal internet: mail.amosprivateserver.org > publicly
>>> accessible IP.
>>>
>>> From my place: mail.amosprivateserver.org > 10.x.x.x (corporate
>>> network, accessible only from within the place).
>>>
>>> Anyways no worries about this! I decided to make an exception in the
>>> redirect rule, so that if the outgoing traffic matches the IP
>>> 10.x.x.x then the firewall will not redirect the traffic to squid
>>> and instead establish a connection directly.
>>>
>>> This is not ideal, but it works.
>>>
>>
>> Or have Squid relay everything through the same server(s) and
>> the server do the distinguishing between traffic and just relay
>> everything to the same
>>
>
> Damn that sounds daft.
>
> What I meant to write was:
>
> Or have Squid relay everything through the same server(s) and
> the server do the distinguishing between traffic.
>
> Or set up a cache_peer and have the traffic with src IP of the internal
> clients going to that domain sent there.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users