[squid-users] squid-users Digest, Vol 59, Issue 10

Arunabha Saha arunabha.saha at gmail.com
Wed Jul 10 23:44:32 UTC 2019


>The client will attempt to open a TLS/TCP connection to the origin
>server. Your router (or some such) will redirect client TLS/TCP bytes to
>your Squid's https_port. If configured correctly, Squid will accept that
>TCP connection and wrap/forward it into/inside an HTTP CONNECT tunnel
>through the corporate proxy.

   I'm trying to accomplish something similar but I don't see Squid
wrap the connection to the parent proxy in an HTTP CONNECT tunnel.
   User ----->Squid(Transparent Proxy)--------->Parent Proxy------>Internet.
   I need to see a CONNECT tunnel between Squid(Transparent Proxy)
and Parent Proxy but I don't.   Based on another thread, is this
something that works only starting with Squid 4.x?   My version is Squid
3.5.25.


On Wed, Jul 10, 2019 at 5:02 AM
<squid-users-request at lists.squid-cache.org> wrote:
>
> Send squid-users mailing list submissions to
>         squid-users at lists.squid-cache.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.squid-cache.org/listinfo/squid-users
> or, via email, send a message with subject or body 'help' to
>         squid-users-request at lists.squid-cache.org
>
> You can reach the person managing the list at
>         squid-users-owner at lists.squid-cache.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."
>
>
> Today's Topics:
>
>    1. Non-standard proxy setup (Tardif, Christian)
>    2. Re: Non-standard proxy setup (Alex Rousskov)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 9 Jul 2019 13:10:21 +0000
> From: "Tardif, Christian" <christian.tardif at bell.ca>
> To: "squid-users at lists.squid-cache.org"
>         <squid-users at lists.squid-cache.org>
> Subject: [squid-users] Non-standard proxy setup
> Message-ID:
>         <adf806f395d24d45a575a0ee772759d3 at DG2MBX03-WYN.bell.corp.bce.ca>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I'm trying to figure out how to make the following setup work:
>
> I have a node on which there's an application which isn't proxy aware so basically, the only remaining option would be to use a transparent proxy. But my corporate proxy isn't a transparent proxy. So I have to build this in two layers. My solution would be to:
>
>
> 1)     Have a squid proxy on the node's router host configured as a transparent proxy for both HTTP and HTTPS
>
> 2)     Have this squid proxy configured to talk to the parent host, which would be my corporate proxy
>
> 3)     Have this squid proxy able to decide if a particular flow should go to the corporate proxy or connect "directly" with the destination host
>
> I've been successful at tasks #2 and #3 (well, in fact, I did it with tinyproxy but stopped because of task #1).
>
> I've partly succeeded at task #1. In fact, it worked for HTTP. I haven't figured out how to do it for HTTPS. My questions are:
>
>
> 1)     I do not understand how the client would be able to perform a CONNECT to reach squid in HTTPS. So I'm assuming that there's some other magic.
>
> 2)     The second thing I don't understand is the certificates management. Let's say my node tries to reach https://www.google.com but does not know anything about the proxy. I assume that the client will get the certificate from squid in some way, but would probably expect to receive a certificate from Google. How would that work?
>
> Can someone help me?   I'm running out of options...
>
> Thanks,
>
> Christian Tardif
>
> ------------------------------
>
> Message: 2
> Date: Tue, 9 Jul 2019 09:54:25 -0400
> From: Alex Rousskov <rousskov at measurement-factory.com>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Non-standard proxy setup
> Message-ID:
>         <bf4b6e33-5075-ef84-dea9-c42ef68ac46f at measurement-factory.com>
> Content-Type: text/plain; charset=windows-1252
>
> On 7/9/19 9:10 AM, Tardif, Christian wrote:
>
> > I have a node on which there’s an application which isn’t proxy aware so
> > basically, the only remaining option would be to use a transparent
> > proxy. But my corporate proxy isn’t a transparent proxy. So I have to
> > build this in two layers. My solution would be to:
> >
> >
> >
> > 1)     Have a squid proxy on the node’s router host configured as a
> > transparent proxy for both HTTP and HTTPS
> >
> > 2)     Have this squid proxy configured to talk to the parent host,
> > which would be my corporate proxy
> >
> > 3)     Have this squid proxy able to decide if a particular flow should
> > go to the corporate proxy or connect “directly” with the destination host
> >
> >
> >
> > I’ve been successful at tasks #2 and #3 (well, in fact, I did it with
> > tinyproxy but stopped because of task #1).
> >
> >
> >
> > I’ve partly succeeded at task #1. In fact, it worked for HTTP. I haven’t
> > figured out how to do it for HTTPS. My questions are:
> >
> >
> >
> > 1)     I do not understand how the client would be able to perform a
> > CONNECT to reach squid in HTTPS. So I’m assuming that there’s some other
> > magic.
>
> The client will attempt to open a TLS/TCP connection to the origin
> server. Your router (or some such) will redirect client TLS/TCP bytes to
> your Squid's https_port. If configured correctly, Squid will accept that
> TCP connection and wrap/forward it into/inside an HTTP CONNECT tunnel
> through the corporate proxy.
>
>
> > 2)     The second thing I don’t understand is the certificates
> > management. Let’s say my node tries to reach https://www.google.com but
> > does not know anything about the proxy. I assume that the client will
> > get the certificate from squid in some way, but would probably expect to
> > receive a certificate from Google. How would that work?
>
> * If you do not want your Squid to look inside the connection to
> google.com, then your Squid will work at TCP level. Same for the
> corporate proxy. Both proxies will forward Google certificate to the
> unsuspecting client and everything will work fine most[XXX] of the time.
>
> * Otherwise, you will need to use SslBump functionality and impersonate
> the origin server, including faking its certificate. If you add your
> proxy CA certificate to the client, this bumping will work for some
> sites and will break others.
>
> [XXX] The only HTTPS-related problem you may have in a tunneling-only
> Squid is with TCP-level error reporting to the client (e.g., when Squid
> cannot connect to the corporate proxy). By default, Squid may want to
> bump the client connection (to report those errors to the client),
> causing bumping problems mentioned in the second bullet above. For Squid
> configurations that are not supposed to bump traffic at all, this
> implicit bumping on errors is a bug/misfeature.
>
>
> HTH,
>
> Alex.
>
>
> ------------------------------
>



-- 
regards,
Arun
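For readers landing on this thread later, here is the squid.conf fragment that corresponds to the tunnel-only setup Alex describes (intercept on https_port, peek-then-splice so TLS is never terminated, corporate proxy as a cache_peer, always_direct/never_direct to decide per destination whether to bypass it). This is an added example written for this page, not configuration posted by Christian, Arun or the Squid project. The parent name corp-proxy.example.com:8080, the client subnet 10.0.0.0/24, the bypass domain .internal.example.com, the certificate path and the certificate-helper path are assumptions; adjust them to your environment. Whether a given Squid release actually emits a CONNECT to the parent for spliced connections is exactly the question Arun raises above and is not settled by this fragment.

```squid
# Added example (not from the thread): squid.conf for a transparent Squid that
# tunnels HTTPS through a non-transparent corporate parent proxy.

# Explicit port for proxy-aware clients, plus the intercept ports that the
# router's REDIRECT/DNAT rules point at. Intercepted traffic must never be
# sent to the explicit port (and vice versa); Squid refuses mixed-mode ports.
http_port  3128
http_port  3129 intercept

# Intercepting HTTPS requires ssl-bump and a CA cert+key on the port even when
# the policy below never bumps: Squid only uses it to bump a client connection
# when it has to report a TCP-level error (the [XXX] caveat in Alex's reply).
# /etc/squid/ssl/squid.pem is an assumed path.
https_port 3130 intercept ssl-bump \
    cert=/etc/squid/ssl/squid.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Certificate generator helper; the binary name is installation-dependent
# (ssl_crtd in Squid 3.5, security_file_certgen in Squid 4). Assumed path.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Tunnel-only policy: peek at the ClientHello so the SNI is available to ACLs,
# then splice, i.e. forward the client's TLS bytes untouched. The origin's
# real certificate reaches the client, so no CA has to be installed on it.
# (Replacing "splice all" with "bump all" gives Alex's second option: Squid
# impersonates the origin with a generated cert, which needs the CA above
# trusted by the client and still breaks pinned or client-cert sites.)
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# Corporate proxy as parent: no-query because it is not an ICP peer, default
# marks it as the parent of last resort. Assumed host and port.
cache_peer corp-proxy.example.com parent 8080 0 no-query default

# Task 3 from Christian's mail: per-destination choice between going direct
# and going via the parent. Everything not listed in direct_dst is forced to
# the parent by never_direct.
acl direct_dst dstdomain .internal.example.com
always_direct allow direct_dst
never_direct  allow all

# Access control for the intercepted clients (assumed subnet).
acl localnet  src  10.0.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access allow localnet
http_access deny  all
```

On the router, the matching redirect rules are of the form `iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3129` and the same with `--dport 443` and `--to-ports 3130`, applied only to the client-facing interface so Squid's own outbound connections are not looped back into it. To verify the CONNECT wrapping that Arun is looking for, watch cache.log with `debug_options ALL,1 11,2` or capture the Squid-to-parent leg with tcpdump on port 8080: a spliced connection should appear there as a plaintext `CONNECT host:443 HTTP/1.1` followed by the client's ClientHello once the parent answers `200`.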

