[squid-users] Question regarding TPROXY and sslBump

Amos Jeffries squid3 at treenet.co.nz
Sat Feb 15 15:40:55 UTC 2020


On 16/02/20 2:58 am, Felipe Polanco wrote:
> Thanks for the reply,
> 
> Speaking strictly about TPROXY, are there any limitations compared to
> regular transparent intercept?

I assume that by "regular transparent intercept" you mean NAT intercept.

The primary difference between TPROXY and NAT ... is that NAT is *not*
"transparent". All the differences derive from that.

To use TPROXY the machine running it must have the ability to spoof IPs
on packets outgoing from Squid and to properly deliver them afterwards.
This primarily affects Squid hosted in cloud services where that
low-level control is not permitted or quite difficult.

The problems NAT introduces by having a different IP address on traffic
arriving at servers largely disappear. But all other issues related to
middleware touching the messages in transit remain the same.

Amos
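
Added example, not part of the original message and not Squid's own code: a pre-flight check for the requirement described above, that the host lets a process send from source addresses it does not own. It assumes Linux, where this is the `IP_TRANSPARENT` socket option; the names `TproxyCheck` and `check_tproxy_capability` and the 192.0.2.1 test address are chosen for illustration.

```python
import errno
import socket
from dataclasses import dataclass

# Linux value from <linux/in.h>; some Python builds do not export the name.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)

# Constructed sample: a TEST-NET-1 address (RFC 5737), never a local address.
FOREIGN_ADDR = "192.0.2.1"


@dataclass
class TproxyCheck:
    can_set_transparent: bool  # kernel accepted setsockopt(IP_TRANSPARENT)
    can_bind_foreign: bool     # bind() to a non-local source address worked
    detail: str                # human-readable reason for the result


def check_tproxy_capability(addr: str = FOREIGN_ADDR) -> TproxyCheck:
    """Report whether this process may originate traffic from `addr`."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError as exc:
        return TproxyCheck(False, False, f"socket() failed: {exc}")
    with sock:
        try:
            # Needs CAP_NET_ADMIN; restricted or cloud hosts often deny it.
            sock.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
        except OSError as exc:
            if exc.errno in (errno.EPERM, errno.EACCES):
                why = "IP_TRANSPARENT denied: process lacks CAP_NET_ADMIN"
            else:
                why = f"IP_TRANSPARENT not usable: {exc}"
            return TproxyCheck(False, False, why)
        try:
            # Port 0 only claims the address; no packet leaves the host.
            sock.bind((addr, 0))
        except OSError as exc:
            return TproxyCheck(True, False, f"bind({addr}) failed: {exc}")
    return TproxyCheck(True, True, f"may bind non-local source {addr}")


if __name__ == "__main__":
    print(check_tproxy_capability())
```

This covers only the spoofing half of the requirement: replies addressed to the spoofed client IP must still be routed back through the Squid machine, which this check does not test.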

