[squid-users] MITM the MITM
Grant Taylor
gtaylor at tnetconsulting.net
Tue Jan 4 04:19:13 UTC 2022
On 1/3/22 5:19 PM, Will BMD wrote:
> Hey all,
Hi,
> From the Firewalls perspective all client connections are originating
> as the proxy server. We're wanting to use the https inspect feature of
> the firewall,
I'm taking "HTTPS inspect" to be the firewall's counterpart to ssl_bump.
> but according to our firewall documentation it appears due to the
> location of our proxy servers we would be unable to do so.
Where does the firewall documentation / vendor want the proxy server to be?
> My question is, if the proxy is behaving as a MITM between itself and
> the client, can't the Firewall do the same thing between itself and the
> proxy?
I don't see why it can't.
> I suspect it is possible, but might potentially involve a lot of
> headaches and a big hit on performance?
Do you care about original client IP addresses? If not, then I think
this should be as simple as one proxy (Squid) talking to another proxy
(firewall).
> Any insight into this would be greatly appreciated.
I would wonder if WCCP /might/ be a viable option in this scenario or
not. As in configure clients to use the firewall as a proxy and have
the firewall do its thing while leveraging Squid's caching capability
via WCCP.
There might also be some room for having Squid view the firewall as
a parent proxy.
--
Grant. . . .
unix || die
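Added example, not from the original thread: a squid.conf fragment sketching the two arrangements discussed above (the firewall inspecting Squid's own outbound TLS, and the firewall as a parent proxy). Hostnames, ports and certificate paths are assumptions for illustration.

```conf
# --- Squid as the client-facing bump point (as in the original setup) ---
# Clients are configured to use this port; Squid signs forged origin certs
# with the CA in ca.pem, which clients must already trust.
http_port 3128 ssl-bump cert=/etc/squid/ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# --- Option A: let the firewall MITM Squid's connections to origins ---
# If the firewall re-signs origin certs on Squid's outbound leg, Squid's
# server-side TLS validation fails unless the firewall's CA is trusted
# here. firewall-ca.pem is an assumed path for that CA. Keep validation on;
# do not work around errors with sslproxy_cert_error.
tls_outgoing_options cafile=/etc/squid/firewall-ca.pem

# --- Option B: treat the firewall as a parent proxy ---
# fw.example.internal:8080 is an assumed forward-proxy listener on the
# firewall. never_direct forces every request through it, so the firewall
# sees one source address (Squid) for all client traffic.
cache_peer fw.example.internal parent 8080 0 no-query default
never_direct allow all

# If the firewall's policy needs the original client IP, Squid relays it
# in X-Forwarded-For (on by default; shown explicitly for clarity).
forwarded_for on
```

Option A and B are alternatives, not meant to be enabled together; pick the one matching where the firewall's documentation expects the inspection point to sit.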