[squid-users] MITM the MITM

Will BMD will at brainmeltdown.net
Tue Jan 4 16:56:10 UTC 2022


On 04/01/2022 04:19, Grant Taylor wrote:
> On 1/3/22 5:19 PM, Will BMD wrote:
>> Hey all,
>
> Hi,
>
>> From the Firewalls perspective all client connections are originating 
>> as the proxy server. We're wanting to use the https inspect feature 
>> of the firewall,
>
> I'm taking "HTTPS inspect" to be the firewall's counterpart to ssl_bump.
That's correct.
>
>> but according to our firewall documentation it appears due to the 
>> location of our proxy servers we would be unable to do so.
>
> Where does the firewall documentation / vendor want the proxy server 
> to be?
That's a great question; I suspect that this might be an error in their 
documentation.
>
>> My question is, if the proxy is behaving as a MITM between itself and 
>> the client, can't the Firewall do the same thing between itself and 
>> the proxy?
>
> I don't see why it can't.
That's good to hear.
>
>> I suspect it is possible, but might potentially involve a lot of 
>> headaches and a big hit on performance?
>
> Do you care about original client IP addresses?  If not, then I think 
> this should be as simple as one proxy (Squid) talking to another proxy 
> (firewall).
Yea, that's what we're looking to obtain.
>
>> Any insight into this would be greatly appreciated.
>
> I would wonder if WCCP /might/ be a viable option in this scenario or 
> not.  As in configure clients to use the firewall as a proxy and have 
> the firewall do its thing while leveraging Squid's caching capability 
> via WCCP.
>
> There might also be some room for having Squid view the firewall 
> as a parent proxy.

I'm not aware of WCCP, but I'll look into it.

Thanks for info Grant.
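The "Squid bumps the client, firewall bumps Squid" chain discussed in this thread, written out as a squid.conf fragment. This is an added example, not configuration from the original thread or from the Squid project; the firewall hostname, port, certificate paths and CA file are placeholders, and it assumes a Squid release that forwards bumped connections to a cache_peer through CONNECT.

```conf
# Added example: Squid as a bumping proxy that hands everything to the
# firewall as a parent proxy, so the firewall can inspect Squid's side too.

# Client-facing port: Squid terminates client TLS and mints host certs
# signed by the internal CA the clients already trust (placeholder paths).
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/ssl/internal-ca.pem \
    tls-key=/etc/squid/ssl/internal-ca.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the ClientHello to learn the SNI, then bump everything that is
# not excluded (add a no_bump ACL with splice rules for exempt sites).
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# The firewall is the parent proxy; never_direct forces Squid to send all
# requests (including the CONNECT tunnels for bumped traffic) through it.
# "firewall.example.internal" and port 3128 are assumed values.
cache_peer firewall.example.internal parent 3128 0 no-query default
never_direct allow all

# Because the firewall re-terminates Squid's outbound TLS, the certificate
# Squid sees on its server-side connection is issued by the firewall's CA.
# Squid must trust that CA or every bumped request fails verification.
tls_outgoing_options cafile=/etc/squid/ssl/firewall-inspection-ca.pem
```

If the firewall CA is not added to tls_outgoing_options, the symptom is certificate verification errors on Squid's outbound side for every bumped site, which is the usual sign that the two inspection layers are not trusting each other.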