[squid-users] FW: Encrypted browser-Squid connection errors

Grant Taylor gtaylor at tnetconsulting.net
Tue Oct 25 15:47:53 UTC 2022


On 10/25/22 2:43 AM, Matus UHLAR - fantomas wrote:
> if by "transparent" you mean "intercepting" proxy, that is incorrect

By "transparent" I mean using network techniques to force clients to use 
a proxy that aren't themselves aware that they are using a proxy.

> CONNECT is HTTP command designed for use with explicit HTTP proxy.

Agreed.

But what does Squid do differently after recognizing the request from 
the client; be it a GET, PUT, POST, or even a CONNECT; the former being 
transparent with the latter being explicit?  Squid will still proxy the 
request as it understands it dependent on configuration, ACLs, etc.

I currently maintain that there is little difference, other than the 
VERB used, between transparent and explicit proxy configuration.  Squid 
still largely does the same thing.

Or said another way, all Squid needed to do to be able to support both 
transparent and explicit was to understand the additional VERBs.  Much 
of the rest of the code was unchanged.

To me there is not a fundamental difference, beyond initial VERBs, for 
transparent and explicit configuration.  At least not anything like the 
differences between FTP, HTTP, and ICP.  Each of which are fundamentally 
different protocols.  Conversely transparent vs explicit is an extension 
of one protocol, namely HTTP.

> ok, there's no explicit need. And since there's no explicit need to use 
> port 80 for HTTP proxy, the convention is to use different port because 
> of reasons stated before.

So port 3128 is based on convention.  And that convention requires more 
explicit configuration in clients.  Okay.  So be it.

> These are the FTP protocol "hacks" I mentioned before.
> The HTTP protocol was created with proxying in mind, FTP was not.
> using specially crafted login name for connecting to another server is 
> one of those hacks.

Okay.

I (mis)took "hacks" to be things more severe like is typically done with 
proxifiers used with SOCKS servers, e.g. altering / overloading system 
library calls.



-- 
Grant. . . .
unix || die
