[squid-users] FW: Encrypted browser-Squid connection errors

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Oct 25 16:18:33 UTC 2022


>On 10/25/22 2:43 AM, Matus UHLAR - fantomas wrote:
>>if by "transparent" you mean "intercepting" proxy, that is incorrect

On 25.10.22 09:47, Grant Taylor wrote:
>By "transparent" I mean using network techniques to force clients to 
>use a proxy that aren't themselves aware that they are using a proxy.

I prefer to explicitly state what one means by transparent because RFC 2616 
has defined transparent proxy differently:

       A "transparent proxy" is a proxy that does not modify the request or
       response beyond what is required for proxy authentication and
       identification.

The term "interception proxy" better defines what happens here:

    Instead, an interception proxy filters or redirects outgoing TCP port 80
    packets (and occasionally other common port traffic).

>>CONNECT is HTTP command designed for use with explicit HTTP proxy.
>
>Agreed.
>
>But what does Squid do differently after recognizing the request from 
>the client; be it a GET, PUT, POST, or even a CONNECT; the former 
>being transparent with the latter being explicit.  Squid will still 
>proxy the request as it understands it dependent on configuration, 
>ACLs, etc.

FYI, an intercepting proxy must use measures to avoid Host header forgery:

https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
https://www.kb.cert.org/vuls/id/435052

Squid must find out the original destination IP used and check it, while in 
explicit mode this makes no sense.

>>These are the FTP protocol "hacks" I mentioned before.
>>The HTTP protocol was created with proxying in mind, FTP was not.
>>using specially crafted login name for connecting to another server 
>>is one of those hacks.
>
>Okay.
>
>I (mis)took "hacks" to be things more severe like is typically done 
>with proxifiers used with SOCKS servers, e.g. altering / overloading 
>system library calls.

This is a somewhat different kind of hack.

Generally the SOCKS library knows where/how to connect; SOCKS wrappers (like 
socksify, tsocks, proxychains) are used to make other software use a SOCKS 
proxy even if it does not support it.

And of course SOCKS is a generic bidirectional TCP/UDP proxy, which makes it 
possible to implement it over nearly any kind of communication.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors
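
The Host header forgery check discussed in the message above, written out as an added example (this is illustrative code for this thread, not Squid's implementation; the function names, the dict-backed resolver and the sample addresses from the RFC 5737 / RFC 3849 documentation ranges are all constructed for the example). It applies the rule the knowledge-base article describes for intercept mode: the Host header is only trusted when its port matches the intercepted port and its name resolves to (or its IP literal equals) the address the client's TCP connection was actually going to; otherwise the request is pinned to the original destination and not cached under the claimed name.

```python
# Added example: Host-header forgery check for an intercepting proxy.
# Not Squid's code; the resolver is a constructed lookup table so it runs offline.
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def parse_host_header(host_header: str, default_port: int) -> tuple[str, int]:
    """Split a Host value ('name', 'name:port', '[v6]:port') into (host, port).
    urlsplit handles bracketed IPv6 literals; a bad port or bracket raises ValueError."""
    parts = urlsplit("//" + host_header.strip())
    if not parts.hostname:
        raise ValueError("empty Host header")
    port = parts.port if parts.port is not None else default_port
    return parts.hostname, port


def _verdict(forged: bool, reason: str, ip, port: int) -> dict:
    # A forged request is still served, but only from the intercepted
    # destination, and the reply must not be cached under the Host name.
    return {"forged": forged, "reason": reason,
            "connect_to": (str(ip), port), "cacheable": not forged}


def check_host_forgery(orig_dst_ip: str, orig_dst_port: int,
                       host_header: str, resolve: Resolver) -> dict:
    """Compare the client's Host header with the TCP destination the kernel
    intercepted (what SO_ORIGINAL_DST / conntrack would hand the proxy).

    Rules:
      * port in Host (or the scheme default) must equal the intercepted port;
      * an IP literal in Host must equal the intercepted IP;
      * a hostname must resolve to a set of addresses containing the intercepted IP.
    """
    orig_ip = ipaddress.ip_address(orig_dst_ip)
    try:
        host, port = parse_host_header(host_header, orig_dst_port)
    except ValueError as exc:
        return _verdict(True, f"unparseable Host: {exc}", orig_ip, orig_dst_port)

    if port != orig_dst_port:
        return _verdict(True, f"Host port {port} != intercepted port {orig_dst_port}",
                        orig_ip, orig_dst_port)

    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None  # Host carries a name, not an address

    if literal is not None:
        if literal != orig_ip:
            return _verdict(True, f"Host literal {literal} != intercepted {orig_ip}",
                            orig_ip, orig_dst_port)
        return _verdict(False, "Host literal matches intercepted destination",
                        orig_ip, orig_dst_port)

    # Round-robin names may return several addresses; any one matching is enough.
    resolved = {ipaddress.ip_address(a) for a in resolve(host)}
    if orig_ip not in resolved:
        return _verdict(True, f"{host} does not resolve to {orig_ip}",
                        orig_ip, orig_dst_port)
    return _verdict(False, f"{host} resolves to {orig_ip}", orig_ip, orig_dst_port)


# Constructed DNS data for the example (documentation address ranges only).
FAKE_DNS = {
    "example.com": ["192.0.2.10", "192.0.2.11"],   # two A records (round-robin)
    "intranet.example": ["198.51.100.7"],          # a site an attacker wants to poison
    "v6.example": ["2001:db8::1"],
}


def fake_resolve(name: str) -> list[str]:
    """Stand-in for a DNS lookup; returns [] for unknown names."""
    return FAKE_DNS.get(name.lower(), [])


if __name__ == "__main__":
    # A client connected to 192.0.2.10:80 but claims Host: intranet.example.
    # Without the check, a cache keyed on the Host name could be poisoned.
    for host in ("example.com", "intranet.example", "192.0.2.11:80", "example.com:8080"):
        v = check_host_forgery("192.0.2.10", 80, host, fake_resolve)
        print(f"{host:20} forged={v['forged']!s:5} cacheable={v['cacheable']!s:5} {v['reason']}")
```

In explicit (CONNECT or absolute-URI) mode there is no intercepted destination to compare against, which is why the message says the check makes no sense there: the client already told the proxy where it wants to go.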
