[squid-users] FW: Encrypted browser-Squid connection errors

Grant Taylor gtaylor at tnetconsulting.net
Tue Oct 25 18:14:52 UTC 2022


On 10/25/22 11:03 AM, Matus UHLAR - fantomas wrote:
> I think intercepting is better, more precise.

I think that Squid can be an interception proxy as it can filter / alter 
content.

I also think that Squid (as an interception proxy) can be used 
transparently.

> those two are completely separate,

I'm not yet convinced.

> proxy may be intercepting and modify content (e.g. filter), including 
> squid.

I guess it could be said that the transparency, or modification of 
content, is one aspect and that how the client connects to the proxy, 
explicit or implicit (network magic), could be another aspect.

            +-------------+--------+
            | transparent | opaque |
+----------+-------------+--------+
| explicit |      2      |   1    |
+----------+-------------+--------+
| implicit |      3      |   4    |
+----------+-------------+--------+

I believe that Squid can be either transparent and / or opaque depending 
on its configuration.

I also believe that Squid can be either explicit and / or implicit via 
networking magic.

When I said that intercepting was a superset of transparent, I was 
including all four quadrants.

> yes, especially PAC scripts are great to explicitly state what you need, 
> including using socks for other than http(s)/ftp connections (direct 
> smtp,imap,pop3 over socks)

Yep.

> I guess PORT connections have to be allowed on the SOCKS server which is 
> I'd say not common (can be dangerous)

Yes, the PORT connection must be allowed.  But the problem that I found 
was that the PORT declaration has a timeout / finite time that they 
would wait for connections.  E.g. ten minutes in the example I was 
looking at.

What's more is that the PORT connections must be declared /per/ 
/expected/ /connection/.  They aren't a generic forward traffic from any 
Internet connected system into the SOCKS client.

> passive connections are safe in case of ftp/ssl, where it's impossible 
> to know for the proxy/firewall who connects where.

I don't think that it's impossible.  Rather it's just improbable.  It's 
technically possible to do TLS bump in the wire or other things like 
known keys (non-ephemeral / non-PFS) or sharing ephemeral / PFS keys 
from internal server with TLS monkey in the middle proxy.  Such is 
technically possible, just highly improbable.



-- 
Grant. . . .
unix || die
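As an added illustration of the SOCKS "PORT" (BIND) sequence discussed above, not code from this thread or from Squid: the two-reply BIND exchange from RFC 1928 encoded and decoded in Python. The reply codes are the RFC's; the addresses, ports and reply bytes are constructed sample values.

```python
import struct
import ipaddress

# Wire constants from RFC 1928; this is an added illustration, not Squid code.
SOCKS_VERSION, CMD_BIND, ATYP_IPV4, ATYP_IPV6 = 0x05, 0x02, 0x01, 0x04
REP_TEXT = {0x00: "succeeded", 0x01: "general SOCKS server failure",
            0x02: "connection not allowed by ruleset", 0x05: "connection refused",
            0x06: "TTL expired", 0x07: "command not supported"}

def build_bind_request(peer_ip: str, peer_port: int) -> bytes:
    """Encode a SOCKS5 BIND request: DST.ADDR/DST.PORT name the one peer the
    client expects to call back, so every inbound data connection needs its own BIND."""
    ip = ipaddress.ip_address(peer_ip)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return struct.pack("!BBBB", SOCKS_VERSION, CMD_BIND, 0x00, atyp) + ip.packed + struct.pack("!H", peer_port)

def parse_reply(data: bytes) -> dict:
    """Decode one SOCKS5 reply (a BIND produces two of them)."""
    ver, rep, rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION or rsv != 0x00:
        raise ValueError("malformed SOCKS5 reply header")
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    else:
        raise ValueError(f"unsupported ATYP {atyp:#x}")
    (port,) = struct.unpack("!H", rest[:2])
    return {"ok": rep == 0x00, "status": REP_TEXT.get(rep, f"unassigned ({rep:#x})"),
            "addr": addr, "port": port}

def bind_exchange(peer_ip: str, peer_port: int, first_reply: bytes, second_reply: bytes) -> dict:
    """Walk the two-reply BIND sequence: reply 1 gives the proxy's listening socket
    (what the FTP client advertises in PORT); reply 2 comes only when that peer
    connects, or as an error reply if the proxy gives up waiting."""
    request = build_bind_request(peer_ip, peer_port)
    first = parse_reply(first_reply)
    if not first["ok"]:                       # proxy ruleset refused the BIND
        return {"request": request, "stage": "refused", "reason": first["status"]}
    listen = (first["addr"], first["port"])
    second = parse_reply(second_reply)
    if not second["ok"]:                      # nobody called back before the proxy stopped waiting
        return {"request": request, "stage": "no-callback", "listen": listen, "reason": second["status"]}
    return {"request": request, "stage": "connected", "listen": listen,
            "peer": (second["addr"], second["port"])}

# Constructed sample replies (not captured from a real proxy).
PROXY_LISTENING = bytes([5, 0, 0, 1, 198, 51, 100, 7]) + (40001).to_bytes(2, "big")
PEER_CONNECTED = bytes([5, 0, 0, 1, 203, 0, 113, 9]) + (20).to_bytes(2, "big")
RULESET_DENIED = bytes([5, 2, 0, 1, 0, 0, 0, 0, 0, 0])
```

Running `bind_exchange("203.0.113.9", 21, PROXY_LISTENING, PEER_CONNECTED)` walks the happy path; swapping in `RULESET_DENIED` as the first reply shows what a proxy that does not allow BIND answers.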
