On Mon, Dec 11, 2006, Shaun Skillin (home) wrote:

> Thanks Adrian, I understand. Could you expand at on "hacking up squid"?
> I have an immediate need for access control of all web requests,
> including SSL. I know that if I set it in the browser, squid handles

I'd implement it in two parts. The first part, for the transparent, non-parent case, is to use a TCP tunnel between client and server. tproxy will ensure that the client thinks it's talking directly to the server and the server talks directly to the client. There might be other stuff you can do for ACL matching on the SSL stream before things get nastily encrypted (eg match on the negotiation phase) but I haven't looked into it in that much depth.

The second part, as Henrik replied, is in the case of a parent proxy. In this case it's not going to be end-to-end transparent anyway, so you might be able to get away with Squid issuing a CONNECT to the upstream proxy and handing back the unencrypted data.

In both cases you'll only be able to build ACLs that use src/destination IP (and stuff like time, etc.)

> all connections, including web, ssl, and ftp without a problem. So my
> real question is, if squid can (obviously) handle this traffic, can it
> be done in a transparent way instead of having to modify the browser. I
> think I need more education on how the packets are presented to squid in
> transparent vs. browser-based mode - browser-based sends everything via
> 3128, so squid gets it on port 3128 - couldn't I just do another NAT
> using iptables for this, and point 443 and 21 to 3128 as well as the
> current 80?

I've thought about transparently proxying FTP but it would require a little bit of hackery to do it with WCCPv2 without breaking clients.

    test-2(config)#wccp ?
      custom-web-cache  Custom web caching service
      dns               Caching Domain Name Service
      flow-redirect     Redirect moved flows
      ftp               Transparent FTP proxy caching service

Apparently the old Cisco cache engines implemented -something- to do with transparent FTP proxying, but I've been concentrating on the web cache service stuff. I'd be happy to do the feasibility work required but I can't say if/when I'm going to get a chance to implement this. Of course, if someone wanted to hire myself or Henrik to implement it in a short period of time I'm sure one of us could take care of it pretty quickly. It'd definitely help me finish off my WCCPv2 test lab, as mask assignment-capable switch routers aren't cheap and I doubt anyone's going to donate one.. :)

Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
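The point about matching on the negotiation phase, and why NATing port 443 to 3128 is not the same as port 80, as an added example that is neither Adrian's code nor part of Squid: a connection redirected from 443 begins with a TLS ClientHello rather than an HTTP request line, so beyond src/dst IP the only cleartext field an intercepting proxy could build an ACL on is the SNI hostname, and only when the client sends one. The ClientHello and request bytes below are constructed for illustration; the parser is plain Python.

```python
import struct

def parse_client_hello_sni(data):
    """SNI hostname from a TLS ClientHello, or None if this is not one."""
    try:
        if data[0] != 0x16:                    # TLS record type 0x16 = handshake
            return None
        body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if body[0] != 1:                       # handshake type 1 = ClientHello
            return None
        p = 4 + 2 + 32                         # hs header, version, random
        p += 1 + body[p]                       # session id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher suites
        p += 1 + body[p]                       # compression methods
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            p += 4
            if etype == 0:                     # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", body[p + 3:p + 5])[0]
                return body[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                   # truncated or not TLS at all
    return None

def build_client_hello(hostname):
    """Constructed minimal ClientHello with an SNI extension (sample input)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"         # one suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def classify_first_bytes(data):
    """What an intercepting proxy can see in a client's first segment:
    ("http", Host header), ("tls", SNI) or ("unknown", None)."""
    sni = parse_client_hello_sni(data)
    if sni is not None:
        return ("tls", sni)
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT"):
        host = [ln for ln in data.split(b"\r\n") if ln.lower().startswith(b"host:")]
        return ("http", host[0][5:].strip().decode("ascii") if host else None)
    return ("unknown", None)
```

An FTP control channel (client-first bytes such as `USER anonymous`) falls into the "unknown" bucket, which is the case the mail says still needs separate handling.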