Search squid archive

Re: CONNECT method support(for https) using squid3.1.0.6 + tproxy4

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi, Amos

>HTTPS encrypted traffic cannot be intercepted.

Yes, I know that. but, in this case, not "transparent".

>            (1)                     (2)
>
>             |                       |
>  +------+   |     +------------+    |    +---------+
>  |WWW   +---+     |            |    +----+ WWW     |
>  |Client|.2 |   .1| squid      |.1  |  .2|  Server |
>  +------+   +-----+   + tproxy +----+    |(tcp/443)|
>             |     | (tcp/8080) |    |    |(tcp/80) |
>             |     +------------+    |    +---------+
>       192.168.0.0/24          10.0.0.0/24
>
>  (1) 192.168.0.2 ------>  192.168.0.1:8080
>                                      ^^^^^
>  (2) 192.168.0.2 ------>  10.0.0.2:443
>                                    ^^^

Just only thing I'd like to do is "source address spoofing"
using tproxy.

Does that make sense ?

Sincerely,

--
Mikio Kishi


On Thu, Apr 9, 2009 at 10:52 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> Hi, all
>>
>> Now, I evaluate the squid3.1.0.6 + tproxy4 environment like the
>> following network.
>>
>>             (1)                     (2)
>>
>>              |                       |
>>   +------+   |     +------------+    |    +---------+
>>   |WWW   +---+     |            |    +----+ WWW     |
>>   |Client|.2 |   .1| squid      |.1  |  .2|  Server |
>>   +------+   +-----+   + tproxy +----+    |(tcp/443)|
>>              |     | (tcp/8080) |    |    |(tcp/80) |
>>              |     +------------+    |    +---------+
>>        192.168.0.0/24          10.0.0.0/24
>>
>>   (1) 192.168.0.2 ------>  192.168.0.1:8080
>>   (2) 192.168.0.2 ------>  10.0.0.2:80
>>
>> HTTP communication is completely OK !
>> but in HTTPS(using CONNECT method) case
>>
>>   (1) 192.168.0.2 ------>  192.168.0.1:8080
>>   (2) 192.168.0.2 ------>  10.0.0.2:443
>>                                     ^^^^
>> the following error occurred.
>>
>>> commBind: Cannot bind socket FD 12 to 192.168.0.2: (99) Cannot
>>>           assign requested address
>>
>> I think that tunnelStart()#tunnel.cc don't support "COMM_TRANSPARENT"
>>
>>> tunnelStart(ClientHttpRequest * http, int64_t * size_ptr, int*
>>> status_ptr)
>>> {
>>>  ... snip ...
>>>    sock = comm_openex(SOCK_STREAM,
>>>                       IPPROTO_TCP,
>>>                       temp,
>>>                       COMM_NONBLOCKING,  // need COMM_TRANSPARENT
>>>                       getOutgoingTOS(request),
>>>                       url);
>>>  ... snip ...
>>
>> What do you think ?
>
> HTTPS encrypted traffic cannot be intercepted.
>
> Amos
>
>
>


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux