Hi, Amos

> HTTPS encrypted traffic cannot be intercepted.

Yes, I know that. But, in this case, it is not "transparent".

>                 (1)                    (2)
>
>                  |                      |
>  +------+        |   +------------+     |   +---------+
>  |WWW   +---+    |   |            +-----+---+   WWW   |
>  |Client|.2 |  .1|   |   squid    |.1   | .2|  Server |
>  +------+   +----+---+   tproxy   +-----+   |(tcp/443)|
>             |    |   |  (tcp/8080) |     |   |(tcp/80) |
>             |    |   +------------+     |   +---------+
>          192.168.0.0/24            10.0.0.0/24
>
> (1) 192.168.0.2 ------> 192.168.0.1:8080
>                                     ^^^^^
> (2) 192.168.0.2 ------> 10.0.0.2:443
>     ^^^

The only thing I'd like to do is "source address spoofing" using tproxy.

Does that make sense?

Sincerely,

--
Mikio Kishi

On Thu, Apr 9, 2009 at 10:52 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> Hi, all
>>
>> I am now evaluating the squid 3.1.0.6 + tproxy4 environment in the
>> following network.
>>
>>                 (1)                    (2)
>>
>>                  |                      |
>>  +------+        |   +------------+     |   +---------+
>>  |WWW   +---+    |   |            +-----+---+   WWW   |
>>  |Client|.2 |  .1|   |   squid    |.1   | .2|  Server |
>>  +------+   +----+---+   tproxy   +-----+   |(tcp/443)|
>>             |    |   |  (tcp/8080) |     |   |(tcp/80) |
>>             |    |   +------------+     |   +---------+
>>          192.168.0.0/24            10.0.0.0/24
>>
>> (1) 192.168.0.2 ------> 192.168.0.1:8080
>> (2) 192.168.0.2 ------> 10.0.0.2:80
>>
>> HTTP communication is completely OK!
>> But in the HTTPS (using CONNECT method) case
>>
>> (1) 192.168.0.2 ------> 192.168.0.1:8080
>> (2) 192.168.0.2 ------> 10.0.0.2:443
>>                                  ^^^^
>> the following error occurred.
>>
>>> commBind: Cannot bind socket FD 12 to 192.168.0.2: (99) Cannot
>>> assign requested address
>>
>> I think that tunnelStart() in tunnel.cc doesn't support "COMM_TRANSPARENT":
>>
>>> tunnelStart(ClientHttpRequest * http, int64_t * size_ptr, int* status_ptr)
>>> {
>>>     ... snip ...
>>>     sock = comm_openex(SOCK_STREAM,
>>>                        IPPROTO_TCP,
>>>                        temp,
>>>                        COMM_NONBLOCKING, // need COMM_TRANSPARENT
>>>                        getOutgoingTOS(request),
>>>                        url);
>>>     ... snip ...
>>
>> What do you think?
>
> HTTPS encrypted traffic cannot be intercepted.
>
> Amos
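Added example, not code from this thread or from Squid: a small C program that reproduces the commBind failure above and shows what the outgoing side of a tproxy tunnel needs before it may bind to the client's address. It assumes Linux, where the socket option is IP_TRANSPARENT and requires CAP_NET_ADMIN; it only binds and does not cover the routing and firewall rules that bring replies back to the proxy.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* Linux value, assumed if the headers lack it */
#endif
/* Bind an outgoing TCP socket to a source address that is not configured
 * on this host, which is what tproxy does to keep the client's address on
 * the server-side connection. Returns 0 on success, else the errno. */
int bind_spoofed_source(const char *src_ip, int transparent)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    if (transparent) {
        int one = 1;
        /* IP_TRANSPARENT needs CAP_NET_ADMIN; otherwise setsockopt gives EPERM. */
        if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0) {
            int err = errno;
            close(fd);
            return err;
        }
    }
    memset(&sa, 0, sizeof sa);             /* sin_port 0: ephemeral port */
    sa.sin_family = AF_INET;
    if (inet_pton(AF_INET, src_ip, &sa.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }
    /* Without IP_TRANSPARENT this is the thread's commBind error: (99) EADDRNOTAVAIL */
    int err = bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ? errno : 0;
    close(fd);
    return err;
}
int main(void)
{
    int plain = bind_spoofed_source("192.168.0.2", 0);   /* client address from the thread */
    int tproxy = bind_spoofed_source("192.168.0.2", 1);
    printf("without IP_TRANSPARENT: %s\n", plain ? strerror(plain) : "bound");
    printf("with IP_TRANSPARENT:    %s\n", tproxy ? strerror(tproxy) : "bound");
    return 0;
}
```

Run as an unprivileged user the second call reports "Operation not permitted"; with CAP_NET_ADMIN it binds, which is the behaviour the CONNECT tunnel's socket lacks when it is opened without the transparent flag.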