Hi, Amos

> What exactly are you trying to achieve with this?

I'm really sorry... It's a little bit difficult to explain...
The following is more detail.

 -----------------------
      The Internet
 ---+------------
    |
 --------+-+-------------
         |
   +-----+-------+
   |    squid    | (1)
   | (tcp/8080)  |
   +-----+-------+
         |.2
 --------+-+---------------- 10.0.0.0/24
         |.1
      +--+--+
      |  R  |
      +--+--+
         |.1
 -------+--+---------------- 192.168.0.0/24
         |.2
    +----+--------+
    |  squid +    |
    |  tproxy     | (2)
    | (tcp/8080)  |
    +----+--------+
         |.2
 -------+--+---------------- 192.168.1.0/24
         |.3
      +--+-----+
      | client |
      +--------+

- The demand
  - The client must use proxy(2) using tcp/8080
    - by browser settings
        HTTP  -> proxy(2) (192.168.1.2:8080)
        HTTPS -> proxy(2) (192.168.1.2:8080)
    - proxy(2) doesn't have to be "transparent"
  - The proxy(2)'s parent proxy must be proxy(1) using cache_peer
  - Both proxy(1) and proxy(2) must record "client original source
    address" in access log for security action
        !!! It's most important !!!

I think that I have to use tproxy (not transparent) to achieve the above
demands... What do you think?

Sincerely,

--
Mikio Kishi

On Thu, Apr 9, 2009 at 4:54 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> Mikio Kishi wrote:
>>
>> Hi, Amos
>>
>>> HTTPS encrypted traffic cannot be intercepted.
>>
>> Yes, I know that, but in this case, not "transparent".
>>
>>>           (1)                     (2)
>>>
>>>            |                       |
>>> +------+   |     +------------+    |    +---------+
>>> |WWW   +---+     |            |    +----+ WWW     |
>>> |Client|.2 |   .1|   squid    |.1  |  .2| Server  |
>>> +------+   +-----+  + tproxy  +----+    |(tcp/443)|
>>>            |     | (tcp/8080) |    |    |(tcp/80) |
>>>            |     +------------+    |    +---------+
>>>     192.168.0.0/24            10.0.0.0/24
>>>
>>> (1) 192.168.0.2 ------> 192.168.0.1:8080
>>>                                    ^^^^^
>>> (2) 192.168.0.2 ------> 10.0.0.2:443
>>>                                  ^^^
>>
>> The only thing I'd like to do is "source address spoofing"
>> using tproxy.
>>
>> Does that make sense?
>
> No. Squid is perfectly capable of making HTTPS links outbound without
> tproxy. The far end only knows that some client connected.
>
> HTTPS cannot be spoofed, it's part of the security involved with the SSL
> layer.
>
> What exactly are you trying to achieve with this?
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>   Current Beta Squid 3.1.0.6
>