Re: CONNECT method support(for https) using squid3.1.0.6 + tproxy4

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Mikio Kishi wrote:
> Hi, Amos
>
> > What exactly are you trying to achieve with this?
>
> I'm really sorry... It's a little bit difficult to explain...
> The following is the more detail.
>
>  -----------------------
>      The Internet
>         ---+------------
>            |
>  --------+-+-------------
>          |
>    +-----+-------+
>    |  squid      | (1)
>    |  (tcp/8080) |
>    +-----+-------+
>          |.2
>  --------+-+---------------- 10.0.0.0/24
>            |.1
>         +--+--+
>         |  R  |
>         +--+--+
>            |.1
>  -------+--+---------------- 192.168.0.0/24
>         |.2
>    +----+--------+
>    |  squid +    |
>    |    tproxy   | (2)
>    |  (tcp/8080) |
>    +----+--------+
>         |.2
>  -------+--+---------------- 192.168.1.0/24
>            |.3
>         +--+-----+
>         | client |
>         +--------+
>
>  - The demand
>    - The client must use proxy(2) using tcp/8080
>      - by browser settings
>        HTTP  -> proxy(2) (192.168.1.2:8080)
>        HTTPS -> proxy(2) (192.168.1.2:8080)
>      - proxy(2) don't have to be "transparent"
>    - The proxy(2)'s parent proxy must be proxy(1)
>      using cache_peer
>    - Both proxy(1) and proxy(2) must record
>      "client original source address" in access log for security action
>          !!! It's most important !!!
>
> I think that I have to use tproxy(not transparent)
> to achieve above demands... what do you think ?

Ah, you need the follow_x_forwarded_for feature on Proxy(1).

proxy(2) will always be trying to set X-Forwarded-For header indicating 
the client IP. Which gets passed to proxy(1).

By enabling follow_x_forwarded_for and log_uses_indirect_ip. proxy(1) 
should log the original client IP.

http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/
http://www.squid-cache.org/Doc/config/log_uses_indirect_client/


Amos

> Sincerely,
> --
> Mikio Kishi
>
> On Thu, Apr 9, 2009 at 4:54 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> > Mikio Kishi wrote:
> > > Hi, Amos
> > >
> > > > HTTPS encrypted traffic cannot be intercepted.
> > > Yes, I know that. but, in this case, not "transparent".
> > >
> > > >           (1)                     (2)
> > > >
> > > >            |                       |
> > > >  +------+   |     +------------+    |    +---------+
> > > >  |WWW   +---+     |            |    +----+ WWW     |
> > > >  |Client|.2 |   .1| squid      |.1  |  .2|  Server |
> > > >  +------+   +-----+   + tproxy +----+    |(tcp/443)|
> > > >            |     | (tcp/8080) |    |    |(tcp/80) |
> > > >            |     +------------+    |    +---------+
> > > >      192.168.0.0/24          10.0.0.0/24
> > > >
> > > >  (1) 192.168.0.2 ------>  192.168.0.1:8080
> > > >                                     ^^^^^
> > > >  (2) 192.168.0.2 ------>  10.0.0.2:443
> > > >                                   ^^^
> > > Just only thing I'd like to do is "source address spoofing"
> > > using tproxy.
> > >
> > > Does that make sense ?
> > No. Squid is perfectly capable of making HTTPS links outbound without
> > tproxy. The far end only knows that some client connected.
> >
> > HTTPS cannot be spoofed, its part of the security involved with the SSL
> > layer.
> >
> > What exactly are you trying to achieve with this?
> >
> > Amos
> > --
> > Please be using
> >  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
> >  Current Beta Squid 3.1.0.6


--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6