I'm wanting to know whether this is a capability of squid, or if anyone
knows another FOSS product that can do it.
The scenario:
I have an upstream firewall and proxy that I do not control, and the
only access to the internet is via the proxy, which uses proxy basic
authentication (and is probably running squid).
I am running my own copy of squid on the network, passing through proxy
authentication credentials to the upstream proxy.
Some devices (android phones mostly) on the local network don't have a
facility to specify a proxy server. For these devices, I intercept the
http traffic at my squid box and send it to the upstream proxy with
squid supplying a generic proxy password to the upstream proxy.
The upstream proxy is represented by two different cache_peer lines in
the config; the one used is selected by ACLs.
This all works very well for http. However, I would like to do the same
for https traffic. This should be quite do-able, but as far as I can
tell squid can't do this?
HTTPs traffic could be intercepted by iptables and sent to a port on
which squid listens. Squid can find the original intended destination
IP via a syscall, then supply the generic password to the upstream proxy
and use a CONNECT to connect through to that address. Squid would not
need to be "in the middle" and deal with decryption/encryption, it would
simply pass through the data as it does when set as an https proxy in
the normal case.
Can squid be configured to do this? What other options are there?
Cheers,
Alex
