On 02/12/10 17:17, Alex King wrote:
I'm wanting to know whether this is a capability of squid, or if anyone knows another FOSS product that can do it. The scenario: I have an upstream firewall and proxy that I do not control, and the only access to the internet is via the proxy, which uses proxy basic authentication (and is probably running squid). I am running my own copy of squid on the network, passing through proxy authentication credentials to the upstream proxy. Some devices (android phones mostly) on the local network don't have a facility to specify a proxy server. For these devices, I intercept the http traffic at my squid box and send it to the upstream proxy with squid supplying a generic proxy password to the upstream proxy.
Check if IPv6 traffic is placed under such harsh limits as IPv4 on your network. I have clients using Android which use IPv6 when their IPv4 is blocked.
If you are lucky they will have new enough Android versions which rumour has it support zero-conf WPAD/PAC instead of manual configuration.
The upstream proxy is represented by two different cache_peer lines in the config; the one used is selected by ACLs. This all works very well for http. However, I would like to do the same for https traffic. This should be quite do-able, but as far as I can tell squid can't do this? HTTPs traffic could be intercepted by iptables and sent to a port on which squid listens. Squid can find the original intended destination IP via a syscall, then supply the generic password to the upstream proxy and use a CONNECT to connect through to that address. Squid would not need to be "in the middle" and deal with decryption/encryption, it would simply pass through the data as it does when set as an https proxy in the normal case.
Interesting. That might actually be doable. As long as there is absolutely zero touching of the internal encrypted traffic.
My experience with SSL indicates that the IPs and maybe even the TCP ports are included in the actual transfer though, so there may be problems when the upstream proxy IP connects to the server with an (encrypted) client certificate containing the clients real IP.
Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3
