You know St. Peter won't call my name, purgat!

2010/12/13 00:20:23 +0330 purgat <purgatio@xxxxxxxxx> => To squid-users@xxxxxxxxxxxxxxx :
p> On Sun, 2010-12-12 at 14:19 -0600, Luis Daniel Lucio Quiroz wrote:
p> > On Sunday 12 December 2010 11:00:43, guest01 wrote:
p> > > Maybe not exactly what you are looking for, but have you thought of
p> > > using IPSec? You could deploy IPSec and encrypt every connection from
p> > > your clients to the Proxy.
p> > > I don't know what you are trying to achieve, but if your objective is
p> > > to encrypt connections from the Clients to the proxy, IPSec would be
p> > > perfectly transparent and scalable.
p> > >
p> > > On Sunday, December 12, 2010, purgat <purgatio@xxxxxxxxx> wrote:
p> > > > Hi
p> > > > I have seen similar discussions in the list in the past but none exactly
p> > > > answers my question.
p> > > > This is the setup I am looking for:
p> > > > a server somewhere out there runs one or more instances of squid.
p> > > > user at home sets up the browser to use the proxy.
p> > > > whenever user puts an address in their browser address bar, request, is
p> > > > encrypted with ssl and sent to squid. Instances (if more than one is
p> > > > necessary) of squid then request the page through normal http from the
p> > > > Internet and send the response through ssl back to the client.
p> > > > Unfortunately the answers I have seen to this question in past seem to
p> > > > ignore the fact that the user may want to use different websites. I
p> > > > don't want just a couple of addresses to be accelerated by squid and
p> > > > sent through ssl. What I am looking for is not a normal reverse proxy,
p> > > > glorified with ssl. Unfortunately there is no example of such a setup in
p> > > > wiki though I know a lot of people would want this set up for securing
p> > > > data in their unsecure local network. The explanations on the web about
p> > > > how to set this up come short of explaining a lot of things about an
p> > > > already complex matter.
p> > > > Is Squid able to help me with this?
p> > > > By the way... ssh tunnelling is not an option for me.
p> > > >
p> > > > Regards
p> > > > purgat
p> > As far as I know, this is impossible with squid
p> > but there is a mod_ for apache that does that, just look for it
p> >
p> > LD
p>
p> Thanks for the info. I'll check that mod.
p> Anyone else can confirm this?

I don't know which particular apache module this is about. I can confirm I use the fcgiproxy, the fastcgi'zed CGIProxy, in what I named the transparent mode. The diagram is as follows:

http://gitweb.vereshagin.org/fcgiproxy/blob_plain/HEAD:/doc/fcgiproxy-06.png

This means that having ssl enabled on a hosting you can turn any of your URLs, say,

scheme://host.tld/path?params

into this:

https://your.ssl.host/yourpath/scheme/host.tld/path?params

Furthermore, I convert any of the URLs I ask in my browser into this url by means of somewhat complicated stuff which involves ( optionally privoxy ) squid with URL rewrite, 3proxy, which is only used for its fake_resolve feature, and nginx with URL rewrite, again. The URL is being rewritten only once: in squid for http urls and inside nginx for https urls.

I use it because I hate any of my ISPs to know what I use to google out about and what pictures I see. As a fact, I have much more multiple choice about SSL hosting with Perl.

The main disadvantage of such an approach is that I can't verify the certificate of a site to be visited ( by means of Perl on a hosting, it's code yet to be written, as well as a certificates manager, including exceptions, saved x.509 certificates and much more stuff like basic auth and content filters ) AND the certificate of the fcgiproxy's web server as well ( nginx is not yet able to check the https uplinks' certificates by CAs or any other way, the Russian explanation is: http://forum.nginx.org/read.php?21,83157,85692#msg-85692 ).

I think such stuff can be useful not only for personal use to satisfy a suspicion, but for a corporate environment, too. At the least you can use the web-served fcgiproxy part on a corporate proxy side and the client side, currently implemented by means of squid, 3proxy and an nginx proxy, to avoid information leaks and viruses and spyware, including the contents of the bypassing https, too.

Commercially I see the service as an anonymizer with commercials on a sidebar.

Client side setup is still a complication yet, but it can be implemented as a system-tray application or standalone system service since its only intention is to rewrite the URL as it is mentioned above. I have no idea if such a thing can be made as a browser plugin but it's obvious to try with javascript in hand.

Also, things like that may happen to be possible without anything other than just squid, but not with versions older than 2+ years from now.

73! Peter
pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)
--
http://vereshagin.org
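
The URL mapping described in the message above, sketched as an added example (not code from fcgiproxy or from the post's author): a Squid `url_rewrite_program` helper for the client side plus the inverse parse a gateway would need. It assumes Squid's legacy helper replies (bare URL, empty line for no change); `your.ssl.host` and `yourpath` are the post's own placeholders, the function names are hypothetical, and unlike the setup in the post it would also map an `https` URL if one were passed in.

```python
import re
import sys
from urllib.parse import urlsplit

# Placeholders taken from the post's example URL; replace with your own gateway.
GATEWAY = "https://your.ssl.host/yourpath"
# Strict host[:port]; userinfo, IPv6 literals and odd characters are refused.
HOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?")

def to_gateway_url(url):
    """Map scheme://host.tld/path?params onto the gateway; None = leave as is."""
    parts = urlsplit(url)
    scheme, netloc = parts.scheme.lower(), parts.netloc.lower()
    if scheme not in ("http", "https") or not HOST_RE.fullmatch(netloc):
        return None
    if url.startswith(GATEWAY + "/"):
        return None                      # already rewritten: avoid a loop
    tail = parts.path or "/"
    if parts.query:
        tail += "?" + parts.query
    return f"{GATEWAY}/{scheme}/{netloc}{tail}"

def from_gateway_path(path):
    """Gateway side: recover the target URL from /yourpath/scheme/host/..."""
    prefix = urlsplit(GATEWAY).path + "/"
    if not path.startswith(prefix):
        return None
    scheme, _, rest = path[len(prefix):].partition("/")
    host, _, tail = rest.partition("/")
    if scheme not in ("http", "https") or not HOST_RE.fullmatch(host):
        return None                      # e.g. /yourpath/file/etc/passwd
    return f"{scheme}://{host}/{tail}"

def helper_reply(line):
    """One request line of Squid's URL-rewrite helper protocol -> reply line."""
    fields = line.split()
    if not fields:
        return ""
    channel = ""
    if fields[0].isdigit() and len(fields) > 1:   # concurrency channel-ID
        channel, fields = fields[0] + " ", fields[1:]
    new_url = to_gateway_url(fields[0])
    return channel + (new_url or "")              # empty reply = no rewrite

if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(helper_reply(request) + "\n")
        sys.stdout.flush()                        # Squid waits for each reply
```

The scheme and host checks on the gateway side matter because that component fetches whatever URL the path encodes; they do nothing about the certificate verification gap the message describes.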