
Re: https to http translation


 



Any time of year you can find me here purgat.
2010/12/13 22:23:48 +0330 purgat <purgatio@xxxxxxxxx> => To squid-users@xxxxxxxxxxxxxxx :
p> This definitely is too complicated for me. Getting all these working
p> together doesn't seem an easy task for someone who has never used any
p> of these for anything before. From what I could understand from your
p> diagram and explanation, I would say this is an option that works as I
p> need but that's it.
p> I'll try to see if I can find easier options. I am starting to think I
p> need to spend a few months and loads of caffeine to write something
p> myself (though it is sort of life/death scenario involved, and time
p> matters so much).
p> Options are running out fast...
p> :(
p> 
p> 
p> On Mon, 2010-12-13 at 13:20 +0300, Peter Vereshagin wrote:
p> > You know St. Peter won't call my name, purgat!
p> > 2010/12/13 00:20:23 +0330 purgat <purgatio@xxxxxxxxx> => To squid-users@xxxxxxxxxxxxxxx :
p> > p> On Sun, 2010-12-12 at 14:19 -0600, Luis Daniel Lucio Quiroz wrote:
p> > p> > On Sunday 12 December 2010 11:00:43, guest01 wrote:
p> > p> > > Maybe not exactly what you are looking for, but have you thought of
p> > p> > > using IPSec? You could deploy IPSec and encrypt every connection from
p> > p> > > your clients to the Proxy.
p> > p> > > I don't know what you are trying to achieve, but if your objective is
p> > p> > > to encrypt connections from the Clients to the proxy, IPSec would be
p> > p> > > perfectly transparent and scalable.
p> > p> > > 
p> > p> > > On Sunday, December 12, 2010, purgat <purgatio@xxxxxxxxx> wrote:
p> > p> > > > Hi
p> > p> > > > I have seen similar discussions in the list in the past but none exactly
p> > p> > > > answers my question.
p> > p> > > > This is the setup I am looking for:
p> > p> > > > a server somewhere out there runs one or more instances of squid.
p> > p> > > > user at home sets up the browser to use the proxy.
p> > p> > > > whenever user puts an address in their browser address bar, request, is
p> > p> > > > encrypted with ssl and sent to squid. Instances (if more than one is
p> > p> > > > necessary) of squid then request the page through normal http from the
p> > p> > > > Internet and send the response through ssl back to the client.
p> > p> > > > Unfortunately the answers I have seen to this question in past seem to
p> > p> > > > ignore the fact that the user may want to use different websites. I
p> > p> > > > don't want just a couple of addresses to be accelerated by squid and
p> > p> > > > sent through ssl. What I am looking for is not a normal reverse proxy,
p> > p> > > > glorified with ssl. Unfortunately there is no example of such a setup in
p> > p> > > > wiki though I know a lot of people would want this set up for securing
p> > p> > > > data in their unsecure local network. The explanations on the web about
p> > p> > > > how to set this up come short of explaining a lot of things about an
p> > p> > > > already complex matter.
p> > p> > > > Is Squid able to help me with this?
p> > p> > > > By the way... ssh tunnelling is not an option for me.
p> > p> > > > 
p> > p> > > > Regards
p> > p> > > > purgat
p> > p> > As far as I know, this is impossible with squid
p> > p> > but there is a mod_ for apache that does that, just look for it
p> > p> > 
p> > p> > LD
p> > p> 
p> > p> Thanks for the info. I'll check that mod.
p> > p> Anyone else can confirm this?
p> > 
p> > I don't know what apache's particular module is this about.
p> > I can confirm I use the fcgiproxy, the fastcgi'zed CGIProxy in the how I named
p> > it the transparent mode. The diagram is as follows:
p> > 
p> > http://gitweb.vereshagin.org/fcgiproxy/blob_plain/HEAD:/doc/fcgiproxy-06.png
p> > 
p> > This means that having ssl enabled on a hosting you can use any of your url,
p> > say, scheme://host.tld/path?params into this:
p> > 
p> > https://your.ssl.host/yourpath/scheme/host.tld/path?params
p> > 
p> > Furthermore, I convert any of the URLs I ask in my browser into this url by
p> > mean of somewhat complicated stuff which involves ( optionally privoxy ) squid
p> > with URL rewrite, 3proxy is only used for its fake_resolve feature, and nginx
p> > with URL rewrite, again. URL is being rewritten only once: in a squid for http
p> > urls and inside the nginx for https urls.
p> > I use it because I hate any of my ISPs to know what I use to google out about
p> > and what pictures I see. As a fact, I have much more multiple choice about SSL
p> > hosting with a Perl.
p> > The main disadvantage of such an approach is that I can't verify certificate of
p> > a site to be visited ( by means of a perl on a hosting, it's a code yet to be
p> > written as well as certificates manager, including exceptions, saved x.509
p> > certificates and many more stuff like basic auth and content filters ) AND the
p> > certificate of the fcgiproxy's web server as well ( nginx is not able yet to
p> > check the https uplinks' certificates by CAs or any other way, Russian
p> > explanation is: http://forum.nginx.org/read.php?21,83157,85692#msg-85692 ).
p> > I think such a stuff can be useful not only for a personal use to satisfy a
p> > suspicion, but for a corporate environment, too. At the least you can use the
p> > web-served fcgiproxy part on a corporate proxy side and the client side,
p> > currently implemented by means of squid, 3proxy and an nginx proxy,  to avoid
p> > information leaks and a viruses spyware including the contents of the bypassing
p> > https, too.
p> > Commercially I see the service as an anonymizer with commercials on a sidebar.
p> > Client side setup is still a complication yet, but it can be implemented as a
p> > system-tray application or standalone system service since its only intention
p> > is to rewrite the URL as it is mentioned above. I have no idea if such a thing
p> > can be made as a browser plugin but it's obvious to try with a javascript in
p> > hand.
p> > Also, things like that may happen to be possible without anything other than
p> > just squid, but not with versions  older than 2+years from now.
p> > 

Why do you try with application IP layer anyway?
I think that encrypted Layer3 solution, something like openvpn with ssl and a
NAT ( and/or Squid ) should suit your needs and is pretty simple.
The appropriate VPS plans I know for this use to cost about $2/month. I'm not
sure but there are cloud providers who supply even hourly-rated virtual
machines ( $0.0X/hour  ). And, it's nothing supernatural to ask whoever to set
up such a thing for one-time fee.

73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB  12F8 0CE1 4AAC A0E2 6627)
--
http://vereshagin.org
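
The URL mapping described in the quoted message above (scheme://host.tld/path?params becoming https://your.ssl.host/yourpath/scheme/host.tld/path?params), written as a Squid `url_rewrite_program` helper. This is an added example, not code from the thread or from fcgiproxy; it assumes the classic one-line helper format (URL as the first field, an empty reply meaning "leave unchanged"), the gateway prefix is the placeholder from the post, and the function names are hypothetical.

```python
#!/usr/bin/env python3
import sys
from urllib.parse import urlsplit

# Placeholder prefix copied from the post's example; not a real host.
GATEWAY = "https://your.ssl.host/yourpath"


def to_gateway(url, gateway=GATEWAY):
    """scheme://host.tld/path?params -> gateway/scheme/host.tld/path?params"""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # CONNECT host:port and other non-URL requests: untouched
    if url.startswith(gateway + "/"):
        return None  # already rewritten; the post rewrites each URL only once
    rest = parts.path or "/"
    if parts.query:
        rest += "?" + parts.query
    return f"{gateway}/{parts.scheme}/{parts.netloc}{rest}"


def from_gateway(url, gateway=GATEWAY):
    """Inverse mapping: recover the target URL from a gateway URL."""
    prefix = gateway + "/"
    if not url.startswith(prefix):
        raise ValueError("not a gateway URL")
    scheme, sep, rest = url[len(prefix):].partition("/")
    if scheme not in ("http", "https") or not sep or not rest:
        raise ValueError("malformed gateway URL")
    return f"{scheme}://{rest}"


def rewrite_line(line):
    """One helper request ('URL client/fqdn ident method') -> reply line."""
    fields = line.split()
    if not fields:
        return ""
    return to_gateway(fields[0]) or ""  # empty reply = no rewrite


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(rewrite_line(request) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer
```
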

