On Tue, 2010-12-14 at 10:55 +0300, Peter Vereshagin wrote:
> Any time of year you can find me here purgat.
> 2010/12/13 22:23:48 +0330 purgat <purgatio@xxxxxxxxx> => To squid-users@xxxxxxxxxxxxxxx :
> p> This definitely is too complicated for me. Getting all these working
> p> together doesn't seem an easy task for someone who has never used any
> p> of these for anything before. From what I could understand from your
> p> diagram and explanation, I would say this is an option that works as I
> p> need but that's it.
> p> I'll try to see if I can find easier options. I am starting to think I
> p> need to spend a few months and loads of caffeine to write something
> p> myself (though it is sort of life/death scenario involved, and time
> p> matters so much).
> p> Options are running out fast...
> p> :(
> p>
> p>
> p> On Mon, 2010-12-13 at 13:20 +0300, Peter Vereshagin wrote:
> p> > You know St. Peter won't call my name, purgat!
> p> > 2010/12/13 00:20:23 +0330 purgat <purgatio@xxxxxxxxx> => To squid-users@xxxxxxxxxxxxxxx :
> p> > p> On Sun, 2010-12-12 at 14:19 -0600, Luis Daniel Lucio Quiroz wrote:
> p> > p> > On Sunday 12 December 2010 11:00:43, guest01 wrote:
> p> > p> > > Maybe not exactly what you are looking for, but have you thought of
> p> > p> > > using IPSec? You could deploy IPSec and encrypt every connection from
> p> > p> > > your clients to the Proxy.
> p> > p> > > I don't know what you are trying to achieve, but if your objective is
> p> > p> > > to encrypt connections from the Clients to the proxy, IPSec would be
> p> > p> > > perfectly transparent and scalable.
> p> > p> > >
> p> > p> > > On Sunday, December 12, 2010, purgat <purgatio@xxxxxxxxx> wrote:
> p> > p> > > > Hi
> p> > p> > > > I have seen similar discussions in the list in the past but none exactly
> p> > p> > > > answers my question.
> p> > p> > > > This is the setup I am looking for:
> p> > p> > > > a server somewhere out there runs one or more instances of squid.
> p> > p> > > > user at home sets up the browser to use the proxy.
> p> > p> > > > whenever user puts an address in their browser address bar, the request is
> p> > p> > > > encrypted with ssl and sent to squid. Instances (if more than one is
> p> > p> > > > necessary) of squid then request the page through normal http from the
> p> > p> > > > Internet and send the response through ssl back to the client.
> p> > p> > > > Unfortunately the answers I have seen to this question in the past seem to
> p> > p> > > > ignore the fact that the user may want to use different websites. I
> p> > p> > > > don't want just a couple of addresses to be accelerated by squid and
> p> > p> > > > sent through ssl. What I am looking for is not a normal reverse proxy,
> p> > p> > > > glorified with ssl. Unfortunately there is no example of such a setup in
> p> > p> > > > the wiki though I know a lot of people would want this set up for securing
> p> > p> > > > data in their insecure local network. The explanations on the web about
> p> > p> > > > how to set this up come short of explaining a lot of things about an
> p> > p> > > > already complex matter.
> p> > p> > > > Is Squid able to help me with this?
> p> > p> > > > By the way... ssh tunnelling is not an option for me.
> p> > p> > > >
> p> > p> > > > Regards
> p> > p> > > > purgat
> p> > p> > As far as I know, this is impossible with squid
> p> > p> > but there is a mod_ for apache that does that, just look for it
> p> > p> >
> p> > p> > LD
> p> > p>
> p> > p> Thanks for the info. I'll check that mod.
> p> > p> Can anyone else confirm this?
> p> >
> p> > I don't know what apache's particular module this is about.
> p> > I can confirm I use the fcgiproxy, the fatscgi'zed CGIProxy, in what I named
> p> > the transparent mode. The diagram is as follows:
> p> >
> p> > http://gitweb.vereshagin.org/fcgiproxy/blob_plain/HEAD:/doc/fcgiproxy-06.png
> p> >
> p> > This means that having ssl enabled on a hosting you can turn any of your urls,
> p> > say, scheme://host.tld/path?params into this:
> p> >
> p> > https://your.ssl.host/yourpath/scheme/host.tld/path?params
> p> >
> p> > Furthermore, I convert any of the URLs I ask in my browser into this url by
> p> > means of somewhat complicated stuff which involves ( optionally privoxy ) squid
> p> > with URL rewrite, 3proxy is only used for its fake_resolve feature, and nginx
> p> > with URL rewrite, again. The URL is being rewritten only once: in squid for http
> p> > urls and inside nginx for https urls.
> p> > I use it because I hate any of my ISPs to know what I use to google out about
> p> > and what pictures I see. As a fact, I have much more choice of SSL
> p> > hosting with a Perl.
> p> > The main disadvantage of such an approach is that I can't verify the certificate of
> p> > a site to be visited ( by means of a perl on a hosting, it's code yet to be
> p> > written as well as a certificates manager, including exceptions, saved x.509
> p> > certificates and much more stuff like basic auth and content filters ) AND the
> p> > certificate of the fcgiproxy's web server as well ( nginx is not able yet to
> p> > check the https uplinks' certificates by CAs or any other way, Russian
> p> > explanation is: http://forum.nginx.org/read.php?21,83157,85692#msg-85692 ).
> p> > I think such stuff can be useful not only for personal use to satisfy a
> p> > suspicion, but for a corporate environment, too. At the least you can use the
> p> > web-served fcgiproxy part on a corporate proxy side and the client side,
> p> > currently implemented by means of squid, 3proxy and an nginx proxy, to avoid
> p> > information leaks and viruses and spyware, including the contents of the bypassing
> p> > https, too.
> p> > Commercially I see the service as an anonymizer with commercials on a sidebar.
> p> > Client side setup is still a complication yet, but it can be implemented as a
> p> > system-tray application or standalone system service since its only intention
> p> > is to rewrite the URL as it is mentioned above. I have no idea if such a thing
> p> > can be made as a browser plugin but it's obvious to try with a javascript in
> p> > hand.
> p> > Also, things like that may happen to be possible without anything other than
> p> > just squid, but not with versions older than 2+ years from now.
> p> >
>
> Why do you try with the application IP layer anyway?
> I think that an encrypted Layer3 solution, something like openvpn with ssl and a
> NAT ( and/or Squid ) should suit your needs and is pretty simple.
> The appropriate VPS plans I know for this use to cost about $2/month. I'm not
> sure but there are cloud providers who supply even hourly-rated virtual
> machines ( $0.0X/hour ). And, it's nothing supernatural to ask whoever to set
> up such a thing for a one-time fee.
>
> 73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)
> --
> http://vereshagin.org

Thanks Peter

The suggestion is right. It does suit my needs. I encountered difficulty setting it up though. Maybe when I am more experienced I will seek your guidance to try this solution too. For the time being I found something else.
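The client-side rewriting step Peter describes (turning scheme://host.tld/path?params into https://your.ssl.host/yourpath/scheme/host.tld/path?params before squid forwards it) is the kind of job Squid hands to a url_rewrite_program helper. The following is an added example of such a helper in Python, not fcgiproxy's or any poster's code; the front-end host name, the path prefix and the decision to pass through CONNECT (https) requests unchanged, as the thread says nginx handles those, are assumptions about a setup like his.

```python
import sys
from urllib.parse import urlsplit

# Assumed values (not taken from the thread): the TLS-enabled host that serves
# the CGI-style forwarder, and the path prefix it is mounted under.
SSL_HOST = "your.ssl.host"
PATH_PREFIX = "/yourpath"


def rewrite(url: str) -> str:
    """Map scheme://host.tld/path?params onto
    https://SSL_HOST/PATH_PREFIX/scheme/host.tld/path?params.
    Returns "" (squid's "leave the URL unchanged") when no rewrite applies."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""            # CONNECT host:port lines, ftp, malformed input
    if parts.hostname == SSL_HOST:
        return ""            # already wrapped: never rewrite our own front end
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    # parts.netloc keeps an explicit :port (and any user:pass@) verbatim
    return f"https://{SSL_HOST}{PATH_PREFIX}/{parts.scheme}/{parts.netloc}{path}{query}"


def handle_line(line: str) -> str:
    """One request from squid: "[channel-ID] URL client_ip/fqdn ident method ...".
    The channel-ID is present only with url_rewrite_children ... concurrency=N
    and must be echoed back first so squid can match the reply to the request."""
    fields = line.split()
    if not fields:
        return ""
    channel = ""
    if fields[0].isdigit():
        channel, fields = fields[0], fields[1:]
    reply = rewrite(fields[0]) if fields else ""
    return f"{channel} {reply}".strip() if channel else reply


def main() -> None:
    # squid writes one request per line and waits for exactly one reply line
    for raw in sys.stdin:
        sys.stdout.write(handle_line(raw.rstrip("\n")) + "\n")
        sys.stdout.flush()   # unbuffered replies, or squid stalls on this helper


if __name__ == "__main__":
    main()
```

Squid starts the helper through its url_rewrite_program directive; an https site reaches squid as CONNECT host:443, which this helper deliberately leaves alone, and a request already pointing at the SSL front end is also left alone so the rewrite cannot loop.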