On 05/01/11 05:45, Roberto Franchesco wrote:
> I know Squid loses some of its capabilities when it's set up to run in
> Transparent/intercept mode. But looking around I can't find a
> definitive answer to the following question:
> If squid is set up in transparent mode, can it still tunnel secure
> traffic (via the CONNECT method)?
Yes.
> Currently I have this set up with squid acting as a normal proxy
> (where the client's browser knows to send traffic to squid) and I can
> route any traffic (regular http or https via CONNECT) to my first
> squid proxy, and then send it to another squid proxy in the hierarchy.
> client --> squid ----> squid ---> destination
> I know this works because I can see the CONNECT statements in my
> access log for the second squid proxy.
> My question is, if I were to set up the first squid proxy to run in
> transparent mode--so the client's browser would not have to be set to
> direct traffic to the first squid--could I still then route all
> traffic in the same way as the above diagram?
Yes. You may need to configure:
nonhierarchical_direct off
never_direct allow CONNECT
Removing any hierarchy_stoplist directives from your config will also
increase the peer traffic.
> It was my understanding that squid takes SSL traffic and wraps it in
> HTTP CONNECT and passes it along without ever touching any of it. So
No, the opposite is true. Squid by default takes CONNECT and unwraps it
to form a direct SSL connection.
Such wrapping is one way to do SSL interception, but this capability has
not yet been added to Squid.
> to me it seems like a squid set in transparent mode would just wrap
> the SSL traffic up and keep passing it. But I could be mistaken.
Squid cannot intercept and forge server responses to SSL traffic yet.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.10
Beta testers wanted for 3.2.0.4
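As an added illustration (not from the thread or the Squid project), here is a squid.conf fragment for the first-hop Squid that combines the directives Amos names above with a parent peer, so that requests arriving on both an explicit proxy port and an intercept port are forwarded to the second Squid. It uses Squid 3.1 syntax; the peer hostname and the port numbers are placeholders.

```conf
# Added example for the first-hop Squid (3.1 syntax). Hostnames and
# ports are placeholders, not values from the original discussion.

# Explicit proxy port: browsers configured to use this proxy send
# HTTPS here as CONNECT requests.
http_port 3128

# Intercepted port-80 HTTP, redirected to this port by the firewall.
# Intercepted port-443 traffic cannot be handled here, as Squid cannot
# intercept SSL sessions (see Amos's answer above).
http_port 3129 intercept

# The second Squid in the hierarchy: no ICP queries, used as the
# default parent for every request.
cache_peer upstream-squid.example.net parent 3128 0 no-query default

# The CONNECT method acl, as defined in the stock squid.conf.
acl CONNECT method CONNECT

# Do not bypass the parent just because a request looks
# non-hierarchical (no cacheable URL, CONNECT, and so on).
nonhierarchical_direct off

# Force CONNECT tunnels through the parent; the second rule forces
# all remaining traffic there too, matching the client->squid->squid
# diagram in the question.
never_direct allow CONNECT
never_direct allow all

# Deliberately no hierarchy_stoplist lines: with one present, matching
# URLs (cgi-bin, '?') would be sent direct instead of to the peer.
```

With this in place the CONNECT lines should appear in the second Squid's access.log exactly as they do for the browser-configured setup.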