On 12/10/11 17:33, nipun_mlist Assam wrote:
> This may be relevant to this question. While trying to use Squid for transparent proxy (tproxy) on Linux (kernel 2.6.39 with CentOS 6.0), I noticed the following:
>
> 1. Client IP spoofing doesn't work (but for our work, this requirement was a must).
In what way?
> 2. Squid with tproxy doesn't work with HTTPS traffic.
In what way?

HTTP:
  http_port 1 tproxy ...

HTTPS:
  https_port 2 tproxy ...
> I made fixes for both the issues and then the above problems were solved. I made an assumption that traffic with destination port 443 will always be used for HTTPS, and that I used as an indication to switch to SSL on the Squid side. Squid will transparently listen on two ports; one of these ports will be used for port 80 traffic and the other for port 443 traffic.
You cannot make this assumption. The system administrator has configured the port (http_port vs https_port) to match the traffic arriving. Both in Squid and in the firewall. Replacing this manual configuration automatically with a possibly wrong assumption is not a good thing to do.
Also, Squid does not correctly handle the SSL when it arrives via interception, due to not having the SSL security keys which are installed on the destination web server the client was contacting.
Do not confuse this with a TPROXY failure.
> I made the changes in the Squid 3.2.0.10 code base. I am wondering if those fixes are already available somewhere.
>
> Regards,
> Nipun
Please first re-check your solution to #2 in light of the https_port directive and comments above.
Please check that the changes will still apply easily on the latest 3.2 series or 3.HEAD series code.
Then please submit to squid-dev mailing list for review. The submission guidelines can be found at:
http://wiki.squid-cache.org/MergeProcedure

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.12
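As an added illustration of the point Amos makes above (the listener, not a port-number guess inside Squid, decides whether traffic is treated as HTTP or HTTPS), here is a constructed squid.conf fragment with one tproxy listener per protocol and the matching firewall rules. This is example configuration, not text from the thread or from the Squid project; the listener ports 3129/3130, the certificate and key paths, and the fwmark/routing-table numbers are assumptions, and the iptables/ip lines follow the commonly documented TPROXY recipe rather than anything quoted in the mail.

```conf
# squid.conf fragment (constructed example). One TPROXY listener per
# protocol: the firewall decides which listener a connection reaches,
# so Squid never has to infer HTTP vs HTTPS from the destination port.

# Plain-HTTP interception: the firewall diverts port-80 traffic here.
http_port 3129 tproxy

# HTTPS interception: the firewall diverts port-443 traffic here.
# Squid terminates TLS with its OWN certificate (placeholder paths),
# not the origin server's, so clients see a certificate mismatch
# unless they have been configured to trust this proxy certificate.
https_port 3130 tproxy cert=/etc/squid/ssl/proxy-cert.pem key=/etc/squid/ssl/proxy-key.pem

# Matching firewall and policy-routing rules, run as root on the proxy
# host. Kept as comments so this file remains a pure squid.conf fragment.
# The mark value (1) and routing table (100) are arbitrary but must agree
# between the iptables rules and the ip rule/route lines.
#
#   iptables -t mangle -N DIVERT
#   iptables -t mangle -A DIVERT -j MARK --set-mark 1
#   iptables -t mangle -A DIVERT -j ACCEPT
#   # already-established proxied sockets skip the TPROXY rules
#   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#   # port 80 -> the http_port listener, port 443 -> the https_port listener
#   iptables -t mangle -A PREROUTING -p tcp --dport 80  -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
#   iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3130
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
```

The split keeps the protocol decision in one place (the firewall rule that chooses `--on-port`), which is the manual configuration Amos says should not be replaced by an in-code assumption; if an operator runs HTTPS on a non-standard port, only the `--dport` in the corresponding rule changes.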