On 29/04/2014 9:51 a.m., Lee Kemp wrote:
> Hello Squid Mailing List (my 1st post :) )
>
> Looking to set up a small squid proxy for around 12 mobile devices
> without the need to add a proxy to the devices, because the network I am
> doing this for already has a firewall (which we have no direct control)
> and an "upstream" proxy does there need to be any configuration changes
> on the firewall or can squid just be told there is an upstream proxy and
> requests are forwarded to it.

Let's see if I am understanding your requirements...

You have devices that you cannot change, sending traffic through a firewall/routing system you can't change, to an upstream you can't change.

Some difficulties but solvable ones. The existence of a parent proxy could be a good thing. Intercepting the existing client traffic to parent proxy is actually safer and easier than intercepting port 80 traffic.

You will need a device you can control configuration of on the wire/path these clients' traffic is using. That could be
 A) a small router just pointing the packets at a separate squid machine, or
 B) the Squid machine itself with bridge or router setup in its OS settings.

If the clients are explicitly configured to use the parent proxy, those connections *can* be NATed to a separate Squid machine's http_port. *do not* use the "intercept" option in squid.conf for this traffic - set up Squid as a regular forward proxy (it is standing in for the parent proxy).

If the parent proxy is intercepting too (no proxy configured on the clients), then the port 80 (and/or 443) NAT (or TPROXY) *must* occur on the same machine Squid is running on and the "intercept" (or "tproxy") flag is required.

To deliver traffic to the parent proxy use a "cache_peer" directive of type parent pointing Squid at it. That is all.

>
> the reason I ask is because I have tried to use some other router
> distros, Smoothwall Express for example, and they have not been able to
> forward any of the https traffic. I don't have an essential need for the
> local proxy to cache internet pages, simply to provide a connection is
> enough.

I'm not clear on what you mean by "forward any of the https traffic".

FWIW Smoothwall is a Squid based product. Albeit using an old version last time I checked. So you will likely find Squid (or any HTTP proxy) has the same limitations. HTTPS is designed not to allow middleware operations on the traffic, doing so is tricky and far from "transparent".

Amos
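The two setups described in the reply above, sketched as a squid.conf fragment. This is an added example, not part of the original thread or Squid's own documentation; the addresses and ports (192.0.2.10:8080 for the parent proxy, 10.0.0.0/24 for the devices, 3128/3129 for Squid) are constructed placeholders, and it assumes the firewall only lets traffic out via the parent proxy.

```conf
# Added example. All addresses and ports are constructed placeholders:
#   10.0.0.0/24      subnet of the mobile devices
#   192.0.2.10:8080  the upstream (parent) proxy

# Only the known device subnet may use this proxy; everything else is refused.
# Keep the stock Safe_ports / CONNECT restrictions from the default
# squid.conf above these two lines.
acl devices src 10.0.0.0/24
http_access allow devices
http_access deny all

# Case 1: clients are explicitly configured to use the parent proxy and a
# router DNATs those connections to this machine. Squid stands in for the
# parent, so this is a plain forward-proxy port with NO "intercept" flag.
http_port 3128

# Case 2: no proxy is configured on the clients and their port 80 traffic is
# redirected by NAT rules on THIS machine (not on a separate router).
# Only then is the flag required; use a separate port for it.
# http_port 3129 intercept

# Hand every request to the parent proxy.
cache_peer 192.0.2.10 parent 8080 0 no-query default

# Assumption: the firewall blocks direct outbound connections, so never try
# to reach origin servers directly; fail instead of bypassing the parent.
never_direct allow all

# Caching was stated as not needed; run as a pure relay.
cache deny all
```

With `never_direct allow all`, CONNECT requests from explicitly configured clients are also relayed to the parent rather than opened directly, which keeps HTTPS tunnels on the path the firewall permits.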