On 13/12/2016 10:15 p.m., Per Jessen wrote:
> Amos Jeffries wrote:
>
>> On 13/12/2016 5:11 a.m., Fomo Dong wrote:
>>> Hi all,
>>>
>>> For a couple of days I'm trying to figure out how to get a transparent
>>> HTTPs proxy to work with Squid. What I'm trying to achieve is a proxy
>>> that accepts internet traffic from ports 80 & 443, routes them
>>> through Squid to Privoxy and finally through Tor and returns back the
>>> data. So essentially I want to "automatically" revert some traffic
>>> through Tor without the user needing to add a proxy to their
>>> connection.
>>>
>>> I know how to set up the Privoxy and Tor part, but I'm struggling with
>>> the Squid & IP tables configuration.
>>
>> The first thing to be aware of is that Squid obeys the HTTPS
>> requirement that traffic received on TLS connection also goes out one.
>> So your Privoxy must be capable of receiving TLS connections from
>> Squid.
>>
>> If Privoxy cannot do TLS like that you could have Squid do the privacy
>> filtering. But then Tor would face the same requirement.
>>
>>
>> Second thing I want to make clear is that a *transparent* proxy is the
>> opposite of an anonymizing proxy. A transparent proxy hides *itself* while
>> _revealing_ the client. An anonymous proxy reveals itself, while
>> hiding the client(s). They are almost direct opposites in behaviour.
>>
>> Anyhow, what you meant by the word "transparent" turns out to actually
>> be "intercepting".
>
> We also run a "transparent" proxy, but it is transparent for the
> _client_. The main office router simply sends an ICMP redirect to
> point clients to the proxy.
>

Uh, ICMP redirect informs the client that it's not contacting the original
server. It also implies there are no NAT records for the proxy to look up to
resolve the ORIGINAL_DST address. How does that work with the 'transparent'
mode flag on your http_port line(s)? Not well I suspect.

It is people calling non-transparent things like that "transparent" which
has led to Fomo's problem of the configuration being half *actual*
Transparent Proxy (TPROXY, 'tproxy' mode) and half NAT interception
(REDIRECT, 'intercept' mode).

Amos
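
The half-TPROXY, half-NAT mix-up described in the message above can be caught by comparing the mode flag on each `http_port`/`https_port` line with the netfilter target that delivers traffic to that port. The checker below is an added example, not code from this thread or from the Squid project; the function names, the sample configuration and the sample rules are constructed, and it assumes rules in `iptables-save` format and treats `transparent` as the older spelling of `intercept`.

```python
import re

# Mode flag that Squid's http_port needs for each netfilter target:
# REDIRECT/DNAT rewrite the destination (NAT interception), TPROXY does not.
TARGET_MODE = {"REDIRECT": "intercept", "DNAT": "intercept", "TPROXY": "tproxy"}
LEGACY = {"transparent": "intercept"}  # assumed: pre-3.1 spelling of the NAT flag

def squid_ports(conf):
    """Return {port: 'intercept' | 'tproxy' | 'forward'} from squid.conf text."""
    ports = {}
    for line in conf.splitlines():
        words = line.split("#")[0].split()
        if len(words) < 2 or words[0] not in ("http_port", "https_port"):
            continue
        port = int(words[1].rsplit(":", 1)[-1])  # accepts "3129" or "addr:3129"
        flags = [LEGACY.get(w, w) for w in words[2:]]
        ports[port] = next((f for f in flags if f in ("intercept", "tproxy")), "forward")
    return ports

def firewall_ports(rules):
    """Return {local port: mode the rule requires} from iptables-save text."""
    found = {}
    for line in rules.splitlines():
        m = re.search(r"-j (REDIRECT|DNAT|TPROXY)\b(.*)", line)
        if not m:
            continue
        p = re.search(r"--(?:to-ports?|on-port)\s+(\d+)|--to-destination\s+\S*:(\d+)", m.group(2))
        if p:
            found[int(p.group(1) or p.group(2))] = TARGET_MODE[m.group(1)]
    return found

def mismatches(conf, rules):
    """List (port, mode the firewall needs, mode Squid has or None)."""
    squid = squid_ports(conf)
    return [(port, need, squid.get(port))
            for port, need in sorted(firewall_ports(rules).items())
            if squid.get(port) != need]

# Constructed sample input, not taken from the thread.
SQUID_CONF = """\
http_port 3128
http_port 3129 tproxy
https_port 3130 intercept ssl-bump cert=/etc/squid/example-ca.pem
"""
RULES = """\
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
"""

if __name__ == "__main__":
    for port, need, have in mismatches(SQUID_CONF, RULES):
        print(f"port {port}: firewall needs '{need}', squid.conf has '{have}'")
```

On the sample input only port 3129 is reported: the firewall delivers traffic to it with REDIRECT while Squid listens there in `tproxy` mode.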