
Re: Non intrusive sslbump for whitelisting (asked many times but..)


On 11/11/17 14:03, Amos Jeffries wrote:
On 11/11/17 01:05, A. Benz wrote:
Hi Amos,

Thanks for your continued support.

1.

Do you mean the VPN exit point has that 10/8 IP address? or that the traffic from the client is altered to be going to that IP before it reaches Squid?

The latter is broken because it destroys the original dst-IP values on the TCP connection. Which Squid needs to set up the server connection.

Let me put it as an example:

 From the normal internet: mail.amosprivateserver.org > publicly accessible IP.

 From my place: mail.amosprivateserver.org > 10.x.x.x (corporate network, accessible only from within the place).

Anyways no worries about this! I decided to make an exception in the redirect rule, so that if the outgoing traffic matches the IP 10.x.x.x then the firewall will not redirect the traffic to squid and instead establish a connection directly.

This is not ideal, but it works.


Or have Squid relay everything through the same server(s) and
the server do the distinguishing between traffic and just relay everything to the same


Damn that sounds daft.

What I meant to write was:

Or have Squid relay everything through the same server(s) and
the server do the distinguishing between traffic.

Or set up a cache_peer and have the traffic with src IP of the internal clients going to that domain sent there.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



