On 7/9/19 9:10 AM, Tardif, Christian wrote:

> I have a node on which there’s an application which isn’t proxy aware so
> basically, the only remaining option would be to use a transparent
> proxy. But my corporate proxy isn’t a transparent proxy. So I have to
> build this in two layers. My solution would be to:
>
> 1) Have a squid proxy on the node’s router host configured as a
> transparent proxy for both HTTP and HTTPS
>
> 2) Have this squid proxy configured to talk to the parent host,
> which would be my corporate proxy
>
> 3) Have this squid proxy able to decide if a particular flow should
> go to the corporate proxy or connect “directly” with the destination host
>
> I’ve been successful at tasks #2 and #3 (well, in fact, I did it with
> tinyproxy but stopped because of task #1).
>
> I’ve partly succeeded at task #1. In fact, it worked for HTTP. I haven’t
> figured out how to do it for HTTPS. My questions are:
>
> 1) I do not understand how the client would be able to perform a
> CONNECT to reach squid in HTTPS. So I’m assuming that there’s some other
> magic.

The client will attempt to open a TLS/TCP connection to the origin server. Your router (or some such) will redirect client TLS/TCP bytes to your Squid's https_port. If configured correctly, Squid will accept that TCP connection and wrap/forward it into/inside an HTTP CONNECT tunnel through the corporate proxy.

> 2) The second thing I don’t understand is the certificates
> management. Let’s say my node tries to reach https://www.google.com but
> does not know anything about the proxy. I assume that the client will
> get the certificate from squid in some way, but would probably expect to
> receive a certificate from Google. How would that work?

* If you do not want your Squid to look inside the connection to google.com, then your Squid will work at TCP level. Same for the corporate proxy. Both proxies will forward Google's certificate to the unsuspecting client and everything will work fine most[XXX] of the time.

* Otherwise, you will need to use SslBump functionality and impersonate the origin server, including faking its certificate. If you add your proxy CA certificate to the client, this bumping will work for some sites and will break others.

[XXX] The only HTTPS-related problem you may have in a tunneling-only Squid is with TCP-level error reporting to the client (e.g., when Squid cannot connect to the corporate proxy). By default, Squid may want to bump the client connection (to report those errors to the client), causing bumping problems mentioned in the second bullet above. For Squid configurations that are not supposed to bump traffic at all, this implicit bumping on errors is a bug/misfeature.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
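A squid.conf sketch for the tunneling-only (first bullet) variant described in the reply, added here as an illustration and not taken from the thread or from the Squid project's own documentation: intercept ports for HTTP and HTTPS, a peek/splice rule so Squid never decrypts the TLS stream, a parent cache_peer standing in for the corporate proxy, and always_direct/never_direct ACLs for the per-flow routing decision (task #3). The host names, ports, CA file path, client subnet and the Squid 4+ `tls-cert=` option name are assumptions.

```conf
# Assumed example squid.conf for a transparent, tunneling-only Squid on the router host.
# Host names, ports, paths and the client subnet are placeholders, not values from the thread.

# Intercepted plain HTTP (the HTTP half of task #1). Redirect TCP/80 here with the router's NAT.
http_port 3128 intercept

# Intercepted HTTPS. An intercept https_port needs the ssl-bump option so Squid can peek at
# the TLS ClientHello, and a certificate/key even though everything is spliced: Squid uses
# it whenever it does bump, including the implicit bump-on-error the reply calls a misfeature.
# (Squid 3.5 spells the option cert= instead of tls-cert=.)
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/proxy-ca.pem generate-host-certificates=on

# Router-side redirection, run on the router host (assumed client subnet 192.0.2.0/24):
#   iptables -t nat -A PREROUTING -s 192.0.2.0/24 -p tcp --dport 80  -j REDIRECT --to-ports 3128
#   iptables -t nat -A PREROUTING -s 192.0.2.0/24 -p tcp --dport 443 -j REDIRECT --to-ports 3129

# Work at TCP level: peek at step 1 only to learn the SNI, then splice (never decrypt).
# The origin server's real certificate therefore reaches the client untouched.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# Task #2: the corporate proxy as parent. Spliced HTTPS flows reach it as CONNECT tunnels.
cache_peer corp-proxy.example.internal parent 8080 0 no-query default

# Task #3: decide per flow. Internal destinations go direct; everything else via the parent.
# For a spliced HTTPS flow the destination name is the SNI learned at step 1, hence
# ssl::server_name; dstdomain covers the plain-HTTP case.
acl direct_https ssl::server_name .corp.example.internal
acl direct_http  dstdomain        .corp.example.internal
always_direct allow direct_https
always_direct allow direct_http
never_direct  allow all

# Client access control for the assumed LAN.
acl localnet src 192.0.2.0/24
http_access allow localnet
http_access deny all
```

With this configuration the client never sees a certificate issued by the proxy CA on a successful connection, so no CA needs to be installed on the node for normal traffic. The caveat from the reply still applies: if Squid cannot reach the parent, it may bump the client connection to deliver an error page, and that bump will fail TLS validation on a client that does not trust /etc/squid/proxy-ca.pem. Watch cache.log for such failures rather than treating them as origin-side errors.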