> The client will attempt to open a TLS/TCP connection to the origin server. Your router (or some such) will redirect client TLS/TCP bytes to your Squid's https_port. If configured correctly, Squid will accept that TCP connection and wrap/forward it into/inside an HTTP CONNECT tunnel through the corporate proxy.

I'm trying to accomplish something similar, but I don't see Squid wrap the connection to the parent proxy in an HTTP CONNECT tunnel.

User -----> Squid (Transparent Proxy) ---------> Parent Proxy ------> Internet

I need to see a CONNECT tunnel between Squid (Transparent Proxy) and Parent Proxy, but I don't. Based on another thread, is this something that works only starting with Squid 4.x? My version is squid 3.5.25.

On Wed, Jul 10, 2019 at 5:02 AM <squid-users-request@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Message: 1
> Date: Tue, 9 Jul 2019 13:10:21 +0000
> From: "Tardif, Christian" <christian.tardif@xxxxxxx>
> Subject: Non-standard proxy setup
>
> Hi,
>
> I'm trying to figure out how to make the following setup work:
>
> I have a node on which there's an application which isn't proxy aware, so basically the only remaining option would be to use a transparent proxy. But my corporate proxy isn't a transparent proxy. So I have to build this in two layers. My solution would be to:
>
> 1) Have a squid proxy on the node's router host configured as a transparent proxy for both HTTP and HTTPS
>
> 2) Have this squid proxy configured to talk to the parent host, which would be my corporate proxy
>
> 3) Have this squid proxy able to decide if a particular flow should go to the corporate proxy or connect "directly" with the destination host
>
> I've been successful at tasks #2 and #3 (well, in fact, I did it with tinyproxy but stopped because of task #1).
>
> I've partly succeeded at task #1. In fact, it worked for HTTP. I haven't figured out how to do it for HTTPS. My questions are:
>
> 1) I do not understand how the client would be able to perform a CONNECT to reach squid in HTTPS. So I'm assuming that there's some other magic.
>
> 2) The second thing I don't understand is the certificates management. Let's say my node tries to reach https://www.google.com but does not know anything about the proxy. I assume that the client will get the certificate from squid in some way, but would probably expect to receive a certificate from Google. How would that work?
>
> Can someone help me? I'm running out of options...
>
> Thanks,
>
> Christian Tardif
>
> ------------------------------
>
> Message: 2
> Date: Tue, 9 Jul 2019 09:54:25 -0400
> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: Non-standard proxy setup
>
> On 7/9/19 9:10 AM, Tardif, Christian wrote:
>
> > [...]
> >
> > 1) I do not understand how the client would be able to perform a CONNECT to reach squid in HTTPS. So I'm assuming that there's some other magic.
>
> The client will attempt to open a TLS/TCP connection to the origin server. Your router (or some such) will redirect client TLS/TCP bytes to your Squid's https_port. If configured correctly, Squid will accept that TCP connection and wrap/forward it into/inside an HTTP CONNECT tunnel through the corporate proxy.
>
> > 2) The second thing I don't understand is the certificates management. Let's say my node tries to reach https://www.google.com but does not know anything about the proxy. I assume that the client will get the certificate from squid in some way, but would probably expect to receive a certificate from Google. How would that work?
>
> * If you do not want your Squid to look inside the connection to google.com, then your Squid will work at TCP level. Same for the corporate proxy. Both proxies will forward Google's certificate to the unsuspecting client and everything will work fine most[XXX] of the time.
>
> * Otherwise, you will need to use SslBump functionality and impersonate the origin server, including faking its certificate. If you add your proxy CA certificate to the client, this bumping will work for some sites and will break others.
>
> [XXX] The only HTTPS-related problem you may have in a tunneling-only Squid is with TCP-level error reporting to the client (e.g., when Squid cannot connect to the corporate proxy). By default, Squid may want to bump the client connection (to report those errors to the client), causing bumping problems mentioned in the second bullet above. For Squid configurations that are not supposed to bump traffic at all, this implicit bumping on errors is a bug/misfeature.
>
> HTH,
>
> Alex.

--
regards,
Arun
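As an added example (not posted by anyone in the thread), here is a squid.conf fragment for the tunnel-only variant Alex describes in his first bullet, covering Christian's three tasks: intercept HTTP and HTTPS, peek at the SNI and splice so the origin's real certificate reaches the client, and send everything except an internal domain through the corporate proxy as a CONNECT tunnel. The client subnet, parent hostname, ports, internal domain and certificate path are placeholders; the option names follow Squid 3.5 syntax, and the fragment assumes a Squid release that can splice intercepted TLS through a cache_peer, which the thread leaves open for 3.5.25.

```conf
# Added example, not from the thread. Placeholder values throughout.

# Who may use this proxy (intercepted clients still pass http_access).
acl localnet src 192.168.10.0/24
http_access allow localnet
http_access deny all

# Task 1: accept traffic the router redirects here (port 80 -> 3128,
# port 443 -> 3129 via iptables REDIRECT/TPROXY, not shown).
http_port  3128 intercept
# A CA cert is still required: per Alex's [XXX] note, Squid bumps the
# client connection to report TCP-level errors even in splice-only setups.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl/squid-ca.pem generate-host-certificates=on

# Alex's first bullet: work at TCP level. Peek at the ClientHello only to
# learn the SNI, then splice, so Squid never impersonates the origin.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# Task 2: the non-transparent corporate proxy as the only parent.
cache_peer corp-proxy.example.internal parent 8080 0 no-query default

# Task 3: per-destination routing. Names under .internal.example go
# direct; everything else must be wrapped in a CONNECT to the parent,
# and never_direct means a dead parent yields an error, not a bypass.
acl go_direct dstdomain .internal.example
always_direct allow go_direct
never_direct allow all
```

Spliced connections that went through the parent show up in access.log as CONNECT requests with a parent hierarchy code (FIRSTUP_PARENT or DEFAULT_PARENT) instead of HIER_DIRECT, which is the quickest way to confirm the tunnel Arun is looking for.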