Search squid archive

Re: FW: Encrypted browser-Squid connection errors

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/25/22 2:43 AM, Matus UHLAR - fantomas wrote:
if by "transparent" you mean "intercepting" proxy, that is incorrect

On 25.10.22 09:47, Grant Taylor wrote:
By "transparent" I mean using network techniques to force clients to use a proxy that aren't themselves aware that they are using a proxy.

I prefer to explicitly state what one means by transparent because RFC2616 has defined transparent proxy diferently:

      A
      "transparent proxy" is a proxy that does not modify the request or
      response beyond what is required for proxy authentication and
      identification.

term "interception proxy" better defines what happens here:

   Instead, an
   interception proxy filters or redirects outgoing TCP port 80 packets
   (and occasionally other common port traffic).

CONNECT is HTTP command designed for use with explicit HTTP proxy.

Agreed.

But what does Squid do differently after recognizing the request from the client; be it a GET, PUT, POST, or even a CONNECT; the former being transparent with the latter being explicit. Squid will still proxy the request as it understands it dependent on configuration, ACLs, etc.

FYI, Intercepting proxy must use measures to avoid host header forgery:

https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
https://www.kb.cert.org/vuls/id/435052

squid must find out the original destination IP used and check, while in explicit mode it makes no sense.

These are the FTP protocol "hacks" I mentioned before.
The HTTP protocol was created with proxying in mind, FTP was not.
using specially crafted login name for connecting to anoter server is one of those hacks.

Okay.

I (mis)took "hacks" to be things more severe like is typically done with proxifiers used with SOCKS servers, e.g. altering / overloading system library calls.

this is a bit different kind of hacks.

Generally the SOCKS library know where/how to connect, socks wrappers (like socksify, tsocks, proxychains) are used to make other software use socks proxy even if it does not support it.

and of course socks is generic bidiretional tcp/udp proxy, which makes it possible to implement it near over any kind of communication.

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux