
Re: FW: Encrypted browser-Squid connection errors

On 10/25/22 11:03 AM, Matus UHLAR - fantomas wrote:
I think intercepting is better, more precise.

I think that Squid can be an interception proxy as it can filter / alter content.

I also think that Squid (as an interception proxy) can be used transparently.

those two are completely separate,

I'm not yet convinced.

A proxy may be intercepting and modify content (e.g. filter), including Squid.

I guess it could be said that the transparency, or modification of content, is one aspect and that how the client connects to the proxy, explicit or implicit (network magic), could be another aspect.

           +-------------+--------+
           | transparent | opaque |
+----------+-------------+--------+
| explicit |      2      |   1    |
+----------+-------------+--------+
| implicit |      3      |   4    |
+----------+-------------+--------+

I believe that Squid can be either transparent and / or opaque depending on its configuration.

I also believe that Squid can be either explicit and / or implicit via networking magic.

When I said that intercepting was a superset of transparent, I was including all four quadrants.

Yes, especially PAC scripts are great to explicitly state what you need, including using SOCKS for connections other than HTTP(S)/FTP (direct SMTP, IMAP, POP3 over SOCKS).

Yep.

I guess PORT connections have to be allowed on the SOCKS server, which is, I'd say, not common (it can be dangerous).

Yes, the PORT connection must be allowed. But the problem that I found was that the PORT declaration has a timeout, a finite time that it would wait for connections. E.g. ten minutes in the example I was looking at.

What's more is that the PORT connections must be declared /per/ /expected/ /connection/. They aren't a generic forward traffic from any Internet connected system into the SOCKS client.

Passive connections are safe in the case of FTP/SSL, where it's impossible for the proxy/firewall to know who connects where.

I don't think that it's impossible. Rather it's just improbable. It's technically possible to do TLS bump in the wire or other things like known keys (non-ephemeral / non-PFS) or sharing ephemeral / PFS keys from internal server with TLS monkey in the middle proxy. Such is technically possible, just highly improbable.



--
Grant. . . .
unix || die

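The four quadrants of the table above, written out as Squid directives. This is an added example, not configuration from the original thread or from the Squid project's documentation; interface names, ports, file paths, the example.net domain and the ICAP service address are assumptions for illustration, and the option spelling is Squid 4+ (`tls-cert=` rather than the older `cert=`).

```conf
# Added example, not from the original thread or the Squid docs: one squid.conf
# showing how the four quadrants (explicit/implicit x transparent/opaque) map
# onto directives. Interfaces, ports, paths and domains are assumptions.

# --- how the client reaches Squid: explicit vs implicit ----------------------
# explicit: the client is configured (by hand or via a PAC file) to use this port
http_port 3128

# implicit ("network magic"): clients believe they talk to the origin server;
# the gateway delivers them here. Assumed iptables rules on that gateway:
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80  -j REDIRECT --to-ports 3129
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-ports 3130
# (use "tproxy" instead of "intercept" when the gateway spoofs client addresses)
http_port  3129 intercept
https_port 3130 intercept ssl-bump \
           tls-cert=/etc/squid/certs/squid-ca.pem \
           generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
# assumed helper path; it differs per distribution
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB

# --- what Squid does to the traffic: transparent vs opaque -------------------
# TLS: peek at the ClientHello to learn the SNI, then decide per destination.
acl step1 at_step SslBump1
acl inspect_domains ssl::server_name .example.net   # assumed: domains we may bump
ssl_bump peek step1
ssl_bump bump inspect_domains   # opaque: decrypt, inspect, re-encrypt (clients must trust squid-ca.pem)
ssl_bump splice all             # transparent: tunnel untouched, end-to-end TLS kept

# Plain HTTP, transparent variant: forward without adding proxy fingerprints.
via off
forwarded_for delete

# Plain HTTP, opaque variant: hand requests and replies to an ICAP content
# filter (assumed service on localhost:1344). Uncomment to enable.
# icap_enable on
# icap_service svc_req  reqmod_precache  icap://127.0.0.1:1344/request
# icap_service svc_resp respmod_precache icap://127.0.0.1:1344/response
# adaptation_access svc_req  allow all
# adaptation_access svc_resp allow all
```

Two practical checks: an `intercept` port only accepts redirected traffic, so keep the explicit port (3128) separate and point PAC files and browser settings at that one; and `ssl_bump bump` only works for clients that have the signing CA installed, which is the "highly improbable" case from the message above, whereas `splice` leaves the TLS session, including any FTPS data channel, unreadable to Squid.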
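The "explicit" row of the table, stated in a PAC file as the message above suggests: HTTP(S) and FTP go to an explicit Squid, anything else a PAC-aware client asks about (IMAP, POP3, SMTP in a mail client) is tunnelled over SOCKS5, and internal names and ranges go DIRECT. This is an added example, not code from the thread or the Squid project. The proxy host names, ports, the `.corp.example` suffix and the 10.0.0.0/8 range are assumptions, and the three helper functions (`isPlainHostName`, `dnsDomainIs`, `isInNet`) are re-implemented here only so the file runs stand-alone under Node; a real PAC host supplies them, and its `isInNet` also resolves host names, which this one does not.

```javascript
// Added example (not from the original thread or the Squid project).
// A PAC file that states the routing explicitly. All names, ports and
// address ranges are assumptions for illustration.

var SQUID = "PROXY squid.corp.example:3128";   // assumed explicit HTTP proxy
var SOCKS = "SOCKS5 socks.corp.example:1080";  // assumed SOCKS5 gateway
var INTERNAL_DOMAIN = ".corp.example";         // assumed internal DNS suffix

// --- helpers normally supplied by the PAC host -------------------------------
// Browsers and PAC-aware mail clients provide these. They are defined here
// only so the file runs stand-alone under Node; this isInNet accepts
// dotted-quad literals only and never performs DNS resolution.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Parse "a.b.c.d" into an unsigned 32-bit number, or null if not a dotted quad.
function ip4ToInt(s) {
  var parts = s.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

function isInNet(host, pattern, mask) {
  var h = ip4ToInt(host), p = ip4ToInt(pattern), m = ip4ToInt(mask);
  if (h === null || p === null || m === null) return false;
  // ">>> 0" keeps the comparison on unsigned values after the 32-bit AND.
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// --- the PAC entry point -----------------------------------------------------
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();

  // Internal destinations bypass both proxies.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, INTERNAL_DOMAIN) ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }

  // Protocols Squid speaks natively go to the explicit proxy. Deliberately no
  // "; DIRECT" fallback: if Squid is down we fail closed rather than leak.
  if (scheme === "http" || scheme === "https" || scheme === "ftp") {
    return SQUID;
  }

  // Everything else (imap, imaps, pop3, smtp, ...) is tunnelled over SOCKS5.
  return SOCKS;
}
```

Note that browsers only call `FindProxyForURL` for the URL schemes they fetch themselves; the SOCKS branch is reached by clients such as mail programs that honour PAC for their own protocols. Because the helpers are defined in the file, they shadow the host's versions, so drop them before deploying if you rely on `isInNet` resolving names.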

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
