Re: [squid-users] Transparent proxy to upstream authenticating proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 27 Jul 2009 23:59:09 +1200

Vosloo, Jaco wrote:
> From: Amos Jeffries
>> From: Henrik Nordstrom
>>> From: Vosloo, Jaco
>>>> I need to configure a transparent proxy to an upstream authenticating
>>>> proxy and I believe that Squid should be able to do this. I've been
>>>> searching the net for months now and would really appreciate any advice
>>>> or pointers.
>>> interception and authentication are mutually exclusive.
>>>
>>>> 2. The FAQ says authentication can not be run on a transparent proxy,
>>>> this is acceptable because I do not want to authenticate on the
>>>> transparent proxy, I want the transparent proxy to let the user
>>>> authenticate to the upstream proxy.
>>> Does not matter. What matters is that the browser isn't configured for
>>> using a proxy so it does not accept that the requested web server (as
>>> far as the browser knows, it's talking to the IP of the requested web
>>> server) suddenly requests proxy authentication.
>>>
>> He seems to be asking for a way to let Squid ignore the Proxy-Auth
>> headers and simply not strip any that go through if the BC does ask for
>> it. Semantic transparency et al.
>
>
> Thanks for the replies. Amos is correct, I'm trying to use squid as a
> truly transparent proxy, it should not add anything or take anything
> away except when the object is cacheable.
>
> The browser is configured to use the upstream proxy. I want the
> transparent proxy to be a MITM between the browser and the upstream
> proxy and cache whatever can be cached. This is why I am wondering if a
> reverse proxy in front of the upstream proxy might provide the solution?
>
> I have full control over the browsers as well as the internal DNS so I
> can change the DNS to point to whatever proxy I want.
>
> Current setup:
> Browser --Auth--> Proxy1 --> Web server
>
> New setup:
> Browser --Tunnel Auth--> ProxyMITM --Tunnel Auth--> Proxy1 --> Web Server
>
> Regards
> Jaco Vosloo

In theory Squid could do semantic transparency. In reality it does not.
All current releases began as pure forward-proxies and have been
migrating very slowly towards transparency.

Squid is currently just moving from interception level of transparency
to IP-level invisibility. The headers passing through are still handled
roughly as they would be for a regular proxy hop.

Note that to serve anything at all from the cache is a complete break of
semantic transparency anyway. So it will not be possible to have both a
cache and a semantically transparent proxy. Particularly if
authentication is going to be involved at any point of the
request/response chain.

Sounds like time we (the developers) discussed whether there are any
side effects to passing auth through unaltered on transparent requests.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.10 or 3.1.0.11
Received on Mon Jul 27 2009 - 11:59:22 MDT
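
A simplified model of the Browser -> ProxyMITM -> Proxy1 chain discussed in this thread, added here as an illustration; it is not from the thread and is not Squid code. It shows why a cache hit on the middle hop means the authenticating upstream proxy never sees the request or its credentials. All class names, credentials and the URL are constructed.

```python
# Toy model of Browser -> ProxyMITM -> Proxy1; not Squid code.
# All names, credentials and URLs are constructed for illustration.
import base64

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class UpstreamProxy:
    """Proxy1: the hop that authenticates users and logs what they fetch."""
    def __init__(self, users):
        self.valid = {basic(u, p) for u, p in users.items()}
        self.log = []  # (status, url) for every request that reached this hop

    def handle(self, url, headers):
        if headers.get("Proxy-Authorization") not in self.valid:
            self.log.append((407, url))
            return 407, {"Proxy-Authenticate": 'Basic realm="proxy1"'}, b""
        self.log.append((200, url))
        return 200, {"Cache-Control": "max-age=3600"}, b"body of " + url.encode()

class MitmProxy:
    """ProxyMITM: relays headers unaltered; optionally caches 200 responses."""
    def __init__(self, upstream, cache_enabled):
        self.upstream, self.cache_enabled, self.cache = upstream, cache_enabled, {}

    def handle(self, url, headers):
        if self.cache_enabled and url in self.cache:
            return self.cache[url]          # hit: Proxy1 never sees this request
        response = self.upstream.handle(url, dict(headers))  # pass auth through
        if self.cache_enabled and response[0] == 200:
            self.cache[url] = response
        return response

def run(cache_enabled):
    """Alice (valid login) then Bob (no credentials) request the same URL."""
    proxy1 = UpstreamProxy({"alice": "constructed-pw"})
    mitm = MitmProxy(proxy1, cache_enabled)
    url = "http://example.test/logo.png"
    alice = mitm.handle(url, {"Proxy-Authorization": basic("alice", "constructed-pw")})
    bob = mitm.handle(url, {})
    return alice[0], bob[0], proxy1.log

if __name__ == "__main__":
    for enabled in (False, True):
        print("cache" if enabled else "relay", run(enabled))
```

With the cache enabled, the second request is answered from ProxyMITM and leaves no entry in Proxy1's log, so both the authentication decision and the audit trail of the upstream hop are skipped for that object.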
