On 05/01/11 05:45, Roberto Franchesco wrote:
> I know Squid loses some of its capabilities when it's set up to run in
> Transparent/intercept mode. But looking around I can't find a
> definitive answer to the following question:
>
> If squid is set up in transparent mode, can it still tunnel secure
> traffic (via the CONNECT method)?
Yes.
>
> Currently I have this set up with squid acting as a normal proxy
> (where the client's browser knows to send traffic to squid) and I can
> route any traffic (regular http or https via CONNECT) to my first
> squid proxy, and then send it to another squid proxy in the hierarchy.
>
> client --> squid ----> squid ---> destination
>
> I know this works because I can see the CONNECT statements in my
> access log for the second squid proxy.
>
> My question is, if I were to set up the first squid proxy to run in
> transparent mode--so the client's browser would not have to be set to
> direct traffic to the first squid--could I still then route all
> traffic in the same way as the above diagram?
Yes. You may need to configure:
nonhierarchical_direct off
never_direct allow CONNECT
Removing any hierarchy_stoplist directives from your config will also
increase the peer traffic.
>
> It was my understanding that squid takes SSL traffic and wraps it in
> HTTP CONNECT and passes it along without ever touching any of it. So
No, the opposite is true. Squid by default takes CONNECT and unwraps it
to form a direct SSL connection.
Such wrapping is one way to do SSL interception, but this capability has
not yet been added to Squid.
> to me it seems like a squid set in transparent mode would just wrap
> the SSL traffic up and keep passing it. But I could be mistaken.
Squid cannot intercept and forge server responses to SSL traffic yet.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4

Received on Fri Jan 07 2011 - 05:02:30 MST
This archive was generated by hypermail 2.2.0 : Fri Jan 07 2011 - 12:00:02 MST
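The reply above answers the routing question with two directives (`nonhierarchical_direct off`, `never_direct allow CONNECT`); the way to confirm they took effect is the one the original poster already uses, reading the access logs. The script below is an added example, not from the thread or the Squid project: it parses Squid's native access.log format (the fields `time elapsed client code/status bytes method URL ident hierarchy/peer type`) and reports, for each CONNECT request seen by the first proxy, whether it was tunnelled through a parent peer (hierarchy codes ending in `_PARENT`, e.g. `FIRSTUP_PARENT`) or sent straight to the origin (`HIER_DIRECT`). The log lines embedded in it are constructed for illustration; the IP addresses and hostnames are not from the thread.

```python
"""Check whether CONNECT requests in a Squid native-format access.log went
through a parent peer or were sent directly to the origin server.

Added example for the squid-users thread above; the sample log lines are
constructed, not real traffic.
"""
import re
from collections import Counter

# Squid native access.log layout ("logformat squid" in squid.conf):
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)\s*$"
)

# Constructed sample: one CONNECT via the parent, one that went direct
# (what you would see before never_direct allow CONNECT is in place),
# one CONNECT refused by the default port policy, and an ordinary GET.
SAMPLE_LOG = """\
1294376530.123    245 192.168.1.10 TCP_MISS/200 3210 CONNECT www.example.com:443 - FIRSTUP_PARENT/10.0.0.2 -
1294376531.456   1873 192.168.1.11 TCP_MISS/200 48211 CONNECT mail.example.net:443 - HIER_DIRECT/93.184.216.34 -
1294376532.789      0 192.168.1.12 TCP_DENIED/403 1503 CONNECT www.example.org:8080 - HIER_NONE/- text/html
1294376533.012     88 192.168.1.10 TCP_HIT/200 9345 GET http://www.example.com/ - HIER_NONE/- text/html
""".splitlines()


def parse_native(line):
    """Return the fields of one native-format line as a dict, or None."""
    m = NATIVE_RE.match(line)
    return m.groupdict() if m else None


def route_of(entry):
    """Map the hierarchy code to 'parent', 'direct' or 'none' (not forwarded)."""
    hier = entry["hier"]
    if hier.endswith("_PARENT"):
        return "parent"
    if hier == "HIER_DIRECT":
        return "direct"
    return "none"


def connect_routes(lines):
    """Count CONNECT requests by how they were forwarded."""
    counts = Counter()
    for line in lines:
        entry = parse_native(line)
        if entry is None or entry["method"] != "CONNECT":
            continue
        counts[route_of(entry)] += 1
    return counts


def direct_connects(lines):
    """List (client, destination, origin_ip) for CONNECTs that bypassed the parent.

    With never_direct allow CONNECT and nonhierarchical_direct off on the
    first proxy, this list should be empty.
    """
    found = []
    for line in lines:
        entry = parse_native(line)
        if entry and entry["method"] == "CONNECT" and route_of(entry) == "direct":
            found.append((entry["client"], entry["url"], entry["peer"]))
    return found


if __name__ == "__main__":
    print("CONNECT routes:", dict(connect_routes(SAMPLE_LOG)))
    for client, dest, origin in direct_connects(SAMPLE_LOG):
        print(f"direct CONNECT from {client} to {dest} (origin {origin})")
```

Run it against the first proxy's real access.log (`python check.py < /var/log/squid/access.log` after swapping `SAMPLE_LOG` for `sys.stdin`) both before and after the configuration change; the `direct` count dropping to zero while the second proxy's log starts showing the same CONNECT lines is the evidence that the tunnel is now going through the hierarchy.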