[squid-users] Multiple-Choice chain proxies, preferably over authenticated HTTPS

From: Hakim Moore <hakimmoore_at_i2pmail.org>
Date: Thu, 4 Aug 2011 17:23:48 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Howdy all,

I'm trying to make squid into a form of redirect, such that I can point
portable firefox and portable thunderbird at it as a proxy and have all
communications securely routed into the appropriate locally-run (well,
local to the server squid's running on) proxy. The goal is to have most
URLs and all .onion go into localhost:8118, clear HTTP .i2p URLs go
through localhost:4444, HTTPS .i2p URLs into 4445 and local URLs be
directly sent to the local address. Also, DNS for all proxied URLs
should go through the relevant proxy. So, as examples:

http://blah.com/blah => 127.0.0.1:8118
https://blah.com/blah => 127.0.0.1:8118
http://blah.onion => 127.0.0.1:8118
http://blah.i2p => 127.0.0.1:4444
https://blah.i2p => 127.0.0.1:4445
http://127.0.0.1:7660 (I2P mail tunnel) => Direct

I hope to eventually run this over authenticated HTTPS, such that the
communications and authentication are encrypted between me and Squid,
and such that only I can do it. Feel free to point me at a whole bunch
of guides. I just can't seem to find the right information on how to
make this happen. Here's my current (and obviously insufficient)
squid.conf:

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dstdomain localhost
acl to_TOR dstdom_regex -i \.onion
acl to_I2P dstdom_regex -i \.i2p
acl to_SSL proto HTTPS

acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
http_access allow all

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

always_direct allow to_localhost
always_direct deny !to_localhost
cache_peer tor.proxy parent 8118 0 default no-query no-digest no-netdb-exchange
cache_peer i2p.proxy parent 4444 0 default no-query no-digest no-netdb-exchange
cache_peer i2ps.proxy parent 4445 0 default no-query no-digest no-netdb-exchange
cache_peer_access i2p.proxy allow to_I2P !to_SSL
cache_peer_access i2ps.proxy allow to_I2P to_SSL
cache_peer_access tor.proxy allow all

# The following settings are helpful in removing some sensitive
# HTTP headers which could divulge unwanted information:
#
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 256 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Thanks very much for the help.

Hakim
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----
Received on Thu Aug 04 2011 - 19:59:02 MDT
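One way to express the routing asked for above, as an added example that is not the poster's config and not anything shipped by the Squid project. It assumes Squid 3.1-era directive syntax, that the three upstream proxies listen on 127.0.0.1, and placeholder paths for the auth helper, password file and TLS certificate.

```conf
# Added example, not the original poster's squid.conf.
# Assumptions: Squid 3.1-era syntax; Tor/Privoxy on 127.0.0.1:8118, I2P HTTP
# outproxy on :4444, I2P HTTPS outproxy on :4445; all file paths are placeholders.

acl localhost src 127.0.0.1/32 ::1
acl CONNECT   method CONNECT
# Literal host match: dstdomain compares the host string first, so a .onion
# or .i2p name is never sent to DNS by this ACL (a "dst" ACL would resolve it).
acl to_local  dstdomain localhost 127.0.0.1
acl to_TOR    dstdom_regex -i \.onion$
acl to_I2P    dstdom_regex -i \.i2p$

# Peers addressed by IP and distinguished by name=, so Squid never needs to
# resolve "tor.proxy"-style hostnames and three peers can share one address.
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest no-netdb-exchange name=tor
cache_peer 127.0.0.1 parent 4444 0 no-query no-digest no-netdb-exchange name=i2p
cache_peer 127.0.0.1 parent 4445 0 no-query no-digest no-netdb-exchange name=i2ps

# Browsers send HTTPS through a proxy as a CONNECT request, which carries no
# URL scheme, so "acl to_SSL proto HTTPS" never selects the :4445 peer.
# Match the method instead, and make every peer's rule set exclusive so the
# choice does not depend on peer order or on the "default" keyword.
cache_peer_access i2ps allow to_I2P CONNECT
cache_peer_access i2ps deny all
cache_peer_access i2p  allow to_I2P !CONNECT
cache_peer_access i2p  deny all
cache_peer_access tor  allow !to_I2P
cache_peer_access tor  deny all

# Only the local mail tunnel goes direct (always_direct wins over never_direct);
# everything else must go through a peer, so Squid neither resolves nor
# connects to any remote host itself.
always_direct allow to_local
never_direct  allow all

# Closed proxy: localhost or an authenticated user, nobody else.
# Helper name and password file path are placeholders for this build.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy
acl auth_users proxy_auth REQUIRED
http_access allow localhost
http_access allow auth_users
http_access deny all

# TLS between the client and Squid (needs a Squid built with --enable-ssl).
https_port 3129 cert=/etc/squid/proxy.crt key=/etc/squid/proxy.key
```

Check the peer choice before trusting it: request one URL of each kind through the proxy and confirm in access.log that the hierarchy field shows the expected peer name (or DIRECT only for the 127.0.0.1:7660 tunnel).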

This archive was generated by hypermail 2.2.0 : Fri Aug 05 2011 - 12:00:01 MDT