Re: [squid-users] Transparent proxy with HTTPS on freebsd

From: abdul sami <sami.memon_at_gmail.com>
Date: Wed, 29 Apr 2009 20:21:23 +0500

First of all, let me thank you all very much for the replies.

I am searching/reading about PAC / port forwarding for squid on FreeBSD,
but I would be grateful if you could provide me an example/source.

Again, I repeat that I only want to allow https sites like (gmail, yahoo)
behind my transparent proxy to work.

With Regards,
.Goody.

On Wed, Apr 29, 2009 at 7:03 PM, Stefan Hartmann <hartm_at_odn.de> wrote:
> Goody,
>
> if you simply want to have http and https go through the same unix box,
> you can use squid for http and a port forwarding (for example using
> iptables) for https.
>
> Regards,
> Stefan
>
>
> nyoman karna wrote:
>> nope,
>> you can NOT use transparent proxy for HTTPS.
>>
>> since using transparent proxy for HTTPS
>> will be considered as man-in-the-middle attack.
>>
>> you probably may use PAC (as Amos suggested)
>> but IMO it ruins the basic idea of using a transparent proxy
>> (which is that the user does not need to put any setting in their browser)
>>
>> ------------------------
>> Nyoman Bogi Aditya Karna
>>       IM Telkom
>> http://www.imtelkom.ac.id
>> ------------------------
>>
>>
>>
>> --- On Wed, 4/29/09, goody goody <thinkodd_at_yahoo.com> wrote:
>>
>>> From: goody goody <thinkodd_at_yahoo.com>
>>> Subject: Re: [squid-users] Transparent proxy with HTTPS on freebsd
>>> To: squid-users_at_squid-cache.org
>>> Cc: "Amos Jeffries" <squid3_at_treenet.co.nz>
>>> Date: Wednesday, April 29, 2009, 7:30 AM
>>>
>>> Dear Amos,
>>>
>>> I say http works but https doesn't behind the transparent proxy
>>> (no proxy details specified in browser) and this is simply what I
>>> just want to achieve, as some sites such as yahoo, gmail use
>>> https to connect to.
>>>
>>> so if you could guide me how I can configure squid to allow https
>>> sites to connect behind the transparent proxy.
>>>
>>> Further info regarding squid and bsd os is as follows.
>>>
>>> squid version info
>>>
>>> Squid Cache: Version 2.5.STABLE10
>>> configure options:  --enable-storeio=diskd,ufs
>>> --enable-snmp --with-openssl=/opt/ssl '--enable-auth=basic
>>> ntlm' --enable-wccp '--enable-removal-policies=heap lru'
>>>
>>> BSD OS Info
>>>
>>> FreeBSD XXX 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri Mar 30
>>> 18:16:33 PKT 2007     root_at_xxx.abc.com.:/usr/src/sys/i386/compile/BSD-ROUTER
>>> i386
>>>
>>> an early response would be very much appreciated.
>>>
>>> Regards,
>>>
>>>
>>> --- On Wed, 4/29/09, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>
>>>> From: Amos Jeffries <squid3_at_treenet.co.nz>
>>>> Subject: Re: [squid-users] Transparent proxy with HTTPS on freebsd
>>>> To: "abdul sami" <sami.memon_at_gmail.com>
>>>> Cc: squid-users_at_squid-cache.org
>>>> Date: Wednesday, April 29, 2009, 1:49 PM
>>>>
>>>> abdul sami wrote:
>>>>> Dear all,
>>>>>
>>>>> subject settings don't work when I set the transparent proxy, though
>>>>> http traffic works. On analysis of the traffic I have come to know that
>>>>> the proxy doesn't add its source address to https traffic, rather simply
>>>>> forwards it with the local net address to the gateway/firewall device, which
>>>>> ultimately drops the packets.
>>>>>
>>>>> any suggestion in the shape of steps/an article would be highly appreciated.
>>>>> Regards,
>>>>
>>>> Pardon?
>>>>   HTTPS being transparently intercepted (miracle #1) and the
>>>> users not phoning you about being attacked? (miracle #2).
>>>> HTTPS == HTTP via _secure_ SSL.
>>>> transparent proxy == man-in-middle network attack on traffic.
>>>>
>>>> HTTPS was created to prevent transparent interception
>>>> amongst other things. So yes I'm not surprised it won't work.
>>>>
>>>> What are you trying to achieve with this?
>>>>
>>>> Amos
>>>> -- Please be using
>>>>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
>>>>   Current Beta Squid 3.1.0.7
>>>>
>
> --
> 09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0
> ---
> OnlineDienst Nordbayern   | http://www.odn.de/    | Internet-Systemhaus
> GmbH & Co.KG              | E-Mail: hartm_at_odn.de  | Hosting, Housing
> Steinstr. 19              | Tel: 0911 / 933877-0  | Consulting, VoIP
> 90419 Nuernberg - Germany | Fax: 0911 / 933877-55 | Programmierung
> GF Christiane Teichgräber | AG Nürnberg HRA 13304 |
>
>
Received on Wed Apr 29 2009 - 15:21:25 MDT
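
Added example (not part of the thread, and not code from any of its posters): a PAC file of the kind requested above, which sends http and https requests to Squid as an explicit proxy so that HTTPS travels through a CONNECT tunnel instead of being intercepted. The proxy name `proxy.example.lan`, the suffix `.example.lan` and the helper `isPrivateIPv4` are constructed placeholders; 3128 is Squid's default port.

```javascript
// proxy.pac (added example). All names and addresses are constructed
// placeholders, not values taken from the thread.
var PROXY = "PROXY proxy.example.lan:3128";   // assumed Squid host and port
var LOCAL_SUFFIX = ".example.lan";            // assumed internal DNS suffix

// True when host is an IPv4 literal in loopback or RFC 1918 space.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// The browser calls this for every request and follows the returned route.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names, internal names and private addresses stay on the LAN.
  var plainName = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (plainName ||
      host.slice(-LOCAL_SUFFIX.length) === LOCAL_SUFFIX ||
      isPrivateIPv4(host)) {
    return "DIRECT";
  }
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  // http:  sent to Squid as an ordinary proxied request.
  // https: sent as "CONNECT host:443"; Squid relays the TLS bytes without
  //        decrypting them, so the browser still checks the site certificate.
  if (scheme === "http" || scheme === "https") {
    return PROXY;
  }
  return "DIRECT";   // other schemes bypass the proxy
}
```

Browsers load this file from a URL entered in their automatic proxy configuration setting, so unlike interception it does require a per-client (or centrally pushed) setting.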
