Re: [squid-users] https traffic & squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 16 Dec 2009 10:21:08 +1300

On Tue, 15 Dec 2009 17:22:27 +0500, "Asim Ahmed @ Folio3"
<aahmed_at_folio3.com> wrote:
> Hi,
>
> I am using squid 3.0 STABLE20 on RHEL5 in conjunction with shorewall
> 4.4.4-1. I am using squid in non-transparent proxy mode. Currently I'm
> working like this:
>
> Shorewall & squid are installed on the same box. Shorewall is listening on
> this box on the local interface and forwarding all http (port 80) traffic to
> squid-port (3128). Since squid is running in non-transparent mode, I've
> set all client browsers with this proxy's address & port. Now I've two
> questions that might only be a performance issue or maybe I'm doing some
> extra work here: I am using this because I need to process all other
> traffic (ftp / ssh / gopher / https) through shorewall. Only port 80
> traffic should go to squid.
>
> 1. When squid is running in non-transparent mode and client browsers are
> set with proxy address & port, is it necessary to still redirect port 80
> traffic to squid through shorewall?

Only you can know that. There is software out there that uses HTTP and
can't be configured to use a proxy. Nobody here is able to know if your
network has such software. It's often only found out by firewalling port 80
and waiting for client complaints.

> Should not all clients automatically
> communicate with squid on that address & port?

_should_ yes.

>
> 2. Does squid directly listen to traffic sent to it from client browsers
> or does it need the traffic redirected to it by another software like
> iptables / shorewall?

Yes, Squid does. You do not need to do redirection to reach Squid unless
your network design is broken.

>
> I am confused between the two scenarios; which approach should be taken? Further,
> how can I send https traffic to squid as well for filtering?

The browsers which are set up to send HTTP to Squid have another box next
to the HTTP one saying send HTTPS to Squid.

NOTE: HTTPS has very limited details available to Squid for filtering. The
encrypted portion of the data cannot be decrypted by Squid 3.0.

Amos
Received on Tue Dec 15 2009 - 21:21:12 MST
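As an added illustration of the setup discussed in this thread (example configuration written for this page, not Amos's or the Squid project's own), a minimal squid.conf fragment for the forward-proxy mode, showing the only details a browser's HTTPS CONNECT request leaves for http_access rules to act on. The client subnet and the blocked domain are assumed placeholders.

```conf
# Added example squid.conf fragment (not from the original thread).
# Forward (non-transparent) proxy: browsers are configured with
# proxyhost:3128, so no Shorewall/iptables REDIRECT of port 80 is needed.
# Assumed: clients live in 192.168.1.0/24; the blocked domain is a placeholder.
http_port 3128
# An intercepting setup, which does need the REDIRECT rule, would instead use:
#   http_port 3128 transparent   (Squid 3.0 keyword; 3.1 and later use "intercept")

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535
acl CONNECT method CONNECT

# A browser with an HTTPS proxy configured sends "CONNECT host:443 HTTP/1.1".
# Squid sees only that destination host and port; the TLS bytes that follow
# are an opaque tunnel, so HTTPS can be filtered by dstdomain/port ACLs only.
acl blocked_https dstdomain .blocked.example   # placeholder domain
http_access deny CONNECT blocked_https

# Standard hygiene: refuse tunnels to anything but 443, so the proxy
# cannot be used to relay arbitrary TCP to other ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access deny all
```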
