Re: [squid-users] https to http translation

From: Peter Vereshagin <peter_at_vereshagin.org>
Date: Mon, 13 Dec 2010 13:20:15 +0300

You know St. Peter won't call my name, purgat!
2010/12/13 00:20:23 +0330 purgat <purgatio_at_gmail.com> => To squid-users_at_squid-cache.org :
p> On Sun, 2010-12-12 at 14:19 -0600, Luis Daniel Lucio Quiroz wrote:
p> > On Sunday, 12 December 2010 11:00:43, guest01 wrote:
p> > > Maybe not exactly what you are looking for, but have you thought of
p> > > using IPSec? You could deploy IPSec and encrypt every connection from
p> > > your clients to the Proxy.
p> > > I don't know what you are trying to achieve, but if your objective is
p> > > to encrypt connections from the Clients to the proxy, IPSec would be
p> > > perfectly transparent and scalable.
p> > >
p> > > On Sunday, December 12, 2010, purgat <purgatio_at_gmail.com> wrote:
p> > > > Hi
p> > > > I have seen similar discussions in the list in the past but none exactly
p> > > > answers my question.
p> > > > This is the setup I am looking for:
p> > > > a server somewhere out there runs one or more instances of squid.
p> > > > user at home sets up the browser to use the proxy.
p> > > > whenever user puts an address in their browser address bar, request, is
p> > > > encrypted with ssl and sent to squid. Instances (if more than one is
p> > > > necessary) of squid then request the page through normal http from the
p> > > > Internet and send the response through ssl back to the client.
p> > > > Unfortunately the answers I have seen to this question in past seem to
p> > > > ignore the fact that the user may want to use different websites. I
p> > > > don't want just a couple of addresses to be accelerated by squid and
p> > > > sent through ssl. What I am looking for is not a normal reverse proxy,
p> > > > glorified with ssl. Unfortunately there is no example of such a setup in
p> > > > wiki though I know a lot of people would want this set up for securing
p> > > > data in their unsecure local network. The explanations on the web about
p> > > > how to set this up come short of explaining a lot of things about an
p> > > > already complex matter.
p> > > > Is Squid able to help me with this?
p> > > > By the way... ssh tunnelling is not an option for me.
p> > > >
p> > > > Regards
p> > > > purgat
p> > As far as I know, this is impossible with squid,
p> > but there is a mod_ for apache that does that, just look for it
p> >
p> > LD
p>
p> Thanks for the info. I'll check that mod.
p> Anyone else can confirm this?

I don't know which Apache module this is about.
I can confirm that I use fcgiproxy, the FastCGI-ized CGIProxy, in what I named
the transparent mode. The diagram is as follows:

http://gitweb.vereshagin.org/fcgiproxy/blob_plain/HEAD:/doc/fcgiproxy-06.png

This means that, with SSL enabled on a hosting, you can turn any of your URLs,
say scheme://host.tld/path?params, into this:

https://your.ssl.host/yourpath/scheme/host.tld/path?params

Furthermore, I convert any URL I request in my browser into this URL by means
of a somewhat complicated setup which involves privoxy (optionally), squid
with URL rewriting, 3proxy (used only for its fake_resolve feature), and nginx,
again with URL rewriting. The URL is rewritten only once: in squid for http
URLs and inside nginx for https URLs.
I use it because I don't want any of my ISPs to know what I google for and
what pictures I look at. In fact, I have a much wider choice of SSL hosting
with Perl.
The main disadvantage of such an approach is that I can't verify the
certificate of a site to be visited (by means of Perl on a hosting; that code
is yet to be written, as is a certificate manager including exceptions, saved
X.509 certificates and much more, like basic auth and content filters), AND the
certificate of the fcgiproxy's web server as well (nginx is not yet able to
check the https uplinks' certificates against CAs or in any other way; the
explanation, in Russian, is at: http://forum.nginx.org/read.php?21,83157,85692#msg-85692).
I think such a thing can be useful not only for personal use to satisfy one's
suspicion, but for a corporate environment, too. At the least you can use the
web-served fcgiproxy part on the corporate proxy side, and the client side,
currently implemented by means of squid, 3proxy and an nginx proxy, to avoid
information leaks and viruses/spyware, including in the contents of the
bypassing https, too.
Commercially, I see the service as an anonymizer with ads in a sidebar.
Client-side setup is still a complication, but it can be implemented as a
system-tray application or a standalone system service, since its only purpose
is to rewrite the URL as mentioned above. I have no idea whether such a thing
can be made as a browser plugin, but it is obviously worth trying with some
JavaScript in hand.
Also, things like that may turn out to be possible with nothing other than
squid alone, but not with versions older than 2+ years from now.

73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)

--
http://vereshagin.org
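Added example (not the poster's code, and not part of the fcgiproxy project): a squid url_rewrite_program helper in Python that performs the one-time rewrite of plain-http URLs into the fcgiproxy-style https URL described in the post above. The front-end host name "your.ssl.host" and base path "/yourpath" are taken from the post's URL template and are assumptions, as is the classic helper line format ("URL client_ip/fqdn ident method ..." in, rewritten URL or empty line out) used by Squid 2.x and 3.0-3.3; Squid 3.4 and later expect "OK rewrite-url=..." replies instead. Note the two cases a practitioner has to handle that the post does not spell out: CONNECT requests (https) must pass through untouched because squid never sees the inner URL, and a request that already targets the SSL host must not be wrapped again, or the helper loops. The SSL front end sees every wrapped request in the clear, so the client side still has to verify that host's certificate for the "ISP can't see it" goal to hold.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper (added example, not the poster's code).

Wraps  http://host.tld/path?params
into   https://your.ssl.host/yourpath/http/host.tld/path?params

Protocol assumed (classic Squid 2.x / 3.0-3.3 helper format):
  stdin : one request per line, "URL client_ip/fqdn ident method [extras]"
  stdout: the rewritten URL, or an empty line to leave the request unchanged
"""
import sys
from urllib.parse import urlsplit

# Assumed names, taken from the post's URL template.
SSL_HOST = "your.ssl.host"
SSL_PATH = "/yourpath"


def wrap_url(url, ssl_host=SSL_HOST, ssl_path=SSL_PATH):
    """Return the wrapped https URL, or None if the URL must pass through."""
    parts = urlsplit(url)
    # Only plain http is wrapped here; https arrives as CONNECT and squid
    # never sees the inner URL (the post handles that leg inside nginx).
    if parts.scheme != "http" or not parts.hostname:
        return None
    # Loop guard: a request already aimed at the SSL front end is not
    # wrapped a second time.
    if parts.hostname == ssl_host.lower():
        return None
    # Keep host and optional :port, but drop any user:pass@ so credentials
    # do not end up inside the rewritten path.
    netloc = parts.netloc.rsplit("@", 1)[-1]
    path = parts.path or "/"
    query = "?" + parts.query if parts.query else ""
    return "https://%s%s/%s/%s%s%s" % (ssl_host, ssl_path, parts.scheme,
                                         netloc, path, query)


def handle_line(line, ssl_host=SSL_HOST, ssl_path=SSL_PATH):
    """Process one helper request line and return the reply (no newline)."""
    fields = line.strip().split()
    if not fields:
        return ""
    url = fields[0]
    method = fields[3].upper() if len(fields) > 3 else ""
    if method == "CONNECT":          # TLS tunnel request: leave alone
        return ""
    wrapped = wrap_url(url, ssl_host, ssl_path)
    return wrapped if wrapped else ""


def main():
    # Squid waits for exactly one reply line per request, so flush each one.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wire it in with `url_rewrite_program /usr/local/bin/wrap_helper.py` (and a matching `url_rewrite_children` count) in squid.conf; the helper is deliberately stateless so several children can run in parallel.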
Received on Mon Dec 13 2010 - 10:20:36 MST

This archive was generated by hypermail 2.2.0 : Mon Dec 13 2010 - 12:00:02 MST