Re: HTTPS transparent proxy with Squid

2001-07-26 Thread Alson van der Meulen

On Thu, Jul 26, 2001 at 08:52:53AM +0400, Ant wrote:
> AvdM> HTTPS uses port 443, so it won't work with your current ipchains setup.
> AvdM> You might be able to start a second squid process, and redirect HTTPS
> AvdM> requests through it.
> Could you tell me how to redirect HTTPS through squid, and give an example of
> configuration. It is very interesting for me for the ICQ with HTTPS proxying option
> enabled.
Just look for HTTPS proxy options in ICQ...

a few points:
- Don't use transparent proxying if you don't really need it. Some
  services don't work (last time I checked, the hotmail attachment function
  didn't work thru a transparent proxy). This is because some pages check for
  proxy settings, and use some different way if a proxy is detected.
  They won't detect a transparent proxy though. There often are ways you
  can set proxy settings centrally, e.g. in Windows 9x and NT4, you
  can make some 'policy' to do it (contact me if you need an
  administrative template for it). Windows 2000 can set it in group
  policies. In *nix you can often set it using some export
  http_proxy=http://foo:8080 (or ftp_proxy) in /etc/profile, or setenv
  http_proxy http://foo:8080 in cshrc for csh. I guess there are
  similar ways to do it for netscape & friends. For other proxy
  settings, consult your application's manual.

- HTTPS won't be cached by any proxy, for security reasons, so proxying
  HTTPS won't speed up anything. If possible, just NAT (masquerade) it.

- The only valid reason to transproxy HTTPS is if your internet
  connection does not allow direct connections to port 443 (some
  restrictive firewall f.e.), and the clients are too decentralized to
  enforce real proxy settings.

I think you'll need specific HTTPS transproxy support in squid (or some
other transproxy) to be able to transproxy HTTPS. The HTTPS requests
should just be tunneled thru a proxy (using CONNECT, read my previous
mail for more info). AFAIK a transparent proxy usually uses GET
requests, for normal HTTP requests. Since HTTPS is encrypted, you can't
decode the GET request and translate it into some proxy GET request. The
transparent proxy should establish a CONNECTion thru the proxy, and
redirect the traffic thru that tunnel.

If you find (or make) a transparent proxy with HTTPS support (thru
CONNECT), you'll have to set it up in ipchains just like http
(substitute all occurrences of port 80 with port 443). Then instruct the
transparent proxy to listen for requests to port 443 (http_accel_port
443).

I never really tested transproxying with HTTPS, always just masqueraded
it, so don't ask me for real example configurations for transproxy HTTPS
;)

Cheers,
Alson


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
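The mail above argues that an intercepted HTTPS connection cannot be rewritten into a proxy-style GET, so a transparent proxy would have to open a CONNECT tunnel to the upstream proxy and relay the bytes. The following is an added example, not code from the thread or from Squid or transproxy: it classifies the first bytes of an intercepted connection (plaintext HTTP request line versus opaque TLS handshake record), builds the CONNECT request the interceptor would send, shows the upstream proxy's side of that exchange (including the port restriction proxies apply to CONNECT), and runs both sides over a socketpair with a mock proxy that echoes the relayed payload. The hostnames, ports and sample bytes are constructed for the demonstration.

```python
"""CONNECT tunnelling as a transparent HTTPS proxy would have to do it.

Added example, not part of the original debian-isp thread. Hosts, ports and
the sample TLS bytes below are constructed for the demonstration.
"""
import re
import socket
import threading

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_stream(first_bytes: bytes) -> str:
    """Decide what an intercepted connection carries from its first bytes.

    A plaintext HTTP request starts with a method token, so an interceptor can
    rewrite it into an absolute-URI request for an upstream proxy. A TLS stream
    starts with a handshake record (content type 0x16, version major byte 0x03)
    whose hostname and path are inside the encrypted session: it can only be
    tunnelled, never rewritten.
    """
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"


def build_connect_request(host: str, port: int) -> bytes:
    """The request the interceptor sends to the upstream proxy for a tunnel."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


CONNECT_RE = re.compile(rb"^CONNECT ([^ :]+):(\d+) HTTP/1\.[01]\r\n")


def proxy_handle_connect(request: bytes, allowed_ports=(443,)) -> tuple:
    """Upstream-proxy side: validate the CONNECT line and answer it.

    A tunnel is an opaque relay, so proxies restrict CONNECT to a short list
    of ports (443 here). Returns (status code, full response bytes).
    """
    m = CONNECT_RE.match(request)
    if m is None:
        return 400, b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if int(m.group(2)) not in allowed_ports:
        return 403, b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return 200, b"HTTP/1.1 200 Connection established\r\n\r\n"


def parse_connect_response(response: bytes) -> int:
    """Client side: the tunnel is usable only after a 2xx status line."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line")
    return int(parts[1])


def tunnel_through_proxy(payload: bytes, host: str, port: int) -> tuple:
    """Run the whole exchange over a socketpair: interceptor <-> mock proxy.

    The mock proxy thread answers CONNECT and then echoes whatever arrives,
    standing in for the relay to the origin server. Returns the CONNECT
    status and the bytes that came back through the tunnel.
    """
    interceptor, proxy = socket.socketpair()

    def proxy_side():
        status, resp = proxy_handle_connect(proxy.recv(4096))
        proxy.sendall(resp)
        if status == 200:
            proxy.sendall(proxy.recv(4096))  # relay: echo the opaque payload
        proxy.close()

    t = threading.Thread(target=proxy_side)
    t.start()
    interceptor.sendall(build_connect_request(host, port))
    status = parse_connect_response(interceptor.recv(4096))
    relayed = b""
    if status == 200:
        interceptor.sendall(payload)
        relayed = interceptor.recv(4096)
    interceptor.close()
    t.join()
    return status, relayed


# Constructed sample: header of a TLS 1.0 ClientHello record, padded.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + b"\x00" * 10

if __name__ == "__main__":
    print(classify_stream(b"GET / HTTP/1.0\r\n"), classify_stream(SAMPLE_TLS))
    print(tunnel_through_proxy(SAMPLE_TLS, "www.example.net", 443))
    print(tunnel_through_proxy(SAMPLE_TLS, "www.example.net", 25))
```

The interceptor never sees a URL for the TLS case; all it knows is the original destination address and port that the packet filter redirected, which is exactly what goes into the CONNECT line. The port check on the proxy side is the reason a CONNECT-based tunnel is not a general-purpose relay.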




Re[2]: HTTPS transparent proxy with Squid

2001-07-25 Thread Ant

Hello Alson,

AvdM> HTTPS uses port 443, so it won't work with your current ipchains setup.
AvdM> You might be able to start a second squid process, and redirect HTTPS
AvdM> requests through it.
Could you tell me how to redirect HTTPS through squid, and give an example of
configuration. It is very interesting for me for the ICQ with HTTPS proxying option
enabled.

Best regards,
 Ant                          mailto:[EMAIL PROTECTED]







Re: HTTPS transparent proxy with Squid

2001-07-25 Thread Alson van der Meulen

On Wed, Jul 25, 2001 at 11:41:32AM +0100, Sean Kelly wrote:
> Hello,

>   I read an article of yours on
> http://www.mail-archive.com/debian-isp@lists.debian.org/msg02194.html and
> was wondering if you could offer some advice.
> 
>   I am transparently proxying HTTP requests using Linux and Squid.
> The linux kernel (using IPChains) is set to send any port 80 requests to the
> proxy port (3128).  This works fine.  However, if I try the same thing with
> HTTPS requests it does not work.
HTTPS uses port 443, so it won't work with your current ipchains setup.
You might be able to start a second squid process, and redirect HTTPS
requests through it. HTTPS is not proxied anyway, it's tunnelled thru a
proxy (http://www.squid-cache.org/Doc/FAQ/FAQ-1.html#ss1.12). I'm not
sure if squid will proxy HTTPS, since it's a different protocol from
HTTP. I'm afraid it won't work.

I suggest you masquerade the traffic if possible (using ipchains
ip masquerading), since it won't be cached anyway. If you really have to
go through a proxy, and it won't work with a second squid process, you'll
have to write your own transproxy. http://www.transproxy.nlc.net.au/ is a
different transparent proxy program, it only forwards requests to a proxy,
doesn't proxy itself. You might be able to adapt it to work with HTTPS,
then you'll have to read the RFCs on that topic. Don't ask me how to do
that, never done it really :)

Someone else on debian-isp might have more experience on transproxying
HTTPS traffic.

Cheers,
Alson
-- 
,---.
> Name:   Alson van der Meulen  <
> Personal:   [EMAIL PROTECTED]   <
> School:   [EMAIL PROTECTED]<
`---'
What's this switch for anyways...?
-

