Re: [squid-users] https could not access with ssl bump in squid 3.4

2014-02-28 Thread Amos Jeffries
On 28/02/2014 8:49 p.m., Jerry OELoo wrote:
> To summarize it. Please correct me if anything wrong, Thanks in advance.
> 

Please be a lot more specific. The area we are discussing has a LOT of
complexity and very small distinctions between things cause very big
differences in configuration and behaviour.


> If I want to just transparent pass through http/https packets (Do not
> read, modify it), I can just use http_port to open some port, and
> client set browser proxy+port directly, and from my testing, it is
> right.

Please avoid saying "transparent" because there are several
"transparent" (proxy/relay/authentication/redirect/interception) terms
in HTTP plus several which people call "transparent" when they are not
actually. 3 of those very different meanings apply to what we have been
talking about so far. I can't tell if you are adding in some of the other
meanings as criteria or not.


Can you please use the port number to indicate which protocol stack of
traffic you are talking about for each requirement?
 Because "HTTPS" and "https://" are different things, and port 443 and
80 traffic is a mix of the two along with various other things I am
trying to avoid confusing you with.



> 
> If I want to get client's https request,

Are you talking about HTTP with https://, or HTTP with CONNECT tunnel of
HTTPS, or HTTP on port 443?
 All of those have different answers to the question you are asking.
Please be specific.

> such as get the browser html
> content in https, insert some javascript into client's browser https
> response page,

Format of the reply object is not relevant. Please skip that.

> I need set up NAT on server B

For transparent intercept of port 443 that would be yes.

> (B should be a gateway or server?

It should be set up as a router.

> A is a LAN PC whose gateway points
> B?,

IF you choose to make PC B the LAN network gateway.

> Am i right here?),

There is no absolute right/wrong. Each of your choices about how to send
the traffic from PC A to PC B determines how PC A and PC B have to be
configured.


> 
> and then iptables to redirect client A's https packets to squid
> https_port. then use squid ssl bump to read/write client's html
> content in https.
> 

Let's avoid the generic terms:

* transparent - a single word with a category of action with 8
different meanings, 6 of which apply to different Squid configs.

* redirect - an action with >20 different configurations involving
different combinations of 3 layers of the networking stack. None of
which are what you meant to say!


Amos
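The three cases Amos separates above (an HTTP request carrying an https:// URL, an HTTP CONNECT tunnel request, and raw TLS arriving on port 443) look different in the first bytes a proxy reads from the client socket, which is why they need different Squid configuration (a forward-proxy http_port for the first two, an intercepting https_port with NAT for the third). The classifier below is an added example, not code from this thread or from Squid; the sample byte strings are constructed, and the kind names are my own labels.

```python
import re
from dataclasses import dataclass

# Constructed sample inputs (not taken from the mailing list): the first bytes
# a proxy would see on an accepted client socket in each of the three cases.
SAMPLE_PLAIN_HTTPS_URL = b"GET https://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_CONNECT = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
# TLS record header: ContentType=handshake (0x16), record version 3.1, record
# length 0x0005, then HandshakeType=client_hello (0x01) and a 3-byte length.
SAMPLE_TLS_CLIENTHELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"


@dataclass
class Classification:
    # One of: "tls-clienthello", "http-connect", "http-https-url",
    # "http-plain", "unknown" (labels chosen for this example).
    kind: str
    # host[:port] or URL from the request line, where the bytes carry one.
    target: str = ""


_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")


def classify_first_bytes(data: bytes) -> Classification:
    """Decide which of Amos's three 'HTTPS' situations the client bytes are."""
    # Case 3: raw TLS on the port (what an intercepted port-443 flow looks
    # like). A ClientHello starts with a handshake record (0x16), SSL/TLS
    # major version 3, and handshake type 1 at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return Classification("tls-clienthello")
    m = _REQUEST_LINE.match(data)
    if not m:
        return Classification("unknown")
    method = m.group(1).decode("ascii")
    target = m.group(2).decode("ascii", "replace")
    # Case 2: HTTP CONNECT asking the proxy for an opaque tunnel (usually to 443).
    # The proxy sees only host:port; the TLS inside the tunnel is not HTTP.
    if method == "CONNECT":
        return Classification("http-connect", target)
    # Case 1: a plain-text HTTP request whose URL uses the https scheme; the
    # proxy sees the full URL and can apply URL-based policy to it.
    if target.lower().startswith("https://"):
        return Classification("http-https-url", target)
    return Classification("http-plain", target)


if __name__ == "__main__":
    for name, sample in [("https URL", SAMPLE_PLAIN_HTTPS_URL),
                         ("CONNECT", SAMPLE_CONNECT),
                         ("TLS on 443", SAMPLE_TLS_CLIENTHELLO)]:
        print(f"{name:12} -> {classify_first_bytes(sample)}")
```

Note that only the first case gives the proxy a URL to work with; in the CONNECT case it has a host:port and nothing else, and in the raw TLS case it has no HTTP at all until something like ssl_bump terminates the TLS session, which is the step that requires the certificate and NAT setup discussed in the thread.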


[squid-users] how to get rid of IPv6 caused error messages ...?

2014-02-28 Thread Walter H.

Hello,

the router from ISP has IPv6 disabled; my public IP is only IPv4;

I get regularly a message like this:

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://www.google.com/firefox?

The following error was encountered:

Connection to 2a00:1450:4001:80b::1017 Failed

The system returned:
(101) Network is unreachable
The remote host or network may be down. Please try the request again.
Your cache administrator is my-email.

Generated Fri, 28 Feb 2014 13:03:40 GMT by myproxy-host (squid/3.3.11)


my squid is running on CentOS 6.5 64-bit;

I already have the following in squid.conf

tcp_outgoing_address myproxy-host's IPv4-address all
and
dns_v4_first on

Thanks for help,
Walter
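The squid.conf documentation describes dns_v4_first as reversing the order in which a dual-stack site's addresses are tried, not as removing the IPv6 addresses from the candidate list. The model below is an added illustration, not part of Walter's post and not Squid's own connection code: it orders a constructed resolver result the way the directive describes and walks it with two stand-in "connect" functions, so you can see which address ends up named in an error page like the one quoted above. The IPv4 address is a documentation-range placeholder; the error codes are the kernel's standard errno values.

```python
import errno
import ipaddress
from typing import Callable, Iterable, List, Tuple

# Constructed resolver result for a dual-stack name (not a real DNS lookup).
# The v6 address is the one from Walter's error page; the v4 one is a
# documentation-range placeholder.
RESOLVED = ["2a00:1450:4001:80b::1017", "203.0.113.10"]

# Exposed so a reader can compare against the "(101)" in the error page
# without hard-coding the Linux value (errno numbers differ by platform).
NET_UNREACH = errno.ENETUNREACH


def order_addresses(addrs: Iterable[str], v4_first: bool) -> List[str]:
    """Connect order for the resolved addresses.

    Models what the dns_v4_first documentation says: with it on, IPv4
    addresses move to the front; the IPv6 addresses stay in the list.
    """
    v4 = [a for a in addrs if ipaddress.ip_address(a).version == 4]
    v6 = [a for a in addrs if ipaddress.ip_address(a).version == 6]
    return v4 + v6 if v4_first else v6 + v4


def connect_sequence(addrs: Iterable[str], v4_first: bool,
                     try_connect: Callable[[str], int]) -> Tuple[str, int]:
    """Walk the ordered list until a connect returns 0 or the list is used up.

    Returns (address, errno) of the last attempt, which is the pair an
    error page like Walter's reports.
    """
    last = ("", 0)
    for addr in order_addresses(addrs, v4_first):
        rc = try_connect(addr)
        last = (addr, rc)
        if rc == 0:
            break
    return last


def host_without_v6_route(addr: str) -> int:
    # Constructed stand-in for the kernel on a box with no IPv6 default route:
    # every v6 connect fails with ENETUNREACH, IPv4 connects succeed.
    return NET_UNREACH if ipaddress.ip_address(addr).version == 6 else 0


def host_with_v4_outage(addr: str) -> int:
    # Constructed: the IPv4 path is also failing (ECONNREFUSED here), so even
    # with v4-first ordering the v6 address is tried last and its failure is
    # the one that gets reported.
    if ipaddress.ip_address(addr).version == 6:
        return NET_UNREACH
    return errno.ECONNREFUSED


if __name__ == "__main__":
    for v4_first in (False, True):
        print(f"dns_v4_first={'on' if v4_first else 'off'}:",
              order_addresses(RESOLVED, v4_first))
    print("no v6 route, v4 ok   :", connect_sequence(RESOLVED, True, host_without_v6_route))
    print("no v6 route, v4 down :", connect_sequence(RESOLVED, True, host_with_v4_outage))
```

The practical reading: when the error page names the IPv6 address even though dns_v4_first is on, the IPv6 attempt was the last one made, which means the IPv4 attempt before it did not succeed either. Checking the IPv4 path (routing, firewall, tcp_outgoing_address) is therefore the first diagnostic step; removing the IPv6 message alone would hide that failure rather than fix it.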





[squid-users] Better to run Squid on router or bridge network topology

2014-02-28 Thread On Offer All
Hi


I have a server going to run SQUID (see simple diagram below). 

Like to know whether the server should be configured as a router or bridge?
Kindly advise pros & cons for each implementation.
(I do not need a WCCP solution)


firewall
   |
server w/ 2 network ports (SQUID)
   |
switch (connects to 10 workstations)


Thanks
Steve