Re: [squid-users] Queries regarding squid

2010-12-20 Thread purgat
On that particular website (as well as most of the others who offer a
similar service) the key for detection is "via" field in headers. Turn
it off in your conf and they will not detect your proxy (if you care).
There are websites who give you more details and you can adjust your
headers according to your needs. (Am I allowed to post links here?)


On Tue, 2010-12-21 at 16:05 +1300, Amos Jeffries wrote:
> On 20/12/10 18:38, benjamin fernandis wrote:
> > Hi Friends,
> >
> > I setup squid 3.1 on RHEL 5.5. It is working fine. But when I check from
> > client side whatipmyip.com I can get "Your IP Address Is: (server
> > public ip)
> > Possible Proxy Detected: 1.1 cache.engine (squid)..."
> >
> > Can u suggest me how they catch my squid info and proxy detection...
> >
> > And as per my deployment...I have a server which is working as squid
> > caching and gateway for my clients.
> >
> > Wan router>  Squid + gateway (server)->
> > Switch--->  Client machines
> >
> > And please guide me how to hide my proxy info from others
> 
> 
> The *fact* of a proxy's existence being detectable is not something to
> worry about. It can be detected by any number of means which are beyond 
> your control. That site is just one of many sites doing a wide array of 
> link tests.
> 
> Amos




Re: [squid-users] https to http translation

2010-12-15 Thread purgat

Just for the sake of helping other people...
Thanks to everybody's help, especially Amos, my problem is somewhat solved
though a lot of fine-tuning is yet to be done. One thing I want to
stress on is ease and simplicity. I heard of several options here,
interestingly, most of which made sense theoretically though I didn't
have the technical experience to handle the complexity.
The solution that worked for me, as was suggested by Amos, was "stunnel"
with squid. This would be suitable for someone with relatively low
knowledge of networking who is relatively comfortable doing things on
command-line.
Say you set up your browser settings to use 127.0.0.1 with any unused
port of your choice. Set up stunnel on client and set it up in client
mode to forward the mentioned port to some port on your server. Only 4
lines of conf file are to be added/modified 1 for client mode and 3 for
accepting and forwarding the port to server (I commented out most of the
rest of the sample file for the time being). Then you set up stunnel on
server side with exactly reverse settings. Exit port this time is what
your squid (or other proxy server of your choice) is listening to.
Extremely simple and effective. I haven't tried it on Windows yet but I
believe it must be fine.
My thanks to everybody for their help and support

P.S. Amos I didn't find the Firefox bug that you mentioned. If you have
an address it would be great because I may be able to contribute one way
or another.



On Tue, 2010-12-14 at 01:05 +, Amos Jeffries wrote:
> On Mon, 13 Dec 2010 22:06:01 +0330, purgat wrote:
> > Hey
> > ok let me see if I got this right (excuse the noob!):
> > Let's say you set up squid to listen to ssl over 8081 and set up proxy
> > settings of your browser to use 8081 for both http and https. Now if you
> > type in an address with https in your browser you will send your data to
> > squid over ssl (probably ssl of the target website) but if you use http,
> > browser will not understand that the proxy on the other side is looking
> > for an ssl connection. Did I get this right?
> 
> Yes.
> 
> > If that is the case, one other option would be setting up a proxy daemon
> > on the local machine and try to get it connected to the main proxy
> > server over an encrypted connection. Can THAT be done with squid?
> 
> Yes, people have had success with stunnel and others. I don't do it myself
> so can't help with the config side of those.
> 
> Amos
> 
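
The stunnel arrangement described in the message above, written out as an added example that is not part of the original post. Host name, port numbers (other than Squid's default 3128) and file paths are placeholders chosen for illustration; the certificate check on the client side goes beyond the four lines the post mentions.

```ini
; ===== client side: stunnel.conf (constructed example) =====
; Browser proxy setting: 127.0.0.1, port 8080, for both HTTP and HTTPS.

[squid-tunnel]
; Client mode: accept plain TCP locally, speak TLS to the remote end.
client = yes
; Local port the browser is pointed at (placeholder).
accept = 127.0.0.1:8080
; stunnel listener on the server (placeholder host and port).
connect = proxy.example.org:8443
; stunnel does not check the peer certificate unless told to. Without
; the next two lines the tunnel is encrypted but the client cannot tell
; the real server from a machine sitting in the path.
CAfile = /etc/stunnel/proxy-ca.pem
verify = 2


; ===== server side: stunnel.conf (constructed example) =====
; Server mode is the default, so there is no "client" line here.

[squid-tunnel]
; TLS port reachable by clients (placeholder).
accept = 8443
; Where Squid listens. Binding Squid to loopback in squid.conf
; (http_port 127.0.0.1:3128) keeps the unencrypted port off the network.
connect = 127.0.0.1:3128
; Server certificate and private key (placeholder paths).
cert = /etc/stunnel/proxy.pem
key = /etc/stunnel/proxy.key
```

As written, anyone who can reach the server's TLS port can use the proxy, so Squid's own ACLs or authentication still have to restrict who may relay through it.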




Re: [squid-users] https to http translation

2010-12-15 Thread purgat
On Tue, 2010-12-14 at 10:55 +0300, Peter Vereshagin wrote:
> Any time of year you can find me here purgat.
> 2010/12/13 22:23:48 +0330 purgat => To squid-users@squid-cache.org :
> p> This definitely is too complicated for me. Getting all these working
> p> together doesn't seem an easy task for someone who has never used any
> p> of these for anything before. From what I could understand from your
> p> diagram and explanation, I would say this is an option that works as I
> p> need but that's it.
> p> I'll try to see if I can find easier options. I am starting to think I
> p> need to spend a few months and loads of caffeine to write something
> p> myself (though it is sort of life/death scenario involved, and time
> p> matters so much).
> p> Options are running out fast...
> p> :(
> p> 
> p> 
> p> On Mon, 2010-12-13 at 13:20 +0300, Peter Vereshagin wrote:
> p> > You know St. Peter won't call my name, purgat!
> p> > 2010/12/13 00:20:23 +0330 purgat => To squid-users@squid-cache.org :
> p> > p> On Sun, 2010-12-12 at 14:19 -0600, Luis Daniel Lucio Quiroz wrote:
> p> > p> > On Sunday 12 December 2010 11:00:43, guest01 wrote:
> p> > p> > > Maybe not exactly what you are looking for, but have you thought of
> p> > p> > > using IPSec? You could deploy IPSec and encrypt every connection from
> p> > p> > > your clients to the Proxy.
> p> > p> > > I don't know what you are trying to achieve, but if your objective is
> p> > p> > > to encrypt connections from the Clients to the proxy, IPSec would be
> p> > p> > > perfectly transparent and scalable.
> p> > p> > > 
> p> > p> > > On Sunday, December 12, 2010, purgat  wrote:
> p> > p> > > > Hi
> p> > p> > > > I have seen similar discussions in the list in the past but none exactly
> p> > p> > > > answers my question.
> p> > p> > > > This is the setup I am looking for:
> p> > p> > > > a server somewhere out there runs one or more instances of squid.
> p> > p> > > > user at home sets up the browser to use the proxy.
> p> > p> > > > whenever user puts an address in their browser address bar, request, is
> p> > p> > > > encrypted with ssl and sent to squid. Instances (if more than one is
> p> > p> > > > necessary) of squid then request the page through normal http from the
> p> > p> > > > Internet and send the response through ssl back to the client.
> p> > p> > > > Unfortunately the answers I have seen to this question in past seem to
> p> > p> > > > ignore the fact that the user may want to use different websites. I
> p> > p> > > > don't want just a couple of addresses to be accelerated by squid and
> p> > p> > > > sent through ssl. What I am looking for is not a normal reverse proxy,
> p> > p> > > > glorified with ssl. Unfortunately there is no example of such a setup in
> p> > p> > > > wiki though I know a lot of people would want this set up for securing
> p> > p> > > > data in their unsecure local network. The explanations on the web about
> p> > p> > > > how to set this up come short of explaining a lot of things about an
> p> > p> > > > already complex matter.
> p> > p> > > > Is Squid able to help me with this?
> p> > p> > > > By the way... ssh tunnelling is not an option for me.
> p> > p> > > > 
> p> > p> > > > Regards
> p> > p> > > > purgat
> p> > p> > As far as I know, this is impossible with squid
> p> > p> > but there is a mod_ for apache that does that, just look for it
> p> > p> > 
> p> > p> > LD
> p> > p> 
> p> > p> Thanks for the info. I'll check that mod.
> p> > p> Anyone else can confirm this?
> p> > 
> p> > I don't know what apache's particular module is this about.
> p> > I can confirm I use the fcgiproxy, the fastcgi'zed CGIProxy in the how I named
> p> > it the transparent mode. The diagram is as follows:
> p> > 
> p> > http://gitweb.vereshagin.org/fcgiproxy/blob_plain/HEAD:/doc/fcgiproxy-06.png
> p> > 
> p> > This means that h

Re: [squid-users] https to http translation

2010-12-13 Thread purgat
This definitely is too complicated for me. Getting all these working
together doesn't seem an easy task for someone who has never used any
of these for anything before. From what I could understand from your
diagram and explanation, I would say this is an option that works as I
need but that's it.
I'll try to see if I can find easier options. I am starting to think I
need to spend a few months and loads of caffeine to write something
myself (though it is sort of life/death scenario involved, and time
matters so much).
Options are running out fast...
:(


On Mon, 2010-12-13 at 13:20 +0300, Peter Vereshagin wrote:
> You know St. Peter won't call my name, purgat!
> 2010/12/13 00:20:23 +0330 purgat => To squid-users@squid-cache.org :
> p> On Sun, 2010-12-12 at 14:19 -0600, Luis Daniel Lucio Quiroz wrote:
> p> > On Sunday 12 December 2010 11:00:43, guest01 wrote:
> p> > > Maybe not exactly what you are looking for, but have you thought of
> p> > > using IPSec? You could deploy IPSec and encrypt every connection from
> p> > > your clients to the Proxy.
> p> > > I don't know what you are trying to achieve, but if your objective is
> p> > > to encrypt connections from the Clients to the proxy, IPSec would be
> p> > > perfectly transparent and scalable.
> p> > > 
> p> > > On Sunday, December 12, 2010, purgat  wrote:
> p> > > > Hi
> p> > > > I have seen similar discussions in the list in the past but none exactly
> p> > > > answers my question.
> p> > > > This is the setup I am looking for:
> p> > > > a server somewhere out there runs one or more instances of squid.
> p> > > > user at home sets up the browser to use the proxy.
> p> > > > whenever user puts an address in their browser address bar, request, is
> p> > > > encrypted with ssl and sent to squid. Instances (if more than one is
> p> > > > necessary) of squid then request the page through normal http from the
> p> > > > Internet and send the response through ssl back to the client.
> p> > > > Unfortunately the answers I have seen to this question in past seem to
> p> > > > ignore the fact that the user may want to use different websites. I
> p> > > > don't want just a couple of addresses to be accelerated by squid and
> p> > > > sent through ssl. What I am looking for is not a normal reverse proxy,
> p> > > > glorified with ssl. Unfortunately there is no example of such a setup in
> p> > > > wiki though I know a lot of people would want this set up for securing
> p> > > > data in their unsecure local network. The explanations on the web about
> p> > > > how to set this up come short of explaining a lot of things about an
> p> > > > already complex matter.
> p> > > > Is Squid able to help me with this?
> p> > > > By the way... ssh tunnelling is not an option for me.
> p> > > > 
> p> > > > Regards
> p> > > > purgat
> p> > As far as I know, this is impossible with squid
> p> > but there is a mod_ for apache that does that, just look for it
> p> > 
> p> > LD
> p> 
> p> Thanks for the info. I'll check that mod.
> p> Anyone else can confirm this?
> 
> I don't know what apache's particular module is this about.
> I can confirm I use the fcgiproxy, the fastcgi'zed CGIProxy in the how I named
> it the transparent mode. The diagram is as follows:
> 
> http://gitweb.vereshagin.org/fcgiproxy/blob_plain/HEAD:/doc/fcgiproxy-06.png
> 
> This means that having ssl enabled on a hosting you can use any of your url,
> say, scheme://host.tld/path?params into this:
> 
> https://your.ssl.host/yourpath/scheme/host.tld/path?params
> 
> Furthermore, I convert any of the URLs I ask in my browser into this url by
> mean of somewhat complicated stuff which involves ( optionally privoxy ) squid
> with URL rewrite, 3proxy is only used for its fake_resolve feature, and nginx
> with URL rewrite, again. URL is being rewritten only once: in a squid for http
> urls and inside the nginx for https urls.
> I use it because I hate any of my ISPs to know what I use to google out about
> and what pictures I see. As a fact, I have much more multiple choice about SSL
> hosting with a Perl.
> The main disadvantage of such an approach is that I can't verify certificate of
> a site to be visited ( by means of a perl on a hosting, it's a code yet to be
> written as well a

Re: [squid-users] https to http translation

2010-12-13 Thread purgat
Hey
ok let me see if I got this right (excuse the noob!):
Let's say you set up squid to listen to ssl over 8081 and set up proxy
settings of your browser to use 8081 for both http and https. Now if you
type in an address with https in your browser you will send your data to
squid over ssl (probably ssl of the target website) but if you use http,
browser will not understand that the proxy on the other side is looking
for an ssl connection. Did I get this right?
If that is the case, one other option would be setting up a proxy daemon
on the local machine and try to get it connected to the main proxy
server over an encrypted connection. Can THAT be done with squid?
Cheers
Purgat



On Mon, 2010-12-13 at 01:04 +, Amos Jeffries wrote:
> On Mon, 13 Dec 2010 00:20:23 +0330, purgat wrote:
> > On Sun, 2010-12-12 at 14:19 -0600, Luis Daniel Lucio Quiroz wrote:
> >> On Sunday 12 December 2010 11:00:43, guest01 wrote:
> >> > Maybe not exactly what you are looking for, but have you thought of
> >> > using IPSec? You could deploy IPSec and encrypt every connection from
> >> > your clients to the Proxy.
> >> > I don't know what you are trying to achieve, but if your objective is
> >> > to encrypt connections from the Clients to the proxy, IPSec would be
> >> > perfectly transparent and scalable.
> >> > 
> >> > On Sunday, December 12, 2010, purgat wrote:
> >> > > Hi
> >> > > I have seen similar discussions in the list in the past but none
> >> > > exactly
> >> > > answers my question.
> >> > > This is the setup I am looking for:
> >> > > a server somewhere out there runs one or more instances of squid.
> >> > > user at home sets up the browser to use the proxy.
> >> > > whenever user puts an address in their browser address bar, request,
> >> > > is
> >> > > encrypted with ssl and sent to squid. Instances (if more than one is
> 
> Squid provides https_port for accepting SSL connections from clients.
> 
> THE PROBLEM is that browsers do not use it for browser->proxy
> communications.
> 
> >> > > necessary) of squid then request the page through normal http from
> >> > > the
> >> > > Internet and send the response through ssl back to the client.
> >> > > Unfortunately the answers I have seen to this question in past seem
> >> > > to
> >> > > ignore the fact that the user may want to use different websites. I
> >> > > don't want just a couple of addresses to be accelerated by squid and
> >> > > sent through ssl. What I am looking for is not a normal reverse
> >> > > proxy,
> 
> The common examples are all reverse proxy because that is the only way
> browsers will play nice and send requests to Squid over SSL.
> 
> Squid itself does not fuss over whether the socket is receiving forward or
> reverse mode traffic. Only intercepted traffic has any problems on arrival,
> and preventing that is why you use SSL right?
> 
> 
> >> > > glorified with ssl. Unfortunately there is no example of such a
> >> > > setup in
> >> > > wiki though I know a lot of people would want this set up for
> >> > > securing
> 
> Remove the "accel" and related reverse-proxy options from any of the good
> tutorial configs, use a certificate having the proxy public domain
> name/port and you have a forward-proxy HTTPS listening setup.
> "simples"(tm).
> 
> 
> >> > > data in their unsecure local network. The explanations on the web
> >> > > about
> >> > > how to set this up come short of explaining a lot of things about an
> >> > > already complex matter.
> >> > > Is Squid able to help me with this?
> >> > > By the way... ssh tunnelling is not an option for me.
> 
> Roll up your sleeves then and dig in.
> Firefox has an open bug requesting this behaviour be supported. They need
> code help and/or incentive by the looks of it.
> 
> 
> Amos




Re: [squid-users] Share HTTPS over SQUID

2010-12-12 Thread purgat
Hey
Someone else correct me if I am wrong but I believe you can use the
guide at the beginning of 
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
to create your keys. It is written for a *nix system but if you are a
windows user I believe you can find a guide somewhere for OS of your
choice and do these on your machine.
good luck.
Purgat




On Mon, 2010-12-13 at 08:54 +0200, Ghassan Gharabli wrote:
> Hello,
> 
> I was trying to share HTTPS connection through Squid but it says that
> I need a certificate to work!
> 
> 
> The problem is that I don't use Squid for a domain or with IIS! I'm using
> Squid as Transparent HTTP for caching purpose and to save traffic thus
> I also want to share HTTPS if it's possible to work with HTTP Transparent
> Enabled.
> 
> 
> I thought like I can forward https requests from MikroTik Router to
> Windows Server 2003 that has Squid installed .
> 
> 
> If it should work properly then how to create .pem file or a certificate file?
> 
> 
> Many Thanks for your help




Re: [squid-users] https to http translation

2010-12-12 Thread purgat
On Sun, 2010-12-12 at 14:19 -0600, Luis Daniel Lucio Quiroz wrote:
> On Sunday 12 December 2010 11:00:43, guest01 wrote:
> > Maybe not exactly what you are looking for, but have you thought of
> > using IPSec? You could deploy IPSec and encrypt every connection from
> > your clients to the Proxy.
> > I don't know what you are trying to achieve, but if your objective is
> > to encrypt connections from the Clients to the proxy, IPSec would be
> > perfectly transparent and scalable.
> > 
> > On Sunday, December 12, 2010, purgat  wrote:
> > > Hi
> > > I have seen similar discussions in the list in the past but none exactly
> > > answers my question.
> > > This is the setup I am looking for:
> > > a server somewhere out there runs one or more instances of squid.
> > > user at home sets up the browser to use the proxy.
> > > whenever user puts an address in their browser address bar, request, is
> > > encrypted with ssl and sent to squid. Instances (if more than one is
> > > necessary) of squid then request the page through normal http from the
> > > Internet and send the response through ssl back to the client.
> > > Unfortunately the answers I have seen to this question in past seem to
> > > ignore the fact that the user may want to use different websites. I
> > > don't want just a couple of addresses to be accelerated by squid and
> > > sent through ssl. What I am looking for is not a normal reverse proxy,
> > > glorified with ssl. Unfortunately there is no example of such a setup in
> > > wiki though I know a lot of people would want this set up for securing
> > > data in their unsecure local network. The explanations on the web about
> > > how to set this up come short of explaining a lot of things about an
> > > already complex matter.
> > > Is Squid able to help me with this?
> > > By the way... ssh tunnelling is not an option for me.
> > > 
> > > Regards
> > > purgat
> As far as I know, this is impossible with squid
> but there is a mod_ for apache that does that, just look for it
> 
> LD

Thanks for the info. I'll check that mod.
Anyone else can confirm this?





[squid-users] https to http translation

2010-12-12 Thread purgat
Hi 
I have seen similar discussions in the list in the past but none exactly
answers my question.
This is the setup I am looking for:
a server somewhere out there runs one or more instances of squid.
user at home sets up the browser to use the proxy.
whenever user puts an address in their browser address bar, request, is
encrypted with ssl and sent to squid. Instances (if more than one is
necessary) of squid then request the page through normal http from the
Internet and send the response through ssl back to the client.
Unfortunately the answers I have seen to this question in past seem to
ignore the fact that the user may want to use different websites. I
don't want just a couple of addresses to be accelerated by squid and
sent through ssl. What I am looking for is not a normal reverse proxy,
glorified with ssl. Unfortunately there is no example of such a setup in
wiki though I know a lot of people would want this set up for securing
data in their unsecure local network. The explanations on the web about
how to set this up come short of explaining a lot of things about an
already complex matter.
Is Squid able to help me with this?
By the way... ssh tunnelling is not an option for me.

Regards
purgat