Re: [squid-users] Basic questions on transparent/intercept proxy
- Original Message - From: csn233 csn...@gmail.com To: Amm ammdispose-sq...@yahoo.com Cc: Sent: Tuesday, 30 July 2013 2:03 PM Subject: Re: [squid-users] Basic questions on transparent/intercept proxy Thanks to all who replied. Looks like the ssl_bump none all is required to stop those pop-warnings about self-signed certificates. Another related question, what do people do about ftp://... that no longer works in an intercepted proxy Please use reply all instead of reply! For intercepted proxy, you only use HTTP/HTTPS interception. So browser will access FTP site directly. (Unless you have blocked/redirected FTP port) Amm.
Re: [squid-users] Basic questions on transparent/intercept proxy
Please use reply all instead of reply! For intercepted proxy, you only use HTTP/HTTPS interception. So browser will access FTP site directly. (Unless you have blocked/redirected FTP port) Amm. Clicked wrong button... It's to do with the requirement to log all traffic, including FTP, as well as the caching benefits.
Re: [squid-users] Basic questions on transparent/intercept proxy
On 30/07/2013 9:28 p.m., csn233 wrote: Please use reply all instead of reply! For intercepted proxy, you only use HTTP/HTTPS interception. So browser will access FTP site directly. (Unless you have blocked/redirected FTP port) Amm. Clicked wrong button... It's to do with the requirement to log all traffic, including FTP, as well as the caching benefits. As stated that requirement is impossible to implement via Squid. You need to chop it down to a smaller size. In particular there are many overheads in the TCP/IP layer and in other non-HTTP protocols which Squid cannot measure nor log. Only the system firewall and related Layer-2 software has sufficient access to all the information a full measurement needs. For all protocols other than plain-text HTTP there are *no* caching benefits from Squid. Squid will simply *add* overheads of processing and possibly some few hundred bytes necessary to setup CONNECT tunnels to peers. Unless you are using ssl-bump to decrypt HTTPS into plain-text HTTP for Squids usage it is also one of those other protocols where you get no caching benefit - because everything a cache needs to use is locked away inside the encryption. NP: adding SSL-bump just to get a measurement is a very bad reason to do it on a production proxy. Better to accept that HTTPS has no cache gains and leave it for now. Amos
Re: [squid-users] Basic questions on transparent/intercept proxy
- Original Message - From: csn233 csn...@gmail.com To: squid-users@squid-cache.org squid-users@squid-cache.org To intercept HTTPS traffic, is SSL-bump a must? Even when I only want to record the CONNECT traffic in access.log just like a normal forward proxy without decrypting anything? No. But it will log only IPs not the host name or URL. Amm
Re: [squid-users] Basic questions on transparent/intercept proxy
On Sun, Jul 28, 2013 at 9:11 PM, Amm ammdispose-sq...@yahoo.com wrote: - Original Message - From: csn233 csn...@gmail.com To: squid-users@squid-cache.org squid-users@squid-cache.org To intercept HTTPS traffic, is SSL-bump a must? Even when I only want to record the CONNECT traffic in access.log just like a normal forward proxy without decrypting anything? No. But it will log only IPs not the host name or URL. Amm No, as in ssl-bump is not a requirement for HTTPS traffic to be logged? Your answer seems to be different from other replies. Can you provide examples of how?
Re: [squid-users] Basic questions on transparent/intercept proxy
From: csn233 csn...@gmail.com Sent: Monday, 29 July 2013 10:40 PM Subject: Re: [squid-users] Basic questions on transparent/intercept proxy On Sun, Jul 28, 2013 at 9:11 PM, Amm ammdispose-sq...@yahoo.com wrote: - Original Message - From: csn233 csn...@gmail.com To: squid-users@squid-cache.org squid-users@squid-cache.org To intercept HTTPS traffic, is SSL-bump a must? Even when I only want to record the CONNECT traffic in access.log just like a normal forward proxy without decrypting anything? No. But it will log only IPs not the host name or URL. Amm No, as in ssl-bump is not a requirement for HTTPS traffic to be logged? Your answer seems to be different from other replies. Can you provide examples of how? I am not sure if I understood your previous question right. I think what others said is right. Here is what I have done. (simplified version) https_port 8081 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/squid.pem #ssl_bump none all #--- this line is not required So ssl-bump as a keyword is required on https_port but you dont need ssl_bump ACL line (by default it bumps nothing). Traffic will be logged just as IP. (Not actual hostname) Regards, Amm.
[squid-users] Basic questions on transparent/intercept proxy
To intercept HTTPS traffic, is SSL-bump a must? Even when I only want to record the CONNECT traffic in access.log just like a normal forward proxy without decrypting anything? Is this any different with TPROXY?
Re: [squid-users] Basic questions on transparent/intercept proxy
On 07/28/2013 03:37 PM, csn233 wrote: To intercept HTTPS traffic, is SSL-bump a must? Even when I only want to record the CONNECT traffic in access.log just like a normal forward proxy without decrypting anything? Is this any different with TPROXY? Indeed SSL-bump is a must.. You will be able to record the CONNECT traffic when using: sslbump deny all like acl. I do not remember the exact way to do it but it is possible. Eliezer
Re: [squid-users] Basic questions on transparent/intercept proxy
On 29/07/2013 2:30 a.m., Eliezer Croitoru wrote: On 07/28/2013 03:37 PM, csn233 wrote: To intercept HTTPS traffic, is SSL-bump a must? Even when I only want to record the CONNECT traffic in access.log just like a normal forward proxy without decrypting anything? Is this any different with TPROXY? Indeed SSL-bump is a must.. You will be able to record the CONNECT traffic when using: sslbump deny all like acl. I do not remember the exact way to do it but it is possible. Eliezer Beyond the minor fact that there should be *no* CONNECT traffic on intercepted port 80 or port 443 because CONNECT is a client-to-proxy request method - which should only be seen on port 3128 or similar HTTP proxy ports. The current releases of Squid (3.3.8 and 3.4.0.1) should take intercepted port-443 traffic and relay it untouched if there is no decrypting done. They may convert it into a CONNECT if the traffic needs relaying to a cache_peer, but otherwise it is just tunneled along to the original destination server. Amos
Re: [squid-users] Basic questions on transparent/intercept proxy
On 07/28/2013 05:21 PM, Amos Jeffries wrote: On 29/07/2013 2:30 a.m., Eliezer Croitoru wrote: On 07/28/2013 03:37 PM, csn233 wrote: To intercept HTTPS traffic, is SSL-bump a must? Even when I only want to record the CONNECT traffic in access.log just like a normal forward proxy without decrypting anything? Is this any different with TPROXY? Indeed SSL-bump is a must.. You will be able to record the CONNECT traffic when using: sslbump deny all like acl. ssl_bump none all You will not be decrypting or bumping any traffic with this, but you will be using a little bit of code introduced by the SslBump-related projects. Beyond the minor fact that there should be *no* CONNECT traffic on intercepted port 80 or port 443 because CONNECT is a client-to-proxy request method - which should only be seen on port 3128 or similar HTTP proxy ports. To be more precise, there are actually a few CONNECT requests inside real-world intercepted traffic, but a non-bumping Squid which assumes that the traffic is SSL will not see any of those CONNECTS as it will blindly forward them to where they were going. The current releases of Squid (3.3.8 and 3.4.0.1) should take intercepted port-443 traffic and relay it untouched if there is no decrypting done. They may convert it into a CONNECT if the traffic needs relaying to a cache_peer, but otherwise it is just tunneled along to the original destination server. Please note that tunneling intercepted but not bumped traffic through cache_peers (via CONNECT) is officially supported only in v3.4 (added as trunk r12905 dated 2013-06-10). HTH, Alex.
