Re: [squid-users] Basic questions on transparent/intercept proxy

2013-07-30 Thread Amm




- Original Message -
> From: csn233 csn...@gmail.com
> To: Amm ammdispose-sq...@yahoo.com
> Cc:
> Sent: Tuesday, 30 July 2013 2:03 PM
> Subject: Re: [squid-users] Basic questions on transparent/intercept proxy
>
> Thanks to all who replied. Looks like the ssl_bump none all is
> required to stop those pop-warnings about self-signed certificates.
>
> Another related question, what do people do about ftp://... that no
> longer works in an intercepted proxy?


Please use reply all instead of reply!

For intercepted proxy, you only use HTTP/HTTPS interception. So browser
will access FTP site directly. (Unless you have blocked/redirected FTP port)

Amm.



Re: [squid-users] Basic questions on transparent/intercept proxy

2013-07-30 Thread csn233
> Please use reply all instead of reply!
>
> For intercepted proxy, you only use HTTP/HTTPS interception. So browser
> will access FTP site directly. (Unless you have blocked/redirected FTP port)
>
> Amm.

Clicked wrong button... It's to do with the requirement to log all
traffic, including FTP, as well as the caching benefits.


Re: [squid-users] Basic questions on transparent/intercept proxy

2013-07-30 Thread Amos Jeffries

On 30/07/2013 9:28 p.m., csn233 wrote:

>> Please use reply all instead of reply!
>>
>> For intercepted proxy, you only use HTTP/HTTPS interception. So browser
>> will access FTP site directly. (Unless you have blocked/redirected FTP port)
>>
>> Amm.
>
> Clicked wrong button... It's to do with the requirement to log all
> traffic, including FTP, as well as the caching benefits.


As stated that requirement is impossible to implement via Squid. You 
need to chop it down to a smaller size. In particular there are many 
overheads in the TCP/IP layer and in other non-HTTP protocols which 
Squid cannot measure nor log. Only the system firewall and related 
Layer-2 software has sufficient access to all the information a full 
measurement needs.


For all protocols other than plain-text HTTP there are *no* caching 
benefits from Squid. Squid will simply *add* overheads of processing and 
possibly some few hundred bytes necessary to set up CONNECT tunnels to 
peers. Unless you are using ssl-bump to decrypt HTTPS into plain-text 
HTTP for Squid's usage it is also one of those other protocols where you 
get no caching benefit - because everything a cache needs to use is 
locked away inside the encryption.



NP: adding SSL-bump just to get a measurement is a very bad reason to do 
it on a production proxy. Better to accept that HTTPS has no cache gains 
and leave it for now.


Amos



Re: [squid-users] Basic questions on transparent/intercept proxy

2013-07-29 Thread Amm
- Original Message -
> From: csn233 csn...@gmail.com
> To: squid-users@squid-cache.org squid-users@squid-cache.org
>
> To intercept HTTPS traffic, is SSL-bump a must? Even when I only want
> to record the CONNECT traffic in access.log just like a normal forward
> proxy without decrypting anything?

No. But it will log only IPs not the host name or URL.

Amm



Re: [squid-users] Basic questions on transparent/intercept proxy

2013-07-29 Thread csn233
On Sun, Jul 28, 2013 at 9:11 PM, Amm ammdispose-sq...@yahoo.com wrote:
> - Original Message -
>
>> From: csn233 csn...@gmail.com
>> To: squid-users@squid-cache.org squid-users@squid-cache.org
>>
>> To intercept HTTPS traffic, is SSL-bump a must? Even when I only want
>> to record the CONNECT traffic in access.log just like a normal forward
>> proxy without decrypting anything?
>
> No. But it will log only IPs not the host name or URL.
>
> Amm

No, as in ssl-bump is not a requirement for HTTPS traffic to be
logged? Your answer seems to be different from other replies. Can you
provide examples of how?


Re: [squid-users] Basic questions on transparent/intercept proxy

2013-07-29 Thread Amm
> From: csn233 csn...@gmail.com
> Sent: Monday, 29 July 2013 10:40 PM
> Subject: Re: [squid-users] Basic questions on transparent/intercept proxy
>
> On Sun, Jul 28, 2013 at 9:11 PM, Amm ammdispose-sq...@yahoo.com wrote:
>> - Original Message -
>>
>>> From: csn233 csn...@gmail.com
>>> To: squid-users@squid-cache.org squid-users@squid-cache.org
>>>
>>> To intercept HTTPS traffic, is SSL-bump a must? Even when I only want
>>> to record the CONNECT traffic in access.log just like a normal forward
>>> proxy without decrypting anything?
>>
>> No. But it will log only IPs not the host name or URL.
>>
>> Amm
>
> No, as in ssl-bump is not a requirement for HTTPS traffic to be
> logged? Your answer seems to be different from other replies. Can you
> provide examples of how?



I am not sure if I understood your previous question right. I think what others 
said is right.


Here is what I have done. (simplified version)

https_port 8081 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/squid.pem
#ssl_bump none all #--- this line is not required


So ssl-bump as a keyword is required on https_port but you don't need ssl_bump 
ACL line (by default it bumps nothing).


Traffic will be logged just as IP. (Not actual hostname)


Regards,


Amm.
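
Added example, not part of Amm's post or of Squid itself: a short Python script showing what "logged just as IP" means when reading access.log for tunnelled HTTPS. It assumes Squid's default native log format; the sample lines, addresses and host names are constructed, and the hostname CONNECT line stands for an explicit forward-proxy request for comparison.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Squid's default native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1375171200.101    532 192.0.2.15 TCP_MISS/200 4821 CONNECT 203.0.113.10:443 - HIER_DIRECT/203.0.113.10 -
1375171201.407    120 192.0.2.15 TCP_MISS/200 1833 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
1375171202.950   2210 192.0.2.22 TCP_MISS/200 9120 CONNECT mail.example.org:443 - HIER_DIRECT/198.51.100.25 -
1375171205.003    801 192.0.2.22 TCP_MISS/200 2999 CONNECT 203.0.113.10:443 - HIER_DIRECT/203.0.113.10 -
"""

def parse_line(line):
    """Split one native-format line into the fields used below."""
    f = line.split()
    if len(f) < 10:
        return None  # truncated or non-native line, skip it
    return {"client": f[2], "bytes": int(f[4]), "method": f[5], "target": f[6]}

def target_kind(target):
    """Return 'ip' when the CONNECT target host is an address literal."""
    host = target.rpartition(":")[0].strip("[]")  # brackets wrap IPv6 literals
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "hostname"

def summarize_tunnels(log_text):
    """Total bytes per (kind, target), counting CONNECT entries only."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT":
            totals[(target_kind(rec["target"]), rec["target"])] += rec["bytes"]
    return dict(totals)

if __name__ == "__main__":
    # Intercepted, un-bumped tunnels show up under 'ip': no host name, no URL.
    for (kind, target), size in sorted(summarize_tunnels(SAMPLE_LOG).items()):
        print(f"{kind:8} {target:28} {size} bytes")
```
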



[squid-users] Basic questions on transparent/intercept proxy

2013-07-28 Thread csn233
To intercept HTTPS traffic, is SSL-bump a must? Even when I only want
to record the CONNECT traffic in access.log just like a normal forward
proxy without decrypting anything?

Is this any different with TPROXY?


Re: [squid-users] Basic questions on transparent/intercept proxy

2013-07-28 Thread Eliezer Croitoru
On 07/28/2013 03:37 PM, csn233 wrote:
> To intercept HTTPS traffic, is SSL-bump a must? Even when I only want
> to record the CONNECT traffic in access.log just like a normal forward
> proxy without decrypting anything?
>
> Is this any different with TPROXY?
 
Indeed SSL-bump is a must..
You will be able to record the CONNECT traffic when using:
sslbump deny all like acl.
I do not remember the exact way to do it but it is possible.

Eliezer


Re: [squid-users] Basic questions on transparent/intercept proxy

2013-07-28 Thread Amos Jeffries

On 29/07/2013 2:30 a.m., Eliezer Croitoru wrote:

> On 07/28/2013 03:37 PM, csn233 wrote:
>> To intercept HTTPS traffic, is SSL-bump a must? Even when I only want
>> to record the CONNECT traffic in access.log just like a normal forward
>> proxy without decrypting anything?
>>
>> Is this any different with TPROXY?
>
> Indeed SSL-bump is a must..
> You will be able to record the CONNECT traffic when using:
> sslbump deny all like acl.
> I do not remember the exact way to do it but it is possible.
>
> Eliezer


Beyond the minor fact that there should be *no* CONNECT traffic on 
intercepted port 80 or port 443 because CONNECT is a client-to-proxy 
request method - which should only be seen on port 3128 or similar HTTP 
proxy ports.


The current releases of Squid (3.3.8 and 3.4.0.1) should take 
intercepted port-443 traffic and relay it untouched if there is no 
decrypting done. They may convert it into a CONNECT if the traffic needs 
relaying to a cache_peer, but otherwise it is just tunneled along to the 
original destination server.


Amos



Re: [squid-users] Basic questions on transparent/intercept proxy

2013-07-28 Thread Alex Rousskov
On 07/28/2013 05:21 PM, Amos Jeffries wrote:
> On 29/07/2013 2:30 a.m., Eliezer Croitoru wrote:
>> On 07/28/2013 03:37 PM, csn233 wrote:
>>> To intercept HTTPS traffic, is SSL-bump a must? Even when I only want
>>> to record the CONNECT traffic in access.log just like a normal forward
>>> proxy without decrypting anything?
>>>
>>> Is this any different with TPROXY?
>>
>> Indeed SSL-bump is a must..
>> You will be able to record the CONNECT traffic when using:
>> sslbump deny all like acl.

   ssl_bump none all

You will not be decrypting or bumping any traffic with this, but you
will be using a little bit of code introduced by the SslBump-related
projects.


> Beyond the minor fact that there should be *no* CONNECT traffic on
> intercepted port 80 or port 443 because CONNECT is a client-to-proxy
> request method - which should only be seen on port 3128 or similar HTTP
> proxy ports.

To be more precise, there are actually a few CONNECT requests inside
real-world intercepted traffic, but a non-bumping Squid which assumes
that the traffic is SSL will not see any of those CONNECTS as it will
blindly forward them to where they were going.


> The current releases of Squid (3.3.8 and 3.4.0.1) should take
> intercepted port-443 traffic and relay it untouched if there is no
> decrypting done. They may convert it into a CONNECT if the traffic needs
> relaying to a cache_peer, but otherwise it is just tunneled along to the
> original destination server.

Please note that tunneling intercepted but not bumped traffic through
cache_peers (via CONNECT) is officially supported only in v3.4 (added as
trunk r12905 dated 2013-06-10).


HTH,

Alex.