[squid-users] GURU opinion required.

2009-04-27 Thread goody goody

after going through different articles and analyzing the behavior of squid 2.5 
stable10 transparent proxy over freebsd machine, it is not possible that https 
requests are entertained; in other words it simply means proxying will not be 
done for https traffic.

now let's delve into details.

in case of transparent squid proxy whenever https traffic is passed through the 
proxy, proxy does not add its ip address rather it forwards the packets with 
original client ip address located on internal network. the packets then 
finally are natted at the firewall with the public ip address, and operation 
successfully completes.

but in my case my network colleagues who are managing firewall device have 
blocked any traffic originating from internal network and have only allowed 
proxy address hence any https traffic is blocked because they have the source 
address as internal address not of the proxy.

as it should be, any traffic that leaves the proxy with the modified source 
address as of proxy address, successfully completes the request.

hence http traffic and https traffic with manual/force proxy works but 
transparent proxy with https traffic doesn't work.

if i am wrong or there is any work around would be highly appreciated.

Thanks in advance.






  


Re: [squid-users] GURU opinion required.

2009-04-28 Thread Pandu E Poluan
IMO, you got that wrong.

Squid re-sends the https datagram in a wholly new packet, with the Source IP
Address being the squid's IP Address.

I should know, for my firewall at my office totally blocks non-proxy
addresses. Yet employees still can access Gmail and/or Yahoo! Mail (both
of which use https for authentication purposes).

As usual, CMIIW.


Rgds,


[p]


-- 
*Pandu E Poluan*
*Panin Sekuritas*
IT Manager / Infrastructure & Audit
Phone  : +62-21-515-3055 ext 135
Fax    : +62-21-515-3061
Mobile : +62-856-8400-426
e-mail : pandu_pol...@paninsekuritas.co.id

Y!M    : hands0me_irc
MSN    : si-gant...@live.com
GTalk  : pandu.ca...@gmail.com



Re: [squid-users] GURU opinion required.

2009-04-28 Thread goody goody

Ok!

then what would i need to do in my ipfw to make things work accordingly? i 
already have natd in place!!!

Thanks,

--- On Tue, 4/28/09, Pandu E Poluan wrote:

> From: Pandu E Poluan
> Subject: Re: [squid-users] GURU opinion required.
> To: squid-users@squid-cache.org
> Date: Tuesday, April 28, 2009, 3:01 PM
> IMO, you got that wrong.
>
> Squid re-sends the https datagram in a wholly new packet, with the Source IP
> Address being the squid's IP Address.
>
> I should know, for my firewall at my office totally blocks non-proxy
> addresses. Yet employees still can access Gmail and/or Yahoo! Mail (both
> of which use https for authentication purposes).
>
> As usual, CMIIW.
Re: [squid-users] GURU opinion required.

2009-04-28 Thread Nyamul Hassan
To my understanding, HTTPS will not work with transparent interception in a 
forward proxy setting.


Regards
HASSAN



- Original Message - 
From: "goody goody" 

To: 
Cc: "Pandu E Poluan" 
Sent: Tuesday, April 28, 2009 17:13
Subject: Re: [squid-users] GURU opinion required.



Ok!

then what would i need to do in my ipfw to make things work accordingly? i 
already have natd in place!!!


Thanks,

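
The contrast this thread turns on (plain HTTP and manually proxied HTTPS versus HTTPS redirected to the proxy by the firewall), shown as an added example that is not part of any post: it classifies the first bytes a forward proxy would read on each kind of connection. An intercepted port-443 connection opens with a TLS handshake record rather than an HTTP request line. The function name and all sample bytes are constructed for illustration.

```python
# Added example: what a forward proxy can learn from a connection's first bytes.
# All names and sample byte strings are constructed for illustration.

def classify_first_bytes(data: bytes) -> dict:
    """Classify the opening bytes of a client connection as a proxy sees them."""
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    # There is no request line, method, or Host header to act on here.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return {"kind": "tls-handshake", "http_request": False, "target": None}

    line, _, rest = data.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return {"kind": "unknown", "http_request": False, "target": None}
    method, uri, _version = parts

    # A manually configured browser asks the proxy for a tunnel by name,
    # so the proxy opens the outbound connection itself.
    if method == b"CONNECT":
        return {"kind": "explicit-connect", "http_request": True,
                "target": uri.decode()}

    # Intercepted plain HTTP: the destination is recoverable from Host.
    host = None
    for header in rest.split(b"\r\n"):
        name, _, value = header.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode()
            break
    return {"kind": "plain-http", "http_request": True, "target": host}


# Constructed samples of the three cases discussed in the thread.
INTERCEPTED_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
EXPLICIT_HTTPS = (b"CONNECT mail.example.com:443 HTTP/1.1\r\n"
                  b"Host: mail.example.com:443\r\n\r\n")
# First bytes of a TLS ClientHello record (truncated).
INTERCEPTED_HTTPS = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])

if __name__ == "__main__":
    for label, sample in [("intercepted http", INTERCEPTED_HTTP),
                          ("explicit https", EXPLICIT_HTTPS),
                          ("intercepted https", INTERCEPTED_HTTPS)]:
        print(label, "->", classify_first_bytes(sample))
```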