[squid-users] Transparent proxy with HTTPS on freebsd

2009-04-28 Thread abdul sami
Dear all,

The subject setup doesn't work when I set up the transparent proxy, though
HTTP traffic works. On analysis of the traffic I have come to know that the
proxy doesn't add its source address to HTTPS traffic; rather it simply
forwards it with the local net address to the gateway/firewall device, which
ultimately drops the packets.

Any suggestion in the shape of steps/articles would be highly appreciated.

Regards,


Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-04-29 Thread Amos Jeffries

abdul sami wrote:

> Dear all,
> 
> subject settings doesn't work when i set the transparent proxy though
> http traffic works. on analysis of traffic i have come to know that
> proxy doesn't add it's source address to https traffic rather simply
> forwards it with local net address to gateway/firewall device which
> ultimately drops the packets.
> 
> any suggestion in shape of steps/article would be highly appreciated.
> 
> Regards,


Pardon?
 HTTPS being transparently intercepted (miracle #1) and the users not 
phoning you about being attacked? (miracle #2).


HTTPS == HTTP via _secure_ SSL.
transparent proxy == man-in-middle network attack on traffic.

HTTPS was created to prevent transparent interception amongst other 
things. So yes I'm not surprised it won't work.


What are you trying to achieve with this?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7


Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-04-29 Thread goody goody

Dear Amos,

I say HTTP works but HTTPS doesn't behind the transparent proxy (no proxy
details specified in the browser), and this is simply what I want to achieve,
as some sites such as Yahoo and Gmail use HTTPS to connect.

So please guide me on how I can configure Squid to allow HTTPS sites to
connect from behind the transparent proxy.

Further info regarding Squid and the BSD OS is as follows.

squid version info

Squid Cache: Version 2.5.STABLE10
configure options:  --enable-storeio=diskd,ufs --enable-snmp 
--with-openssl=/opt/ssl '--enable-auth=basic ntlm' --enable-wccp 
'--enable-removal-policies=heap lru'

BSD OS Info

FreeBSD XXX 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri Mar 30 18:16:33 PKT 2007
 r...@xxx.abc.com.:/usr/src/sys/i386/compile/BSD-ROUTER  i386

An early response would be very much appreciated.

Regards,


--- On Wed, 4/29/09, Amos Jeffries  wrote:

> From: Amos Jeffries 
> Subject: Re: [squid-users] Transparent proxy with HTTPS on freebsd
> To: "abdul sami" 
> Cc: squid-users@squid-cache.org
> Date: Wednesday, April 29, 2009, 1:49 PM
> abdul sami wrote:
> > Dear all,
> > 
> > subject settings doesn't work when i set the
> transparent proxy though
> > http traffic works. on analysis of traffic i have come
> to know that
> > proxy doesn't add it's source address to https traffic
> rather simply
> > forwards it with local net address to gateway/firewall
> device which
> > ultimately drops the packets.
> > 
> > any suggestion in shape of steps/article would be
> highly appreciated.
> > 
> > Regards,
> 
> Pardon?
>  HTTPS being transparently intercepted (miracle #1) and the
> users not phoning you about being attacked? (miracle #2).
> 
> HTTPS == HTTP via _secure_ SSL.
> transparent proxy == man-in-middle network attack on
> traffic.
> 
> HTTPS was created to prevent transparent interception
> amongst other things. So yes I'm not surprised it won't
> work.
> 
> What are you trying to achieve with this?
> 
> Amos
> -- Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
>   Current Beta Squid 3.1.0.7
> 





Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-04-29 Thread nyoman karna

Nope,
you can NOT use a transparent proxy for HTTPS,

since using a transparent proxy for HTTPS
will be considered a man-in-the-middle attack.

You probably may use PAC (as Amos suggested),
but IMO it ruins the basic idea of using a transparent proxy
(which is that the user does not need to put any setting in their browser).


Nyoman Bogi Aditya Karna
  IM Telkom
http://www.imtelkom.ac.id




--- On Wed, 4/29/09, goody goody  wrote:

> From: goody goody 
> Subject: Re: [squid-users] Transparent proxy with HTTPS on freebsd
> To: squid-users@squid-cache.org
> Cc: "Amos Jeffries" 
> Date: Wednesday, April 29, 2009, 7:30 AM
> 
> Dear Amos,
> 
> i say http works but https doesn't behind transparent proxy
> (no proxy details specified in browser) and this is simply I
> just want to achieve as some sites such as yahoo, gmail use
> https to connect to.
> 
> so if you guide my how can i configure squid to allow https
> sites to connect behind transparent proxy.
> 
> Further info regarding squid and bsd os is as follows.
> 
> squid version info
> 
> Squid Cache: Version 2.5.STABLE10
> configure options:  --enable-storeio=diskd,ufs
> --enable-snmp --with-openssl=/opt/ssl '--enable-auth=basic
> ntlm' --enable-wccp '--enable-removal-policies=heap lru'
> 
> BSD OS Info
> 
> FreeBSD XXX 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri Mar 30
> 18:16:33 PKT 2007     r...@xxx.abc.com.:/usr/src/sys/i386/compile/BSD-ROUTER 
> i386
> 
> an early response would be very much appreciated.
> 
> Regards,
> 
> 
> --- On Wed, 4/29/09, Amos Jeffries 
> wrote:
> 
> > From: Amos Jeffries 
> > Subject: Re: [squid-users] Transparent proxy with
> HTTPS on freebsd
> > To: "abdul sami" 
> > Cc: squid-users@squid-cache.org
> > Date: Wednesday, April 29, 2009, 1:49 PM
> > abdul sami wrote:
> > > Dear all,
> > > 
> > > subject settings doesn't work when i set the
> > transparent proxy though
> > > http traffic works. on analysis of traffic i have
> come
> > to know that
> > > proxy doesn't add it's source address to https
> traffic
> > rather simply
> > > forwards it with local net address to
> gateway/firewall
> > device which
> > > ultimately drops the packets.
> > > 
> > > any suggestion in shape of steps/article would
> be
> > highly appreciated.
> > > 
> > > Regards,
> > 
> > Pardon?
> >  HTTPS being transparently intercepted (miracle
> #1) and the
> > users not phoning you about being attacked? (miracle
> #2).
> > 
> > HTTPS == HTTP via _secure_ SSL.
> > transparent proxy == man-in-middle network attack on
> > traffic.
> > 
> > HTTPS was created to prevent transparent interception
> > amongst other things. So yes I'm not surprised it
> won't
> > work.
> > 
> > What are you trying to achieve with this?
> > 
> > Amos
> > -- Please be using
> >   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
> >   Current Beta Squid 3.1.0.7
> > 
> 
> 
> 
> 





Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-04-29 Thread Stefan Hartmann
Goody,

If you simply want to have HTTP and HTTPS go through the same Unix box,
you can use Squid for HTTP and port forwarding (for example using
iptables) for HTTPS.

Regards,
Stefan


nyoman karna wrote:
> nope,
> you can NOT use transparent proxy for HTTPS.
> 
> since using transparent proxy for HTTPS
> will be considered as man-in-the-middle attack.
> 
> you probably may use PAC (as Amos suggested)
> but IMO it ruin the basic idea of using transparent proxy
> (which is user does not need to put any setting in their browser)
> 
> 
> Nyoman Bogi Aditya Karna
>   IM Telkom
> http://www.imtelkom.ac.id
> 
> 
> 
> 
> --- On Wed, 4/29/09, goody goody  wrote:
> 
>> From: goody goody 
>> Subject: Re: [squid-users] Transparent proxy with HTTPS on freebsd
>> To: squid-users@squid-cache.org
>> Cc: "Amos Jeffries" 
>> Date: Wednesday, April 29, 2009, 7:30 AM
>>
>> Dear Amos,
>>
>> i say http works but https doesn't behind transparent proxy
>> (no proxy details specified in browser) and this is simply I
>> just want to achieve as some sites such as yahoo, gmail use
>> https to connect to.
>>
>> so if you guide my how can i configure squid to allow https
>> sites to connect behind transparent proxy.
>>
>> Further info regarding squid and bsd os is as follows.
>>
>> squid version info
>>
>> Squid Cache: Version 2.5.STABLE10
>> configure options:  --enable-storeio=diskd,ufs
>> --enable-snmp --with-openssl=/opt/ssl '--enable-auth=basic
>> ntlm' --enable-wccp '--enable-removal-policies=heap lru'
>>
>> BSD OS Info
>>
>> FreeBSD XXX 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri Mar 30
>> 18:16:33 PKT 2007     r...@xxx.abc.com.:/usr/src/sys/i386/compile/BSD-ROUTER 
>> i386
>>
>> an early response would be very much appreciated.
>>
>> Regards,
>>
>>
>> --- On Wed, 4/29/09, Amos Jeffries 
>> wrote:
>>
>>> From: Amos Jeffries 
>>> Subject: Re: [squid-users] Transparent proxy with
>> HTTPS on freebsd
>>> To: "abdul sami" 
>>> Cc: squid-users@squid-cache.org
>>> Date: Wednesday, April 29, 2009, 1:49 PM
>>> abdul sami wrote:
>>>> Dear all,
>>>>
>>>> subject settings doesn't work when i set the
>>> transparent proxy though
>>>> http traffic works. on analysis of traffic i have
>> come
>>> to know that
>>>> proxy doesn't add it's source address to https
>> traffic
>>> rather simply
>>>> forwards it with local net address to
>> gateway/firewall
>>> device which
>>>> ultimately drops the packets.
>>>>
>>>> any suggestion in shape of steps/article would
>> be
>>> highly appreciated.
>>>> Regards,
>>> Pardon?
>>>   HTTPS being transparently intercepted (miracle
>> #1) and the
>>> users not phoning you about being attacked? (miracle
>> #2).
>>> HTTPS == HTTP via _secure_ SSL.
>>> transparent proxy == man-in-middle network attack on
>>> traffic.
>>>
>>> HTTPS was created to prevent transparent interception
>>> amongst other things. So yes I'm not surprised it
>> won't
>>> work.
>>>
>>> What are you trying to achieve with this?
>>>
>>> Amos
>>> -- Please be using
>>>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
>>>   Current Beta Squid 3.1.0.7
>>>
>>
>>
>>
> 
> 
>   
> 
> 

-- 
09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0
---
OnlineDienst Nordbayern   | http://www.odn.de/| Internet-Systemhaus
GmbH & Co.KG  | E-Mail: ha...@odn.de  | Hosting, Housing
Steinstr. 19  | Tel: 0911 / 933877-0  | Consulting, VoIP
90419 Nuernberg - Germany | Fax: 0911 / 933877-55 | Programmierung
GF Christiane Teichgräber | AG Nürnberg HRA 13304 |





Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-04-29 Thread Amos Jeffries

nyoman karna wrote:

> nope,
> you can NOT use transparent proxy for HTTPS.
> 
> since using transparent proxy for HTTPS
> will be considered as man-in-the-middle attack.
> 
> you probably may use PAC (as Amos suggested)
> but IMO it ruin the basic idea of using transparent proxy
> (which is user does not need to put any setting in their browser)


Not quite. WPAD can be used with PAC so users only have 'auto-detect' on 
their browsers. The rest happens 'transparently' in one meaning of the term.


Amos





> --- On Wed, 4/29/09, goody goody  wrote:
> 
> > From: goody goody 
> > Subject: Re: [squid-users] Transparent proxy with HTTPS on freebsd
> > To: squid-users@squid-cache.org
> > Cc: "Amos Jeffries" 
> > Date: Wednesday, April 29, 2009, 7:30 AM
> > 
> > Dear Amos,
> > 
> > i say http works but https doesn't behind transparent proxy
> > (no proxy details specified in browser) and this is simply I
> > just want to achieve as some sites such as yahoo, gmail use
> > https to connect to.
> > 
> > so if you guide my how can i configure squid to allow https
> > sites to connect behind transparent proxy.
> > 
> > Further info regarding squid and bsd os is as follows.
> > 
> > squid version info
> > 
> > Squid Cache: Version 2.5.STABLE10
> > configure options:  --enable-storeio=diskd,ufs
> > --enable-snmp --with-openssl=/opt/ssl '--enable-auth=basic
> > ntlm' --enable-wccp '--enable-removal-policies=heap lru'
> > 
> > BSD OS Info
> > 
> > FreeBSD XXX 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri Mar 30
> > 18:16:33 PKT 2007 r...@xxx.abc.com.:/usr/src/sys/i386/compile/BSD-ROUTER i386
> > 
> > an early response would be very much appreciated.
> > 
> > Regards,
> > 
> > --- On Wed, 4/29/09, Amos Jeffries  wrote:
> > 
> > > From: Amos Jeffries 
> > > Subject: Re: [squid-users] Transparent proxy with HTTPS on freebsd
> > > To: "abdul sami" 
> > > Cc: squid-users@squid-cache.org
> > > Date: Wednesday, April 29, 2009, 1:49 PM
> > > abdul sami wrote:
> > > > Dear all,
> > > > 
> > > > subject settings doesn't work when i set the transparent proxy though
> > > > http traffic works. on analysis of traffic i have come to know that
> > > > proxy doesn't add it's source address to https traffic rather simply
> > > > forwards it with local net address to gateway/firewall device which
> > > > ultimately drops the packets.
> > > > 
> > > > any suggestion in shape of steps/article would be highly appreciated.
> > > > 
> > > > Regards,
> > > 
> > > Pardon?
> > >  HTTPS being transparently intercepted (miracle #1) and the users not
> > > phoning you about being attacked? (miracle #2).
> > > 
> > > HTTPS == HTTP via _secure_ SSL.
> > > transparent proxy == man-in-middle network attack on traffic.
> > > 
> > > HTTPS was created to prevent transparent interception amongst other
> > > things. So yes I'm not surprised it won't work.
> > > 
> > > What are you trying to achieve with this?
> > > 
> > > Amos
> > > -- Please be using
> > >   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
> > >   Current Beta Squid 3.1.0.7



--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7


Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-04-29 Thread abdul sami
First of all, let me thank you very much for all the replies.

I am searching/reading about PAC / port forwarding for Squid on FreeBSD,
but I would be grateful if you could provide me an example/source.

Again I repeat, I only want to allow HTTPS sites (like Gmail, Yahoo)
to work behind my transparent proxy.

With Regards,
.Goody.
On Wed, Apr 29, 2009 at 7:03 PM, Stefan Hartmann  wrote:
> Goody,
>
> if you simply want to have http and https go through the same unix box,
> you can use squid for http and a port forwarding (for example using
> iptables) for https.
>
> Regards,
> Stefan
>
>
> nyoman karna wrote:
>> nope,
>> you can NOT use transparent proxy for HTTPS.
>>
>> since using transparent proxy for HTTPS
>> will be considered as man-in-the-middle attack.
>>
>> you probably may use PAC (as Amos suggested)
>> but IMO it ruin the basic idea of using transparent proxy
>> (which is user does not need to put any setting in their browser)
>>
>> 
>> Nyoman Bogi Aditya Karna
>>       IM Telkom
>> http://www.imtelkom.ac.id
>> --------
>>
>>
>>
>> --- On Wed, 4/29/09, goody goody  wrote:
>>
>>> From: goody goody 
>>> Subject: Re: [squid-users] Transparent proxy with HTTPS on freebsd
>>> To: squid-users@squid-cache.org
>>> Cc: "Amos Jeffries" 
>>> Date: Wednesday, April 29, 2009, 7:30 AM
>>>
>>> Dear Amos,
>>>
>>> i say http works but https doesn't behind transparent proxy
>>> (no proxy details specified in browser) and this is simply I
>>> just want to achieve as some sites such as yahoo, gmail use
>>> https to connect to.
>>>
>>> so if you guide my how can i configure squid to allow https
>>> sites to connect behind transparent proxy.
>>>
>>> Further info regarding squid and bsd os is as follows.
>>>
>>> squid version info
>>>
>>> Squid Cache: Version 2.5.STABLE10
>>> configure options:  --enable-storeio=diskd,ufs
>>> --enable-snmp --with-openssl=/opt/ssl '--enable-auth=basic
>>> ntlm' --enable-wccp '--enable-removal-policies=heap lru'
>>>
>>> BSD OS Info
>>>
>>> FreeBSD XXX 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri Mar 30
>>> 18:16:33 PKT 2007     r...@xxx.abc.com.:/usr/src/sys/i386/compile/BSD-ROUTER
>>> i386
>>>
>>> an early response would be very much appreciated.
>>>
>>> Regards,
>>>
>>>
>>> --- On Wed, 4/29/09, Amos Jeffries 
>>> wrote:
>>>
>>>> From: Amos Jeffries 
>>>> Subject: Re: [squid-users] Transparent proxy with
>>> HTTPS on freebsd
>>>> To: "abdul sami" 
>>>> Cc: squid-users@squid-cache.org
>>>> Date: Wednesday, April 29, 2009, 1:49 PM
>>>> abdul sami wrote:
>>>>> Dear all,
>>>>>
>>>>> subject settings doesn't work when i set the
>>>> transparent proxy though
>>>>> http traffic works. on analysis of traffic i have
>>> come
>>>> to know that
>>>>> proxy doesn't add it's source address to https
>>> traffic
>>>> rather simply
>>>>> forwards it with local net address to
>>> gateway/firewall
>>>> device which
>>>>> ultimately drops the packets.
>>>>>
>>>>> any suggestion in shape of steps/article would
>>> be
>>>> highly appreciated.
>>>>> Regards,
>>>> Pardon?
>>>>   HTTPS being transparently intercepted (miracle
>>> #1) and the
>>>> users not phoning you about being attacked? (miracle
>>> #2).
>>>> HTTPS == HTTP via _secure_ SSL.
>>>> transparent proxy == man-in-middle network attack on
>>>> traffic.
>>>>
>>>> HTTPS was created to prevent transparent interception
>>>> amongst other things. So yes I'm not surprised it
>>> won't
>>>> work.
>>>>
>>>> What are you trying to achieve with this?
>>>>
>>>> Amos
>>>> -- Please be using
>>>>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
>>>>   Current Beta Squid 3.1.0.7
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
> --
> 09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0
> ---
> OnlineDienst Nordbayern   | http://www.odn.de/    | Internet-Systemhaus
> GmbH & Co.KG              | E-Mail: ha...@odn.de  | Hosting, Housing
> Steinstr. 19              | Tel: 0911 / 933877-0  | Consulting, VoIP
> 90419 Nuernberg - Germany | Fax: 0911 / 933877-55 | Programmierung
> GF Christiane Teichgräber | AG Nürnberg HRA 13304 |
>
>


Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-04-29 Thread Amos Jeffries
> First of all let me Thank you v much to all for replies.
>
> i am searching/reading for PAC / port forwarding for squid on FreeBSD,
> but it would be grateful to me if you provide me an example/source.

http://wiki.squid-cache.org/Technology/WPAD

>
> again i repeat i only want to allow https site like (gmail, yahoo)
> behind my transparent proxy to work.
>

Once the requests are going to Squid properly this is a simple matter of
ACLs.

Amos
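As an added example (not code from the thread or from the Squid project), here are the two pieces that turn the WPAD route above into a working HTTPS path: a PAC file that sends https:// URLs to Squid as CONNECT, and a squid.conf ACL fragment that permits CONNECT only to port 443 and only from the inside nets, which is the "simple matter of ACLs" once requests reach Squid. The host names, proxy port, internal domain and address ranges are assumptions set at the top; the script is POSIX sh and only writes a file and prints text.

```shell
#!/bin/sh
# Added example, not from the thread. Browsers set to "auto-detect" fetch
# http://wpad.<search-domain>/wpad.dat (DNS) or the URL in DHCP option 252
# and call FindProxyForURL() for every URL. For an https:// URL the browser
# opens "CONNECT host:443" to the returned proxy and Squid tunnels the TLS
# bytes untouched: no interception, no certificate warning, and the
# connection to the outside world leaves from the proxy's own address.

PROXY_HOST=${PROXY_HOST:-proxy.example.internal}   # assumed proxy name
PROXY_PORT=${PROXY_PORT:-3128}                     # assumed Squid port
INTERNAL_DOMAIN=${INTERNAL_DOMAIN:-.example.internal}

# Write wpad.dat into the directory given as $1 and print its path.
write_pac() {
    dir=$1
    cat > "$dir/wpad.dat" <<EOF
function FindProxyForURL(url, host) {
    // Local and internal names: go direct, never through the proxy.
    if (isPlainHostName(host) || dnsDomainIs(host, "$INTERNAL_DOMAIN"))
        return "DIRECT";
    // RFC 1918 space stays inside too. isInNet() resolves names, so it
    // sits after the cheap string checks above.
    if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0"))
        return "DIRECT";
    // Everything else, http:// and https:// alike, goes through Squid.
    // Deliberately no "; DIRECT" fallback: that fails open and lets every
    // client bypass the proxy whenever the proxy is down.
    return "PROXY $PROXY_HOST:$PROXY_PORT";
}
EOF
    echo "$dir/wpad.dat"
}

# Print squid.conf ACLs that let CONNECT through only to port 443 and only
# from the inside nets; anything else is refused. Same syntax in Squid 2.x.
squid_https_acls() {
    cat <<EOF
acl localnet src 10.0.0.0/8 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
EOF
}

write_pac "${WPAD_DIR:-/tmp}"
squid_https_acls
```

Serve wpad.dat with the MIME type application/x-ns-proxy-autoconfig (in Apache, `AddType application/x-ns-proxy-autoconfig .dat`), and register the `wpad` name in your own DNS and DHCP option 252 yourself: whoever answers the `wpad` name chooses the proxy for every auto-detecting client on the network, which is the standing risk of WPAD and the reason the name must not be left for someone else to claim.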



Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-05-01 Thread abdul sami
Dear All,

So champs, now the interesting part starts. OK.

A few days ago we had the proxy configured in the following way.

DR site ----\
             \   int: bge0 (IP=X)          int: bge1 (IP=Y)
internal net -> LAN switch -> Squid on BSD -> external firewall -> public net
                                               \
                                                \-- Branches

1. The above diagram shows that our internal net and DR site are
connected to Squid on interface bge0 and use the transparent proxy,
whereas branches come to bge1 and use a manual proxy to get access to
the internet.

2. In the above configuration HTTP and HTTPS were working perfectly fine.

After that, major changes were made in our company network and as a
result our proxy's working scenario also changed, as below.

                                        DR site
                                           |
                 int: bge0 (IP=X)          | int: bge1 (IP=Y)
internal net -> LAN switch -> Squid on BSD |-> external firewall -> public net
                                            \
                                             \-- Branches

1. The network guys forcibly shifted DR site traffic to bge1, and as a
result internet access at the DR site stopped functioning.

2. My colleague who was previously looking after the proxy changed the
following rule in the ipfw file as below (as per his statement), and after
that internet access for HTTP started working, but HTTPS traffic stopped
working at both sides where the transparent proxy was in use, i.e. at the DR
site and the internal net; however HTTPS still works at the branches.

RULE: ipfw add divert natd all from  any to any via bge1

CHANGED TO:

RULE: ipfw add divert natd all from internal net/24 to any via bge1

3. My network colleague told me that the proxy is adding its address as
source address to HTTP packets but not to HTTPS, and passes HTTPS
packets with the source address of the internal net, which is ultimately
blocked at the perimeter firewall.

Now please note that I have freshly started working on Squid; only a
couple of months have passed.

So when HTTPS didn't run, I went through documentation, forums etc.
(one example is your previous answers) and found that HTTPS would
not work on Squid in a transparent configuration, and got SURPRISED at how
it was working previously then. Anyway, now when I say this to my head
that Squid in transparent proxy mode won't work for HTTPS, he is not
ready to accept it.

I argued with my network colleagues that there must have been some other
settings done for HTTPS, but they do not agree and say that we
had checked everything and no such settings were there; the proxy was doing
all the functionality.


Repeating the problem: Currently the proxy adds its address as source to
HTTP traffic but not HTTPS; in the HTTPS case it simply forwards packets
with the source address of the internal net, and the perimeter firewall
allows proxy IP traffic and drops internal net addresses; as a result HTTPS
does not work.

So this is the whole story and I have got really stuck; what should I do?

SUGGESTIONS DESPERATELY NEEDED.

With Regards,




On Thu, Apr 30, 2009 at 8:24 AM, Amos Jeffries  wrote:
>> First of all let me Thank you v much to all for replies.
>>
>> i am searching/reading for PAC / port forwarding for squid on FreeBSD,
>> but it would be grateful to me if you provide me an example/source.
>
> http://wiki.squid-cache.org/Technology/WPAD
>
>>
>> again i repeat i only want to allow https site like (gmail, yahoo)
>> behind my transparent proxy to work.
>>
>
> Once the requests are going to Squid properly this is a simple matter of
> ACLs.
>
> Amos
>
>



Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-05-01 Thread Amos Jeffries
> Deal All,
>
> So champs now the interesting part starts. ok
>
> A few days ago we had proxy configured in the following way.
>
>  DR Site
>  \ int: bge0  int:
> bge1
> internal netlan switch\Squid on
> BSD-external firewallpublic net
>   IP=X
> \ IP=Y
>   \
>
>Branches
>
> 1. Above diagram shows that our internal net & and DR site is
> connected to squid on interface bge0 and uses transparent proxy
> whereas branches come to bge1 and uses manual proxy to get access to
> internet.
>
> 2. in above configuration http and https was working perfectly fine.
>
> after that in our company major changes were made in network and in
> result our proxy working scenario also changed as below.
>
> DR
> site
>|
>   int: bge0 | int:
> bge1
> internal netlan switchSquid on
> BSD|-external firewallpublic net
>   IP=X
> \ IP=Y
>   \
>
>Branches
>
> 1. By network guys DR site traffic forcibly shifted to bge1, and
> resultantly internet access at DR site stopped functioning.
>
> 2. my colleague who was previously looking proxy changed following
> rule in ipfw file as below (as per his statement), and after that
> internet access for http started working but https traffic stopped
> working at both sides where transparent proxy was working i-e at DR
> site and internal net, however https still work at branches.
>
> RULE: ipfw add divert natd all from  any to any via bge1
>
> CHANGED TO:
>
> RULE: ipfw add divert natd all from internal net/24 to any via bge1
>
> 3. my network colleague told me that proxy is adding it's address as
> source address to http packets but not to https, and passes https
> packets with source address of internal net, which is ultimately
> blocked at perimeter firewall.
>
> now pls note that i have freshly started working on squid couple of
> months has only passed.
>
> so when https didn't run, i gone through documentation, forums etc
> (one example is of your previous answers) and found that https would
> not work on squid on transprent configuration & Got SURPRISED that how
> it was working previously then. anyways now when i say this to my head
> that squid on transparent proxy mode wont work for https he is not
> ready to accept.
>
> I argued with network colleagues that there must be some other
> setttings had been done for https but the do not agree and say that we
> had checked every thing and no such settings was there proxy was doing
> all functionality,
>
>
> Repeating Problem: Currently proxy adds it address as source to http
> traffic but not https, in https case it simple forwards packets with
> soruce address of internal net. and perimeter firewall allows proxy ip
> traffic and drops internal net addresses, resultantly https does not
> work.
>
> So this is the whole story and i have got really stuck, what should i
> do.


Please note:
 HTTPS forwarding sounds like it is being done by the OS routing on the
proxy box. Not by the proxy software itself.

 Also using the WPAD solution I already proposed will make the clients go
through the proxy software. With same effects and controls as HTTP
traffic.

The other proper solution is for the main firewall to be updated to allow
the appropriate internal IPs to use HTTPS port 443 outbound.

One hack, which itself will break eventually and meanwhile has holes of its
own ... is to configure the proxy box firewall with those same IPs which
should be allowed HTTPS and source-NAT them to the proxy box IP. Be
careful you only allow the acceptable IPs through this NAT though.


Amos
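As an added example, not code from the thread: a POSIX sh script that prints an ipfw ruleset doing what the reply above describes, port 80 handed to Squid and HTTPS source-NATed to the proxy address for an explicit list of inside nets only, with natd diverted in both directions. The interface names, the proxy's external address, the nets and the Squid port are assumptions set at the top, and the script applies nothing by itself. It also shows the point the thread's rule change turns on: a divert rule restricted to `from <net> to any` matches only the outbound direction, so the replies addressed to the proxy's public address never reach natd.

```shell
#!/bin/sh
# Added example, not from the thread. Squid only ever sees port 80, so HTTP
# leaves the box from Squid's own address. HTTPS is forwarded by the kernel
# and keeps the client's private source address unless natd rewrites it,
# which is exactly the traffic the perimeter firewall was dropping.

INT_IF=${INT_IF:-bge0}                    # inside interface (assumed)
EXT_IF=${EXT_IF:-bge1}                    # interface toward the firewall
PROXY_IP=${PROXY_IP:-203.0.113.10}        # assumed address on $EXT_IF
SQUID_PORT=${SQUID_PORT:-3128}            # assumed Squid listener
# Only these nets may be source-NATed to the proxy address (do not NAT
# "any"). Both the internal LAN and the DR site are listed; assumed ranges.
ALLOWED_NETS=${ALLOWED_NETS:-"192.168.1.0/24 192.168.2.0/24"}

# Print the rules in the syntax "ipfw <file>" accepts; nothing is applied.
gen_ipfw_rules() {
    n=100
    for net in $ALLOWED_NETS; do
        # Transparent HTTP: hand port 80 from an allowed net to Squid.
        # Needs IPFIREWALL_FORWARD in the kernel and an intercepting
        # Squid listener on $SQUID_PORT.
        echo "add $n fwd 127.0.0.1,$SQUID_PORT tcp from $net to any 80 in via $INT_IF"
        n=$((n + 1))
    done
    for net in $ALLOWED_NETS; do
        # Outbound: natd rewrites the private source to $PROXY_IP.
        echo "add $n divert natd ip from $net to any out via $EXT_IF"
        n=$((n + 1))
    done
    # Inbound: replies addressed to $PROXY_IP must also pass through natd
    # or the translation is never undone. A rule restricted to
    # "from <net> to any" silently loses this direction.
    echo "add $n divert natd ip from any to $PROXY_IP in via $EXT_IF"
    n=$((n + 1))
    # Anything still leaving with a non-proxy source is a leak (a net
    # missing from ALLOWED_NETS). Drop and log it here instead of relying
    # on the perimeter firewall to notice.
    echo "add $n deny log ip from not $PROXY_IP to any out via $EXT_IF"
    n=$((n + 1))
    echo "add $n allow ip from any to any"
}

gen_ipfw_rules
```

Run natd against the external interface (`natd -n bge1`, with `options IPDIVERT` and `options IPFIREWALL_FORWARD` in the kernel), load the printed rules with `ipfw -q <file>`, then watch `tcpdump -ni bge1 'tcp port 443'`: every SYN toward port 443 should now carry the proxy address as source, and a client net you forgot to list shows up in the log of the deny rule instead of vanishing at the perimeter. The divert rules must stay ahead of the deny rule, since a packet re-injected by natd continues at the rule after the one that diverted it.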



Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-05-04 Thread Matus UHLAR - fantomas
On 29.04.09 04:58, nyoman karna wrote:
> you can NOT use transparent proxy for HTTPS.
> 
> since using transparent proxy for HTTPS
> will be considered as man-in-the-middle attack.
> 
> you probably may use PAC (as Amos suggested)
> but IMO it ruin the basic idea of using transparent proxy
> (which is user does not need to put any setting in their browser)

The whole idea of an intercepting proxy (also called transparent) is sick.
WPAD is the way to go: the browser will autodetect the proxy, so the user can
log in there, and all problems caused by intercepting connections will be gone.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...


Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-05-04 Thread Gavin McCullagh
Hi,

On Mon, 04 May 2009, Matus UHLAR - fantomas wrote:

> On 29.04.09 04:58, nyoman karna wrote:

> > you probably may use PAC (as Amos suggested)
> > but IMO it ruin the basic idea of using transparent proxy
> > (which is user does not need to put any setting in their browser)
> 
> the whole idea of intercepting proxy (also called transparent) is sick.

Would you care to substantiate that in a bit more detail?

> WPAD is way to go - browser will autodetect the proxy, so user can log there
> and all problems caused by intercepting connections will be gone.

I've been down this road.  We (a 3rd level college) have hundreds of users
walking on and off a campus with their laptops, mobile phones, netbooks,
pdas, etc.  We used to have posters, docs, everything set up to tell people
how to use the proxy.  We had a proxy.pac.  The support load was massive.
The number of people coming into our office for help setting it up was
huge.  The number of applications that use HTTP but don't support proxy.pac
files is surprisingly large.  The users leave the campus and have to undo
the proxy settings, then redo them when next on campus.

It was imperative for us to be able to give completely transparent web
access.  It's also a big requirement to have caching to reduce our
bandwidth and give us some kind of logging.  So we have transparent
proxying of http traffic and we simply allow https traffic out.

This policy has been hugely successful.  You might argue that we should
just allow all http and https traffic out but that is more expensive,
slower and harder for us to keep track of (I'm not that keen on logging but
it's necessary for a host of reasons).

As it is now, the web just works for everyone.  People are far happier and
so are we.

Gavin



Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-05-04 Thread Jeff Sadowski
On Mon, May 4, 2009 at 3:35 PM, Gavin McCullagh  wrote:
> Hi,
>
> On Mon, 04 May 2009, Matus UHLAR - fantomas wrote:
>
>> On 29.04.09 04:58, nyoman karna wrote:
>
>> > you probably may use PAC (as Amos suggested)
>> > but IMO it ruin the basic idea of using transparent proxy
>> > (which is user does not need to put any setting in their browser)
>>
>> the whole idea of intercepting proxy (also called transparent) is sick.
>
> Would you care to substantiate that in a bit more detail?
>

If you're blocking content that would violate rights, maybe; if you are
doing it to speed things up or blocking sites that have no place in
the current facility, I can not see how it can be claimed as sick.
I think blocking most porn from schools and work is right. Maybe even
blocking YouTube from work because of how much time is wasted.

>> WPAD is way to go - browser will autodetect the proxy, so user can log there
>> and all problems caused by intercepting connections will be gone.
>
> I've been down this road.  We (a 3rd level college) have hundreds of users
> walking on and off a campus with their laptops, mobile phones, netbooks,
> pdas, etc.  We used to have posters, docs, everything set up to tell people
> how to use the proxy.  We had a proxy.pac.  The support load was massive.
> The number of people coming into our office for help setting it up was
> huge.  The number of applications that use HTTP but don't support proxy.pac
> files is surprisingly large.  The users leave the campus and have to undo
> the proxy settings, then redo them when next on campus.
>
> It was imperative for us to be able to give completely transparent web
> access.  It's also a big requirement to have caching to reduce our
> bandwidth and give us some kind of logging.  So we have transparent
> proxying of http traffic and we simply allow https traffic out.
>
> This policy has been hugely successful.  You might argue that we should
> just allow all http and https traffic out but that is more expensive,
> slower and harder for us to keep track of (I'm not that keen on logging but
> it's necessary for a host of reasons).
>
> As it is now, the web just works for everyone.  People are far happier and
> so are we.
>
> Gavin
>
>


Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-05-04 Thread Gavin McCullagh
Hi Jeff,

On Mon, 04 May 2009, Jeff Sadowski wrote:

> On Mon, May 4, 2009 at 3:35 PM, Gavin McCullagh  
> wrote:
> >> the whole idea of intercepting proxy (also called transparent) is sick.
> >
> > Would you care to substantiate that in a bit more detail?
> 
> If you're blocking content that would violate rights, maybe; if you are
> doing it to speed things up or blocking sites that have no place in
> the current facility I can not see how it can be claimed as sick.
> I think blocking most porn from schools and work is right. Maybe even
> blocking youtube from work because of how much time is wasted.

I think this misses the issue.  A web proxy is indeed a convenient way to
apply these sorts of blocks.  However, whether you force people to
configure proxies in order to get web access or you do it transparently
doesn't change the blocking.

Currently we have a very short list of blocked sites based mostly on file
sharing.  Personally, I'd like to remove that as I don't consider it
useful.  In certain labs (ie where the students use our computers) at
certain busy times of the year we occasionally block "time-waster" sites in
order to free up those computers for students doing assignments.  Those who
use their own laptops on wifi don't experience that.

Our students are adults.  We don't generally block based on content.  In
Ireland (where we are), primary and secondary schools are all given a
government-sponsored central broadband connection which is content filtered
transparently.  It's not squid, but it's the same principle.  Personally, I
don't really like the idea, but being pragmatic, I understand why they did
it.  Prior to filtering, a large number of teachers were dead set against
giving web access to students (we had bought our own connection).  Now that
they have a comfort blanket of state-sponsored content filtering, they're
fine with students using it.  Sadly, sites like youtube are blocked due to
unsuitable content, which is really a shame as there is lots of very useful
content.

We recently started using HAVP to block viruses/malware, but I think most
people would agree that that's in the student's interest.

Transparent proxying (as opposed to wpad) doesn't make any of this blocking
easier, though I guess perhaps it makes it less apparent.  However, it
makes net access far more convenient (as against wpad) for the user.

Gavin



Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-05-06 Thread Matus UHLAR - fantomas
> > On 29.04.09 04:58, nyoman karna wrote:
> > > you probably may use PAC (as Amos suggested)
> > > but IMO it ruin the basic idea of using transparent proxy
> > > (which is user does not need to put any setting in their browser)

> On Mon, 04 May 2009, Matus UHLAR - fantomas wrote:
> > the whole idea of intercepting proxy (also called transparent) is sick.

On 04.05.09 22:35, Gavin McCullagh wrote:
> Would you care to substantiate that in a bit more detail?

Making clients think they connect to the destination server when they do
not, breaks many things. It disables authentication, causes some TCP
problems (pmtu discovery?)...

> > WPAD is way to go - browser will autodetect the proxy, so user can log there
> > and all problems caused by intercepting connections will be gone.
> 
> I've been down this road.  We (a 3rd level college) have hundreds of users
> walking on and off a campus with their laptops, mobile phones, netbooks,
> pdas, etc.  We used to have posters, docs, everything set up to tell people
> how to use the proxy.  We had a proxy.pac.  The support load was massive.
> The number of people coming into our office for help setting it up was
> huge.  The number of applications that use HTTP but don't support proxy.pac
> files is surprisingly large.

That's bad, luckily many browsers can turn on autodetection and use it when
available.

> The users leave the campus and have to undo
> the proxy settings, then redo them when next on campus.

Well, I always call intercepting a thing you should do in "last resort" and
all troubles caused by the interception should be pointed as client errors.

Yes, if you need, keep that there, but I hope you didn't stop providing WPAD
for anyone who supports it.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
(Slovak) Warning: I do not wish to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool. 


Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-05-06 Thread Matus UHLAR - fantomas
> >> On 29.04.09 04:58, nyoman karna wrote:
> >> > you probably may use PAC (as Amos suggested)
> >> > but IMO it ruin the basic idea of using transparent proxy
> >> > (which is user does not need to put any setting in their browser)

> > On Mon, 04 May 2009, Matus UHLAR - fantomas wrote:
> >> the whole idea of intercepting proxy (also called transparent) is sick.

> On Mon, May 4, 2009 at 3:35 PM, Gavin McCullagh  
> wrote:
> > Would you care to substantiate that in a bit more detail?

On 04.05.09 16:41, Jeff Sadowski wrote:
> If you're blocking content that would violate rights, maybe; if you are
> doing it to speed things up or blocking sites that have no place in
> the current facility I can not see how it can be claimed as sick.

What is sick is the fact you must break someone's connection and insert
something there, instead of letting him know about a proxy.

Yes, applications that do not support proxy autodetection are problematic
themselves. But that imho doesn't change the fact it's sick.

OTOH, wpad and javascript autoconfiguration is not much better, but it is
still better.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
(Slovak) Warning: I do not wish to receive any advertising mail at this address.
He who laughs last thinks slowest. 


Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-05-06 Thread Gavin McCullagh
Hi,

On Wed, 06 May 2009, Matus UHLAR - fantomas wrote:

> On 04.05.09 22:35, Gavin McCullagh wrote:
> > Would you care to substantiate that in a bit more detail?
> 
> Making clients think they connect to the destination server when they do
> not, breaks many things. It disables authentication, causes some TCP
> problems (pmtu discovery?)...

Many thanks for the extra info.

Disabling authentication is unfortunate, but anyone managing a network and
proxy server who decides to use transparent proxying necessarily makes the
decision not to use authentication.

PMTU discovery is not something I had thought about I must say.  At a guess
the main issue is that if a router between client and proxy sends a
"datagram too big" to the proxy, it'll have the IP of the upstream host on
it and will not get to the proxy.   In our case (where the MTU is
consistent across the whole path), that won't be an issue but I can see how
it could be.  I guess you could turn off PMTU discovery on the proxy to
solve this, though that's a bit of a sledgehammer.

There would also be an ambiguous MTU for the client (ie that of the
client<->proxy and the client<->server) which would depend on what port the
client was connecting on (eg it could mix http and https).  I'd guess,
perhaps wrongly (and assuming the icmps are not blocked) the client should
just end up with the minimum MTU for both paths?

> That's bad, luckily many browsers can turn on autodetection and use it when
> available.

You mean the browser downloading http://wpad./wpad.dat? This has
been pretty flakey in our experience.  In most cases you seem to have to
turn it on explicitly which is a huge pain as students don't know how.

> Well, I always call intercepting a thing you should do in "last resort" and
> all troubles caused by the interception should be pointed as client errors.

Fair enough.

> Yes, if you need, keep that there, but I hope you didn't stop providing WPAD
> for anyone who supports it.

We still provide it alright, though I don't think it gets used much.  One
of our networks, where we require authentication, still uses it all the time.

Gavin
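The thread keeps returning to proxy.pac / wpad.dat without showing one. The following is an added example, not a file from the list, from Gavin's network or from the Squid project. It encodes the policy Gavin describes (plain HTTP through the cache, HTTPS straight out) and Matus's point that WPAD lets the client know about the proxy rather than being intercepted: the client gets a DIRECT fallback when the proxy is unreachable, which an intercepted client never does. The proxy name proxy.example.edu, the .example.edu campus domain and the RFC 1918 ranges are assumptions. The shims at the top are present only so the file can be run outside a browser; a browser supplies its own isPlainHostName, dnsDomainIs and isInNet and the shims are skipped there.

```javascript
// proxy.pac / wpad.dat (constructed example). Browsers provide the helper
// functions below natively; the shims are defined only when they are absent,
// so the same file can be unit-tested under Node.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}
if (typeof isInNet === "undefined") {
  // Dotted quad -> unsigned 32-bit number; null for anything that is not a
  // literal IPv4 address (the shim does no DNS, unlike a real browser).
  var ipToNumber = function (ip) {
    var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
    if (!m) return null;
    var n = 0;
    for (var i = 1; i <= 4; i++) {
      var octet = parseInt(m[i], 10);
      if (octet > 255) return null;
      n = n * 256 + octet;
    }
    return n;
  };
  globalThis.isInNet = function (host, net, mask) {
    var h = ipToNumber(host), n = ipToNumber(net), k = ipToNumber(mask);
    if (h === null || n === null || k === null) return false;
    return ((h & k) >>> 0) === ((n & k) >>> 0);
  };
}

// Assumed names: proxy.example.edu is the Squid box, .example.edu the campus.
var CACHE = "PROXY proxy.example.edu:3128";

function FindProxyForURL(url, host) {
  // Campus-internal names and private address space never go via the cache.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".example.edu") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // HTTPS goes straight out: routing it through the cache would mean the
  // man-in-the-middle position Amos warned about, and caching gains nothing.
  if (url.substring(0, 6) === "https:") {
    return "DIRECT";
  }
  // Plain HTTP through Squid; "; DIRECT" makes the browser fall back to a
  // direct connection if the proxy is down, which interception cannot offer.
  if (url.substring(0, 5) === "http:") {
    return CACHE + "; DIRECT";
  }
  // Anything else (ftp:, etc.) is not cached here.
  return "DIRECT";
}
```

Serve the file as http://wpad.<your-domain>/wpad.dat and, as Amos says, also via the URL you hand out in DHCP (option 252), so that clients with "auto detect" enabled find it by either route; interception then stays the last-resort path for clients that support neither.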



Re: [squid-users] Transparent proxy with HTTPS on freebsd

2009-05-07 Thread Amos Jeffries

Gavin McCullagh wrote:
> Hi,
>
> On Wed, 06 May 2009, Matus UHLAR - fantomas wrote:
>
>> On 04.05.09 22:35, Gavin McCullagh wrote:
>>> Would you care to substantiate that in a bit more detail?
>>
>> Making clients think they connect to the destination server when they do
>> not, breaks many things. It disables authentication, causes some TCP
>> problems (pmtu discovery?)...
>
> Many thanks for the extra info.
>
> Disabling authentication is unfortunate, but anyone managing a network and
> proxy server who decides to use transparent proxying necessarily makes the
> decision not to use authentication.
>
> PMTU discovery is not something I had thought about I must say.  At a guess
> the main issue is that if a router between client and proxy sends a
> "datagram too big" to the proxy, it'll have the IP of the upstream host on
> it and will not get to the proxy.   In our case (where the MTU is
> consistent across the whole path), that won't be an issue but I can see how
> it could be.  I guess you could turn off PMTU discovery on the proxy to
> solve this, though that's a bit of a sledgehammer.
>
> There would also be an ambiguous MTU for the client (ie that of the
> client<->proxy and the client<->server) which would depend on what port the
> client was connecting on (eg it could mix http and https).  I'd guess,
> perhaps wrongly (and assuming the icmps are not blocked) the client should
> just end up with the minimum MTU for both paths?


Should being the operative word. Though the trouble case occurs when the 
proxy tries to send a MTU too big to the client. You see the client 
machine has no knowledge that a TCP link to proxy is open at all and 
disregards the packet. Thus there are problems when the MTU between an 
intercepting proxy is smaller than the MTU between client and server 
directly or proxy and server.


The workaround for this is to sit the proxy as the gateway router or 
direct intermediary. Which may or may not be an option under your packet 
loads.


Additional issues occur when hierarchies of proxies (sometimes needed to 
cope with ISP level loads) move the actual link between proxy->server 
far away.



>> That's bad, luckily many browsers can turn on autodetection and use it when
>> available.
>
> You mean the browser downloading http://wpad./wpad.dat? This has
> been pretty flakey in our experience.  In most cases you seem to have to
> turn it on explicitly which is a huge pain as students don't know how.


wpad./wpad.dat, http://wpad/wpad.dat, http://wpad.TLD>/wpad.dat, whatever URL you configure in DHCP.


Enabling them all is a good idea, and globally having students set "auto 
detect" is a good thing. Flakey or not.
If it works you have none of the issues of interception. If not you have 
interception as a last resort backup.


>> Well, I always call intercepting a thing you should do in "last resort" and
>> all troubles caused by the interception should be pointed as client errors.
>
> Fair enough.
>
>> Yes, if you need, keep that there, but I hope you didn't stop providing WPAD
>> for anyone who supports it.
>
> We still provide it alright, though I don't think it gets used much.  One
> of our networks, where we require authentication, still uses it all the time.
>
> Gavin


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7
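Gavin's policy (intercept port 80 into Squid, let 443 pass untouched) and Amos's workaround for the PMTU problem (put the proxy on the gateway itself, so the intercepted hop has no router in between) can be expressed in a few pf rules on the FreeBSD gateway. The fragment below is an added example, not configuration posted to the list or shipped by Squid; the interface names, the LAN range and the port are assumptions, and it presumes Squid 2.7/3.0 built with `--enable-pf-transparent` and listening with `http_port 3128 transparent` in squid.conf.

```pf
# /etc/pf.conf fragment for a FreeBSD gateway that also runs Squid.
# Constructed example: em0/em1, 192.168.1.0/24 and 3128 are assumed values.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
squid  = "3128"

# Interception of plain HTTP only. The LAN's port-80 connections are rewritten
# to the local Squid listener; "rdr pass" also admits the translated packets,
# so no separate pass rule for 127.0.0.1:3128 is needed. Squid recovers the
# original destination from /dev/pf, which it must be allowed to read.
rdr pass on $int_if inet proto tcp from $lan to any port 80 -> 127.0.0.1 port $squid

# HTTPS is deliberately NOT redirected: TLS does not survive interception
# (the man-in-the-middle Amos described), so it is simply routed out.
pass in quick on $int_if inet proto tcp from $lan to any port 443 keep state

# Outbound: Squid's own fetches (port 80) and the routed HTTPS sessions.
pass out quick on $ext_if inet proto tcp to any port { 80, 443 } keep state
```

The box must forward packets (`net.inet.ip.forwarding=1` in /etc/sysctl.conf) for the pass-through HTTPS traffic to reach the outside. Because the client's TCP session terminates on the gateway it is already talking to, the "fragmentation needed" ICMP that Amos describes being ignored by a client can only arise on the proxy-to-server leg, which the proxy handles like any ordinary host; moving Squid off the gateway reintroduces the problem he outlined.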