[squid-users] https traffic squid
Hi,

I am using squid 3.0 STABLE20 on RHEL5 in conjunction with shorewall 4.4.4-1. I am using squid in non-transparent proxy mode. Currently I'm working like this:

Shorewall and squid are installed on the same box. Shorewall is listening on this box on the local interface and forwarding all http (port 80) traffic to the squid port (3128). Since squid is running in non-transparent mode, I've set all client browsers with this proxy's address and port.

Now I've two questions that might only be a performance issue, or maybe I'm doing some extra work here. I am using this because I need to process all other traffic (ftp / ssh / gopher / https) through shorewall. Only port 80 traffic should go to squid.

1. When squid is running in non-transparent mode and client browsers are set with the proxy address and port, is it necessary to still redirect port 80 traffic to squid through shorewall? Should not all clients automatically communicate with squid on that address and port?

2. Does squid directly listen to traffic sent to it from client browsers, or does it need the traffic redirected to it by another software like iptables / shorewall?

I am confused between the two scenarios. What approach should be taken?

Further, how can I send https traffic to squid as well for filtering?

--
Regards,
Asim Ahmed Khan
IT Manager, Folio3 (Pvt.) Ltd.
www.folio3.com
Direct: 92-21-4323721-4 Ext 110
Email: aah...@folio3.com
Re: [squid-users] https traffic squid
Asim Ahmed @ Folio3 wrote:
> Hi,
>
> I am using squid 3.0 STABLE20 on RHEL5 in conjunction with shorewall 4.4.4-1. I am using squid in non-transparent proxy mode. Currently I'm working like this:
>
> Shorewall and squid are installed on the same box. Shorewall is listening on this box on the local interface and forwarding all http (port 80) traffic to the squid port (3128). Since squid is running in non-transparent mode, I've set all client browsers with this proxy's address and port.
>
> Now I've two questions that might only be a performance issue, or maybe I'm doing some extra work here. I am using this because I need to process all other traffic (ftp / ssh / gopher / https) through shorewall. Only port 80 traffic should go to squid.
>
> 1. When squid is running in non-transparent mode and client browsers are set with the proxy address and port, is it necessary to still redirect port 80 traffic to squid through shorewall?

No. If you want, you can block outbound port 80 traffic, or redirect it to a page that gives instructions on setting up the proxy.

> Should not all clients automatically communicate with squid on that address and port?

Yes, as long as they are configured to.

> 2. Does squid directly listen to traffic sent to it from client browsers, or does it need the traffic redirected to it by another software like iptables / shorewall?

This is what Squid was originally designed to do. Dealing with intercepted traffic is an add-on.

> I am confused between the two scenarios. What approach should be taken?
>
> Further, how can I send https traffic to squid as well for filtering?

This is usually a browser setting. Often there is a "Use this proxy for all protocols" check box, or you can specify an HTTP, SSL, and Gopher proxy separately.

Chris
Re: [squid-users] https traffic squid
On Tue, 15 Dec 2009 17:22:27 +0500, Asim Ahmed @ Folio3 aah...@folio3.com wrote:
> Hi,
>
> I am using squid 3.0 STABLE20 on RHEL5 in conjunction with shorewall 4.4.4-1. I am using squid in non-transparent proxy mode. Currently I'm working like this:
>
> Shorewall and squid are installed on the same box. Shorewall is listening on this box on the local interface and forwarding all http (port 80) traffic to the squid port (3128). Since squid is running in non-transparent mode, I've set all client browsers with this proxy's address and port.
>
> Now I've two questions that might only be a performance issue, or maybe I'm doing some extra work here. I am using this because I need to process all other traffic (ftp / ssh / gopher / https) through shorewall. Only port 80 traffic should go to squid.
>
> 1. When squid is running in non-transparent mode and client browsers are set with the proxy address and port, is it necessary to still redirect port 80 traffic to squid through shorewall?

Only you can know that. There is software out there that uses HTTP and can't be configured to use a proxy. Nobody here is able to know if your network has such software. It's often only found out by firewalling port 80 and waiting for client complaints.

> Should not all clients automatically communicate with squid on that address and port?

_Should_, yes.

> 2. Does squid directly listen to traffic sent to it from client browsers, or does it need the traffic redirected to it by another software like iptables / shorewall?

Yes, Squid does. You do not need to do redirection to reach Squid unless your network design is broken.

> I am confused between the two scenarios. What approach should be taken?
>
> Further, how can I send https traffic to squid as well for filtering?

The browsers which are set up to send HTTP to Squid have another box next to the HTTP one saying "send HTTPS to Squid".

NOTE: HTTPS has very limited details available to Squid for filtering. The encrypted portion of the data cannot be decrypted by Squid 3.0.

Amos
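To make Amos's and Chris's points concrete, here is an added squid.conf fragment (example configuration, not from the thread or from the Squid project) for a forward proxy on port 3128 as Asim runs it; the client subnet, the blocked-domain list and the download pattern are placeholders to be replaced with your own.

```conf
# Added example: forward (non-transparent) proxy as described in the thread.
# Browsers are configured with this host and port for both HTTP and HTTPS, so
# no firewall REDIRECT of tcp/80 is needed; the "transparent" option on
# http_port is deliberately absent. If you instead REJECT outbound tcp/80 from
# the LAN at the firewall (shorewall rules line "REJECT loc net tcp 80",
# assuming the usual loc/net zone names), non-proxy-aware software shows up
# as client complaints, which is how Amos suggests finding it.
http_port 3128

acl localnet src 192.168.1.0/24          # placeholder: your client LAN
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 1025-65535
acl CONNECT method CONNECT

# A browser sends HTTPS to a forward proxy as "CONNECT host:443 HTTP/1.1".
# Squid sees only the destination host and port, so a dstdomain ACL does
# apply to HTTPS connections...
acl blocked_sites dstdomain .example.com  # placeholder list
http_access deny blocked_sites

# ...but a url_regex on paths or query strings cannot look inside the
# encrypted tunnel; this rule only ever matches plain HTTP requests.
acl exe_downloads url_regex -i \.exe$
http_access deny exe_downloads

# Only permit tunnels to the HTTPS port, only to safe ports, only from the LAN.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

Check the result with `squid -k parse` before reloading; a blocked HTTPS site is refused at the CONNECT stage, while a blocked .exe URL over HTTPS still goes through because Squid 3.0 never sees the path.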