[squid-users] FW: Encrypted browser-Squid connection errors

2022-10-14 Thread LEMRAZZEQ, Wadie
Hello, I'm trying to set up an encrypted communication between the browser and squid theoretically, I followed this section to implement it: https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection I tried to implement this on a dockerized Alpine, and a squid 5.5 with ope

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-14 Thread Alex Rousskov
On 10/14/22 10:32, LEMRAZZEQ, Wadie wrote: I tried to implement this on a dockerized Alpine, and a squid 5.5 with openssl module FWIW, Squid v5.5 is unusable in many environments -- too many bugs. Use v5.7 or later. I do not know whether one of those bugs is responsible for the specific pro

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-18 Thread LEMRAZZEQ, Wadie
> On 10/14/22 10:32, LEMRAZZEQ, Wadie wrote:
>> I tried to implement this on a dockerized Alpine, and a squid 5.5 with
>> openssl module
> FWIW, Squid v5.5 is unusable in many environments -- too many bugs. Use
> v5.7 or later. I do not know whether one of those bugs is responsible for
> the sp

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-18 Thread Alex Rousskov
On 10/18/22 04:55, LEMRAZZEQ, Wadie wrote: I have problem only web browsers (Firefox, chromium), and I do specify to use https proxy in the browser proxy config But if I use curl, it works ERROR: failure while accepting a TLS connection on conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-19 Thread LEMRAZZEQ, Wadie
On 10/18/22 04:55, LEMRAZZEQ, Wadie wrote: >>> I have problem only web browsers (Firefox, chromium), and I do specify >>> to use https proxy in the browser proxy config But if I use curl, it >>> works ERROR: failure while accepting a TLS connection on conn77 local=172.17.0.2:3129 rem

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-19 Thread Alex Rousskov
On 10/19/22 09:53, LEMRAZZEQ, Wadie wrote: As you can see firefox sends a plain text CONNECT request, and I did parameter https proxy in firefox settings I do not know exactly what you mean by "https proxy" in this context, but I suspect that you are using the wrong FireFox setting. The easil

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-19 Thread Grant Taylor
On 10/19/22 8:33 AM, Alex Rousskov wrote: I do not know exactly what you mean by "https proxy" in this context, but I suspect that you are using the wrong FireFox setting. The easily accessible "HTTPS proxy" setting in the "Configure Proxy Access to the Internet" dialog is _not_ what you need!

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-19 Thread Rafael Akchurin
o at https://webproxy.diladele.com/docs/network/secure_proxy/browsers/ Best regards, Rafael Akchurin Diladele B.V.

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-20 Thread Grant Taylor
On 10/19/22 11:33 PM, Rafael Akchurin wrote: The following line set in the Script Address box of the browser proxy configuration will help - no need for a PAC file for quick tests. Be sure to adjust the proxy name and port. data:,function FindProxyForURL(u, h){return "HTTPS proxy.example.lan:8

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-20 Thread Matus UHLAR - fantomas
On 10/19/22 11:33 PM, Rafael Akchurin wrote: The following line set in the Script Address box of the browser proxy configuration will help - no need for a PAC file for quick tests. Be sure to adjust the proxy name and port. data:,function FindProxyForURL(u, h){return "HTTPS proxy.example.lan:8

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-20 Thread Grant Taylor
On 10/20/22 9:49 AM, Matus UHLAR - fantomas wrote: proxy autoconfig is javascript-based but uses very limited javascript. My comment was more directed at why is $LANGUAGE_DOESNT_MATTER used /in/ /the/ /location/ /field/? while I agree javascript is not ideal, it's very hard to configure pro

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-20 Thread Adam Majer
On 10/20/22 18:14, Grant Taylor wrote: On 10/20/22 9:49 AM, Matus UHLAR - fantomas wrote: because standard servers and not proxies usually run on standard ports. I trust that you don't intend it to be, but that feels like a non-answer to me. It's basically by convention now. Port 3128 has b

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-21 Thread Matus UHLAR - fantomas
On 10/20/22 9:49 AM, Matus UHLAR - fantomas wrote: proxy autoconfig is javascript-based but uses very limited javascript. On 20.10.22 10:14, Grant Taylor wrote: My comment was more directed at why is $LANGUAGE_DOESNT_MATTER used /in/ /the/ /location/ /field/? apparently this is a hack to be

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-21 Thread Matus UHLAR - fantomas
On 10/20/22 9:49 AM, Matus UHLAR - fantomas wrote: Also, FTP protocol (port 21) does not support proxying, and using FTP proxy usually involves hacks. On 20.10.22 10:14, Grant Taylor wrote: I completely disagree. I've been using FTP through proxies for years. Firefox (and Thunderbird) has

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-21 Thread Grant Taylor
On 10/20/22 11:58 PM, Adam Majer wrote: It's basically by convention now. Sure. Conventions change over time. Long enough ago 3128 wasn't the conventional port for Squid. It used to be a convention to allow smoking in public / government offices. Now the convention is the exact opposite.

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-21 Thread Grant Taylor
On 10/21/22 2:25 AM, Matus UHLAR - fantomas wrote: apparently this is a hack to be able to define proxy autoconfig in the location field. Since it has very restricted capabilities, it's apparently non-issue. I guess that you can only define FindProxyForURL() this way. ACK Thank you for the

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-21 Thread Grant Taylor
On 10/21/22 11:25 AM, Grant Taylor wrote: I remember reading things years ago where people would use a bog standard FTP client to connect to an /FTP/ server acting as an /FTP/ proxy. I knew that I had seen something about using an FTP proxy that wasn't HTTP related. I encourage you to read

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-21 Thread Grant Taylor
On 10/21/22 2:51 AM, Matus UHLAR - fantomas wrote: I should have added, that squid does support FTP proxying using one of hacks I mentioned (I haven't tested it yet). I think I used Squid's FTP protocol support years ago. And, since this requires other (FTP) protocol than the default (HTTP) at

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-21 Thread Amos Jeffries
On 22/10/22 06:04, Grant Taylor wrote: On 10/20/22 11:58 PM, Adam Majer wrote: It's basically by convention now. Sure. Conventions change over time. Long enough ago 3128 wasn't the conventional port for Squid. Not just convention. AFAICT was formally registered with W3C, before everyone

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-22 Thread Grant Taylor
On 10/21/22 11:30 PM, Amos Jeffries wrote: Not just convention. AFAICT was formally registered with W3C, before everyone went to using IETF for registrations. Please elaborate on what was formally registered. I've only seen 3128 / 3129 be the default for Squid (and a few things emulating squi

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-24 Thread LEMRAZZEQ, Wadie
egards, -Original Message- From: squid-users On Behalf Of Rafael Akchurin Sent: Thursday, October 20, 2022 7:34 AM To: Grant Taylor; squid-users@lists.squid-cache.org Subject: Re: [squid-users] FW: Encrypted browser-Squid connection errors ***This mail has been sent by an external sourc

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-24 Thread Grant Taylor
On 10/24/22 9:48 AM, LEMRAZZEQ, Wadie wrote: But anyway, my next step is to use a PAC file, since it is the legacy method, if this doesn't work either I'm gonna use stunnels I have (a superset of) the following in my PAC file. It is working perfectly fine for me across multiple browsers and m

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Matus UHLAR - fantomas
On 10/21/22 2:25 AM, Matus UHLAR - fantomas wrote: apparently this is a hack to be able to define proxy autoconfig in the location field. Since it has very restricted capabilities, it's apparently non-issue. I guess that you can only define FindProxyForURL() this way. On 21.10.22 11:25, Gran

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Matus UHLAR - fantomas
On 24.10.22 15:48, LEMRAZZEQ, Wadie wrote: I think this discussion had diverged from its subject So I refocus in our subject, gents I do not know exactly what you mean by "https proxy" in this context, but I suspect that you are using the wrong FireFox setting. The easily accessible "HTTPS pr

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Matus UHLAR - fantomas
I do not know exactly what you mean by "https proxy" in this context, but I suspect that you are using the wrong FireFox setting. The easily accessible "HTTPS proxy" setting in the "Configure Proxy Access to the Internet" dialog is _not_ what you need! That setting configures a plain text HT

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Grant Taylor
On 10/25/22 2:43 AM, Matus UHLAR - fantomas wrote: if by "transparent" you mean "intercepting" proxy, that is incorrect By "transparent" I mean using network techniques to force clients to use a proxy that aren't themselves aware that they are using a proxy. CONNECT is HTTP command designed

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Matus UHLAR - fantomas
On 10/25/22 2:43 AM, Matus UHLAR - fantomas wrote: if by "transparent" you mean "intercepting" proxy, that is incorrect On 25.10.22 09:47, Grant Taylor wrote: By "transparent" I mean using network techniques to force clients to use a proxy that aren't themselves aware that they are using a pro

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Grant Taylor
On 10/25/22 10:18 AM, Matus UHLAR - fantomas wrote: I prefer to explicitly state what one means by transparent because RFC2616 has defined transparent proxy differently: I do too. I /thought/ that I was explicitly stating. At least that was my intention. Aside: That's why I included my wor

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Matus UHLAR - fantomas
On 10/25/22 10:18 AM, Matus UHLAR - fantomas wrote: I prefer to explicitly state what one means by transparent because RFC2616 has defined transparent proxy differently: On 25.10.22 10:56, Grant Taylor wrote: I do too. I /thought/ that I was explicitly stating. At least that was my intention.

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Grant Taylor
On 10/25/22 11:03 AM, Matus UHLAR - fantomas wrote: I think intercepting is better, more precise. I think that Squid can be an interception proxy as it can filter / alter content. I also think that Squid (as an interception proxy) can be used transparently. those two are completely separ

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Grant Taylor
On 10/25/22 10:18 AM, Matus UHLAR - fantomas wrote: term "interception proxy" better defines what happens here: Instead, an interception proxy filters or redirects outgoing TCP port 80 packets (and occasionally other common port traffic). Where did you pull that quote from? I don't see "inte

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Matus UHLAR - fantomas
On 10/25/22 11:03 AM, Matus UHLAR - fantomas wrote: I think intercepting is better, more precise. On 25.10.22 12:14, Grant Taylor wrote: I think that Squid can be an interception proxy as it can filter / alter content. I also think that Squid (as an interception proxy) can be used transpare

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Matus UHLAR - fantomas
On 10/25/22 10:18 AM, Matus UHLAR - fantomas wrote: term "interception proxy" better defines what happens here: Instead, an interception proxy filters or redirects outgoing TCP port 80 packets (and occasionally other common port traffic). On 25.10.22 12:52, Grant Taylor wrote: Where did you p

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Grant Taylor
On 10/25/22 12:57 PM, Matus UHLAR - fantomas wrote: That is why I prefer using "intercepting proxy" for case where connections between clients and servers intercepted by proxy, without it being configured in browsers. Fair enough. precisely, so what exactly aren't you convinced about? :-)

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Grant Taylor
On 10/25/22 1:01 PM, Matus UHLAR - fantomas wrote: sorry, this one is from 7230, section 2.3 Thank you for the reference. If we don't use "data" and "network" in addition to "transparent", result is ambiguous.  "intercepting proxy" is not. Agreed. It seems as if "transparent" in the contex

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Grant Taylor
On 10/25/22 1:09 PM, Grant Taylor wrote: It seems as if "transparent" in the context of proxies is as ambiguous as "secure" in the context of VPNs. The former can be "data transparent" and / or "network transparent". The latter can be "privacy secure" and / or "integrity secure".  }:-) Oy ve

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-25 Thread Grant Taylor
On 10/25/22 2:43 AM, Matus UHLAR - fantomas wrote: These are the FTP protocol "hacks" I mentioned before. FYI RFC 1919: Classical versus Transparent IP Proxies § 4.1 -- Transparent proxy connection example -- describes the operation of an intercepting / (network) transparent FTP proxy that do

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-30 Thread squid3
On 2022-10-23 06:10, Grant Taylor wrote: On 10/21/22 11:30 PM, Amos Jeffries wrote: Not just convention. AFAICT was formally registered with W3C, before everyone went to using IETF for registrations. Please elaborate on what was formally registered. I've only seen 3128 / 3129 be the default

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-10-31 Thread Grant Taylor
On 10/30/22 6:59 AM, squ...@treenet.co.nz wrote: Duane W. would be the best one to ask about the details. What I know is that some 10-12 years ago I discovered a message by Duane mentioning that W3C had (given or accepted) port 3128 for Squid use. I've checked the squid-cache archives and not

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-11-01 Thread squid3
On 2022-11-01 11:38, Grant Taylor wrote: On 10/30/22 6:59 AM, squ...@treenet.co.nz wrote: Duane W. would be the best one to ask about the details. What I know is that some 10-12 years ago I discovered a message by Duane mentioning that W3C had (given or accepted) port 3128 for Squid use. I'v

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-11-01 Thread Grant Taylor
On 11/1/22 1:24 PM, squ...@treenet.co.nz wrote: No I meant W3C. Back in the before times things were a bit messy. Hum. I have more questions than answers. I'm not aware of W3C ever assigning ports. I thought it was /always/ IANA. Indeed, thus we cannot register it with IETF/IANA now. The

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-11-01 Thread squid3
On 2022-11-02 09:03, Grant Taylor wrote: On 11/1/22 1:24 PM, squid3 wrote: No I meant W3C. Back in the before times things were a bit messy. Hum. I have more questions than answers. I'm not aware of W3C ever assigning ports. I thought it was /always/ IANA. Indeed, thus we cannot register

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-11-01 Thread Grant Taylor
On 11/1/22 6:27 PM, squ...@treenet.co.nz wrote: No, you cropped my use-case description. It specified a client which was *unaware* that it was talking to a forward-proxy. Sorry, that was unintentional. Such a client will send requests that only a reverse-proxy or origin server can handle prop

Re: [squid-users] FW: Encrypted browser-Squid connection errors

2022-11-01 Thread squid3
On 2022-11-02 15:35, Grant Taylor wrote: On 11/1/22 6:27 PM, squid3 wrote: The working ones deliver an HTTP/1.1 302 redirect to their company's homepage if the request came from outside the company LAN. If the request came from an administrators machine it may respond with stats data about the