Re: [squid-users] FW: Encrypted browser-Squid connection errors

Tue, 25 Oct 2022 09:18:48 -0700 

On 10/25/22 2:43 AM, Matus UHLAR - fantomas wrote:

if by "transparent" you mean "intercepting" proxy, that is incorrect


On 25.10.22 09:47, Grant Taylor wrote:

By "transparent" I mean using network techniques to force clients to 
use a proxy that aren't themselves aware that they are using a proxy.



I prefer to explicitly state what one means by transparent because RFC2616 
has defined transparent proxy diferently:


      A
      "transparent proxy" is a proxy that does not modify the request or
      response beyond what is required for proxy authentication and
      identification.

term "interception proxy" better defines what happens here:

   Instead, an
   interception proxy filters or redirects outgoing TCP port 80 packets
   (and occasionally other common port traffic).


CONNECT is HTTP command designed for use with explicit HTTP proxy.


Agreed.


But what does Squid do differently after recognizing the request from 
the client; be it a GET, PUT, POST, or even a CONNECT; the former 
being transparent with the latter being explicit.  Squid will still 
proxy the request as it understands it dependent on configuration, 
ACLs, etc.


FYI, Intercepting proxy must use measures to avoid host header forgery:

https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
https://www.kb.cert.org/vuls/id/435052


squid must find out the original destination IP used and check, while in 
explicit mode it makes no sense.



These are the FTP protocol "hacks" I mentioned before.
The HTTP protocol was created with proxying in mind, FTP was not.

using specially crafted login name for connecting to anoter server 
is one of those hacks.


Okay.


I (mis)took "hacks" to be things more severe like is typically done 
with proxifiers used with SOCKS servers, e.g. altering / overloading 
system library calls.


this is a bit different kind of hacks.


Generally the SOCKS library know where/how to connect, socks wrappers (like 
socksify, tsocks, proxychains) are used to make other software use socks 
proxy even if it does not support it.



and of course socks is generic bidiretional tcp/udp proxy, which makes it 
possible to implement it near over any kind of communication.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users





























					Reply via email to