Hi, Amos
>HTTPS encrypted traffic cannot be intercepted.
Yes, I know that. but, in this case, not "transparent".
> (1) (2)
>
> | |
> +------+ | +------------+ | +---------+
> |WWW +---+ | | +----+ WWW |
> |Client|.2 | .1| squid |.1 | .2| Server |
> +------+ +-----+ + tproxy +----+ |(tcp/443)|
> | | (tcp/8080) | | |(tcp/80) |
> | +------------+ | +---------+
> 192.168.0.0/24 10.0.0.0/24
>
> (1) 192.168.0.2 ------> 192.168.0.1:8080
> ^^^^^
> (2) 192.168.0.2 ------> 10.0.0.2:443
> ^^^
Just only thing I'd like to do is "source address spoofing"
using tproxy.
Does that make sense ?
Sincerely,
--
Mikio Kishi
On Thu, Apr 9, 2009 at 10:52 AM, Amos Jeffries <squ...@treenet.co.nz> wrote:
>> Hi, all
>>
>> Now, I evaluate the squid3.1.0.6 + tproxy4 environment like the
>> following network.
>>
>> (1) (2)
>>
>> | |
>> +------+ | +------------+ | +---------+
>> |WWW +---+ | | +----+ WWW |
>> |Client|.2 | .1| squid |.1 | .2| Server |
>> +------+ +-----+ + tproxy +----+ |(tcp/443)|
>> | | (tcp/8080) | | |(tcp/80) |
>> | +------------+ | +---------+
>> 192.168.0.0/24 10.0.0.0/24
>>
>> (1) 192.168.0.2 ------> 192.168.0.1:8080
>> (2) 192.168.0.2 ------> 10.0.0.2:80
>>
>> HTTP communication is completely OK !
>> but in HTTPS(using CONNECT method) case
>>
>> (1) 192.168.0.2 ------> 192.168.0.1:8080
>> (2) 192.168.0.2 ------> 10.0.0.2:443
>> ^^^^
>> the following error occurred.
>>
>>> commBind: Cannot bind socket FD 12 to 192.168.0.2: (99) Cannot
>>> assign requested address
>>
>> I think that tunnelStart()#tunnel.cc don't support "COMM_TRANSPARENT"
>>
>>> tunnelStart(ClientHttpRequest * http, int64_t * size_ptr, int*
>>> status_ptr)
>>> {
>>> ... snip ...
>>> sock = comm_openex(SOCK_STREAM,
>>> IPPROTO_TCP,
>>> temp,
>>> COMM_NONBLOCKING, // need COMM_TRANSPARENT
>>> getOutgoingTOS(request),
>>> url);
>>> ... snip ...
>>
>> What do you think ?
>
> HTTPS encrypted traffic cannot be intercepted.
>
> Amos
>
>
>
