RE: [squid-users] ssl and transparent proxy problem

From: Ayca Ardic <aycaa@dont-contact.us>
Date: Wed, 24 Apr 2002 10:00:47 +0300

Mr. Talikov,
Thanx a lot for your attention.

We have approximately 700 users at our company. Disabling transparency is
not a preferable solution for us. I think I have to disallow proxy for ssl.

I have these settings in my squid.conf file. What else should I add so as not
to proxy ssl?

acl QUERY urlpath_regex cgi-bin \? xxxbank
no_cache deny QUERY

acl bank dstdomain .xxxbank.com.tr
always_direct allow bank

And a few more pieces of information about our case:

1. We have a firewall. And all our users IP addresses are translated into a
single real IP by NAT. (So, even if I don't use transparent proxy, source IP
address is changed by firewall.)

2. All our salary orders are done with this bank. So all users want to
use this bank's web site.

3. There is one more bank whose online services I use. It also uses https
and ssl. But I have no problem with that bank. I called my bank
(xxxbank.com.tr). They said that they are using ssl+java authentication.

4. I just now thought that maybe I can direct all xxxbank.com.tr packets
with iptables. Is it possible?

Thanx a lot.
Have a good work.

-----Original Message-----
From: Alexey Talikov [mailto:alexey_talikov@texlab.com.uz]
Sent: Friday, April 19, 2002 4:29 PM
To: aycaa@havelsan.com.tr
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] ssl and transparent proxy problem

If you set all browsers at proxy,
disable transparent mode or not use proxy for ssl (in browsers if possible).

The Problem with Transparency

When Squid transparently caches a site, the source IP address of the connection changes: the request comes from the cache server rather than the client machine. This can play havoc with web sites that use IP-address authentication (such sites only allow requests from a small set of IP addresses, rather than authenticating requests with a name and password).

Since the cache changes the source IP address of the connection, some servers may deny legitimate users access. In many cases, this will cost users money (they may pay for the service, or use the information on that site to make money).

If you know your network inside out, and know exactly who would be accessing a site like this, there is probably no problem with using transparent caching. If this is the case, though, it might be easier to simply change all of your users' settings.

19.04.2002 17:52:25, "Ayca Ardic" <aycaa@havelsan.com.tr> wrote:

>
>Hi,
>
>I have a transparent proxy for internet connection. It is a Redhat 7.2
>(kernel 2.4.7) with squid 2.4.Stable6. Our connection is as shown below.
>Browser <-> Proxy <-> Firewall <-> Internet
>
>Proxy server is working fine but I have problem with SSL connections.
>When I want to connect to some internet banking sites, I can log in to site,
>and connect at 443 but I'm not able to use any commands at the site.
>
>If I disable proxy, I can use all the banking services. Also, there is no
>problem if I manually configure my browser to use proxy and set the firewall
>as my gateway.
>
>When I check log files, I saw the following error:
>2002/04/19 13:41:03| sslReadServer: FD 84: read failure: (104) Connection
>reset
>
>As I see from mailing-list archives, this question has been asked a few
>times. But no solution is advised.
>
>I'll be glad if someone can advise some URL or document.
>
>Thanx for your attention.
>
Received on Wed Apr 24 2002 - 00:59:51 MDT
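Item 4 of the reply above asks whether the bank's traffic can be steered around the cache with iptables. The script below is an added example, not something from this thread or from the Squid project: it builds the nat/PREROUTING rules for an interception box so that only plain HTTP on port 80 is redirected into Squid, while port 443 and the bank's address block are accepted (left direct) before the REDIRECT rule is reached. Interface name, Squid port and the bank's network are assumed placeholders; the script prints the rules by default and only applies them when DRY_RUN=0.

```shell
#!/bin/sh
# Added example: intercept only port-80 HTTP; never intercept HTTPS.
# DRY_RUN=1 (default) prints the rules; DRY_RUN=0 applies them as root.
DRY_RUN="${DRY_RUN:-1}"
LAN_IF="${LAN_IF:-eth0}"              # assumption: interface facing the users
SQUID_PORT="${SQUID_PORT:-3128}"      # assumption: Squid's http_port
BANK_NET="${BANK_NET:-192.0.2.0/24}"  # placeholder: the bank's real address block

# run: print the rule in dry-run mode, otherwise hand it to iptables.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Emit the rules in order. Order matters: the first matching rule in the
# chain wins, so every ACCEPT (bypass) must precede the REDIRECT.
intercept_rules() {
    # 1. HTTPS is never intercepted: a transparent Squid cannot proxy a TLS
    #    session it did not negotiate, so port 443 goes straight to the gateway.
    run -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 443 -j ACCEPT
    # 2. Anything addressed to the bank, on any port, bypasses the cache too.
    run -t nat -A PREROUTING -i "$LAN_IF" -d "$BANK_NET" -j ACCEPT
    # 3. Only the remaining port-80 traffic is redirected into Squid.
    run -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
}

# check_order: in dry-run mode, verify that the 443 bypass is listed before
# the REDIRECT. Returns 0 when the order is correct.
check_order() {
    rules="$(DRY_RUN=1 intercept_rules)"
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '--dport 443 -j ACCEPT' | cut -d: -f1)
    redirect_line=$(printf '%s\n' "$rules" | grep -n -- '-j REDIRECT' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$redirect_line" ] && [ "$accept_line" -lt "$redirect_line" ]
}

check_order && intercept_rules
```

Because the browsers in transparent mode never send a CONNECT request, Squid is not involved in the HTTPS session at all once port 443 is no longer redirected; the bank still sees the firewall's NAT address, as noted in point 1 of the reply.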
