Re: [squid-users] CONNECT method support(for https) using squid3.1.0.6 + tproxy4

From: Mikio Kishi <mkishi_at_104.net>
Date: Wed, 22 Apr 2009 15:58:09 +0900

Hi, Amos

> Ah, you need the follow_x_forwarded_for feature on Proxy(1).

That's right, I know about that, but I'd like to use "source address
spoofing"...

Only the following would relieve my anxiety.

replacing, in tunnelStart() in tunnel.cc,

> sock = comm_openex(SOCK_STREAM,
> IPPROTO_TCP,
> temp,
> COMM_NONBLOCKING,
> getOutgoingTOS(request),
> url);

with

> if (request->flags.spoof_client_ip) {
> sock = comm_openex(SOCK_STREAM,
> IPPROTO_TCP,
> temp,
> (COMM_NONBLOCKING|COMM_TRANSPARENT),
> getOutgoingTOS(request),
> url);
> } else {
> sock = comm_openex(SOCK_STREAM,
> IPPROTO_TCP,
> temp,
> COMM_NONBLOCKING,
> getOutgoingTOS(request),
> url);
> }
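Review bot: the two comm_openex() calls in the if/else differ only in the flags argument, so the conditional repeats six lines of identical arguments; compute the flags once and keep a single call, e.g. `int flags = COMM_NONBLOCKING; if (request->flags.spoof_client_ip) flags |= COMM_TRANSPARENT;` followed by the original comm_openex() with `flags` in place of COMM_NONBLOCKING. The else branch is otherwise identical to the code being replaced, so the only behavioural change is adding COMM_TRANSPARENT when request->flags.spoof_client_ip is set, which a one-line flag computation makes obvious to the reader.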

I think it has no harmful effects. I long for that.
Would you modify that?

Sincerely,

--
Mikio Kishi
On Sun, Apr 12, 2009 at 1:25 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> Mikio Kishi wrote:
>>
>> Hi, Amos
>>
>>> What exactly are you trying to achieve with this?
>>
>> I'm really sorry... It's a little bit difficult to explain...
>> The following is more detail.
>>
>>  -----------------------
>>     The Internet
>>        ---+------------
>>           |
>>  --------+-+-------------
>>         |
>>   +-----+-------+
>>   |  squid      | (1)
>>   |  (tcp/8080) |
>>   +-----+-------+
>>         |.2
>>  --------+-+---------------- 10.0.0.0/24
>>           |.1
>>        +--+--+
>>        |  R  |
>>        +--+--+
>>           |.1
>>  -------+--+---------------- 192.168.0.0/24
>>        |.2
>>   +----+--------+
>>   |  squid +    |
>>   |    tproxy   | (2)
>>   |  (tcp/8080) |
>>   +----+--------+
>>        |.2
>>  -------+--+---------------- 192.168.1.0/24
>>           |.3
>>        +--+-----+
>>        | client |
>>        +--------+
>>
>>  - The demand
>>   - The client must use proxy(2) using tcp/8080
>>     - by browser settings
>>       HTTP  -> proxy(2) (192.168.1.2:8080)
>>       HTTPS -> proxy(2) (192.168.1.2:8080)
>>     - proxy(2) doesn't have to be "transparent"
>>   - The proxy(2)'s parent proxy must be proxy(1)
>>     using cache_peer
>>   - Both proxy(1) and proxy(2) must record
>>     "client original source address" in access log for security action
>>         !!! It's most important !!!
>>
>> I think that I have to use tproxy (not transparent)
>> to achieve the above demands. What do you think?
>
> Ah, you need the follow_x_forwarded_for feature on Proxy(1).
>
> proxy(2) will always be trying to set X-Forwarded-For header indicating the
> client IP. Which gets passed to proxy(1).
>
> By enabling follow_x_forwarded_for and log_uses_indirect_client, proxy(1) should
> log the original client IP.
>
> http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/
> http://www.squid-cache.org/Doc/config/log_uses_indirect_client/
>
>
> Amos
>
>>
>> Sincerely,
>> --
>> Mikio Kishi
>>
>> On Thu, Apr 9, 2009 at 4:54 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>> wrote:
>>>
>>> Mikio Kishi wrote:
>>>>
>>>> Hi, Amos
>>>>
>>>>> HTTPS encrypted traffic cannot be intercepted.
>>>>
>>>> Yes, I know that. but, in this case, not "transparent".
>>>>
>>>>>          (1)                     (2)
>>>>>
>>>>>           |                       |
>>>>>  +------+   |     +------------+    |    +---------+
>>>>>  |WWW   +---+     |            |    +----+ WWW     |
>>>>>  |Client|.2 |   .1| squid      |.1  |  .2|  Server |
>>>>>  +------+   +-----+   + tproxy +----+    |(tcp/443)|
>>>>>           |     | (tcp/8080) |    |    |(tcp/80) |
>>>>>           |     +------------+    |    +---------+
>>>>>     192.168.0.0/24          10.0.0.0/24
>>>>>
>>>>>  (1) 192.168.0.2 ------>  192.168.0.1:8080
>>>>>                                    ^^^^^
>>>>>  (2) 192.168.0.2 ------>  10.0.0.2:443
>>>>>                                  ^^^
>>>>
>>>> Just only thing I'd like to do is "source address spoofing"
>>>> using tproxy.
>>>>
>>>> Does that make sense?
>>>
>>> No. Squid is perfectly capable of making HTTPS links outbound without
>>> tproxy. The far end only knows that some client connected.
>>>
>>> HTTPS cannot be spoofed, it's part of the security involved with the SSL
>>> layer.
>>>
>>> What exactly are you trying to achieve with this?
>>>
>>> Amos
>>> --
>>> Please be using
>>>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>>>  Current Beta Squid 3.1.0.6
>>>
>
>
> --
> Please be using
>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>  Current Beta Squid 3.1.0.6
>
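The configuration Amos describes above, written out as an added example (it is not part of the thread and not the Squid project's own sample config): proxy(2) forwards every request, including CONNECT, to proxy(1) via cache_peer and adds the real client address in X-Forwarded-For; proxy(1) trusts that header only when the request comes from proxy(2) and logs the indirect client address, so no tproxy is needed on the outbound leg. Addresses are taken from the diagram in the thread (proxy(2) is 192.168.1.2 towards the clients and 192.168.0.2 towards R; proxy(1) is 10.0.0.2). cache_peer, follow_x_forwarded_for and log_uses_indirect_client are named in the thread; forwarded_for, never_direct, acl_uses_indirect_client and the http_access rules are standard Squid directives added here. It is assumed that R does not NAT, so proxy(1) sees proxy(2) as 192.168.0.2.

```squid
# ---- proxy(2), 192.168.1.2, the proxy the browsers are configured to use ----
http_port 8080

# Assumed client network (from the diagram: client is 192.168.1.3).
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# Append the connecting client's address to X-Forwarded-For on every request
# forwarded upstream, CONNECT included. This is what proxy(1) will log.
forwarded_for on

# Parent is proxy(1); route everything through it and never go direct.
cache_peer 10.0.0.2 parent 8080 0 no-query default
never_direct allow all


# ---- proxy(1), 10.0.0.2, the parent proxy ----
http_port 8080

# The only legitimate source of requests is proxy(2). Assumes no NAT on R,
# so proxy(2) arrives from its R-facing address.
acl proxy2 src 192.168.0.2
http_access allow proxy2
http_access deny all

# Trust X-Forwarded-For ONLY from proxy(2). Allowing it from anywhere else
# would let any host write an arbitrary "client IP" into proxy(1)'s log.
follow_x_forwarded_for allow proxy2
follow_x_forwarded_for deny all

# Log the indirect (original) client address taken from the trusted header,
# and evaluate src ACLs against it as well.
log_uses_indirect_client on
acl_uses_indirect_client on
```

To check the result, open an HTTPS site from the client and compare the two access logs: proxy(2) logs 192.168.1.3 for the CONNECT directly, and with the settings above proxy(1) should log 192.168.1.3 as well instead of proxy(2)'s own address 192.168.0.2. If proxy(1) still logs 192.168.0.2, the request did not match the proxy2 ACL (for example because R is translating addresses), and follow_x_forwarded_for was correctly refused.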
Received on Wed Apr 22 2009 - 06:58:11 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 24 2009 - 12:00:03 MDT