Re: [squid-users] HTTPS interception and proxy to origin server clear traffic / FTP Proxy

From: Abdessamad BARAKAT <abdsamad13_at_gmail.com>
Date: Mon, 16 Jul 2012 11:14:26 +0200

2012/7/16 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 16/07/2012 7:54 p.m., Abdessamad BARAKAT wrote:
>>
>> Hi amos,
>>
>> 2012/7/14 Amos Jeffries:
>>
>>> On 14/07/2012 3:22 a.m., Abdessamad BARAKAT wrote:
>>>>
>>>> Hi,
>>>>
>>>> 1) HTTPS Interception
>>>>
>>>> I am trying to set up a transparent HTTPS configuration with squid 3.1.20.
>>>>
>>>> The traffic is correctly forwarded to the proxy port 3129 via WCCP
>>>> (Cisco ASA GW), but the proxy doesn't use an SSL connection to reach the
>>>> final server; it uses a clear HTTP connection on port 80.
>>>>
>>>> The client --> squid proxy flow correctly uses SSL with the squid's
>>>> certificate.
>>>>
>>>> Any idea why squid doesn't use an HTTPS connection to reach the final
>>>> server?
>>>
>>>
>>> Squid-3.1 is not designed for HTTPS interception. You require features
>>> only available in the 3.2 series.
>>>
>>>

Amos, what's your advice on this subject:

>> But I can understand why squid can intercept the HTTPS connection from
>> the client, and after that doesn't make an HTTPS session but an HTTP
>> session to the final server.
>>

>>>> 2) FTP Interception
>>>>
>>>> If I understand correctly, squid can handle transparent FTP use with a
>>>> browser (a native FTP client is not supported).
>>>
>>>
>>> There is nothing transparent about that. The browser tells Squid what URL
>>> to fetch from FTP parts of the Internet. Squid produces an HTTP object for
>>> the browser.
>>>
>>>
>>>> I have configured only WCCP stuff, nothing about FTP on squid, and I
>>>> can see the 3-way handshake was established correctly between the
>>>> client and the proxy, but after that nothing...
>>>
>>>
>>> What proxy? Not Squid, because Squid would be sending HTTP error codes,
>>> not FTP handshake codes.
>>
>> Yes, with squid, but I use an HTTP browser (with a URL like
>> ftp://ftp.toto.com); the TCP connection was established but after
>> that, nothing.
>
>
> This means little. The browser could be passing an HTTP request for ftp:// to
> Squid or it could be passing FTP traffic to ftp.toto.com.
>
> Squid *cannot* intercept the FTP traffic port(s).
>
>
>>
>> Squid can't handle FTP connections with a web browser? I know it
>> can't handle a native FTP client.
>
>
> When the browser is using FTP protocol there is no difference between it and
> a native FTP client.
>
> When it is sending an ftp:// URL to an HTTP proxy it uses HTTP protocol.

So for you it will work? If I use a browser with "ftp://...",
WCCP correctly redirects the FTP service to the squid proxy, but
only the 3-way handshake is made; after that, nothing...

If I use the proxy in explicit mode, it's working.

The Cisco ASA sees it as an FTP traffic service and not HTTP traffic
from the WCCP point of view, and I can see the browser made a connection
to the FTP port.

I hope it's clearer now.

>
> Amos
>

Thanks again Amos
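The thread turns on what a redirected TCP connection actually carries once the handshake completes: an HTTP request for an ftp:// URL (explicit proxy, which works), a TLS ClientHello (intercepted HTTPS, which Amos says needs 3.2-series features), or native FTP, where the client waits for the server's 220 banner and sends nothing, so an HTTP listener sees a completed handshake and then silence. The following script is an added example, not code from the thread or from the Squid project: it classifies the first bytes a client sends and reproduces the "handshake then nothing" symptom locally with a socket pair. The sample inputs are constructed; ftp.toto.com is the hostname used in the thread, and the diagnosis strings summarise the thread's own conclusions.

```python
"""Classify the first client bytes on a redirected proxy connection.

Added example for the squid-users thread above; the samples are constructed.
"""
import socket

# Request methods a browser sends to an explicit HTTP proxy.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")

# Constructed samples.
SAMPLE_HTTP_FTP = (b"GET ftp://ftp.toto.com/pub/ HTTP/1.1\r\n"
                   b"Host: ftp.toto.com\r\n\r\n")       # browser -> explicit proxy
SAMPLE_TLS_CLIENTHELLO = bytes.fromhex("160301000501000001")  # record + handshake hdr
SAMPLE_NATIVE_FTP = b""   # FTP client says nothing until the server sends "220 ..."


def classify_initial_bytes(data: bytes) -> str:
    """Return 'empty', 'tls-clienthello', 'http-proxy-ftp-url', 'http' or 'unknown'."""
    if not data:
        return "empty"
    # TLS record: content type 0x16 (handshake), version major 0x03,
    # then handshake type 0x01 (ClientHello) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-clienthello"
    if data.startswith(HTTP_METHODS):
        request_line = data.split(b"\r\n", 1)[0]
        parts = request_line.split(b" ")
        if len(parts) >= 2 and parts[1].lower().startswith(b"ftp://"):
            return "http-proxy-ftp-url"
        return "http"
    return "unknown"


def diagnose(kind: str) -> str:
    """Map a classification to the outcome the thread describes."""
    return {
        "empty": "no request line: consistent with native FTP (server speaks first); "
                 "an HTTP listener cannot serve it, which is the 'handshake then nothing' case",
        "tls-clienthello": "TLS handshake: needs an https_port with ssl-bump "
                           "(Squid 3.2 series); a plain http_port cannot parse it",
        "http-proxy-ftp-url": "explicit-proxy request for an ftp:// URL: Squid fetches "
                              "over FTP and returns an HTTP object",
        "http": "plain HTTP request",
    }.get(kind, "unrecognised first bytes")


def simulate_ftp_client_vs_http_listener(timeout: float = 0.2) -> str:
    """Reproduce the symptom: an FTP client and an HTTP listener both wait for
    the other side to speak first, so the listener's recv() times out."""
    proxy_side, client_side = socket.socketpair()
    try:
        proxy_side.settimeout(timeout)
        # The native FTP client sends nothing; it is waiting for a 220 greeting.
        try:
            data = proxy_side.recv(4096)
        except socket.timeout:
            return "empty"
        return classify_initial_bytes(data)
    finally:
        proxy_side.close()
        client_side.close()


if __name__ == "__main__":
    for name, sample in (("explicit ftp:// URL", SAMPLE_HTTP_FTP),
                         ("intercepted HTTPS", SAMPLE_TLS_CLIENTHELLO),
                         ("native FTP", SAMPLE_NATIVE_FTP)):
        kind = classify_initial_bytes(sample)
        print(f"{name:20s} -> {kind}: {diagnose(kind)}")
    print("socket pair simulation ->", simulate_ftp_client_vs_http_listener())
```

Running it prints the three classifications and then `empty` for the socket-pair simulation, which is exactly what a Squid http_port would see when WCCP hands it a browser's native FTP connection.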
Received on Mon Jul 16 2012 - 09:14:39 MDT

This archive was generated by hypermail 2.2.0 : Mon Jul 16 2012 - 12:00:02 MDT