Re: [squid-users] CONNECT method support(for https) using squid3.1.0.6 + tproxy4

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 09 Apr 2009 19:54:34 +1200

Mikio Kishi wrote:
> Hi, Amos
>
>> HTTPS encrypted traffic cannot be intercepted.
>
> Yes, I know that. But in this case, it is not "transparent".
>
>> (1) (2)
>>
>> | |
>> +------+ | +------------+ | +---------+
>> |WWW +---+ | | +----+ WWW |
>> |Client|.2 | .1| squid |.1 | .2| Server |
>> +------+ +-----+ + tproxy +----+ |(tcp/443)|
>> | | (tcp/8080) | | |(tcp/80) |
>> | +------------+ | +---------+
>> 192.168.0.0/24 10.0.0.0/24
>>
>> (1) 192.168.0.2 ------> 192.168.0.1:8080
>> ^^^^^
>> (2) 192.168.0.2 ------> 10.0.0.2:443
>> ^^^
>
> The only thing I'd like to do is "source address spoofing"
> using tproxy.
>
> Does that make sense?

No. Squid is perfectly capable of making HTTPS links outbound without
tproxy. The far end only knows that some client connected.

HTTPS cannot be spoofed; it's part of the security involved with the SSL
layer.

What exactly are you trying to achieve with this?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
Received on Thu Apr 09 2009 - 06:54:33 MDT
