Re: RE: [squid-users] ssl and transparent proxy problem

From: Alexey Talikov <alexey_talikov@dont-contact.us>
Date: Wed, 24 Apr 2002 13:20:41 +0500

don't forward port 443 to squid
80,8080,8081,810[1-4] to 3128(squid)
443 simple change source ip in netfilter
my users work without problem

24.04.2002 12:00:47, "Ayca Ardic" <aycaa@havelsan.com.tr> wrote:

>
>Mr. Talikov,
>Thanx a lot for your attention.
>
>We have approximately 700 users at our company. Disabling transparency is
>not a preferable solution for us. I think I have to disallow proxy for ssl.
>
>I have these settings in my squid.conf file. What else should I add, not to
>proxy ssl?
>
>acl QUERY urlpath_regex cgi-bin \? xxxbank
>no_cache deny QUERY
>
>acl bank dstdomain .xxxbank.com.tr
>always_direct allow bank
>
>And a few more information about our case:
>
>1. We have a firewall. And all our users IP addresses are translated into a
>single real IP by NAT. (So, even if I don't use transparent proxy, source IP
>address is changed by firewall.)
>
>2. All our salary order is being done with this bank. So all users want to
>use this bank's web site.
>
>3. There is one more bank whose online services I use. It also uses https
>and ssl. But I have no problem with that bank. I called my bank
>(xxxbank.com.tr). They said that they are using ssl+java authentication.
>
>4. I just now thought that maybe I can direct all xxxbank.com.tr packet
>tables with iptables. Is it possible?
>
>Thanx a lot.
>Have a good work.
>
>-----Original Message-----
>From: Alexey Talikov [mailto:alexey_talikov@texlab.com.uz]
>Sent: Friday, April 19, 2002 4:29 PM
>To: aycaa@havelsan.com.tr
>Cc: squid-users@squid-cache.org
>Subject: Re: [squid-users] ssl and transparent proxy problem
>
>
>
>If you set all browsers at proxy
>disable transparent mode or not use proxy for ssl (in browsers if possible)
>
>The Problem with Transparency
>
>When Squid transparently caches a site, the source IP address of the
>connection changes: the
>request comes from the cache server rather than the client machine. This can
>play havoc with web
>sites that use IP-address authentication (such sites only allow requests
>from a small set of IP
>addresses, rather than authenticating requests with a name and password.)
>
>Since the cache changes the source IP address of the connection, some
>servers may deny legitimate
>users access. In many cases, this will cost users money (they may pay for
>the service, or use the
>information on that site to make money.)
>
>If you know your network inside out, and know exactly who would be accessing
>a site like this,
>there is probably no problem with using transparent caching. If this is the
>case, though, it might
>be easier to simply change all of your users' settings.
>
>
>19.04.2002 17:52:25, "Ayca Ardic" <aycaa@havelsan.com.tr> wrote:
>
>>
>>Hi,
>>
>>I have a transparent proxy for internet connection. It is a Redhat 7.2
>>(kernel 2.4.7) with squid 2.4.Stable6. Our connection is as shown below.
>>Browser <-> Proxy <-> Firewall <-> Internet
>>
>>Proxy server is working fine but I have problem with SSL connections.
>>When I want to connect to some internet banking sites, I can log in to the site,
>>and connect at 443 but I'm not able to use any commands at the site.
>>
>>If I disable proxy, I can use all the banking services. Also, there is no
>>problem if I manually configure my browser to use proxy and set the firewall
>>as my gateway.
>>
>>When I check log files, I saw the following error:
>>2002/04/19 13:41:03| sslReadServer: FD 84: read failure: (104) Connection
>>reset
>>
>>As I see from mailing-list archives, this question has been asked a few
>>times. But no solution is advised.
>>
>>I'll be glad if someone can advise some URL or document.
>>
>>Thanx for your attention.
>>
>
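The advice at the top of the thread (redirect 80, 8080, 8081 and 8101-8104 to Squid on 3128; leave 443 alone and only source-NAT it) can be written down as a netfilter nat table. The script below is an added example, not something posted in the thread or shipped with Squid; it assumes the proxy box is also the gateway, with the LAN on eth1 and the uplink on eth0 (both names are assumptions and can be overridden through the environment). It emits the table in iptables-restore format so the rules can be reviewed before being loaded, and it includes a small check that confirms port 443 is never sent to Squid. Squid 2.4 cannot terminate TLS, so intercepted 443 traffic would arrive as raw TLS rather than a CONNECT request; the `sslReadServer ... Connection reset` line quoted in the thread is what that looks like from Squid's side.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): generate the netfilter nat
# table for a transparent Squid in front of a NAT firewall.
# Assumptions (not stated in the thread): LAN interface eth1, uplink eth0,
# Squid listening on 3128 on this host.

LAN_IF="${LAN_IF:-eth1}"          # assumption: interface facing the users
WAN_IF="${WAN_IF:-eth0}"          # assumption: interface towards the Internet
SQUID_PORT="${SQUID_PORT:-3128}"  # port Squid listens on, per the thread
# Plain-HTTP ports named in the thread: 80, 8080, 8081 and 8101-8104.
HTTP_PORTS="80 8080 8081 8101 8102 8103 8104"

# Print the nat table in the format iptables-restore reads.
nat_rules() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Only traffic arriving from the LAN is redirected; the OUTPUT chain is
    # left untouched so Squid's own outbound fetches are not looped back.
    for p in $HTTP_PORTS; do
        echo "-A PREROUTING -i $LAN_IF -p tcp --dport $p -j REDIRECT --to-ports $SQUID_PORT"
    done
    # Port 443 is deliberately absent from the REDIRECT list: HTTPS is not
    # intercepted, it is only source-NATed on the way out like everything else.
    echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo 'COMMIT'
}

# Exit 0 if the generated table sends TCP port $1 to Squid, 1 otherwise.
redirects_port() {
    nat_rules | grep -q -- "--dport $1 -j REDIRECT --to-ports $SQUID_PORT"
}

# Number of REDIRECT rules in the generated table (one per HTTP port).
redirect_count() {
    nat_rules | grep -c -- '-j REDIRECT'
}

# Sanity check an admin can run before loading: 80 must go to Squid, 443 must not.
check_rules() {
    redirects_port 80 || return 1
    if redirects_port 443; then return 1; fi
    nat_rules | grep -q -- '-j MASQUERADE' || return 1
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    # Load the table only after the check passes (needs root).
    check_rules && nat_rules | iptables-restore
else
    nat_rules
fi
```

Run it without arguments to print the table for review, or with `--apply` as root to load it; `check_rules` refuses to apply a table that would redirect 443 or lacks the outbound MASQUERADE rule.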
Received on Wed Apr 24 2002 - 02:20:47 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:39 MST