Re: [squid-users] Transparent Proxy with https

From: Jason Taylor <j@dont-contact.us>
Date: Thu, 27 Sep 2007 16:30:55 -0400

Henrik Nordstrom wrote:
> On Thu, 2007-09-27 at 14:26 -0400, fname lname wrote:
>
>> Can squid do transparent proxy with https requests yet or is there a
>> workaround?
>>
>
> Why do you want to transparently proxy https?
>
> Regards
> Henrik
>
While I don't pretend to know the OP's situation, in ours, it could
definitely be useful.

There are quite a few still-in-use versions of Java that fail to
adequately detect that a proxy is to be used when the browser simply has
"automatically detect proxy settings".
The transparent proxy is useful for catching all the little applets that
ignore this browser setting.
There are also quite a few SSL-based applets that ignore this as well.

A workaround would be to hardcode the proxy setting in every desktop but
this has other drawbacks in our environment. We just finished cleaning
up after a bunch of hardcoded proxy settings done by various past users,
"sys-admins" and a few other proxy efforts. The attitude of the IT head
now is to push for as little client-side configuration as possible for
Java and browsers in the hopes of avoiding a sea of proxy settings, all
different.

At the moment, we have a growing firewall ruleset of authorized https
destinations and I would like to keep this from growing too large since
many of the sites at the other end of these SSL connections also do source
address filtering and the external IP addresses of the proxies are
different than the external IP addresses that our workstations get NATed
to when entering the Internet. Of course, not all of this is documented
which makes any external IP address change a lot of fun. Also, the
group that manages firewall configs is separate from the group that
manages the proxy configs.

Personally, I think that our entire network is a shining example of the
road to hell being paved with good intentions, but it does work for us
and has proven very robust over the years.

So being able to handle transparent proxying of https would be a
definite plus for us, at the very least in allowing all "web" traffic to
be managed and controlled by the same group.

Cheers,

/Jason
Received on Thu Sep 27 2007 - 14:30:58 MDT
