Re: [squid-users] Anonymous SSL Tunneling Proxy

From: Henrik Nordstrom <[email protected]>
Date: Sat, 10 May 2003 01:44:45 +0200

On Saturday 10 May 2003 00.57, Jeremy Junginger wrote:
> You see, that's where things get interesting. If you remember
> magusnet (www.magusnet.com/proxy.htm) which is now defunct, you
> used to enter a url such as:
>
> https://www.magusnet.com-_-www.yahoo.com

This is a somewhat different beast. This is a https->http application
level gateway, translating not only the protocol but also the
content. Technically this is not a proxy and if you speak of such
services in term of proxies you will most likely en up in the wrong
path. But in implementation the borders between a https->http
application level gateway and a proxy may be very thin.

Note: The above URL is not syntactically correct. You either have to
reverse the order of the domains, or put the actual requested domain
in the url-path component (after a /)

> All I'm trying to do is tunnel http over ssl.

This is all https:// is about. HTTP tunneled over SSL.

> It sounds like a rather simple concept, but as you can see,
> the devil's in the details.

Exacly.

To find a solution to the problem you must first correctly specify
what the final goal is. Just "I want to tunnel HTTP over SSL" is not
sufficient as specification unless all you want is to turn some http
site into a https site over a certain connection, or SSL encrypt
proxied traffic between two proxies.

Issues which must be covered by such specification before it is
meaningful to discuss the needed technology:

 * What is it actually you want to SSL encrypt.

 * Is it for a defined set of servers, or a generic "proxy" service
for all Internet

 * Should it be a proxy service or a gateway / surrogate server
service?

     In proxy mode the browser needs to be configured to use our
proxy.

     In gateway / surrogate server mode the user simply requests
another URL and have the site translated for them at both protocol
and content levels.

If you want to toy with Squid as a surrogate server, try this:

Specification:

If the browser request https://www.example.com.proxy.my.domain/ then
he should be given the content of http://www.example.com/ encrypted
with https.

   1. Configure squid-2.5 with SSL support and squid.conf as a domain
based accelerator

         https_port ....
         httpd_accel_host www.your.domain
         httpd_accel_uses_host_header on

   2. Create a wildcard DNS A record pointing to Squid so you can make
https:// requests for various servers and have then sent to Squid.

   3. Write a small redirector helper to Squid which takes away the
base DNS name of the above virtual DNS record on forwarded traffic
 
      #!/usr/bin/perl -p
      s%\.proxy\.my\.domain%%;

   
> At any rate, I'm at the same point you are. I don't know how to do
> it, but I'm playing with it and trying to learn. I have seen it
> work, there are companies that make it work, and I'm just not sure
> if I'm barking up the right tree with SQUID, or if this can be done
> with some other proxy/webserver software.

What tool to use actually depends on what you are after. Without a
detailed specification on what it is you want to do we can only
guess, and will likely will guess wrongly. The problem you are
pursuing have many different angles and quite different solutions
with technically speaking very little in common.

> Anyhow, thanks for the reply, and sorry if the email looks a bit
> harsh. I'm just a little concerned that I can't get a YES or NO.

There cant be a YES/NO answer to a not yet fully specified question
where the technology to use and availability varies a lot depending
on the details of the question.

If your question is "can it be done" then the answer is YES. Its only
a matter of how much work you want to put into doing it. How it can
be done is a much harder question and can not be answered with a
YES/NO.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [email protected]
Received on Fri May 09 2003 - 17:44:18 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:16:30 MST