internet squid with https and just for domain resolution not for caching or so

internet squid with https and just for domain resolution not for caching or so

--Ahmad--
Dear Folks,

I ask here:

If I want to enable Squid in intercept/transparent or transparent TCP_connect,

I don't want to decrypt the message.

All I need is, say, the client requested google.com.

I can, from the router, send the packet to the proxy server via PBR or so, and all I need is for Squid to intercept this message and do the name resolution, and based on it, it has the tcp_outgoing address as an IPv6 address.

Again, I don't want any certificate error or so.

Possible?




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: internet squid with https and just for domain resolution not for caching or so

Antony Stone
On Friday 31 August 2018 at 17:44:41, --Ahmad-- wrote:

> Dear Folks .
>
> I ask here
>
> if I want to enable squid into intercept/transparent or transparent
> TCP_connect
>
> I don't want to decrypt the message
>
> all what i need say client requested google.com <http://google.com/>

I assume you meant to say https://google.com ?

> i can from router to send the packet to the proxy server via PBR or so and
> all what i need is squid intercept this msg and do the name resolution and
> based on it , it has the tcp_outgoing address as IPV6 address
>
> again, I don't want any certificate error or so
>
> possible ?

No.

If the client is configured not to use a proxy (and you say you want to use
intercept mode) then the client itself will already have done the DNS lookup
(otherwise it wouldn't know which IP address to send the request to).

If Squid then intercepts the request, it will already have a destination IP
address, and Squid has no reason to do a DNS lookup.  If it didn't and perhaps
found a different IP address than the client did (which is entirely possible
with CDNs etc) and decided to send the request there instead, things would
break once the reply got back to the client because it would see a reply from
an address it didn't send a request to.

If in fact you are asking how to convert IPv4 requests to IPv6 requests then I
seriously doubt that this can be done using Squid in intercept mode at all
(however I've never wanted to try it).



Antony.

--
"I find the whole business of religion profoundly interesting.  But it does
mystify me that otherwise intelligent people take it seriously."

 - Douglas Adams

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: internet squid with https and just for domain resolution not for caching or so

Alex Rousskov
In reply to this post by --Ahmad--
On 08/31/2018 09:44 AM, --Ahmad-- wrote:

> if I want to enable squid into intercept/transparent or transparent
> TCP_connect
>
> I don't want to decrypt the message
>
> all what I need say client requested google.com

Extracting intended domain name information is usually possible today by
examining TLS SNI values.

However, the few folks controlling most of the world's HTTPS traffic are
working on making domain name information unavailable to (or at least
essentially unusable by) proxies. Thus, I would not expect SNI-based
logic to work long-term.

Alex.