squid http CONNECT

squid http CONNECT

Kevin Shell
Hello squid users.

I have configured squid's option SSL_ports to include
smtps(465) imaps(993) pop3s(995) nntps(563)

What requirements are needed for smtps imaps pop3s nntps client programs
to tunnel thru squid proxy?

--
kevin

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid http CONNECT

Alex Rousskov
On 2/16/21 2:29 AM, Kevin Shell wrote:

> What requirements are needed for smtps imaps pop3s nntps client programs
> to tunnel thru squid proxy?

If your Squid is a forward proxy, then those clients have to support
HTTP (and/or HTTPS) forward proxies. In other words, they should
establish a standard HTTP CONNECT tunnel through Squid.

If you are intercepting their traffic, then there are no special
requirements for those clients. You will have to configure Squid to
splice the intercepted connection before getting to unencrypted bytes so
your Squid will be limited to very basic checks at or below the TLS layer.


HTH,

Alex.

Re: squid http CONNECT

Matus UHLAR - fantomas
>On 2/16/21 2:29 AM, Kevin Shell wrote:
>> What requirements are needed for smtps imaps pop3s nntps client programs
>> to tunnel thru squid proxy?

On 16.02.21 11:28, Alex Rousskov wrote:
>If your Squid is a forward proxy, then those clients have to support
>HTTP (and/or HTTPS) forward proxies. In other words, they should
>establish a standard HTTP CONNECT tunnel through Squid.
>
>If you are intercepting their traffic, then there are no special
>requirements for those clients. You will have to configure Squid to
>splice the intercepted connection before getting to unencrypted bytes so
>your Squid will be limited to very basic checks at or below the TLS layer.

Also, squid must allow CONNECT to smtps, imaps, pop3s and nntps ports,
which usually means they have to be added to the ssl_ports ACL.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
He who laughs last thinks slowest.
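
The forward-proxy case discussed in the replies above, seen from the client side, as an added example that is not part of the thread and not Squid's own code: the client asks the proxy for a CONNECT tunnel to the mail server's TLS port, treats any non-200 reply as a refusal (what a client sees when the proxy does not permit CONNECT to that port), and only then starts TLS with the real server through the tunnel. The function names, the proxy address passed in and the `example.org` hosts are assumptions.

```python
import socket
import ssl

def build_connect(host: str, port: int) -> bytes:
    """Request a client sends to a forward proxy to open a tunnel."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def parse_connect_reply(head: bytes) -> int:
    """Return the HTTP status code from the proxy's reply header block."""
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP reply: {status_line!r}")
    return int(parts[1])

def open_tls_tunnel(proxy, host, port, timeout=10.0):
    """CONNECT through proxy (an (address, port) tuple), then run TLS end to end.

    The proxy only relays bytes after answering 200; the certificate that is
    verified here belongs to the mail server, not to the proxy.
    """
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_connect(host, port))
        head = b""
        # Implicit-TLS servers (465/993/995/563) wait for the ClientHello,
        # so nothing but the proxy's header block is expected here.
        while b"\r\n\r\n" not in head:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection during CONNECT")
            head += chunk
            if len(head) > 65536:
                raise ConnectionError("oversized proxy reply")
        status = parse_connect_reply(head)
        if status != 200:
            raise PermissionError(f"proxy refused CONNECT to {host}:{port}: {status}")
        ctx = ssl.create_default_context()  # verifies the server certificate
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
```

A mail client without this kind of proxy support cannot use Squid as a forward proxy, whatever ports the proxy allows.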