[squid-users] internet squid with https and just for domain resolution not for caching or so
--Ahmad--
2018-08-31 15:44:41 UTC
Dear Folks.

I ask here:

If I want to enable Squid in intercept/transparent mode, or transparent TCP_connect,

I don't want to decrypt the message.

All I need is: say a client requested google.com <http://google.com/>

I can, from the router, send the packet to the proxy server via PBR or so, and all I need is for Squid to intercept this message and do the name resolution, and based on it have the tcp_outgoing address as an IPv6 address.

Again, I don't want any certificate error or so.

Possible?
Antony Stone
2018-08-31 16:45:17 UTC
Post by --Ahmad--
Dear Folks.
I ask here:
If I want to enable Squid in intercept/transparent mode, or transparent TCP_connect,
I don't want to decrypt the message.
All I need is: say a client requested google.com <http://google.com/>
I assume you meant to say https://google.com ?
Post by --Ahmad--
I can, from the router, send the packet to the proxy server via PBR or so, and
all I need is for Squid to intercept this message and do the name resolution, and
based on it have the tcp_outgoing address as an IPv6 address.
Again, I don't want any certificate error or so.
Possible?
No.

If the client is configured not to use a proxy (and you say you want to use
intercept mode) then the client itself will already have done the DNS lookup
(otherwise it wouldn't know which IP address to send the request to).

If Squid then intercepts the request, it will already have a destination IP
address, and Squid has no reason to do a DNS lookup. If it didn't and perhaps
found a different IP address than the client did (which is entirely possible
with CDNs etc) and decided to send the request there instead, things would
break once the reply got back to the client because it would see a reply from
an address it didn't send a request to.

If in fact you are asking how to convert IPv4 requests to IPv6 requests then I
seriously doubt that this can be done using Squid in intercept mode at all
(however I've never wanted to try it).



Antony.
--
"I find the whole business of religion profoundly interesting. But it does
mystify me that otherwise intelligent people take it seriously."

- Douglas Adams

Please reply to the list;
please *don't* CC me.
Alex Rousskov
2018-08-31 16:57:44 UTC
Post by --Ahmad--
If I want to enable Squid in intercept/transparent mode, or transparent
TCP_connect,
I don't want to decrypt the message.
All I need is: say a client requested google.com
Extracting intended domain name information is usually possible today by
examining TLS SNI values.

However, the few folks controlling most of the world's HTTPS traffic are
working on making domain name information unavailable to (or at least
essentially unusable by) proxies. Thus, I would not expect SNI-based
logic to work long-term.

Alex.
