4

Sorry for my terminology, I am not a proxy expert.

What I need to do is to have a very simple HTTP(S) proxy on one side without any client authentication (this is so that clients don't need to supply username/password to connect to it), while this same proxy needs to redirect everything to the next "real" proxy which does its magic.

Maybe someone can just point me in the right direction - perhaps just a few lines of Squid configuration (just to get an idea what to look for) would also be accepted as the answer.

bozo

2 Answers

5

It could be something like the following:

acl local_net src 192.168.1.0/24
http_access allow local_net

cache_peer real-magic-proxy.example.net parent 3128 3130 default login=user:password
cache_peer_access real-magic-proxy.example.net allow local_net

Your real proxy must support the ICP protocol. It will work with HTTP, but with HTTPS, I think, it wouldn't work due to the nature of SSL. But you could try the SSL bump feature in Squid 3.3.x.

You can use login=user:password if your parent requires proxy authentication.

ALex_hha
  • Thank you! What are my options for SSL through proxy? My limitation is that I have the "magic" (but authenticated) proxy which does HTTPS, but I cannot go through to it directly, I have to have my "middleman" proxy just for technical reasons. – bozo Jul 22 '13 at 08:29
  • To clarify: I will have just a non-authenticated HTTP(S) proxy defined in the browser, which is local. But this local proxy (on the same computer where the browser is) now needs to talk to a remote proxy, which does require authentication. – bozo Jul 22 '13 at 08:32
2

I think what you're looking for is the cache_peer option in Squid to define a parent cache. Then you can set up a transparent proxy, so that you don't have to configure or reconfigure the clients, which would look like this:

http_port 3128 transparent

Last but not least, you'll need to redirect all traffic to port 80 on your gateway to the proxy server on the gateway. With iptables it could look like this:

# user 'squid' is allowed to pass http requests
iptables -t nat -A OUTPUT -m tcp -p tcp --dport 80 -m owner --uid-owner squid -j RETURN
# All other traffic to port 80 is redirected to squid
iptables -t nat -A OUTPUT -m tcp -p tcp --dport 80 -j REDIRECT --to-ports 3128
Meiko Watu
  • Thanks. Actually I would set up proxy host:port directly in the browser. The problem I have is that I need to avoid browser authentication to the "magic" proxy (which requires authentication), but setting up a "transparent" proxy which requires no authentication (from the browser) but does provide authentication to the remote proxy peer. – bozo Jul 22 '13 at 08:38
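
The setup described in the comments (a browser pointed at a local proxy that asks for no credentials and itself authenticates to the remote parent), written out as a Squid configuration. This is an added example, not part of either answer. The peer host, port and login=user:password are the placeholders from the first answer, the ACL names are made up here, and it assumes the parent accepts Basic proxy authentication and CONNECT requests from a child proxy.

```conf
# squid.conf for the local "middleman" proxy (added example; peer host, port
# and credentials are placeholders, ACL names are hypothetical)

# Listen on loopback only. This proxy attaches the upstream credentials for
# anyone who can reach it, so it must not be reachable from the network.
http_port 127.0.0.1:3128

acl local_clients src 127.0.0.1/32
acl tls_ports port 443
acl tunnel_method method CONNECT

# Permit HTTPS tunnels (CONNECT) to port 443 only, allow local clients,
# and refuse everything else.
http_access deny tunnel_method !tls_ports
http_access allow local_clients
http_access deny all

# Upstream authenticated proxy.
# ICP port 0 together with no-query turns off ICP queries to this peer.
# login=user:password makes Squid send Proxy-Authorization to the parent,
# so the browser never sees an authentication prompt.
cache_peer real-magic-proxy.example.net parent 3128 0 no-query default login=user:password
cache_peer_access real-magic-proxy.example.net allow local_clients

# Never contact origin servers directly: every request, CONNECT included,
# is relayed through the parent.
never_direct allow all
```

The upstream password sits in squid.conf in clear text, so the file should be readable only by root and the Squid user.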