
I'm thinking of setting up a transparent caching proxy that also handles SSL traffic, but as you may [obviously] know there's the certificate issue that makes it difficult... some devices requiring a wired config change, like the Apple TV, or some devices not working altogether, like cheap streamers or those that you set up in creative ways with an app hopping back and forth among SSIDs, like Amazon's Echo, Logitech's Harmony, speakers, Roku, etc. Anything not compatible with WPA2 Enterprise, basically.

So, I figured, what if the client seen by the server is not the actual client but is in reality the firewall doing NAT just in front of it, and that in turn is connected to a proxy, either transparent or actually set up as a regular proxy port 3128-type uplink, with the appropriate certs so there's trust and no errors? The real client wouldn't even know what's going on but would just see another hop to its destination.

Is this possible at all or just my wishful thinking? With every connection now being served over HTTPS, an HTTP cache is not that useful. I have tried to set up WPAD--if I'm not misspelling it--but my setup just won't allow it; besides, a transparent proxy sandwiched between firewalls, if it were possible, would require almost no setup, no route or NAT changes. Definitely no downtime.

In appliances like pfSense there's this external cache in the Squid package that goes to another server and back; virtualizing the servers and proxy in the same host would make the data processing super fast since it wouldn't touch a NIC. I'm really excited about my idea but before I do I'd really like to get informed since I'd be taking down a hypervisor to host the new servers.

Any advice is welcome and thanks!

Vita
  • 1) It's not clear where the second firewall comes in. 2) It's certainly possible to set up a transparent proxy as part of a firewall. 3) If you are trying to proxy TLS (the modern version of SSL), you are going to have to decrypt it somewhere; this will mean that clients will need to accept the root cert generated by your cache. If you are trying to get away without doing that, you are barking up the wrong tree. 4) Not clear what WPA2 has to do with the rest of your question. – Dan Pritts Oct 26 '18 at 20:48
  • Oh, hey thanks for answering. The second firewall would be at the edge, in front of the cache, as for the certs, I have a PKI. However, I'd like to see if by setting the transparent proxy TO the innermost firewall, I could forgo setting anything up at all on the clients as they wouldn't be connected straight to the proxy, their gateway will be. In other words, are clients aware that two or more devices down the line there's a transparent proxy even if there's a proper trust with its (the proxy's) connected peers. My goal is to cache, not decrypt or anything like that. – Vita Oct 26 '18 at 21:18
  • What you describe would work fine for http. You can't cache https without decrypting it; otherwise you won't know what the URL is, just the IP addr/hostname of the endpoint. If the clients already trust your PKI as a root, then I think you can do it without touching them. I don't know the details, but go take a look at the squid documentation: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit – Dan Pritts Nov 01 '18 at 16:20

0 Answers