setting up apache2 (or squid) to serve as an SSL/TLS proxy for older systems?

Ken Cunningham ken.cunningham.webuse at gmail.com
Tue Jul 28 03:56:09 UTC 2020


I have finally found and followed a webmin walkthrough on setting up squid on Ubuntu that worked <https://doxfer.webmin.com/Webmin/Squid_Basic_Configuration> and thereby sorted out how to use squid as an http and https proxy server for all the web traffic between the internal network and the outside web, and that now works fine.

However, it seems to just create tunnels and routes existing packets, so the SSL/TLS level remains the same. It doesn’t actually step in the middle (which I guess is a good security feature).

There is a squid feature called "ssl bumping" which seems at least partway to stepping in the middle — I’m not sure if it will actually do the SSL translation I am looking for to a higher TLS level, or whether it just reads the packets and logs them for the employer to keep tabs on employees, but it’s a step in the right direction I think.

So still no success, but progress perhaps.

K

> On Jul 25, 2020, at 9:15 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> 
> On Sat, Jul 25, 2020 at 11:59 AM Ken Cunningham
> <ken.cunningham.webuse at gmail.com> wrote:
>> 
>> I have a home network set up like most everyone else:
>> 
>> 192.168.N.N --> Router --> Internet
>> 
>> 
>> When older systems behind the firewall try to access newer SSL/TLS servers, via macports or safari or other, they can generate errors as they don't support new protocols.
>> 
>> I am wondering if I can use Apache2 or Squid or SOCKS or something else to proxy these outgoing requests through a current machine, using their current SSL/TLS support, and send them back to the client in a format they understand.
>> 
>> When I have tried following web setup procedures for Squid, for example, it doesn't seem to work, but that could be my inexperience with this.
>> 
>> Is this possible, if I were to keep plugging at it?
> 
> You should be able to do it with Squid. I don't know about Apache.
> 
> I've found troubleshooting NAT at your ISP's router can be a pain. My
> most recent Verizon router does not seem to allow me to port forward
> to hosts behind their router. I had to set up an "Internet Host" (or
> "DMZ Host") and forward all inbound traffic to my internet host. Then,
> at my internet host, I could NAT to hosts in my network. (My internet
> host is a pfSense firewall).
> 
> In your case, set up the internet host and put Squid on it.
> 
> Turn on logging at the ISP router. Make sure you see the client
> hitting the router, and the traffic being passed to your internet
> host. Once you know all traffic is being forwarded to your internet
> host, then you can troubleshoot Squid.
> 
> Attached is what the "Internet Host" (or "DMZ Host") looks like under Verizon.
> 
> Jeff
> <Screenshot from 2020-07-25 12-13-51.png>
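As an added illustration (not from this thread or from the Squid project's own documentation), this is the shape of a Squid 4 squid.conf that does what the post calls "ssl bumping": Squid terminates the LAN client's TLS session using a leaf certificate minted from a local CA, then opens its own, newer TLS session to the origin server, so the old client's protocol version never leaves the LAN. The CA file, cache path and helper path are assumptions; the local CA certificate must be installed as trusted on every old client, which is exactly what makes this a deliberate man-in-the-middle rather than the pass-through tunnel described above.

```conf
# Listen for explicit proxy clients on the LAN and bump (re-terminate) TLS.
# Assumed paths: /etc/squid/myCA.pem holds the local CA cert+key (constructed
# for this example); /var/lib/squid/ssl_db is the generated-certificate cache.
http_port 3128 ssl-bump tls-cert=/etc/squid/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-site leaf certificates signed by myCA.pem on demand.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the ClientHello (step 1) to learn the requested server name,
# then bump (decrypt and re-encrypt) every connection.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Server-facing side: Squid negotiates with the origin using its own modern
# TLS stack, independent of whatever the LAN client supports.
tls_outgoing_options min-version=1.2

# Only LAN hosts may use the proxy; never expose a bumping proxy to the Internet.
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
```

The TLS versions Squid accepts on the LAN-facing side are governed separately by http_port options, so whatever the old clients need is only ever offered inside the home network. Because every bumped connection is visible in cleartext to the proxy host, its CA key and access logs need to be protected like any other credential store.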
