[Chilli] Squid transparent proxy on same server

Isidor Zeuner chilli at quidecco.de
Fri Apr 16 23:57:20 UTC 2010


Hi Jason,

> >
> > I have used the "squid on the same box as chilli" scenario with squid
> > listening on virtual IPs on the 10.0.0.0/8 block (because I had to
> > have squid distinguish between different configurations based on these
> > IPs), but I don't see why 127.0.0.1 shouldn't work, too.
> >
> 
> Interesting. My concern is that if I have squid listening on the ethernet
> adapter (or ip range) that the wireless clients are using, then wouldn't
> they be able to bypass chilli and its authentication altogether by
> assigning the squid server directly within their browser?
> 
> Scenario ... chilli, dhcp, squid is on the one box called
> wireless.mydomain.com. If the authenticated wireless client configures their
> browser to use a proxy on wireless.mydomain.com:3128, then would they be able
> to bypass chilli (and authentication) altogether? That's why my thinking is
> that I would only want squid listening on the localhost and not on the
> ethernet or ip range that wireless clients are using?
> 

Chilli would probably prevent this on its DHCP device, as it puts the
device in promiscuous mode and processes the raw packets before they
reach squid. Still, I would not want to take such a risk by having
to-be-protected services running on the client subnet. Instead, I
created a virtual subnet on a tap device which the clients never
access directly.

> 
> > With debug logging enabled, chilli will log diagnostics like "rewriting
> > packet for post-auth proxy..." when using the proxy setting, which
> > might help to test your configuration.
> >
> 
> I will give this a try and see what it reveals.
> 

All the best on this.

Best regards,

Isidor
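The bypass concern in this thread comes down to where squid binds. The following squid.conf fragment is an added illustration, not configuration posted by either participant or shipped by the Chilli project; it contrasts an unrestricted listener with one bound to addresses the wireless clients cannot reach. The interface name, the 10.x subnets and the port are placeholders chosen for the example, and whether squid wants `transparent` or `intercept` on the listening port depends on the squid version in use (assumption: the post-auth proxy rewriting chilli logs as "rewriting packet for post-auth proxy" is what delivers client traffic to this listener).

```conf
# --- weak: squid answers on every interface, including the one the
# wireless clients sit on, so a client that sets its browser proxy to
# wireless.mydomain.com:3128 talks to squid without passing chilli ---
http_port 3128

# --- hardened: bind only to loopback and/or an address on a tap device
# the clients never see. Only packets chilli has already rewritten for
# the post-auth proxy arrive here. (addresses are constructed placeholders;
# use "intercept" instead of "transparent" on squid 3.1 and later) ---
http_port 127.0.0.1:3128 transparent
http_port 10.0.0.1:3128 transparent      # virtual IP on the tap device

# Squid still has to accept the client source addresses that chilli
# forwards; chilli's own subnet is a constructed placeholder here.
acl chilli_clients src 10.1.0.0/16
http_access allow chilli_clients
http_access deny all
```

A quick sanity check after a restart is to confirm with `ss -ltn` or `netstat -ltn` that port 3128 is no longer reported on the client-facing interface address, and then to watch chilli's debug log for the "rewriting packet for post-auth proxy" lines mentioned above.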
