Server Software

[Illustrate]How transparent proxy works with http and https

2018.04.19

What is a transparent proxy?

Transparent Proxy is a method of forcing Web access via a proxy server even without setting the proxy in the browser.

It can be implemented with Squid (free software), or BlueCoat(commercial appliance proxy) or i-filter(commercial software proxy) and so on.

As a mechanism, we only arrange a proxy server that set up transparent proxies on the communication path to the Internet.

Below is a comparison of communication between regular proxy and transparent proxy.

If you place the transparent proxy on the "communication route to the Internet", it means you put it on the default route, other protocols such as smtp, pop, imap etc will not be able to communicate with the Internet (since the transparent proxy can handle only the part of protocols, for example http).

So, the transparent proxy server is placed slightly beside the route, and it is common to bend http communication by PBR (policy based routing) function of router and L3 switch. Also, firewalld's port forwarding function converts communication coming from tcp: 80 to a proxy standby port such as 8080.

Please note that this transparent proxy is the same as the communication jack, so if you try to make https communication via a transparent proxy, SSL / TLS warning will be displayed on the browser.

Advantages and disadvantages of transparent proxy

Advantages

· It is not necessary to set the proxy setting in the browser

-> It is very convenient for laptop computers that you use even if you bring it out

Disadvantages

· Warning appears on https

-> In the PBR as a workaround tcp: 443 does not bend, let it communicate directly to the Internet.If you have URL filtering function of UTM such as Palo Alto, you can get log by looking at the CN (Common Name) of digital certificate at the start of https communication, so you can supplement it.

· PBR design required beforehand

-> Which NW device can set PBR? Can you place a proxy server near that? Is there any possibility of affecting special http communication?

コメント

Copied title and URL