Doing transparent proxy, but also using it as normal proxy.
All https addresses don’t work if you specify to use the proxy.
If you don’t specify, obviously it works, because SSL isn’t and can’t be forced through via firewall rules.
The requested URL could not be retrieved
While trying to retrieve the URL: http:443
The following error was encountered:
Unable to determine IP address from host name for
The dnsserver returned:
Name Error: The domain name does not exist.
This means that:
The cache was not able to resolve the hostname presented in the URL.
Check if the address is correct.
Your cache administrator is xxx@xxx.xx.xx.
Generated Mon, 21 Apr 2008 07:37:43 GMT by thavinci.za.net (squid/3.0.STABLE1)
This message in truth comes from my upstream cache, but it is sending this error back to MT because it seems MT somehow loses the address in the request…
Of course they don’t work. The key word is “secure” in the HTTPS part. If you are trying to force a connection through a proxy AND trying to keep it secure then you won’t succeed.
Remember, in general a proxy is something that acts on behalf of something else. So when using https (or port 443), you really don’t want something else in between you and your secure site (like your bank for instance).
I get what you’re trying to say.
But the fact is that it should go through.
Brief description:
Working as a normal proxy, squid can tunnel SSL requests when they are requested by an HTTP user-agent (Netscape Documentation) via HTTP proxies.
This involved an HTTP method (CONNECT) for establishing the tunnel.
But in an interception proxy, also known as a transparent proxy, the proxy becomes the server for the client and becomes the client for the web server. The connection between the two parties who start the connection is broken and the identity of each is hidden (SSL), so in this special case the transparent proxy doesn’t know how to handle the SSL requests because it is not operating as a normal proxy.
In fact, Microsoft ISA and squid (the open source product MT uses) allow you to do this.
It is still a secure connection even if you go through a proxy.
The only thing that’s not possible is a transparent HTTPS proxy.
Finally, as far as transparently proxying HTTPS (e.g. secure web pages using SSL, TLS, etc.), you can’t do it. Don’t even ask. For the explanation, do a search for ‘man-in-the-middle attack’. Note that you probably don’t really need to transparently proxy HTTPS anyway, since squid can not cache secure pages.
2.4 Proxy Authentication
I literally only enable web proxy and set up basic settings, no firewall rules and so on.
And then I set my browser manually to point to MT as proxy.
I do have a parent proxy and that’s what’s giving me the error.
It’s literally saying that the request coming from client, (In this case MT), is invalid as it has no url…
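The CONNECT tunnel request discussed above, as an added example that is not part of any post in this thread: a check of the request line a proxy receives, which must carry its target as "host:port". The sample request lines in the usage comments and the function names are constructed for illustration; the line with the empty host is an assumption about what a request that lost its hostname would look like, not a capture from the poster's network.

```javascript
// Added example: validate the first line of an HTTP CONNECT (tunnel) request.
// A browser configured with an explicit proxy opens HTTPS sites by sending
//   CONNECT www.example.com:443 HTTP/1.1
// and the proxy answers "HTTP/1.1 200 Connection established" before any TLS.

// Build the request a client would send for a given host and port.
function buildConnectRequest(host, port) {
  var target = host + ":" + port;
  return "CONNECT " + target + " HTTP/1.1\r\nHost: " + target + "\r\n\r\n";
}

// Parse and validate a CONNECT request line.
// Returns { ok: true, host, port } or { ok: false, reason }.
function parseConnectLine(line) {
  var m = /^(\S+) (\S+) (HTTP\/\d\.\d)$/.exec(line.replace(/\r?\n$/, ""));
  if (!m) return { ok: false, reason: "malformed request line" };
  if (m[1] !== "CONNECT") return { ok: false, reason: "not a CONNECT request" };

  var target = m[2];
  // CONNECT takes "host:port" only, never a full URL with scheme and path.
  if (target.indexOf("/") !== -1) return { ok: false, reason: "not authority-form" };

  var colon = target.lastIndexOf(":");   // last colon, so "[::1]:443" works too
  if (colon === -1) return { ok: false, reason: "missing port" };

  var host = target.slice(0, colon);
  var portText = target.slice(colon + 1);
  // A forwarded request whose hostname was dropped leaves nothing to resolve.
  if (host === "") return { ok: false, reason: "empty host" };
  if (!/^\d{1,5}$/.test(portText) || +portText < 1 || +portText > 65535) {
    return { ok: false, reason: "invalid port" };
  }
  return { ok: true, host: host, port: +portText };
}

// Constructed usage:
//   parseConnectLine("CONNECT www.example.com:443 HTTP/1.1")
//   parseConnectLine("CONNECT :443 HTTP/1.1")
```

Running the same check on the request lines logged by a parent proxy shows whether the hostname was already missing when the request arrived there.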
The basic option is, https can’t be cached by MT proxy so you will never go to https sites through proxy here. Or the https can’t be cached by proxy for its security reason.
All major caching software supports this correctly including squid. (What MT Uses)
In a corporate environment if you have your proxy set up, say via 2003 server policies, this bug will now ensure NO-ONE in the organization can visit https sites.
So it’s serious. It’s not a matter of caching the content rather than forwarding your request.
proxy test package is most probably their migration to squid 3.0 versions from 2.6.
…
Later after a crap load of research and going through the MT File system…
…
Did try to do more research and couldn’t come up with any conclusive proof either way…
I did mount the MT file system and do a “strings” to compare binaries and to your credit didn’t find enough similarities.
Also found this comment on forum to your credit…
IP Proxy works only as a proxy and does not cache, of course if you set it to use a parent-proxy, the parent will cache. This is mostly used when you need to enforce rules and filter a network.
Web proxy is squid with the limitations.
web proxy-test is a new caching system created by Mikrotik, according to them this is not based on squid and it’s supposed to be the fastest with many more features.
So if indeed they did do their own software, I’m really REALLY surprised.
Would also explain the bug.
Found a temporary work around for the https issue.
We now have to rely on Proxy auto configuration scripts to set the SSL proxy in users’ browsers to the upstream proxy server the MT itself uses (in turn bypassing MT), and ONLY using MT for simple http.
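A proxy auto-configuration (PAC) file implementing the workaround described above, as an added example that is not the poster's own script. Both proxy addresses are placeholders, and sending every other scheme DIRECT is an assumption.

```javascript
// Added example PAC file. Both proxy addresses are placeholders (assumptions),
// not values from the thread.
var MT_PROXY = "PROXY mt-router.example.lan:8080";           // MikroTik web proxy
var UPSTREAM_PROXY = "PROXY parent-cache.example.net:3128";  // parent proxy the MT uses

// Return the lower-cased URL scheme ("http", "https", ...) or "" if none.
// Uses indexOf/substring only, because PAC engines can be very old JavaScript.
function schemeOf(url) {
  var colon = url.indexOf(":");
  return colon > 0 ? url.substring(0, colon).toLowerCase() : "";
}

// Entry point the browser calls for every request it is about to make.
function FindProxyForURL(url, host) {
  var scheme = schemeOf(url);

  // Tunnelled traffic: the browser will send "CONNECT host:443" to whatever
  // proxy is returned here, so skip the MT and go to the upstream proxy.
  if (scheme === "https" || scheme === "wss") {
    return UPSTREAM_PROXY;
  }

  // Plain HTTP keeps going through the MT web proxy.
  if (scheme === "http") {
    return MT_PROXY;
  }

  // Anything else (assumption): no proxy at all.
  return "DIRECT";
}
```

Serve the file from a host the clients already trust, since whoever can change a PAC file decides where every browser sends its traffic.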
thavinci, report the problem to support department [support@mikrotik.com], if you expect to see the problem fixed.
Yesterday, I was able to reproduce the same problem you are referring to, we will try to fix it.
The v3 proxy is written from scratch by MikroTik; squid is not used there.
Thanks for updated license link…
want to read through :>
And I didn’t “Fake” it…
Even in latest 3.10 “all_packages” zip file the license file within there is still the “MIKROTIK ROUTEROS V2.0 SOFTWARE ROUTER SYSTEM” license.
That’s where I uploaded my copy from..
So maybe it’s time to update the license file in that package ;>