[KLUG Members] passing https through a "firewall"

Phillip Hofmeister plhofmei at antiochcomputerconsulting.com
Thu Jul 22 16:18:20 EDT 2004


On Thu, 22 Jul 2004 at 03:28:56PM -0400, Bruce Smith wrote:
> > You [obviously] can't proxy https traffic.
> 
> You can proxy it (I do it with squid), you just can't content filter it.


Just to clarify the difference between NAT/Routing and proxying.

NAT/Routing: Performing network address translation and forwarding
traffic for a certain host on your LAN.  This is done in the kernel
space w/o any content filtering.  Any protocol which utilizes an
outbound TCP connection can "proxy" using NAT and routing.

Proxying (real definition): Proxying involves intercepting traffic as it
passes through a router and redirecting it to a proxy server.  This is
called "blind" proxying because the clients have no say in whether or
not they utilize the proxy service.  Alternatively a client can be
configured to use the proxy service w/o having it forced at the router.
IE and other web clients have settings to do this.  In general, proxying
can involve a few things above routing/NAT:

1. Proxying occurs in the userspace (not the kernel space).
2. Proxying allows content filtering.
3. Proxying allows for detailed logging of user requests (Time, Date,
Site visited, possibly even data posted, etc.).
4. The proxy server may cache the request and the content that was
received by it so it doesn't need to fetch the same request again if
asked in the near future.
5. A proxy service basically acts like a "man in the middle" more than
just a mere router.

Hopefully this clarifies the difference between proxying and routing.

-- 
Phillip Hofmeister
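
The point made in the quoted reply and in items 2 and 3 above, as an added example that is not part of the original post: a client configured to use a proxy sends HTTPS through it as a CONNECT request (a detail the post does not spell out), so the proxy can log and filter on the destination host but not on the URL or content. The sample requests and the names `proxy_view` and `filter_decision` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample requests, as a client configured to use a proxy sends them.
HTTP_REQ = (b"POST http://example.com/search HTTP/1.1\r\n"
            b"Host: example.com\r\nContent-Length: 7\r\n\r\nq=games")
HTTPS_REQ = (b"CONNECT example.com:443 HTTP/1.1\r\n"
             b"Host: example.com:443\r\n\r\n")

def proxy_view(raw: bytes) -> dict:
    """Return the fields a proxy can log or filter from a client's request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.decode("iso-8859-1").split("\r\n")[0]
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts
    if method.upper() == "CONNECT":
        # HTTPS: the proxy learns host:port only, then relays TLS ciphertext.
        host, _, port = target.rpartition(":")
        return {"tunnel": True, "host": host.lower(), "port": int(port),
                "url": None, "body": None}
    # Plain HTTP: absolute URL and request body arrive in cleartext.
    url = urlsplit(target)
    return {"tunnel": False, "host": (url.hostname or "").lower(),
            "port": url.port or 80, "url": target,
            "body": body.decode("iso-8859-1")}

def filter_decision(view: dict, blocked_hosts: set, blocked_words: set) -> str:
    """Decide 'deny' or 'allow' using only what the proxy actually sees."""
    if view["host"] in blocked_hosts:
        return "deny"   # destination filtering works for both kinds of request
    if not view["tunnel"]:
        text = (view["url"] + " " + view["body"]).lower()
        if any(word in text for word in blocked_words):
            return "deny"   # content filtering needs cleartext
    return "allow"

if __name__ == "__main__":
    for name, raw in (("http", HTTP_REQ), ("https", HTTPS_REQ)):
        view = proxy_view(raw)
        print(name, view, filter_decision(view, set(), {"games"}))
```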

