[squid-users] Behind enemy lines (squid behind proxy)

Amos Jeffries squid3 at treenet.co.nz
Thu Nov 6 03:48:53 UTC 2014


On 6/11/2014 2:33 p.m., doc.holliday at usa.com wrote:
> I've searched through the internets and tried various things... to
> no avail. Hopefully someone here can point me in the right
> direction. I am sitting behind a proxy, which accepts http/https.
> Everything else is blocked. If I instruct my browser to use this
> proxy, everything works dandy. Both http and https. The problem is,
> I have a few apps that don't have an option to set proxy. So, my
> idea was to set up squid on the local machine that would
> transparently redirect http/https to the proxy. Eg something like
> this:
>
>   [ local_box: app (http or https) ---> squid ] -----> [ the_proxy ] -----> ... -----> [ internets ]
>
> I have no control of the proxy, nor do I know what goes on after it.

<snip>
> And so after endless searching and searching and trying various
> things I came here. Could you please help me figure out why it is not
> working?

HTTPS is supposed to offer end-to-end security. Squid attempts to
simulate that behaviour even when bumping. So by default bumped
traffic will be re-encrypted and sent directly to the origin server as
per DNS records.

What you have configured forces that not to happen then sends the
de-crypted traffic to the peer proxy as HTTP. The peer is rejecting
the un-encrypted protocol containing https:// URLs with a 503 for
whatever reason.

If the other peer is another Squid then chances are still fairly high
that it has been built without OpenSSL support and so literally cannot
open the TLS connection to deliver the https:// request to the origin.

Generating new CONNECT tunnels over peer proxies has not yet been
coded for Squid. Nobody seems willing to sponsor its development, despite
all these problems bumping is now causing.

Amos

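The two request forms contrasted in the reply above, as an added example that is not part of the original message or of Squid: a proxy-aware client asks the proxy for a CONNECT tunnel, while the setup described relays the decrypted request as plain HTTP with an https:// URL in the request line. The stub peer, its 200/503/400 behaviour, and every function name here are assumptions constructed for illustration; the real peer's reason for the 503 is unknown.

```python
import socket
import threading

def connect_request(host, port):
    # What a proxy-aware browser sends: ask the proxy for an opaque tunnel.
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def decrypted_request(host, path="/"):
    # What the reply describes: the bumped request relayed to the peer as
    # plain HTTP, with an https:// URL in the request line.
    return f"GET https://{host}{path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

def read_head(sock):
    # Read up to the blank line that ends an HTTP header block.
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def stub_peer(listener):
    # Constructed stand-in for the upstream proxy (assumed behaviour):
    # tunnels CONNECT, refuses https:// URLs that arrive unencrypted.
    while True:
        conn, _ = listener.accept()
        with conn:
            parts = read_head(conn).split(b"\r\n", 1)[0].split()
            if len(parts) == 3 and parts[0] == b"CONNECT":
                code = b"200 Connection established"
            elif len(parts) == 3 and parts[1].startswith(b"https://"):
                code = b"503 Service Unavailable"
            else:
                code = b"400 Bad Request"
            conn.sendall(b"HTTP/1.1 " + code + b"\r\n\r\n")

def start_stub_peer():
    # Bind to an ephemeral loopback port and serve in a background thread.
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=stub_peer, args=(listener,), daemon=True).start()
    return listener.getsockname()

def peer_status(peer_addr, request):
    # Send one request to the peer and return the status code of its reply.
    with socket.create_connection(peer_addr, timeout=5) as s:
        s.sendall(request)
        status_line = read_head(s).split(b"\r\n", 1)[0]
    return int(status_line.split()[1])
```

Calling `peer_status(start_stub_peer(), connect_request("example.com", 443))` exercises the tunnel form; swapping in `decrypted_request("example.com")` exercises the form the peer rejected.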

