[squid-users] SQUID3 HTTPs forward proxy and sha256/512 authentication

Yuri Voinov yvoinov at gmail.com
Tue Feb 3 21:35:20 UTC 2015


04.02.2015 3:30, Anton Radkevich wrote:
> Guys,
>
> I just need an HTTPS proxy that can handle both http and https
> connections for authorised clients only. I tried to configure something
> like it's described here
> http://www.mail-archive.com/squid-users@squid-cache.org/msg93592.html
> Forward HTTPs proxy with digest_pw_auth for example.
>
> But I am getting the same error
> clientNegotiateSSL: Error negotiating SSL connection on FD 6: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request (1/-1)
> if I try to open a website (http or https) with proxy enabled on browser
> settings: protocol https, server proxy-squid.com, port 3129,
> test:test (user/password)

Hmmmmm. This means you are trying to put HTTP requests over the HTTPS port.
You need different Squid ports for HTTP and HTTPS. I'm afraid you cannot
pass both protocols over one port.

>
> If I understood correctly from our communication, it's not possible to
> configure squid like it is described above. Or ther
>
> browser (proxy settings: protocol - https, server - proxy-squid.com,
> port - 3129, test:test (user/password))
> <------> Squid Server (https_port 3129 with certificate)
> <--------HTTP or HTTPS connection-------> Destination
>
> Description of the connection flow:
> 1. a client sets the proxy settings in his browser settings: https,
>    server:port, user:password
> 2. the client's credentials are verified by the squid server, the browser
>    asks the proxy to establish a virtual tunnel between itself and the
>    remote server
> 3. when a client enters https://example.com or http://example.com then
>    the browser sends encrypted data through the squid proxy
>
> Anton
>
>
> 2015-02-03 23:45 GMT+03:00 Eliezer Croitoru <eliezer at ngtech.co.il>:
>
>     Hey Anton,
>
>     If you use https_port with an ssl certificate it will be for one of
>     two options:
>     - interception of ssl traffic
>     - reverse proxy with ssl
>
>     For both cases the connection between the server and the client in
>     the end will be encrypted, while none of them is in a forward proxy
>     mode and therefore will not provide and cannot provide what you
>     need\want.
>
>     Eliezer
>
>
>     On 03/02/2015 22:41, Anton Radkevich wrote:
>
>         Hey Eliezer,
>
>         Thank you for your explanation, just want to clarify.
>
>         Does it mean that if I configure squid to listen https_port on
>         port 3129 with ssl certificate, connection from a client to
>         squid server by port 3129 will be NOT encrypted?
>
>         Anton
>

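
An added example, not part of the original message or of Squid: a small Python triage helper for the cache.log error quoted in this thread. It decodes the OpenSSL error code and classifies the first bytes a client sends to a TLS listener. The function names and sample inputs are constructed for illustration, and the decoding assumes the OpenSSL 1.0.x error-code layout.

```python
import re

# Assumption: OpenSSL 1.0.x error layout, lib (8 bits) | func (12 bits) | reason (12 bits).
def unpack_openssl_error(code_hex):
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

# Matches the cache.log message shape quoted in the thread.
LOG_RE = re.compile(
    r"clientNegotiateSSL: Error negotiating SSL connection on FD (\d+): "
    r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*?)(?: \(|$)"
)

def parse_squid_tls_error(line):
    """Return the decoded fields of a clientNegotiateSSL error, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fd, code, _lib_name, func_name, reason_text = m.groups()
    lib, func, reason = unpack_openssl_error(code)
    return {"fd": int(fd), "lib": lib, "func": func, "reason": reason,
            "function": func_name, "text": reason_text.strip()}

# Method prefixes that OpenSSL 1.0.x reports as "http request" on a TLS port.
PLAIN_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")

def classify_first_bytes(data):
    """Classify what a client sent first to a listening port."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    # SSLv2-style hellos are not covered by this check.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if data.startswith(PLAIN_METHODS):
        return "plaintext-http-request"
    if data.startswith(b"CONNECT "):
        return "plaintext-proxy-connect"
    return "unknown"

# Constructed samples: timestamp prefix and byte strings are illustrative.
SAMPLE_LOG = ("2015/02/03 21:00:00| clientNegotiateSSL: Error negotiating SSL "
              "connection on FD 6: error:1407609C:SSL routines:"
              "SSL23_GET_CLIENT_HELLO:http request (1/-1)")
SAMPLE_PLAIN = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_TLS = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"

if __name__ == "__main__":
    print(parse_squid_tls_error(SAMPLE_LOG))
    print(classify_first_bytes(SAMPLE_PLAIN), classify_first_bytes(SAMPLE_TLS))
```

A "plaintext-http-request" result on the https_port listener corresponds to the "http request" reason in the log: the client spoke plain HTTP where a TLS ClientHello was expected.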
