[squid-users] question about encrypted connection between https client and Squid
yvoinov at gmail.com
Sun Mar 1 17:51:39 UTC 2015
01.03.15 23:45, Julianne Bielski wrote:
> Normally my infrastructure looks like:
> client -- HTTP CONNECT (not encrypted) ---> proxy client ------
> TCP tunnel ---> proxy --- TCP tunnel ---> reverse proxy client ---
> HTTPS application payload ---------------> reverse proxy
> Now I need it to look like:
> client -------- HTTPS application payload ----> proxy ---- HTTPS
> application payload ----> reverse proxy
No problem. This will work - and with only one encryption at every
stage. The proxy can pass both - CONNECT with tunneling to the reverse
proxy, or a bumped HTTPS connection.
In my installation this scheme works with most Web sites that use
reverse proxies. I use a transparent-interception, SSL-bump-enabled Squid.
> From: Yuri Voinov <yvoinov at gmail.com> To:
> squid-users at lists.squid-cache.org Date: 03/01/2015 12:26 PM
> Subject: Re: [squid-users] question about encrypted connection
> between https client and Squid Sent by: "squid-users"
> <squid-users-bounces at lists.squid-cache.org>
> 01.03.15 23:18, Julianne Bielski wrote:
>> I have an https client (not a browser) that normally connects to
>> a reverse proxy. When it needs to go through a forward proxy, it
>> requests a CONNECT tunnel. I now have a requirement to also be
>> able to encrypt the connection between my client and the forward
>> proxy, and I think this is possible using Squid and the
>> https_port directive (??)
>> My question is, will my https client now have to decrypt twice?
>> Once for the connection with the forward proxy and once for the
>> connection with the reverse proxy?
> Re-encryption will be performed only in the case of SSL-bumped connections.
> But now I still can't imagine your infrastructure and how it must
>> Also, must my https client still send a CONNECT message to
>> Squid, or does it just connect to Squid's https_port at the TCP
>> level, perform the SSL handshake, and then open a TCP connection
>> to the reverse proxy?
> I still want to take a look at your infrastructure scheme.
>> J. Bielski