[squid-users] question about encrypted connection between https client and Squid

Julianne Bielski bielsk at us.ibm.com
Sun Mar 1 18:07:51 UTC 2015


That's good to know.

With a transparent interception SSL-bump enabled Squid, I suppose I do not have to explicitly configure anything in my https client, and that Squid must listen on the port my client is trying to connect to (443) and that my squid.conf file must look something like this:

http_port 443 ssl-bump cert=/usr/local/squid3/etc/site_priv+pub.pem

where cert points to the location of a certificate designed to look like the certificate of the actual destination server (my reverse proxy).

In this case there is no http and no HTTP CONNECT required?




From: Yuri Voinov <yvoinov at gmail.com>
To: Julianne Bielski/Raleigh/IBM at IBMUS
Cc: squid-users at lists.squid-cache.org, squid-users <squid-users-bounces at lists.squid-cache.org>
Date: 03/01/2015 12:52 PM
Subject: Re: [squid-users] question about encrypted connection between https client and Squid






01.03.15 23:45, Julianne Bielski writes:
> Normally my infrastructure looks like:
>
>
> client  -- HTTP CONNECT (not encrypted)  ---> proxy client ------
> TCP tunnel ---> proxy --- TCP tunnel ---> reverse proxy client ---
> HTTPS application payload ---------------> reverse proxy
>
> Now I need it to look like:
>
> client -------- HTTPS application payload ----> proxy  ---- HTTPS
> application payload  ----> reverse proxy

No problem. This will work, and with only one encryption on every stage. The proxy can pass both: a CONNECT with tunneling to the reverse proxy, or a bumped HTTPS connection.

In my installation this scheme works with most websites that use reverse proxies. I use transparent interception SSL-bump enabled Squid.


>
> From: Yuri Voinov <yvoinov at gmail.com>
> To: squid-users at lists.squid-cache.org
> Date: 03/01/2015 12:26 PM
> Subject: Re: [squid-users] question about encrypted connection between https client and Squid
> Sent by: "squid-users" <squid-users-bounces at lists.squid-cache.org>
>
>
>
>
> 01.03.15 23:18, Julianne Bielski writes:
>
>> I have an https client (not a browser) that normally connects to
>> a reverse proxy. When it needs to go through a forward proxy, it
>> requests a CONNECT tunnel. I now have a requirement to also be
>> able to encrypt the connection between my client and the forward
>> proxy, and I think this is possible using Squid and the
>> https_port directive (??)
> Yep.
>
>> My question is, will my https client now have to decrypt twice?
>> Once for the connection with the forward proxy and once for the
>> connection with the reverse proxy?
>
> Re-encryption is performed only in the case of SSL-bumped connections.
>
> But now I still can't imagine your infrastructure and how it must
> work.
>
>> Also, must my https client still send a CONNECT message to
>> Squid, or does it just connect to Squid's https_port at the TCP
>> level, perform the SSL handshake, and then open a TCP connection
>> to the reverse proxy?
>
> I still want to take a look at your infrastructure scheme.
>
>
>> Thanks,
>
>> J. Bielski
>
>
>
>> _______________________________________________ squid-users
>> mailing list squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
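Julianne's question above (what a transparent interception SSL-bump squid.conf looks like, and whether the client still needs CONNECT) is easier to answer with a concrete fragment. This is an added example, not a configuration from this thread or from the Squid project; it assumes Squid 3.5 directive names, the file paths shown, a hypothetical spliced host (.example.net), and that the CA certificate referenced by cert= is already trusted by the https client.

```conf
# Added example: squid.conf fragment for transparent TLS interception with
# SSL-Bump (Squid 3.5 syntax; the paths below are assumptions).
#
# Intercept mode: the client opens a TCP connection to the real server's
# port 443 and the kernel redirects it to Squid, so the client sends no
# CONNECT and needs no proxy setting at all. Example redirect rule, run on
# the Squid host (not part of squid.conf):
#   iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3129
# Bind the intercept port to a separate local port, not to 443 itself.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem key=/etc/squid/ssl_cert/myCA.pem

# Squid mints a per-site certificate that mimics the origin (here: the
# reverse proxy) and signs it with the CA above, so a client that trusts
# that CA accepts the bumped connection. The CA private key is therefore
# as sensitive as every credential that passes through this proxy.
# Initialise the certificate cache once before starting Squid:
#   /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Step 1: peek at the ClientHello to learn the SNI before deciding.
acl step1 at_step SslBump1
ssl_bump peek step1

# Hosts whose traffic is tunnelled as opaque TLS (no decryption): the same
# single-encryption path as a CONNECT tunnel, just without the CONNECT.
acl no_bump ssl::server_name .example.net
ssl_bump splice no_bump

# Everything else is decrypted at Squid and re-encrypted towards the
# origin, so there is one encryption per hop. Squid, not the client, now
# validates the origin certificate; leave that validation on (do not add
# "sslproxy_cert_error allow all"), otherwise a bad upstream certificate
# is replaced by a valid-looking one minted with the CA above.
ssl_bump bump all
```

With this in place the https client keeps connecting to port 443 of the reverse proxy as it always did; whether a given flow is spliced or bumped is decided entirely by the ssl_bump rules.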
