[squid-users] question about encrypted connection between https client and Squid

Yuri Voinov yvoinov at gmail.com
Sun Mar 1 18:17:22 UTC 2015


02.03.15 0:07, Julianne Bielski writes:
> That's good to know.
> 
> With a transparent interception SSL-bump enabled Squid, I suppose I
> do not have to explicitly configure anything in my https client,
> and that Squid must listen on the port my client is trying to 
> connect to (443) and that my squid.conf file must look something
> like this:
> 
> http_port 443 ssl-bump
> cert=/usr/local/squid3/etc/site_priv+pub.pem
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key

The 443->3129 port mapping is done with NAT.

> 
> where cert points to the location of a certificate designed to look
> like the certificate of the actual destination server (my reverse
> proxy).
With the config snippet above: no, the cert must be self-signed and different
from the reverse proxy's.

> 
> In this case there is no http and no HTTP CONNECT required?
Normally you never use the CONNECT method over HTTP ports. This is
prohibited by Squid's basic security requirements.

This must be in squid.conf:

# Deny requests to unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

for security reasons.

In general, even a non-HTTPS-enabled Squid can forward CONNECT over 443
to the server (in forwarding mode).

To do that in transparent mode it must be configured with the https_port
intercept keywords.

To learn more about explicit bump, look at this:

http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

> 
> From: Yuri Voinov <yvoinov at gmail.com>
> To: Julianne Bielski/Raleigh/IBM at IBMUS
> Cc: squid-users at lists.squid-cache.org, squid-users <squid-users-bounces at lists.squid-cache.org>
> Date: 03/01/2015 12:52 PM
> Subject: Re: [squid-users] question about encrypted connection between https client and Squid
> 
> 01.03.15 23:45, Julianne Bielski writes:
>> Normally my infrastructure looks like:
> 
> 
>> client  -- HTTP CONNECT (not encrypted)  ---> proxy client
>> ------ TCP tunnel ---> proxy --- TCP tunnel ---> reverse proxy
>> client --- HTTPS application payload ---------------> reverse
>> proxy
> 
>> Now I need it to look like:
> 
>> client -------- HTTPS application payload ----> proxy  ----
>> HTTPS application payload  ----> reverse proxy
> 
> No problem. This will work, and with only one encryption at every
> stage. The proxy can pass both: CONNECT with tunneling to the reverse
> proxy, or a bumped HTTPS connection.
> 
> In my installation this scheme works with most websites that use
> reverse proxies. I use transparent interception SSL-bump enabled
> Squid.
> 
>> From: Yuri Voinov <yvoinov at gmail.com>
>> To: squid-users at lists.squid-cache.org
>> Date: 03/01/2015 12:26 PM
>> Subject: Re: [squid-users] question about encrypted connection between https client and Squid
>> Sent by: "squid-users" <squid-users-bounces at lists.squid-cache.org>
> 
>> 01.03.15 23:18, Julianne Bielski writes:
> 
>>> I have an https client (not a browser) that normally connects
>>> to a reverse proxy. When it needs to go through a forward
>>> proxy, it requests a CONNECT tunnel. I now have a requirement
>>> to also be able to encrypt the connection between my client and
>>> the forward proxy, and I think this is possible using Squid and
>>> the https_port directive (??)
>> Yep.
> 
>>> My question is, will my https client now have to decrypt
>>> twice? Once for the connection with the forward proxy and once
>>> for the connection with the reverse proxy?
> 
>> Re-encryption is performed only in the case of SSL-bumped connections.
> 
>> But now I still can't imagine your infrastructure and how it
>> must work.
> 
>>> Also, must my https client still send a CONNECT message to 
>>> Squid, or does it just connect to Squid's https_port at the
>>> TCP level, perform the SSL handshake, and then open a TCP
>>> connection to the reverse proxy?
> 
>> I still want to take a look at your infrastructure scheme.
> 
> 
>>> Thanks,
> 
>>> J. Bielski
> 
> 
> 
>>> _______________________________________________ squid-users 
>>> mailing list squid-users at lists.squid-cache.org 
>>> http://lists.squid-cache.org/listinfo/squid-users
> 
> 
> 
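As an added example (my own code, not from the Squid project or from this thread), here is a small Python checker for the two squid.conf points made in the reply above. It parses a constructed config fragment and reports when the "deny !Safe_ports" and "deny CONNECT !SSL_ports" rules are missing or placed after an "http_access allow" line (Squid applies the first matching http_access rule, so a deny that comes after the allow never fires for those clients), and when an intercepting https_port lacks ssl-bump or a cert= option.

```python
# Added example, not Squid project code. Offline static check of squid.conf text.

def parse_conf(text):
    """Return (directive, args) pairs, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            rules.append((name, args))
    return rules

def check_access_order(rules):
    """Findings about http_access ordering; an empty list means OK."""
    access = [a for n, a in rules if n == "http_access"]
    first_allow = next((i for i, a in enumerate(access) if a[:1] == ["allow"]), len(access))
    findings = []
    for want in (["deny", "!Safe_ports"], ["deny", "CONNECT", "!SSL_ports"]):
        pos = next((i for i, a in enumerate(access) if a == want), None)
        if pos is None:
            findings.append("missing: http_access " + " ".join(want))
        elif pos > first_allow:
            findings.append("after an allow rule: http_access " + " ".join(want))
    return findings

def check_intercept_ports(rules):
    """Every intercepting https_port needs ssl-bump and a cert= option."""
    findings = []
    for name, args in rules:
        if name == "https_port" and "intercept" in args:
            if "ssl-bump" not in args:
                findings.append(f"https_port {args[0]}: intercept without ssl-bump")
            if not any(a.startswith("cert=") for a in args):
                findings.append(f"https_port {args[0]}: no cert= option")
    return findings

def audit(text):
    """Run both checks over a squid.conf string and return all findings."""
    rules = parse_conf(text)
    return check_access_order(rules) + check_intercept_ports(rules)

# Constructed fragment: ports as in the reply, but the CONNECT deny is misplaced
# after "allow localnet", so it never applies to local clients.
SAMPLE_CONF = """\
acl localnet src 10.0.0.0/8
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key
http_access deny !Safe_ports
http_access allow localnet
http_access deny CONNECT !SSL_ports
http_access deny all
"""
```

Running audit(SAMPLE_CONF) reports only the misplaced CONNECT deny; moving that line above "http_access allow localnet" makes the audit come back clean.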

