[squid-users] question about encrypted connection between https client and Squid

Amos Jeffries squid3 at treenet.co.nz
Mon Mar 2 01:24:32 UTC 2015

Hold up there guys. yuri is answering a question that was not asked.

On 2/03/2015 6:24 a.m., Yuri Voinov wrote:
> 01.03.15 23:18, Julianne Bielski пишет:
>> I have an https client (not a browser) that normally connects to
>> a reverse proxy. When it needs to go through a forward proxy, it 
>> requests a CONNECT tunnel. I now have a requirement to also be
>> able to encrypt the connection between my client and the forward
>> proxy, and I think this is possible using Squid and the
>> https_port directive (??)
> Yep.


>> My question is, will my https client now have to decrypt twice?

That depends on how much you trust the proxy.

If you trust it fully, then you only have to encrypt the client->proxy
connection. The client sends traffic inside that encrypted connection
as if it were normal HTTP to a proxy.

To cause the outbound connection to be encrypted the client sends URL
https:// scheme. The proxy will separately encrypt the outbound
connection. When the proxy is built with SSL/TLS support this works
regardless of whether the client is connecting via HTTP or TLS to the

If you *DONT* trust the proxy at all then use CONNECT tunnel with
second layer of TLS. You also have to use DANE/TLSA to validate the
server certificate using inside the CONNECT tunnel at the client end
since regular trusted-CA validation does not protect agaist proxies
bumping the CONNECT anyway.

>> Once for the connection with the forward proxy and once for the 
>> connection with the reverse proxy?
> Re-encryption will performs only in case SSL-bumped connections.


A forward proxy receiving an https:// scheme URL will always ensure
outbound DIRECT connections are encrypted between the proxy and origin

A cache_peer connection can be un-encrypted, but they must be
explicitly configured by the admin. The peer will receive the https://
URL and try to encrypt its outbound under the same conditions.


More information about the squid-users mailing list