[squid-users] question about encrypted connection between https client and Squid

Amos Jeffries squid3 at treenet.co.nz
Mon Mar 2 01:38:43 UTC 2015

On 2/03/2015 9:55 a.m., Eliezer Croitoru wrote:
> Hey Yuri,
> On 01/03/2015 20:17, Yuri Voinov wrote:
>> Normally you never use CONNECT method over HTTP ports. This is
>> prohibited by squid basic security requirements.
> The above statement is true only if the proxy admin prohibit this.
> A CONNECT method can be allowed and can be used for any purpose what so
> ever the admin of the server sees right.
> There are basic default settings which allows the usage of a CONNECT
> method only to access specific "ssl safe ports".
> The "right" way (if these one) to access squid using an encrypted
> channel would be throw either a tunnel or another proxy which can
> forward the request into squid.

There *is* a Right Way.

It is this:

1) using this in squid.conf:
     https_port 3129 cert=/path/to/proxy.pem

2) client connects to 3129 using TCP, then performs TLS handshake.

3) client sends requests inside the encrypted connection as if they were
HTTP to a proxy but using https:// URL scheme.

Thats is *all*.

It is very simple. It works well with SSL-enabled Squid.

It avoids both the page-long list of NAT/TPROXY interception problems
and the other half-page list of SSL-bump hijacking related prblems.


More information about the squid-users mailing list