[squid-users] question about encrypted connection between https client and Squid
squid3 at treenet.co.nz
Mon Mar 2 01:38:43 UTC 2015
On 2/03/2015 9:55 a.m., Eliezer Croitoru wrote:
> Hey Yuri,
> On 01/03/2015 20:17, Yuri Voinov wrote:
>> Normally you never use CONNECT method over HTTP ports. This is
>> prohibited by squid basic security requirements.
> The above statement is true only if the proxy admin prohibit this.
> A CONNECT method can be allowed and can be used for any purpose what so
> ever the admin of the server sees right.
> There are basic default settings which allows the usage of a CONNECT
> method only to access specific "ssl safe ports".
> The "right" way (if these one) to access squid using an encrypted
> channel would be throw either a tunnel or another proxy which can
> forward the request into squid.
There *is* a Right Way.
It is this:
1) using this in squid.conf:
https_port 3129 cert=/path/to/proxy.pem
2) client connects to 3129 using TCP, then performs TLS handshake.
3) client sends requests inside the encrypted connection as if they were
HTTP to a proxy but using https:// URL scheme.
Thats is *all*.
It is very simple. It works well with SSL-enabled Squid.
It avoids both the page-long list of NAT/TPROXY interception problems
and the other half-page list of SSL-bump hijacking related prblems.
More information about the squid-users