[squid-users] question about encrypted connection between https client and Squid

Amos Jeffries squid3 at treenet.co.nz
Mon Mar 2 12:39:55 UTC 2015

On 3/03/2015 1:15 a.m., Julianne Bielski wrote:
> Amos,
> Per:
> There *is* a Right Way.
> It is this:
> 1) using this in squid.conf:
>      https_port 3129 cert=/path/to/proxy.pem
> 2) client connects to 3129 using TCP, then performs TLS handshake.
> 3) client sends requests inside the encrypted connection as if they were
> HTTP to a proxy but using https:// URL scheme.
> If my client (it's not a browser) is an https client ultimately attempting
> to send its payload to a reverse proxy listening on 443, does this mean
> that I will have an encrypted payload inside of another encrypted payload?

No. You have one encryption layer, the TLS between the client and proxy.

The https:// scheme tells the proxy what to do with the requests,
including that they need to be kept secure on the outbound connection.

> Also, if I configure my client to send traffic to Squid at port 3129,
> then doesn't this mean I'm using Squid explicitly and not transparently?

That depends on what the other word in the phrase "transparent ..." is.

* Squid always performs "transparent HTTP" as much as it can with the
configuration you give it.

* It's up to you if the network performs "transparent autoconfiguration"
to deliver the proxy IP:port details to the client.

If by "transparently" you mean "transparent interception" then yes, it's
not that. The Right Way to use a proxy is explicitly.


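The three steps Amos lists (TLS to the https_port, then ordinary proxy-form requests with an https:// URL inside that session) as a small Python client. This is an added example, not code from the thread or from the Squid project; the proxy name, port, CA path and origin URL are hypothetical placeholders, and the only thing it assumes about the proxy is the `https_port 3129 cert=...` line quoted above.

```python
"""Added example (not from the squid-users thread or the Squid project).

Explicit TLS-to-proxy client for a Squid configured with:

    https_port 3129 cert=/path/to/proxy.pem

Assumptions: proxy.example.test:3129 is the proxy (hypothetical name),
/path/to/proxy-ca.pem is the CA that signed proxy.pem (hypothetical path).
"""
import socket
import ssl
from urllib.parse import urlsplit

PROXY_HOST = "proxy.example.test"      # hypothetical
PROXY_PORT = 3129
PROXY_CA = "/path/to/proxy-ca.pem"      # hypothetical


def proxy_request(method: str, url: str, extra_headers=None) -> bytes:
    """Build the request that goes INSIDE the TLS session to the proxy.

    It is a plain HTTP proxy request with an absolute-form target. The
    https:// scheme in that target is what tells Squid to use TLS on its
    own outbound connection to the origin; the client does not wrap a
    second TLS layer around the payload (one encryption layer, as the
    reply states).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported URL scheme: %r" % parts.scheme)
    if not parts.netloc:
        raise ValueError("absolute URL required, got %r" % url)
    lines = [f"{method} {url} HTTP/1.1", f"Host: {parts.netloc}"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def tls_context(ca_file: str) -> ssl.SSLContext:
    """Trust only the CA behind proxy.pem and verify the proxy's name.

    Without this a rogue host on the path could impersonate the proxy and
    read every request the client sends through it.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_via_tls_proxy(url: str, proxy_host: str = PROXY_HOST,
                        proxy_port: int = PROXY_PORT,
                        ca_file: str = PROXY_CA) -> bytes:
    """Steps 2 and 3 of the thread: TCP connect to the https_port, do the
    TLS handshake with the proxy, then send the proxy-form request over
    the encrypted socket and return the raw response bytes."""
    ctx = tls_context(ca_file)
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=proxy_host) as tls:
            tls.sendall(proxy_request("GET", url))
            chunks = []
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


def parse_status(response: bytes) -> int:
    """Return the HTTP status code from the first line of a raw response."""
    status_line = response.split(b"\r\n", 1)[0]
    return int(status_line.split(b" ")[1])


if __name__ == "__main__":
    # Offline demonstration: show the bytes that would travel inside the
    # TLS session to the proxy (no network connection is made here).
    print(proxy_request("GET", "https://origin.example.test/").decode())
```

Two caveats a practitioner should keep in mind: the proxy terminates the client's TLS, so Squid sees the request in the clear and then opens its own TLS connection to the origin (whether and how Squid verifies the origin's certificate is a separate squid.conf matter, not controlled by the client); and because the client is trusting the proxy with its plaintext, verifying the proxy's certificate against a known CA, as `tls_context` does, is what makes the first hop worth encrypting at all.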