[squid-users] question about encrypted connection between https client and Squid
squid3 at treenet.co.nz
Mon Mar 2 12:39:55 UTC 2015
On 3/03/2015 1:15 a.m., Julianne Bielski wrote:
> There *is* a Right Way.
> It is this:
> 1) using this in squid.conf:
> https_port 3129 cert=/path/to/proxy.pem
> 2) client connects to 3129 using TCP, then performs TLS handshake.
> 3) client sends requests inside the encrypted connection as if they were
> HTTP to a proxy but using https:// URL scheme.
> If my client (it's not a browser) is an https client ultimately attempting
> to send its payload to a reverse proxy listening on 443, does this mean
> that I will have an encrypted payload inside of another encrypted payload?
No. You have one encryption layer, the TLS between the client and proxy.
The https:// scheme tells the proxy what to do with the requests,
including that they need to be kept secure on the outbound connection.
> Also, if I configure my client to send traffic to Squid at port 3129,
> then doesn't this mean I'm using Squid explicitly and not transparently?
That depends on what the other word in the phrase "transparent ..." is.
* Squid always performs "transparent HTTP" as much as it can with the
configuration you give it.
* It's up to you if the network performs "transparent autoconfiguration"
to deliver the proxy IP:port details to the client.
If by "transparently" you mean "transparent interception" then yes, it's
not that. The Right Way to use a proxy is explicitly.
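A client-side illustration of the three quoted steps (TLS handshake to the proxy's https_port, then ordinary HTTP requests with an https:// absolute URL sent inside that one TLS session). This is an added example, not code from the thread or from the Squid project; the proxy host name, CA file path and target URL are placeholders, and Squid must actually be listening as shown in the quoted https_port line for the network call to succeed.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Placeholder values for illustration only; the thread gives no host names or cert paths.
PROXY_HOST = "proxy.example.test"          # hypothetical Squid host
PROXY_PORT = 3129                          # the https_port number from the thread
PROXY_CA_FILE = "/path/to/proxy-ca.pem"    # placeholder: CA that issued the proxy's cert


def build_proxy_request(url: str, method: str = "GET") -> bytes:
    """Build the absolute-form HTTP/1.1 request a client sends to an explicit proxy.

    The request line carries the full https:// URL. The text itself is plain HTTP;
    the only encryption protecting it is the TLS session the client opened to the
    proxy, which is the single layer the reply above describes.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an absolute https:// URL")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    host = parts.netloc  # keeps an explicit port if the URL carries one
    return (
        f"{method} {parts.scheme}://{host}{path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def fetch_via_https_proxy(url: str, proxy_host: str = PROXY_HOST,
                          proxy_port: int = PROXY_PORT, ca_file: str = PROXY_CA_FILE,
                          timeout: float = 10.0) -> str:
    """Open ONE TLS session (client -> proxy), send the request inside it, return the status line.

    The proxy certificate is verified against ca_file and its hostname is checked,
    so a misdirected or spoofed proxy fails closed instead of receiving the request.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=proxy_host) as tls:
            # Step 3 of the quoted recipe: plain proxy-style HTTP inside the TLS session.
            tls.sendall(build_proxy_request(url))
            head = b""
            while b"\r\n" not in head:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("proxy closed the connection before sending a status line")
                head += chunk
            return head.split(b"\r\n", 1)[0].decode("iso-8859-1")


if __name__ == "__main__":
    # Show the bytes that travel inside the TLS session; no network needed for this part.
    print(build_proxy_request("https://origin.example.test/api/v1/items?limit=5").decode())
    # fetch_via_https_proxy("https://origin.example.test/") requires a reachable Squid
    # configured with the https_port line quoted in the thread.
```

The Host header and the absolute URL are what let Squid pick the origin and open its own TLS connection outbound; nothing in the client wraps a second TLS layer around the payload, so there is no "encrypted payload inside an encrypted payload".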