[squid-users] SSL MITM with unencrypted parent proxy
Amos Jeffries
squid3 at treenet.co.nz
Tue May 5 05:33:53 UTC 2015
On 5/05/2015 4:08 p.m., Chris Bennett wrote:
> Hi there,
>
> I'm experimenting with WAN acceleration & block caching (wanproxy.org
> for those interested). This works great for HTTP:
>
> client <-> squid1 <-> wanproxy <-> VPN <-> wanproxy <-> squid2 <-> inet
>
> With SSL, I suspect the data between squid and squid2 (in a
> child/parent configuration) will be encrypted with a new tunnel (I
> haven't tested it yet). If that is the case, is there anyway to
> configure squid1 and squid2 to communicate in cleartext for the
> child/parent communication?
Squid will not permit HTTPS decrypted requests over un-encrypted
channels. If it does thats a bug we need to fix ASAP.
However, explicit proxies can receive TLS connections. The two proxies
will happily use those connections for any type of traffic, including
ones like https:// with special security requirements.
* Configure the squid2 with an https_port for receiving regular proxy
traffic (but over TLS/SSL).
* Configure the squid1 cache_peer parent line with "ssl" option (and any
supporting options that may be required or desired).
Note that for proper security these cache_peer links can be setup with
self-signed certificates, doing both server and client certificate
authentication. Which is the proper usage TLS was designed for and
cannot be MITM'd.
Amos
More information about the squid-users
mailing list