[squid-users] HTTPS through http proxy

Amos Jeffries squid3 at treenet.co.nz
Tue Dec 6 14:05:26 UTC 2016 

On 6/12/2016 7:30 p.m., Blaxton wrote:
> Thank you Amos,
> version of squid is : squid-3.3.8-26.el7_2.4.x86_64
> Is this statement true:squid is not aware or traffic that is made with connect command ?

"aware of the traffic" is too vague to answer yes or no. Squid is
"aware" that there are bytes going through (ie how many). But it does
not normally look at them to see what they are made of.


> since connect command make a tunnel within squid ?

That assumes that the CONNECT message arrived into Squid. Unless you can
see some things happening in some logs or tracers (ie. system ones) then
you dont know if that stage of the transaction even got reached.

The only thing that is sure is that no tunnel has ended.


> passing below argument to JVM:-Dhttps.proxyHost=webcache.example.com -Dhttps.proxyPort=8080cause application connect to https://webcache.exammple.comhowever I have not created any certificate.

Do not understand what you said.

clients usually dont need certificates to do HTTPS these days (thats
bad, but what we have to work with for now). So that should not matter.


Also, "connect to https://webcache.exammple.com" could mean

1) connecting to webcache.exammple.com with TCP, then
  negotiating TLS

OR it could mean

2) connecting to the proxy, and
  initiating a "CONNECT webcache.exammple.com:443" tunnel, then
  negotiating TLS through that

.. then there is the matter of whats going on inside the TLS:

 i) HTTP/1 (aka "HTTPS")
 ii) WebSockets
 iii) SPDY
 iv) HTTP/2 (aka, "h2", aka "HTTPS")
 v) something unknown.

I don't know what that java tool is or what its doing.


Alex already advised; Use a tool with well known capabilities and
behaviour to do initial testing.

That will save you the time of providing a complete documentation and
behavioural lesson about the java tool you are using. Just so we can say
what its doing right or wrong.


> May I assume squid is built with ssl enabled and both https and http proxybeing provided on one port ?

No, you cant assume.

There are two Transports (TCP or TLS) and two Transfer message syntaxes
(origin or proxy). Squid listening ports can only listen on one
Transport protocol + Transfer syntax pair at a time.

* Port 80 has TCP transport and origin syntax.
* Port 443 has TLS transport and origin syntax.
* Port 3128 has TCP transport + proxy syntax.
* There is no port commonly associated with TLS transport + proxy syntax.


The TCP receiver is called http_port.
The TLS receiver is called https_port. Notice the 's' difference.


CONNECT messages are part of the proxy syntax.

The origin syntax is split into "modes" (accel, intercept, tproxy)
depending on how traffic managed to reach the proxy - which determines
how it can be handled.

So whether the assumption is true or not depends on what you mean by
'https' and by 'proxy being provided'.


Does that clarify enough for you to answer the question yourself?


> either above statement is true, or maybe Java has a bug.
> Thanks for help, I will check on squidtool.
> Thanks
> 

see also Alex response, he listed some others you might be familiar
enough with to use for testing. Along with what you need to test.

[ sorry for the long mail, I'm a bit bored waiting for compiles to
finish :-) ]

Amos

More information about the squid-users mailing list