[squid-users] convert http requests to https on proxy setup.

Amos Jeffries squid3 at treenet.co.nz
Wed Feb 3 04:21:39 UTC 2016 

On 3/02/2016 1:20 p.m., Antony Stone wrote:
> On Wednesday 03 February 2016 at 01:17:16, user wrote:
> 
>> My understanding of the url rewrite program is that the proxy will redirect
>> the URL and the client will make a new request
> 
> OK rewrite-url="..."
>                 Rewrite the URL to the one supplied in 'rewrite-url='.
>                 The new URL is fetched directly by Squid and returned to
>                 the client as the response to its request.
> 


Abut be aware that the action violates both HTTP and HTTPS
specifications. In particular it violates the protocol behaviour
guarantees of both, and security requirements of HTTPS. Leaving the
server and client with out-of-sync information about their communication
state.



>> On Tuesday, February 2, 2016 4:10 PM, Antony Stone wrote:
>>
>> On Wednesday 03 February 2016 at 01:04:37, user wrote:
>>> When client sends a http request (say. http://www.abc123.com, I would
>>> like my squid proxy to make this request into https
>>> (https://www.abc123.com)
>>>

Please consider the consequences carefully. By doing that you are taking
onto your own shoulders full responsibility for the security and privacy
breaches which *will* happen as a result.

If you think that http:// and https:// URLs are the same, then you are
dangerously mistaken. Even when they produce the same objects the server
internal state is associating the https:// URL with a lot of sensitive
data. Some of which may be transmitted either in the content payload
itself, or in the metadata under the guarantee that https:// is
_secured_ end-to-end (which is subtly different from 'encrypted').

By providing this gateway you are opening the entire 'secured' server
context to trivial surveillance, hijacking, and corruption/modification
by any HTTP (port 80) MITM. Which completely defeats the entire purpose
of https:// (port 443) service existing for that domain.


Rather than raising the domain HTTP access to being as secure as HTTPS,
it does the opposite - lowers the entire traffic to being *worse*
security than HTTP plain-text.

Amos

More information about the squid-users mailing list