[squid-users] Trusted CA Certificate with ssl_bump

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 21 11:36:09 UTC 2016


On 21/11/2016 11:44 p.m., Patrick Chemla wrote:
> Hi Alex, and all others
> 
> No I have set it for multiple domains, and it works really fine. Again
> many thanks.
> 
> But I have a new demand:
> 
> Within one of the sites, where squid handles the https connexion then
> communicate with internal VM through http, there is one (at least, maybe
> we will find others), I don't kmow why, but the dev want them http only.
> 
> When I come to the menu to this page, the app returns a http:// link to
> squid. Squid encrypts and send a https:// to the browser.,

No. Squid does nothing to the response payload.

What you are seeing as a "problem" is a natural side effect of telling
the origin server it is being contacted over plain-text HTTP.


> but then when
> the user hit the link, somme of the components of the page should stay
> http://, and there the browser detects a https page with http components
> embeded, and block them.
> 
> Is there a way to tell squid to let http some link?
> 

Squid is not doing anything to page links.


> My domain is domain.tld:
> 
> the browser ask for https://domain.tld
> 
> squid decrypt, recognize this domain, according to acl goes to the VM1,
> in http:// mode, not crypted.
> 
> The site on VM1, return a page in http:// mode, with all links as http
> too,  and squid send it back crypted to the browser with all links
> embeded in https://

No. You have misunderstood what is going on:

- the browser contacts domain.tld on port 443 using TLS. sends a request
for domain.tld with some path.

- squid receives on port 443 and terminates/decrypts the TLS. finding
the HTTP messge inside requesting domain.tld with some path.

- squid contacts the VM1 and requests domain.tld with some path.

- the server produces some response+payload (HTTP payload is always
opaque data N bytes long).

- squid delivers the response message+payload back to browser over the
TLS connection.

That is *all* that happens.

> 
> I want a special link on the page http://domain.tld/special/ to stay http.
> 
> How I can instruct squid to leave it as it is, but all others?

Squid is already not touching it.

Squid by design does only the *transfer* (HTTP, HTTPS, etc) part of
transferring objects around. It intentionally does not to change what
those objects are.


The browser has been coded or configured to place unusual and painful
restrictions on what its user can do with it.

 - the browser could stop being so restrictive in the things it allows
its user to do. This kind of mix-match of URLs is common on the Internet.

 - the origin server could be "fixed" to use relative URLs instead of
absolute. Either relative-path or relative-scheme are easily done.

 - you might use ICAP/eCAP service(s) to transcode the response objects
internal strings. But that is very difficult to get right, so there will
always be some problems ocuring.


Amos



More information about the squid-users mailing list