[squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

j m acctforjunk at yahoo.com
Thu May 25 12:00:46 UTC 2017


Thought I'd try getting this to work in Chrome too.  NOTHING I try makes it work in Chrome.  Isn't running this from the Windows command line supposed to work?
chrome --proxy-server=https://mydomain:myport
When I do this, it runs Chrome, but it's still not going through the proxy despite Firefox on the same computer working just fine!



From: Amos Jeffries <squid3 at treenet.co.nz>
To: j m <acctforjunk at yahoo.com>; "squid-users at lists.squid-cache.org" <squid-users at lists.squid-cache.org>
Sent: Wednesday, May 24, 2017 5:15 PM
Subject: Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

On 25/05/17 09:01, j m wrote:
> Some more info:  I tried this on Firefox 53 and got more feedback, but 
> still doesn't work.  Per the recommendation on bugzilla (bug 378637), 
> I put https://myaddress:myport into 
> firefox and it gives me a "Your connection is not secure".  So I add 
> the exception, and it then displays the squid message "ERROR The 
> requested URL could not be retrieved", as expected.
>
> So I add the proxy to Firefox (in Advanced, Network, Settings) as the 
> HTTP Proxy....doesn't work, "The proxy server is refusing 
> connections".  I then put https:// in front of the address, then it's 
> "Server not found".  I then add it as SSL Proxy.  It appears to be 
> working, but really it's simply not using the proxy at all because I 
> stopped squid and it made no difference.
>

The settings you enter via the Browser GUI are exclusively for setting 
up plain-text proxy connections.

"SSL Proxy" in the Browser GUI means the proxy to send any SSL/TLS 
traffic *through* (using CONNECT tunnel).


> The link you reference on getting Firefox to work with this refers to 
> Firefox 33, so by now I'd think I could directly add the proxy to the 
> normal place in Firefox options?

Unfortunately that would be far too sensible.  It only took ~20 years to 
get them to accept any kind of TLS/SSL security on the Browser<->proxy 
connection in the first place.

I really wish that was a joke, but I've long ago given up on expecting 
sanity from Browser people. For the topic in question, the argument 
behind not adding a simple tick-box to that somewhat hidden GUI popup to 
enable TLS/SSL to a proxy ... is unwaveringly that "changing the UI 
would cause a lot of end users some confusion and pain" or words to that 
effect - and yet I've lost count of how many graphical redesigns have 
happened to the things those end-users are directly seeing and using on 
a daily basis. But one semi-hidden tick box, oh no!

Amos
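
One way to get the TLS browser-to-proxy connection discussed above is a proxy auto-config (PAC) file, where the `HTTPS` keyword (unlike `PROXY`) tells the browser to speak TLS to the proxy itself. This is an added example, not part of the original thread; the proxy host and port are constructed placeholders standing in for "mydomain:myport".

```javascript
// Added example PAC file (not from the thread).
// PROXY_HOST and PROXY_PORT are constructed placeholder values.
var PROXY_HOST = "proxy.example.net";
var PROXY_PORT = 3129;

// True for destinations that should never be sent to the proxy:
// loopback addresses and single-label (intranet short) host names.
function isLocalTarget(host) {
  var h = host.toLowerCase();
  if (h === "localhost" || h === "::1" || h === "[::1]") return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h)) return true;
  // No dot and no colon: a plain host name, not a FQDN or IPv6 literal.
  return h.indexOf(".") === -1 && h.indexOf(":") === -1;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isLocalTarget(host)) return "DIRECT";
  // "HTTPS host:port" = TLS to the proxy, with normal proxy requests
  // (including CONNECT for https:// sites) carried inside that TLS session.
  // "PROXY host:port" would be the plain-text proxy connection instead.
  // No "; DIRECT" fallback is listed, so if the proxy is unreachable the
  // request fails instead of silently bypassing the proxy.
  return "HTTPS " + PROXY_HOST + ":" + PROXY_PORT;
}
```

Firefox takes a file like this through its "Automatic proxy configuration URL" setting, and Chrome through `--proxy-pac-url`.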



   