[squid-users] HTTPS proxy setup questions
Amos Jeffries
squid3 at treenet.co.nz
Thu Dec 13 01:53:04 UTC 2018
On 13/12/18 12:50 pm, Subhish Pillai wrote:
> Thanks Alex, that was very helpful.
>
> Based on your explanation, I just want to use squid as a blind TCP
> tunnel carrying the HTTPS connection from client to app server.
>
> In that case, I don't need to use ssl_bump feature and the ssl_crtd
> program for certificate management, is that correct?
>
Going by the description you gave of the client configuration, it should be.
> Would this config file work to setup the TCP tunnel --
...
> ## Allow server side certificate errors such as untrusted certificates,
> otherwise the connection is closed for such errors
> sslproxy_cert_error allow all
>
> ## Accept certificates that fail verification (should only be needed if
> using 'sslproxy_cert_error allow all')
> sslproxy_flags DONT_VERIFY_PEER
>
These sslproxy_* options only apply when Squid is actively performing
TLS to upstream servers. They have no place in the "blind tunnel" situation.
(They also are deprecated in Squid-4, replaced by the
tls_outgoing_options directive
<http://www.squid-cache.org/Doc/config/tls_outgoing_options/>).
If the client software is sending CONNECT requests containing the HTTPS
traffic, then there is absolutely nothing your config needs to do than
let them send those requests to the proxy (as the default config does).
You do not even need Squid to be built with TLS/SSL support. That is the
meaning of "blind" in this setup.
Amos
More information about the squid-users
mailing list