[squid-users] cannot access squid with https_port: 403

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 3 14:20:26 UTC 2019


On 4/09/19 1:21 am, fansari wrote:
> I have tested this and it is working.
> 
> This is what I said: when I use this http_port directive then it works.
> 
> So what is still unclear to me is: what is this https_port directive for? I
> understood from one of your answers I found to someone else that this will
> lead to something like double stacked TLS encryption. Is this correct?

It is for:
 a) receiving port 443 traffic from a NAT system,
or
 b) receiving TLS explicit proxy traffic.


> 
> http://squid-web-proxy-cache.1019090.n4.nabble.com/https-port-td4682718.html
> 
> The most important question is: using just the http_port directive - will
> the connection between client and squid still be https (TLS encrypted)?

The answer you are looking for is both Yes and No.

Traffic to that port must always start with an un-encrypted request. In
the case of HTTP it starts with an unencrypted CONNECT request. The TLS
is embedded within the resulting tunnel.

The traffic which was going to be encrypted stays encrypted. But there
is a non-encrypted portion ahead of it at the transport protocol level.


> This is important to understand for me because we need https because our
> nodejs application will not work with http connections.
> 

If it can rely on a Browser to do the CONNECT tunnel part, then it
should be fine.

Otherwise, if it does everything above TCP itself and can only start
with the TLS handshake, then you are going to need to use one of the
https_port setups.

Amos
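
Added example, not part of the original message and not Squid code: a small Node.js sketch that classifies what a client connection opens with (plaintext CONNECT versus a TLS handshake) and maps that to the port directive described in the reply above. The host name, sample bytes and function names are constructed for illustration.

```javascript
// Constructed sample inputs: the first bytes two different clients would send.
// (a) Explicit-proxy client talking to an http_port: plaintext CONNECT first,
//     the TLS handshake only follows inside the tunnel after the proxy replies.
const connectRequest = Buffer.from(
  'CONNECT app.example.test:443 HTTP/1.1\r\n' +
  'Host: app.example.test:443\r\n\r\n', 'latin1');

// (b) Client that starts straight with TLS: start of a ClientHello record.
//     0x16 = handshake record, 0x03 0x01 = record version,
//     0x00 0xc8 = record length, 0x01 = ClientHello message type.
const tlsClientHelloStart = Buffer.from([0x16, 0x03, 0x01, 0x00, 0xc8, 0x01]);

const HTTP_METHOD = /^(CONNECT|GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH|TRACE) /;

// Classify what a connection opens with, looking at its first bytes only.
function classifyFirstBytes(buf) {
  if (buf.length >= 3 && buf[0] === 0x16 && buf[1] === 0x03 && buf[2] <= 0x04) {
    return 'tls';
  }
  const m = HTTP_METHOD.exec(buf.toString('latin1', 0, 16));
  if (m) return m[1] === 'CONNECT' ? 'http-connect' : 'http';
  return 'unknown';
}

// Which port directive matches that opening, following the reply above:
// http_port expects an unencrypted request first, https_port expects TLS first.
function portFor(kind) {
  switch (kind) {
    case 'http-connect':
    case 'http': return 'http_port';
    case 'tls': return 'https_port';
    default: return null;
  }
}

// For a CONNECT, return the portion that travels unencrypted ahead of the
// tunnel: the request head, which names the target host and port.
function plaintextPortion(buf) {
  if (classifyFirstBytes(buf) !== 'http-connect') return null;
  const end = buf.indexOf('\r\n\r\n');
  return end < 0 ? null : buf.toString('latin1', 0, end);
}
```
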

