[squid-users] Caching https data

Darwin O'Connor doconnor at transsee.ca
Thu Jul 30 20:12:52 UTC 2020

On 2020-07-30 12:08 p.m., Alex Rousskov wrote:

> On 7/30/20 5:11 AM, Amos Jeffries wrote:
>> On 30/07/20 10:34 am, Darwin O'Connor wrote:
>>> I run a transit prediction web app <https://www.transsee.ca/>. It
>>> connects to a variety of web APIs to collect the real time data it
>>> needs. The apps activities are split among many processes. They
>>> currently uses libcurl to connect to squid for caching (often for as
>>> little as 10-30 seconds) and benefits of connection sharing, but some of
>>> the APIs use https, so in that case the data passes through squid
>>> without the benefits of caching or connection sharing.
>>> I would like to configure squid to connect to these servers securely and
>>> pass it unencrypted to clients. Security isn't really an issue since
>>> this step is all within the one server. I'll have to configure libcurl
>>> to allow unencrypted data.
>> There are several approaches you can take;
>> 1) configure libcurl and/or the apps to send https:// URLs to Squid in
>> regular HTTP requests. Leaving Squid to handle all the HTTPS portion.
> In 2017, curl did not support "GET https" requests:
> https://curl.haxx.se/mail/lib-2017-12/0019.html
> AFAICT from the curl v7.68 man page, curl still does not support "GET
> https" requests: The https scheme in the request URI implies CONNECT
> through the proxy (including through the HTTPS proxy discussed below).
> Perhaps there is an API trick to force libcurl into sending "GET https"
> requests to proxies. If not, you would have to use SslBump (item 3 on
> Amos' list).

Reading further into the thread you linked I found the suggestion to use 
the request-target option of curl. By setting the url to the proxy 
location and the request-target to the actual url it is working exactly 
the way I want. API trick for the win.

More information about the squid-users mailing list