[squid-users] Caching https data
Darwin O'Connor
doconnor at transsee.ca
Thu Jul 30 20:12:52 UTC 2020
On 2020-07-30 12:08 p.m., Alex Rousskov wrote:
> On 7/30/20 5:11 AM, Amos Jeffries wrote:
>> On 30/07/20 10:34 am, Darwin O'Connor wrote:
>>> I run a transit prediction web app <https://www.transsee.ca/>. It
>>> connects to a variety of web APIs to collect the real time data it
>>> needs. The app's activities are split among many processes. They
>>> currently use libcurl to connect to squid for caching (often for as
>>> little as 10-30 seconds) and benefits of connection sharing, but some of
>>> the APIs use https, so in that case the data passes through squid
>>> without the benefits of caching or connection sharing.
>>>
>>> I would like to configure squid to connect to these servers securely and
>>> pass it unencrypted to clients. Security isn't really an issue since
>>> this step is all within the one server. I'll have to configure libcurl
>>> to allow unencrypted data.
>
>> There are several approaches you can take;
>>
>> 1) configure libcurl and/or the apps to send https:// URLs to Squid in
>> regular HTTP requests. Leaving Squid to handle all the HTTPS portion.
> In 2017, curl did not support "GET https" requests:
> https://curl.haxx.se/mail/lib-2017-12/0019.html
>
> AFAICT from the curl v7.68 man page, curl still does not support "GET
> https" requests: The https scheme in the request URI implies CONNECT
> through the proxy (including through the HTTPS proxy discussed below).
>
> Perhaps there is an API trick to force libcurl into sending "GET https"
> requests to proxies. If not, you would have to use SslBump (item 3 on
> Amos' list).
Reading further into the thread you linked I found the suggestion to use
the request-target option of curl. By setting the url to the proxy
location and the request-target to the actual url it is working exactly
the way I want. API trick for the win.
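
An added example, not part of the original post and not curl or Squid code: it shows the request line a proxy receives when an https:// URL is sent as the request target of an ordinary GET over plain HTTP, as opposed to a CONNECT tunnel. It uses Python's http.client rather than libcurl; the loopback listener standing in for Squid, the URL api.example.test, and the loopback-only check are assumptions made for the illustration.

```python
import http.client
import ipaddress
import socket
import threading

def capture_one_request(server_sock, seen):
    """Constructed stand-in for the proxy: record the request head, reply 200."""
    conn, _ = server_sock.accept()
    with conn:
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        seen.append(data.decode("latin-1"))
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                     b"Connection: close\r\n\r\nok")

def get_via_proxy(proxy_ip, proxy_port, target_url):
    """Send `GET <https URL>` in absolute form to the proxy over plain HTTP."""
    # The client-to-proxy hop is unencrypted, so accept only a loopback
    # IP literal here (assumed policy for this example).
    if not ipaddress.ip_address(proxy_ip).is_loopback:
        raise ValueError("plaintext hop to a non-loopback proxy")
    conn = http.client.HTTPConnection(proxy_ip, proxy_port, timeout=5)
    try:
        # http.client writes the URL verbatim as the request target and
        # derives the Host header from the URL's authority part.
        conn.request("GET", target_url)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

def demo():
    seen = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    srv.listen(1)
    t = threading.Thread(target=capture_one_request, args=(srv, seen))
    t.start()
    status, body = get_via_proxy("127.0.0.1", srv.getsockname()[1],
                                 "https://api.example.test/vehicles?route=1")
    t.join()
    srv.close()
    return status, body, seen[0].split("\r\n")

if __name__ == "__main__":
    print(demo())
```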