[squid-users] Encrypt CONNECT Header

Alex Rousskov rousskov at measurement-factory.com
Tue May 5 15:33:25 UTC 2020


On 5/5/20 10:18 AM, Ryan Le wrote:
> Is there plans to support explicit forward proxy over HTTPS to the proxy
> with ssl-bump?

There have been a few requests for TLS-inside-TLS support, but I am not
aware of any actual sponsors or features on the road map. It is a
complicated project, even though each of its two components already
works today.


> We would like to use https_port ssl-bump without using the
> intercept or tproxy option. Clients will use PAC with a HTTPS directive
> rather than a PROXY directive. The goal is to also encrypted the CONNECT
> header which exposes the domain in plain text while it traverses to the
> proxy.

Yes, it is a valid use case (that few people understand).


> Felipe: you don't need to use ssl-bump with explicit https proxy.

Popular browsers barely support HTTPS proxies and refuse to delegate TLS
handling to them. Thus, a connection to a secure origin server will be
encrypted by the browser and sent over an encrypted channel through the
HTTPS proxy -- TLS-inside-TLS. If you want to look inside that browser
connection, you have to remove both TLS layers. To remove the outer
layer, you need an https_port in a forward proxy configuration. To
remove the inner layer, you need SslBump. The combination is not yet
supported.


> Matus: people will still be able to see SNI SSL header.

... but not the origin server SNI. Only the proxy SNI is exposed in this
use case, and that exposure is usually not a problem.


Cheers,

Alex.


More information about the squid-users mailing list