[squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method
Alex Rousskov
rousskov at measurement-factory.com
Tue May 19 14:46:39 UTC 2020
>> On 18/05/20 10:15 am, David Touzeau wrote:
>>> Hi we want to use squid as * * * Secure Proxy * * * using https_port
>>> We have tested major browsers and it seems working good.
>>>
>>> To make it work, we need to deploy the proxy certificate on all browsers
>>> to make the secure connection running.
I hope that deployment is not necessary -- an HTTPS proxy should be
using a certificate issued for its domain name and signed by a
well-known CA already trusted by browsers. An HTTPS proxy is not faking
anything. If browsers do require CA certificate import in this
environment, it is their limitation.
On 5/19/20 9:24 AM, Matus UHLAR - fantomas wrote:
> David, note that requiring browsers to connect to your proxy over encrypted
> (https) connection, and then decrypting tunnels to real server will lower
> the clients' security
A proper SslBump implementation for HTTPS proxy will not be "decrypting
tunnels to real server". The security of such an implementation will be
the same as of SslBump supported today (plus the additional protections
offered by securing the browser-proxy communication).
Cheers,
Alex.
More information about the squid-users
mailing list