[squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

David Touzeau david at articatech.com
Wed May 20 07:51:32 UTC 2020


Thanks for the detailed answer.

How to be a sponsor (cost) of such a feature?
Do you think it can be planned for 5.x?
I think it should be a "future" "standard" in the same way as DNS over SSL.

On 19/05/2020 at 16:46, Alex Rousskov wrote:
>>> On 18/05/20 10:15 am, David Touzeau wrote:
>>>> Hi we want to use squid as * * * Secure Proxy * * * using https_port
>>>> We have tested major browsers and it seems working good.
>>>>
>>>> To make it work, we need to deploy the proxy certificate on all browsers
>>>> to make the secure connection running.
> I hope that deployment is not necessary -- an HTTPS proxy should be
> using a certificate issued for its domain name and signed by a
> well-known CA already trusted by browsers. An HTTPS proxy is not faking
> anything. If browsers do require CA certificate import in this
> environment, it is their limitation.
>
>
> On 5/19/20 9:24 AM, Matus UHLAR - fantomas wrote:
>> David, note that requiring browsers to connect to your proxy over encrypted
>> (https) connection, and then decrypting tunnels to real server will lower
>> the clients' security
> A proper SslBump implementation for HTTPS proxy will not be "decrypting
> tunnels to real server". The security of such an implementation will be
> the same as of SslBump supported today (plus the additional protections
> offered by securing the browser-proxy communication).
>
> Cheers,
>
> Alex.
