[squid-users] Sending CONNECT method requests over HTTPS

Alex Rousskov rousskov at measurement-factory.com
Wed May 20 13:42:12 UTC 2020


On 5/20/20 6:07 AM, Matus UHLAR - fantomas wrote:
> On 20.05.20 05:07, Ronan Lucio wrote:
>> I read a similar thread a couple of weeks ago, but my scenario has
>> some differences.
>> Anyway, my need is sending CONNECT method requests over HTTPS as well.

> already possible.

I assume that, here and below, "over HTTPS" means "to an HTTPS proxy".

Yes, any HTTP request, including CONNECT can be sent to an HTTPS proxy.


>> 1) To send CONNECT method requests over HTTPS I'm supposed to use
>> https_port.

> no. It's very common to use HTTP proxy over HTTP, and the CONNECT request
> creates communication between client and server

The question is difficult to interpret correctly. Here are arguably
better questions (with answers):

Q: If I want to use an HTTPS proxy, what Squid port should I configure?
A: You must use an https_port directive.

Q: Does https_port support CONNECT requests?
A: Yes. Squid https_port supports all HTTP requests supported by
   http_port, including CONNECT.

Q: How does Squid, in an HTTPS proxy mode, handle a CONNECT request?
A: Squid handles it as it would handle a CONNECT request
   received over an http_port (by default) -- by establishing a TCP
   tunnel to the origin server and shoveling bytes back and forth.
   The client-Squid portion of that tunnel would be protected by
   TLS in this case, of course -- that is always true for an HTTPS
   proxy. SslBump features are not supported in HTTPS mode (yet).


>> May I use it in the same way as http_port (without intercept, proxy,
>> or accelerate)?

> yes.

Q: Can https_port be used without an explicit mode (i.e., without
   an intercept, tproxy, accel, or ssl-bump parameter)?
A: Yes. The https_port directive supports the default (i.e. forward
   proxy) mode.

Q: What happens when https_port is used without an explicit mode?
A: Traffic on such https_port is treated as if Squid was an HTTPS proxy.


>> 2) If I need to apply ACL rules to restrict some destinations, I'm
>> supposed to use bump_ssl.
> 
> without bumping, you can only see the destination host:port and possible
> hostname sent in the SNI request and contents of the SSL certificate.

Again, it is difficult to interpret this question correctly. Here are a
few versions with correct answers:

Q: Can I use ssl_bump with an HTTPS proxy?
A: No, that is not supported yet.

Q: What ACLs can I use in an HTTPS proxy mode?
A: All ACLs that do not require inspecting packets inside
   TLS connections from client to origin. Please note that
   a single client-origin TLS connection involves two
   TCP connections. That inspection is what SslBump does (among
   other things). This answer is (too) complex. Unfortunately,
   there is currently no documentation that, for every ACL,
   details precisely what information sources are required for
   that ACL to work. Some ACLs use multiple information sources,
   depending on Squid configuration and/or transaction state,
   complicating the matters further.

Q: Is TLS origin SNI available to Squid ACLs in HTTPS proxy mode?
A: No, not today. SslBump features are not yet supported in that mode.

Q: Are URL paths of HTTP requests inside CONNECT tunnels
   available to Squid ACLs in HTTPS proxy mode?
A: No, not today. SslBump features are not yet supported in that mode.


HTH,

Alex.
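A squid.conf fragment that puts the answers in this thread together: an https_port in its default forward-proxy mode, accepting CONNECT and restricting tunnel destinations using only the information available without SslBump. This is an added example, not configuration from the thread or from the Squid project; it assumes the Squid 4+ option names tls-cert= and tls-key=, and the port number, file paths, network and domain names are placeholders.

```squid
# Added example (not from the thread): a minimal squid.conf fragment for
# an HTTPS (TLS-to-proxy) forward proxy that accepts CONNECT and restricts
# destinations using only information visible without SslBump.
# Port, paths, network and domain names below are placeholders.

# https_port in its default (forward proxy) mode: no intercept, tproxy,
# accel or ssl-bump parameter. Clients open TLS to this port and then send
# ordinary proxy requests, including CONNECT, inside that TLS connection.
https_port 3129 tls-cert=/etc/squid/proxy-cert.pem tls-key=/etc/squid/proxy-key.pem

# For a CONNECT request in this mode, Squid only has what the request line
# carries: the destination host and port. Nothing inside the client-origin
# TLS tunnel (SNI, URL paths, certificates) is available to these ACLs.
acl CONNECT method CONNECT
acl SSL_ports port 443
acl allowed_tunnel_dst dstdomain .example.com .example.net
acl localnet src 192.0.2.0/24

# Only allow tunnels to port 443 and to the listed destination hosts;
# everything else from the local network is allowed, all others denied.
http_access deny CONNECT !SSL_ports
http_access deny CONNECT !allowed_tunnel_dst
http_access allow localnet
http_access deny all
```

Because the dstdomain ACL here is evaluated against the CONNECT request line rather than anything inside the tunnel, the same rules work identically on an http_port; the only difference is that the client-to-Squid leg is itself protected by TLS.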
