[squid-users] handling different two way ssl-request via a proxy system
Abdelouahed Haitoute
ahaitoute at rinis.nl
Tue Apr 14 19:12:44 UTC 2015
Hello Amos,
Thank you for your reply.
> Problem A)
> requirements #1 and #2 above are mutually exclusive.
>
> Obeying #1 involves sending traffic from Squid to the parent proxy for
> action.
>
> Obeying #2 involves opening direct TLS connections from Squid to the
> origin servers.
Is it possible to send the TLS connection as an HTTP CONNECT tunnel through the parent proxy? (http://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling)
Abdelouahed
> On 14 Apr 2015, at 18:20, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
> On 14/04/2015 11:57 p.m., Abdelouahed Haitoute wrote:
>>
>
>> There are two things I haven’t realized in the development
>> environment, because I don’t know how:
>> 1. Making Squid 3.1.10 use a proxy system, because that’s our
>> policy to communicate to the outside world. In apache we use the
>> following directive: “ProxyRemote https http://192.168.68.102:3128”
>
> In squid.conf:
>
> cache_peer 192.168.68.102 parent 3128 0
>
>
>>
>> 2. Making the configuration variable as much as possible. So the
>> Squid 3.1.10 handles all different http client requests to different
>> https servers and sends them as https two-way ssl. Currently it
>> only handles requests for https.example.com.
>
>
> Use the sslproxy_* directives instead of cache_peer.
>
>
> However you have two problems:
>
> Problem A)
> requirements #1 and #2 above are mutually exclusive.
>
> Obeying #1 involves sending traffic from Squid to the parent proxy for
> action.
>
> Obeying #2 involves opening direct TLS connections from Squid to the
> origin servers.
>
>
> Problem B)
> Translating between http:// and https:// is explicitly forbidden in
> both HTTP and HTTPS protocol security requirements.
>
> Squid does not permit that highly dangerous action to be taken. However
> there are several other possibilities depending on what you actually
> need done.
>
>
> Amos
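The CONNECT tunnel asked about above, as an added Python example that is not from the thread or from Squid: the client asks the parent proxy for a raw tunnel, then runs the two-way TLS handshake end to end inside it, so the parent proxy only relays ciphertext and never holds the client certificate. The function names, the constructed fake parent proxy and the certificate file arguments are assumptions made for illustration.

```python
import socket, ssl, threading

def open_connect_tunnel(proxy_addr, host, port, timeout=10):
    """Ask the parent proxy for a raw TCP tunnel to host:port (HTTP CONNECT)."""
    sock = socket.create_connection(proxy_addr, timeout=timeout)
    req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    sock.sendall(req.encode("ascii"))
    buf = b""
    # Read byte by byte so no tunnelled TLS bytes are consumed by mistake.
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed before answering CONNECT")
        buf += chunk
    status = buf.split(b"\r\n", 1)[0].decode("latin-1")
    if status.split(" ", 2)[1:2] != ["200"]:
        sock.close()
        raise ConnectionError(f"proxy refused tunnel: {status}")
    return sock

def wrap_mutual_tls(sock, host, certfile, keyfile, cafile=None):
    """Two-way TLS inside the tunnel: verify the origin, present a client cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx.wrap_socket(sock, server_hostname=host)

def fake_parent_proxy(reply):
    """Constructed stand-in for the parent proxy: records one request, sends reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr = srv.getsockname()
    seen = []
    def serve():
        conn, _ = srv.accept()
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        seen.append(data)
        conn.sendall(reply)
        conn.close()
        srv.close()
    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return addr, seen, t
```

Against a real parent proxy, the socket returned by `open_connect_tunnel` is passed to `wrap_mutual_tls` together with the client certificate and key files.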