[squid-users] question about encrypted connection between https client and Squid

Yuri Voinov yvoinov at gmail.com
Sun Mar 1 17:51:39 UTC 2015





01.03.15 23:45, Julianne Bielski writes:
> Normally my infrastructure looks like:
> 
> 
> client  -- HTTP CONNECT (not encrypted)  ---> proxy client ------
> TCP tunnel ---> proxy --- TCP tunnel ---> reverse proxy client ---
> HTTPS application payload ---------------> reverse proxy
> 
> Now I need it to look like:
> 
> client -------- HTTPS application payload ----> proxy  ---- HTTPS 
> application payload  ----> reverse proxy

No problem. This will work - and with only one encryption at every
stage. The proxy can pass both - CONNECT with tunneling to the reverse
proxy, or a bumped HTTPS connection.

In my installation this scheme works with most websites that use
reverse proxies. I use transparent interception SSL-bump enabled Squid.


> 
> From: Yuri Voinov <yvoinov at gmail.com>
> To: squid-users at lists.squid-cache.org
> Date: 03/01/2015 12:26 PM
> Subject: Re: [squid-users] question about encrypted connection between https client and Squid
> Sent by: "squid-users" <squid-users-bounces at lists.squid-cache.org>
> 
> 01.03.15 23:18, Julianne Bielski writes:
> 
>> I have an https client (not a browser) that normally connects to
>> a reverse proxy. When it needs to go through a forward proxy, it 
>> requests a CONNECT tunnel. I now have a requirement to also be
>> able to encrypt the connection between my client and the forward
>> proxy, and I think this is possible using Squid and the
>> https_port directive (??)
> Yep.
> 
>> My question is, will my https client now have to decrypt twice? 
>> Once for the connection with the forward proxy and once for the 
>> connection with the reverse proxy?
> 
> Re-encryption will be performed only in the case of SSL-bumped connections.
> 
> But now I still can't imagine your infrastructure and how it must
> work.
> 
>> Also, must my https client still send a CONNECT message to
>> Squid, or does it just connect to Squid's https_port at the TCP
>> level, perform the SSL handshake, and then open a TCP connection
>> to the reverse proxy?
> 
> I still want to take a look at your infrastructure scheme.
> 
> 
>> Thanks,
> 
>> J. Bielski
> 
> 
> 
> 

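To make the CONNECT-over-https_port path discussed in this thread concrete, here is an added example of a client doing it. It is not code from the thread or from the Squid project; the host names, ports and the Squid config line in the comment are assumptions. The client opens TLS to Squid's https_port (layer 1), sends CONNECT inside that session, and then runs a second, nested TLS session to the reverse proxy through the tunnel (layer 2). With a tunnelled (non-bumped) CONNECT the proxy only relays layer 2 and never sees the application payload, so the inner certificate is validated against the reverse proxy's name, not the proxy's. The example also shows why the inner layer cannot be built with ssl.wrap_socket(): it has to run on MemoryBIO objects and be pumped through the outer socket, otherwise it would bypass the outer session.

```python
import socket
import ssl

# Assumed deployment (constructed names, not from the thread).
# Squid side, 3.5-era syntax:
#   https_port 3129 cert=/etc/squid/proxy.pem key=/etc/squid/proxy.key
PROXY_HOST = "proxy.example.test"
PROXY_PORT = 3129
TARGET_HOST = "app.example.test"   # the reverse proxy the client really wants
TARGET_PORT = 443


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request sent to the proxy inside the outer TLS session."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "Proxy-Connection: keep-alive\r\n\r\n").encode("ascii")


def parse_connect_response(raw: bytes):
    """Return (status_code, bytes_after_head) for the proxy's reply to CONNECT.

    Raises ValueError on an incomplete head or malformed status line, so the
    caller never mistakes garbage for an established tunnel.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1]), rest


class TlsOverTunnel:
    """Inner TLS session (layer 2) carried inside the outer TLS socket (layer 1).

    wrap_socket() cannot be nested: it speaks TLS directly on the file
    descriptor and would bypass the outer session. MemoryBIOs plus an explicit
    pump through the outer socket keep the layers properly nested.
    """

    def __init__(self, outer, ctx: ssl.SSLContext, server_hostname: str):
        self.outer = outer                 # layer-1 socket to the proxy
        self.incoming = ssl.MemoryBIO()    # layer-2 records received via the tunnel
        self.outgoing = ssl.MemoryBIO()    # layer-2 records waiting to be sent
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing,
                                server_side=False, server_hostname=server_hostname)

    def _flush(self) -> None:
        data = self.outgoing.read()
        if data:
            self.outer.sendall(data)

    def _fill(self) -> None:
        chunk = self.outer.recv(16384)
        if chunk:
            self.incoming.write(chunk)
        else:
            self.incoming.write_eof()      # tunnel closed: let the inner session see EOF

    def handshake(self) -> None:
        while True:
            try:
                self.tls.do_handshake()
                self._flush()
                return
            except ssl.SSLWantReadError:
                self._flush()              # push our half of the handshake out first
                self._fill()

    def send(self, data: bytes) -> None:
        self.tls.write(data)
        self._flush()

    def recv(self, n: int = 16384) -> bytes:
        while True:
            try:
                return self.tls.read(n)
            except ssl.SSLWantReadError:
                self._fill()


def fetch_through_tunnel(path: str = "/") -> bytes:
    """Layer 1 to Squid's https_port, CONNECT inside it, then layer 2 to the target."""
    raw = socket.create_connection((PROXY_HOST, PROXY_PORT), timeout=10)
    outer = ssl.create_default_context().wrap_socket(raw, server_hostname=PROXY_HOST)
    outer.sendall(build_connect_request(TARGET_HOST, TARGET_PORT))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = outer.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    code, leftover = parse_connect_response(buf)
    if code // 100 != 2:
        raise ConnectionError(f"proxy refused CONNECT with status {code}")
    inner = TlsOverTunnel(outer, ssl.create_default_context(), TARGET_HOST)
    if leftover:                           # bytes after the head already belong to layer 2
        inner.incoming.write(leftover)
    inner.handshake()                      # certificate checked against TARGET_HOST
    inner.send(f"GET {path} HTTP/1.1\r\nHost: {TARGET_HOST}\r\nConnection: close\r\n\r\n".encode())
    return inner.recv()
```

Run fetch_through_tunnel() against a Squid whose https_port certificate the client trusts; on the wire the proxy sees only the CONNECT line and opaque layer-2 records. If the proxy bumps instead of tunnelling, the inner handshake in handshake() fails certificate validation unless the bumping CA has been added to the target context, which is the client-side signal that re-encryption is happening.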
