[squid-users] question about encrypted connection between https client and Squid

Eliezer Croitoru eliezer at ngtech.co.il
Sun Mar 1 20:55:45 UTC 2015


Hey Yuri,

On 01/03/2015 20:17, Yuri Voinov wrote:
> Normally you never use CONNECT method over HTTP ports. This is
> prohibited by squid basic security requirements.

The above statement is true only if the proxy admin prohibits this.
A CONNECT method can be allowed and can be used for any purpose whatsoever 
the admin of the server sees right.
There are basic default settings which allow the usage of a CONNECT 
method only to access specific "ssl safe ports".

The "right" way (if there is one) to access squid using an encrypted 
channel would be through either a tunnel or another proxy which can 
forward the request into squid.
If the client supports encrypted proxy connection you can try to use 
squid 3.5.2 and a combination of haproxy in front.
On the haproxy use an SSL-based listening port while between haproxy and 
the squid service you would need to use an unencrypted channel.
Then you can use haproxy PROXY protocol to let squid know what the 
client src IP address is.

All The Bests,
Eliezer

* I have not tested this feature yet but it is on my todo list, for now 
3.5.2 seems very stable.
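
An example configuration for the haproxy-in-front layout described in the message above, added here and not part of the original post. The listening ports, certificate path, and frontend/backend names are assumptions; haproxy and squid are assumed to run on the same host.

```conf
# ---- haproxy.cfg (assumed file name) ----
defaults
    mode tcp                      # pass proxy traffic, including CONNECT tunnels, as a byte stream
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend tls_proxy_in             # assumed name
    # Clients speak TLS to this port; the PEM holds certificate + private key (assumed path).
    bind :3129 ssl crt /etc/haproxy/certs/proxy.example.pem
    default_backend squid_plain

backend squid_plain               # assumed name
    # Unencrypted hop to squid on loopback. "send-proxy" prepends a PROXY
    # protocol header carrying the real client source address.
    server squid1 127.0.0.1:3128 send-proxy

# ---- squid.conf (squid 3.5 or later) ----
# Listen on loopback only, so the plaintext port is not reachable from the network,
# and require a PROXY protocol header on every connection to this port.
http_port 127.0.0.1:3128 require-proxy-header

# Accept PROXY headers only from the haproxy instance. Connections to a
# require-proxy-header port are denied unless allowed here.
acl haproxy_front src 127.0.0.1
proxy_protocol_access allow haproxy_front
proxy_protocol_access deny all
```

Keeping `proxy_protocol_access` limited to the haproxy address matters because squid takes the client source IP from the PROXY header; any peer allowed to send that header can claim an arbitrary source address and so bypass `src`-based ACLs.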

