[squid-users] question about encrypted connection between https client and Squid
Julianne Bielski
bielsk at us.ibm.com
Mon Mar 2 12:15:18 UTC 2015
Amos,
Per:

> There *is* a Right Way.
> It is this:
> 1) using this in squid.conf:
> https_port 3129 cert=/path/to/proxy.pem
> 2) client connects to 3129 using TCP, then performs TLS handshake.
> 3) client sends requests inside the encrypted connection as if they were
> HTTP to a proxy but using https:// URL scheme.
If my client (it's not a browser) is an https client ultimately attempting
to send its payload to a reverse proxy listening on 443, does this mean
that I will have an encrypted payload inside of another encrypted payload?
Also, if I configure my client to send traffic to Squid at port 3129,
then doesn't this mean I'm using Squid explicitly and not transparently?
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Date: 03/01/2015 08:39 PM
Subject: Re: [squid-users] question about encrypted connection between
https client and Squid
Sent by: "squid-users" <squid-users-bounces at lists.squid-cache.org>
On 2/03/2015 9:55 a.m., Eliezer Croitoru wrote:
> Hey Yuri,
>
> On 01/03/2015 20:17, Yuri Voinov wrote:
>> Normally you never use CONNECT method over HTTP ports. This is
>> prohibited by squid basic security requirements.
>
> The above statement is true only if the proxy admin prohibits this.
> A CONNECT method can be allowed and can be used for any purpose whatsoever
> the admin of the server sees right.
> There are basic default settings which allow the usage of a CONNECT
> method only to access specific "ssl safe ports".
>
> The "right" way (if there is one) to access squid using an encrypted
> channel would be through either a tunnel or another proxy which can
> forward the request into squid.
There *is* a Right Way.
It is this:
1) using this in squid.conf:
https_port 3129 cert=/path/to/proxy.pem
2) client connects to 3129 using TCP, then performs TLS handshake.
3) client sends requests inside the encrypted connection as if they were
HTTP to a proxy but using https:// URL scheme.
That's *all*.
It is very simple. It works well with SSL-enabled Squid.
It avoids both the page-long list of NAT/TPROXY interception problems
and the other half-page list of SSL-bump hijacking related problems.
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
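The three steps Amos lists, as an added client-side example that is not part of the thread and not Squid's own code. It assumes a Squid started with the quoted `https_port 3129 cert=/path/to/proxy.pem` line, a hostname `proxy.example.invalid` for that box, and a CA file (`ca_file`) that the client trusts for the proxy's certificate; all three are assumptions, not values from the thread. The point it makes concrete: the client performs exactly one TLS handshake, with the proxy, and inside that session sends an ordinary absolute-form proxy request whose URL uses the `https://` scheme. Squid then originates its own TLS connection to the origin, so the client does not nest a second TLS session of its own, and because the client addresses port 3129 directly this is explicit proxying, which is what lets it sidestep the interception and SSL-bump problems Amos mentions. Certificate verification of the proxy is kept on, since without it the encrypted hop to the proxy protects nothing.

```python
"""Client for a Squid https_port (TLS-wrapped explicit proxy).

Added example, not from the squid-users thread. Assumes Squid runs with
    https_port 3129 cert=/path/to/proxy.pem
and that ca_file holds the CA that issued proxy.pem (both assumed here).
"""
import socket
import ssl
from urllib.parse import urlsplit

PROXY_HOST = "proxy.example.invalid"   # assumed hostname of the Squid box
PROXY_PORT = 3129                      # port from the quoted squid.conf line


def build_proxy_request(url: str, method: str = "GET") -> bytes:
    """Build an absolute-form HTTP/1.1 request as sent to an explicit proxy.

    Step 3 of the recipe: the request line carries the full https:// URL.
    Squid, not this client, opens the TLS session to the origin server.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("proxy request needs an http:// or https:// URL")
    if not parts.netloc:
        raise ValueError("URL has no host")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    absolute = f"{parts.scheme}://{parts.netloc}{path}"
    lines = [
        f"{method} {absolute} HTTP/1.1",
        f"Host: {parts.netloc}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def make_client_context(ca_file: str) -> ssl.SSLContext:
    """TLS context that verifies the proxy certificate against ca_file.

    Verification is what gives step 2 its value: an unverified handshake
    would let anyone on the path pose as the proxy and read every request.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_via_tls_proxy(url: str, ca_file: str,
                        proxy_host: str = PROXY_HOST,
                        proxy_port: int = PROXY_PORT) -> bytes:
    """Steps 1-3 end to end: TCP to the https_port, TLS handshake with the
    proxy, then the plain proxy request inside that single TLS session."""
    ctx = make_client_context(ca_file)
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=proxy_host) as tls:
            tls.sendall(build_proxy_request(url))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


def parse_status_line(response: bytes) -> int:
    """Return the HTTP status code from the first line of a response."""
    first = response.split(b"\r\n", 1)[0]
    return int(first.split(b" ", 2)[1])


if __name__ == "__main__":
    # Assumed CA path; replace with the CA that signed the proxy certificate.
    body = fetch_via_tls_proxy("https://www.example.com/", "/path/to/proxy-ca.pem")
    print(parse_status_line(body))
```

The only bytes the proxy ever sees in the clear are none: the request, its `https://` URL and the response all travel inside the client-to-proxy TLS session, which is the property the `https_port` recipe provides and CONNECT over a plain `http_port` does not.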