[squid-users] SSL MITM with unencrypted parent proxy

Amos Jeffries squid3 at treenet.co.nz
Tue May 5 05:33:53 UTC 2015


On 5/05/2015 4:08 p.m., Chris Bennett wrote:
> Hi there,
> 
> I'm experimenting with WAN acceleration & block caching (wanproxy.org
> for those interested).  This works great for HTTP:
> 
> client <-> squid1 <-> wanproxy <-> VPN <-> wanproxy <-> squid2 <-> inet
> 
> With SSL, I suspect the data between squid and squid2 (in a
> child/parent configuration) will be encrypted with a new tunnel (I
> haven't tested it yet).  If that is the case, is there any way to
> configure squid1 and squid2 to communicate in cleartext for the
> child/parent communication?

Squid will not permit HTTPS decrypted requests over un-encrypted
channels. If it does, that's a bug we need to fix ASAP.

However, explicit proxies can receive TLS connections. The two proxies
will happily use those connections for any type of traffic, including
ones like https:// with special security requirements.

* Configure the squid2 with an https_port for receiving regular proxy
traffic (but over TLS/SSL).

* Configure the squid1 cache_peer parent line with "ssl" option (and any
supporting options that may be required or desired).


Note that for proper security these cache_peer links can be set up with
self-signed certificates, doing both server and client certificate
authentication, which is the proper usage TLS was designed for and
cannot be MITM'd.

Amos
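The two-step peer setup described in the reply, written out as a squid.conf example. This is an added illustration, not configuration from Amos's reply or from the Squid project; the hostname, ports, source address and certificate paths are assumed values, and the certificates are the self-signed pair per proxy that the reply suggests (each proxy trusts the other's certificate directly).

```conf
# ---- squid2 (the parent), receives proxy traffic over TLS ----
# Assumed port and file paths. cert/key are squid2's own self-signed
# server certificate; clientca names the certificate squid1 presents,
# so squid2 requests a client certificate and rejects peers that do not
# present one chaining to it.
https_port 3129 cert=/etc/squid/squid2-cert.pem key=/etc/squid/squid2-key.pem \
    clientca=/etc/squid/squid1-cert.pem cafile=/etc/squid/squid1-cert.pem

# Only the authenticated peer should be able to use this port
# (10.0.0.1 is the assumed address of squid1 on the VPN side).
acl from_squid1 src 10.0.0.1/32
http_access allow from_squid1
http_access deny all

# ---- squid1 (the child), forwards everything to squid2 over TLS ----
# "ssl" turns the peer link into a TLS connection; sslcert/sslkey are
# squid1's client certificate; sslcafile pins squid2's self-signed
# certificate; ssldomain makes Squid check that certificate's name.
cache_peer squid2.example.internal parent 3129 0 no-query default ssl \
    sslcert=/etc/squid/squid1-cert.pem sslkey=/etc/squid/squid1-key.pem \
    sslcafile=/etc/squid/squid2-cert.pem ssldomain=squid2.example.internal

# Do not add sslflags=DONT_VERIFY_PEER to the line above: it skips
# verification of squid2's certificate and reopens the MITM that the
# mutual authentication closes.

# Never go direct: all traffic, https:// included, must use the peer link.
never_direct allow all
```

Run `squid -k parse` on each host after editing to have Squid validate the syntax before reloading. With both sides configured this way, traffic between squid1 and squid2 crosses wanproxy and the VPN only inside the TLS session, which is why the link cannot be cached or inspected in between, exactly the property the reply describes.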