[squid-users] SSL MITM with unencrypted parent proxy
Amos Jeffries
squid3 at treenet.co.nz
Tue May 5 12:09:07 UTC 2015
On 5/05/2015 11:19 p.m., Chris Bennett wrote:
> Hi Amos,
>
> Thanks for the quick reply.
>
>> However, explicit proxies can receive TLS connections. The two proxies
>> will happily use those connections for any type of traffic, including
>> ones like https:// with special security requirements.
>>
>> * Configure the squid2 with an https_port for receiving regular proxy
>> traffic (but over TLS/SSL).
>>
>> * Configure the squid1 cache_peer parent line with "ssl" option (and any
>> supporting options that may be required or desired).
>
> I don't think this would allow me to use wanproxy at any point on both
> sides of the configuration though, or am I misunderstood?
If you want wanproxy to be a party to the transactions you need it
configured for TLS in its equivalent of what I said for squid2.
The TLS explicit proxy connection then goes squid1->wanproxy and
wanproxy becomes responsible for ensuring TLS end-2-end security.
PS. we just got one big step closer to supporting CONNECT over next-hop
proxies with some redesign in squid-4 today. But its still a ways off.
Amos
More information about the squid-users
mailing list