[squid-users] Squid https_port

Alex Rousskov rousskov at measurement-factory.com
Fri Sep 14 21:25:28 UTC 2018


On 09/14/2018 12:11 PM, John Refwe wrote:
  
> I have a couple of questions about the squid https_port.
>  
> 1) Does it only exist for transparent connections?

No, it does not. It also supports encrypted connections between the
client and Squid. In that scenario, Squid can be called an HTTPS proxy.
Many modern browsers and other clients (e.g., curl) support HTTPS proxies.


> I know if I want to have a transparent proxy that can accept TLS
> requests, I need to have the port be a https_port rather than a
> http_port, but is that what it was created for?

IIRC, it was created for the HTTPS proxy support. Inspection of
intercepted TLS connections came much later.


> 2) How come the https_port does not support receiving proxy protocol?

If it does not, then nobody added that support. There is nothing in the
PROXY protocol itself that would make it impossible to support on the
https_port AFAICT.


> I thought that HAProxy supports sending it before instantiating a TLS connection?

I do not know what HAProxy does or whether it supports talking to HTTPS
proxies at all, but the whole idea behind HTTPS proxying is to
protect/encrypt client-proxy communication. I would expect HAProxy to
send the PROXY header _inside_ the TLS connection to the HTTPS proxy,
not outside it!

Alex.
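
Added example (not part of the original message, and not Squid or HAProxy code): whether a PROXY header sits outside or inside the TLS layer can be read off the first bytes a listener receives, because a PROXY protocol v1/v2 header and a TLS handshake record start differently. The function names and the sample bytes below are constructed for illustration.

```python
import ipaddress

# Fixed 12-byte signature that opens every PROXY protocol v2 header.
V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"

def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes seen on a freshly accepted connection."""
    if data.startswith(V2_SIG):
        return "proxy-v2"
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "unknown"

def parse_v1(data: bytes):
    """Parse a v1 header, return (fields, bytes after it); ValueError if malformed."""
    end = data.find(b"\r\n", 0, 107)  # a v1 header is at most 107 bytes with CRLF
    if end == -1:
        raise ValueError("no CRLF within 107 bytes")
    parts = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if parts[:2] == ["PROXY", "UNKNOWN"]:
        return {"family": "UNKNOWN"}, rest
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    want = 4 if parts[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"family": parts[1], "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport}, rest

def layering(data: bytes):
    """Return (outer, inner): what arrives first and what follows a v1 header."""
    outer = classify_first_bytes(data)
    if outer != "proxy-v1":
        return outer, None
    return outer, classify_first_bytes(parse_v1(data)[1])

# Constructed sample: a v1 header followed by the start of a TLS handshake record.
TLS_START = b"\x16\x03\x01\x02\x00\x01"
SAMPLE = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 3129\r\n" + TLS_START
if __name__ == "__main__":
    print(layering(SAMPLE), layering(TLS_START))
```

A result of ("proxy-v1", "tls") means the header was sent in cleartext ahead of the handshake; ("tls", None) means any PROXY header can only be inside the encrypted stream. The addresses in the header are supplied by the sender, so a listener should accept it only from peers it is configured to trust.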

