[squid-users] Caching https data

Amos Jeffries squid3 at treenet.co.nz
Thu Jul 30 09:11:02 UTC 2020


On 30/07/20 10:34 am, Darwin O'Connor wrote:
> I run a transit prediction web app <https://www.transsee.ca/>. It
> connects to a variety of web APIs to collect the real time data it
> needs. The app's activities are split among many processes. They
> currently use libcurl to connect to squid for caching (often for as
> little as 10-30 seconds) and benefits of connection sharing, but some of
> the APIs use https, so in that case the data passes through squid
> without the benefits of caching or connection sharing.
> 
> I would like to configure squid to connect to these servers securely and
> pass it unencrypted to clients. Security isn't really an issue since
> this step is all within the one server. I'll have to configure libcurl
> to allow unencrypted data.
> 

There are several approaches you can take:

1) configure libcurl and/or the apps to send https:// URLs to Squid in
regular HTTP requests. Leaving Squid to handle all the HTTPS portion.
  <>


2) configure libcurl and/or the apps to send https:// URLs to a Squid
secure listening port (https_port) in regular HTTP requests. Leaving
Squid to handle all the HTTPS portion with servers. I'm not sure about
libcurl, but some clients allow this when they prohibit (1) because it
is somewhat more secure.

<https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection>


3) SSL-Bump to decrypt the CONNECT tunnels clients tend to prefer when
using an HTTP proxy.
  <https://wiki.squid-cache.org/Features/SslPeekAndSplice>


Current Squid (v4 or later) supports (1) and (2) with either GnuTLS or
OpenSSL. (3) requires OpenSSL.

Once decrypted the https:// URLs are subject to normal HTTP caching rules.


Amos
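A squid.conf fragment illustrating approaches (1) and (2) from the reply above, added here as an example (not from the original thread or from the Squid project); the port numbers, certificate paths and hostnames are assumptions for illustration.

```conf
# squid.conf fragment for approaches (1) and (2). Added example,
# not from the original message; ports and file paths are assumptions.

# (1) Plain HTTP listener for the local app processes.
#     Bound to loopback only: the justification for an unencrypted
#     client<->proxy hop was that both sides live on the same host.
http_port 127.0.0.1:3128

# (2) TLS listener for clients that refuse to send https:// URLs
#     over plain HTTP; the client must trust this certificate.
https_port 127.0.0.1:3129 tls-cert=/etc/squid/proxy-cert.pem tls-key=/etc/squid/proxy-key.pem

# Only local processes may use the proxy. 'localhost' is a built-in
# ACL covering 127.0.0.1 and ::1.
http_access allow localhost
http_access deny all

# Squid, not libcurl, now terminates TLS to the origin APIs, so
# server certificate verification happens here: keep the system CA
# bundle enabled and refuse protocol versions below TLS 1.2.
tls_outgoing_options default-ca min-version=1.2

# No special caching rules are needed: once fetched, the https://
# objects follow the normal HTTP freshness rules (Cache-Control,
# Expires, and the refresh_pattern defaults such as this one).
refresh_pattern . 0 20% 4320

# Checking (1) with a raw request carrying the absolute https:// URL
# (libcurl normally tunnels https:// URLs with CONNECT instead):
#   printf 'GET https://api.example.test/feed HTTP/1.1\r\nHost: api.example.test\r\n\r\n' \
#     | nc 127.0.0.1 3128
# A repeat within the object's freshness window logs TCP_HIT or
# TCP_MEM_HIT in access.log instead of TCP_MISS.
```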