[squid-users] Sending CONNECT method requests over HTTPS

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed May 20 10:07:47 UTC 2020


On 20.05.20 05:07, Ronan Lucio wrote:
>I read a similar thread a couple of weeks ago, but my scenario has
>some differences.
>Anyway, my need is sending CONNECT method requests over HTTPS as well.

Already possible.

>I read the docs and just would like to confirm with you if I got it right:
>
>1)
>To send CONNECT method requests over HTTPS I'm supposed to use https_port.

No. It's very common to use an HTTP proxy over HTTP, and the CONNECT request
creates the communication between the client and the server.

>May I use it on the same way as http_port (without intercept, proxy,
>or accelerate)?

Yes.

>2)
>If I need to apply ACL rules to restrict some destinations, I'm
>supposed to use bump_ssl.

Without bumping, you can only see the destination host:port, the hostname
possibly sent in the SNI, and the contents of the SSL certificate.

For anything else (like the HTTPS path) you must bump the connection:
decrypt the SSL tunnel, behave as the server to the client (providing it
with a certificate the client trusts) and behave as a client to the server
(which makes e.g. SSL client authentication impossible).

Note that doing this can compromise clients' security and can cause legal
issues.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux - It's now safe to turn on your computer.
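The two layers of restriction described in the reply above (destination host:port checks that need no decryption, and SNI checks that need a peek but still no bumping), as an added squid.conf example that is not part of the original thread or of Squid's own documentation. It assumes Squid 4.x or later directive syntax (tls-cert=, tls-key=, security_file_certgen); all file paths, the 10.0.0.0/8 client range and the .example.org domain are placeholders.

```conf
# Added example, not from the original post. Squid 4.x+ syntax assumed;
# paths, networks and domains below are placeholders.

# Plain HTTP proxy port. CONNECT requests arrive here in the clear, as the
# reply notes is the common case. ssl-bump is required on the port for the
# ssl_bump rules further down to be evaluated, and Squid needs a CA-capable
# certificate here even though this configuration never decrypts traffic.
http_port 3128 ssl-bump tls-cert=/etc/squid/ca.crt tls-key=/etc/squid/ca.key generate-host-certificates=on
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Proxy port that speaks TLS to the client, i.e. "CONNECT over HTTPS".
# The client has to be configured to use an HTTPS proxy explicitly; no
# intercept or accel flags are involved. The CONNECT ACLs below apply to
# requests arriving on either port.
https_port 3129 tls-cert=/etc/squid/proxy.crt tls-key=/etc/squid/proxy.key

# --- Layer 1: restrictions that need no bumping at all -------------------
# The CONNECT request line carries host:port in plain text to the proxy,
# so dstdomain / port ACLs work without touching the TLS tunnel.
acl localnet    src 10.0.0.0/8            # placeholder client network
acl SSL_ports   port 443
acl CONNECT     method CONNECT
acl blocked_dst dstdomain .example.org    # placeholder blocked destination

http_access deny  CONNECT !SSL_ports      # tunnel only to TLS ports
http_access deny  CONNECT blocked_dst     # match on the CONNECT target host
http_access allow localnet
http_access deny  all

# --- Layer 2: look at the SNI, still without decrypting -------------------
# peek at step 1 reads the ClientHello (and the SNI in it); terminate drops
# tunnels whose SNI matches; splice passes everything else through intact,
# so the client's end-to-end TLS session and any client-certificate
# authentication stay untouched.
acl step1       at_step SslBump1
acl blocked_sni ssl::server_name .example.org

ssl_bump peek      step1
ssl_bump terminate blocked_sni
ssl_bump splice    all
```

Two caveats a practitioner should keep in mind with this setup. The SNI is a client-supplied, unauthenticated hint; a client that lies in the ClientHello, or a connection that carries no SNI at all, is only constrained by the layer 1 host:port checks, and the real server identity is only verified by the proxy if the connection is bumped rather than spliced. And the ssl::server_name ACL here is evaluated after the peek; at step 1 it can only see the CONNECT host, which is why the SNI-based rule is expressed as an ssl_bump action rather than an http_access line.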

