[squid-users] Rewriting HTTP to HTTPS for generic package proxy
Amos Jeffries
squid3 at treenet.co.nz
Wed Jul 10 09:41:37 UTC 2024
On 10/07/24 10:25, Fiehe, Christoph wrote:
> Hallo,
>
> I hope that somebody has an idea, what I am doing wrong. I try to build a generic package proxy with Squid and need the feature to rewrite (not redirect) a HTTP request to a package repository transparently to a HTTPS-based package source.
The "Wrong" starts with the very idea you have that re-writing a URL
scheme is even useful.
While it mas *seem* like an okay idea, what you are actually doing is
exposing the HTTPS secured Response message to transmission over
insecure connections from Squid to client. That is prohibited by HTTPS
which assumes/requires encryption negotiated between the origin client
and the origin server.
The best you can do for a regular proxy. Is *redirect* the http://
requests with a 302 message telling the client to use https:// instead.
...
http_access deny !to_archive_mirrors
acl HTTP proto HTTP
deny_info 302:https://%>rd%rp HTTP
http_access deny HTTP
http_access allow src_networks
...
HTH
Amos
More information about the squid-users
mailing list