[squid-users] connect with http and https protocols

Renzo Marengo buckroger2011 at gmail.com
Wed Apr 30 12:39:44 UTC 2025


>> When you enter "https://www.example.com:8888/test.php" to your browser, it
>> asks proxy server to "CONNECT www.example.com:8888" and browser handles the
>> SSL negotiation and further communication itself.

What you are saying is very interesting; in fact, previously I understood
the CONNECT method was invoked by both the http and https protocols.
You are saying the CONNECT method is invoked only if the protocol is https, while
if you type http://site:port, no CONNECT method is invoked.
Right?


On Tue, 29 Apr 2025 at 16:36, Matus UHLAR - fantomas <
uhlar at fantomas.sk> wrote:

> On 29.04.25 08:54, Renzo Marengo wrote:
> >When client uses CONNECT directive I understand that proxy establishes
> >tunnel to destination host on specified port
> >
> >e.g.
> >http://www.example.com:8888/test.php
> >https://www.example.com:8888/test.php
> >
> >1. I don't understand if this occurs in the presence of both http and https
> >requests. Can the request (using CONNECT method) be http or https?
>
>
> When you enter "http://www.example.com:8888/test.php" into your browser,
> your browser asks proxy server for "http://www.example.com:8888/test.php"
> - it delegates fetching the content to proxy.
>
> When you enter "https://www.example.com:8888/test.php" to your browser, it
> asks proxy server to "CONNECT www.example.com:8888" and browser handles the
> SSL negotiation and further communication itself.
>
> This way, you can tunnel different protocols through the proxy, not just
> HTTP (squid must be able to allow it, the destination ports are usually
> restricted via "https_port" acl).
>
> >2. If in both cases CONNECT method is invoked, how can I discover the
> >protocol (http, https) by looking inside access.log?
> >A.B.C.D TCP_TUNNEL/200 7085 CONNECT mtalk.google.com:5228 - HIER_DIRECT/142.251.18.188
> >
> >I see only info about destination host and port but no http/https protocol
> >is referenced.
>
>
> In this case, client A.B.C.D asked the proxy to "CONNECT
> mtalk.google.com:5228" and the proxy fulfilled the request.
> In case of CONNECT requests, the proxy has no idea what data flow through
> the server. Afaik mtalk.google.com:5228 is used for google/firebase cloud
> messaging.
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>     One OS to rule them all, One OS to find them,
> One OS to bring them all and into darkness bind them
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
>
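
The distinction discussed in this thread, as an added example that is not part of the original messages or of Squid itself: a small Python classifier that reads access.log entries and reports what the proxy could observe for each one. The first sample line is the one quoted in the thread; the other two are constructed, and the names classify, tunnel_destinations and SAMPLE are assumptions made for this illustration.

```python
import re
from collections import Counter

# Matches the fields shown in the thread's sample line; a leading timestamp and
# elapsed-time column (native Squid log format) are tolerated but not required.
LINE_RE = re.compile(
    r"(?P<client>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<target>\S+)"
)

# First line is quoted from the thread; the other two are constructed samples.
SAMPLE = [
    "A.B.C.D TCP_TUNNEL/200 7085 CONNECT mtalk.google.com:5228 - HIER_DIRECT/142.251.18.188",
    "192.0.2.10 TCP_MISS/200 1532 GET http://www.example.com:8888/test.php - HIER_DIRECT/203.0.113.5",
    "192.0.2.10 TCP_TUNNEL/200 4312 CONNECT www.example.com:8888 - HIER_DIRECT/203.0.113.5",
]

def classify(line):
    """Return what the proxy could observe for one access.log entry."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":
        # The target is host:port only; the log carries no scheme or path
        # because the client runs its own protocol inside the tunnel.
        host, _, port = target.rpartition(":")
        return {"client": m["client"], "kind": "tunnel", "host": host,
                "port": int(port), "scheme": None}
    # Non-CONNECT: the client sent an absolute URL, so the scheme is logged.
    scheme = target.split("://", 1)[0] if "://" in target else None
    return {"client": m["client"], "kind": "proxied", "url": target,
            "scheme": scheme}

def tunnel_destinations(lines):
    """Count CONNECT tunnels per (host, port) for review of allowed ports."""
    entries = (classify(line) for line in lines)
    return Counter((e["host"], e["port"]) for e in entries
                   if e and e["kind"] == "tunnel")

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
    print(tunnel_destinations(SAMPLE))
```

For a CONNECT entry the only protocol hint in the log is the destination port, which is why the result leaves the scheme empty.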