RE: [squid-users] fedora, squid, cisco, transparent proxy and https/ssl

From: Damian-Grint Philip <[email protected]>
Date: Thu, 20 Jan 2005 09:23:32 -0000

On a related not, this can even be a problem with non-transparent
proxying - buggy IE autoproxy cache behaviour can give you similar
symptoms.

See http://support.microsoft.com/default.aspx?scid=kb;en-us;271361 which
documents a registry key for disabling autoproxy caching:

"You may have to use this registry key if you connect by using a proxy
server that is handling secure and non-secure requests on the same
server. One example of this behavior is the SQUID Proxy Server software.
Because Internet Explorer typically caches port information, it may not
send a secure request over the correct port number when it tries to send
secure and non-secure responses to the same server, but on different
port numbers."

-----Original Message-----
From: Elsen Marc [mailto:elsen@imec.be]
Sent: 20 January 2005 06:45
To: Flip Johnson; squid-users@squid-cache.org
Subject: RE: [squid-users] fedora, squid, cisco, transparent proxy and
https/ssl

 
>
> Hi Everyone,
>
> We have squid 2.5 setup and working beautifully as a
> transparent proxy. Our
> cisco firewall/router redirects the traffic outbound on port
> 80 to the squid
> box and it in turn is filtered and sent on it's merry way.
>
> Our problem lies with the https traffic, which we are not
> rerouting at the
> cisco box because we realize that squid can't and shouldn't
> proxy that type
> of traffic. The problem is, on and off we seem to have
> reliability with our
> ssl connections. It appears to be an issue when a site
> redirects from an
> insecure to secure page, such as when you are checking out at
> an ecommerce
> site.
>

  Transparant proxying has drawbacks as mentioned in :

 
http://www.squid-cache.org/mail-archive/squid-users/200501/0012.html

 Besides the points mentioned in there; there is another subttle issues
to
 mention :
 Some sites may enforce extra steps in authenticating users over
 secure 'links' (ssl); in the way that a connection is switched during
 a 'logon' sequence from http to https (for instance); then the remote
 webserver may check, whether all connections come from the same ip and
 reject users if they don't.

 Now in your case subsequent http -> https connections may not come
 from the same ip and hence the e-commerce site may refuse a login.

 Check whether this works when the browser is configured to use
 squid directly through proxy config mechanisms.

 M.

________________________________________________________________________
This e-mail has been scanned for all viruses by Star. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________

________________________________________________________________________
This e-mail has been scanned for all viruses by Star. The
service is powered by MessageLabs. For more information on a proactive
anti-virus service working around the clock, around the globe, visit:
http://www.star.net.uk
________________________________________________________________________
Received on Thu Jan 20 2005 - 02:23:39 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:35 MST