RE: [squid-users] Outbound http -> https gateway

From: Henrik Nordstrom <[email protected]>
Date: Tue, 06 Feb 2007 01:40:57 +0100

mån 2007-02-05 klockan 19:09 -0500 skrev Steve Kapp:
> I am interested in b), having squid setup/teardown SSL connections to the
> appropriate server so that the LAN traffic remains unencrypted. In the case
> of b), will squid simply encapsulate the data and ignore the contents after
> the SSL connection to the server has been established, or does it rely upon
> the contents of the packet (i.e. is it well-formed HTTP)?

In 'b' the client has to send the https:// request using HTTP to the
proxy, just as it does for http://.

GET https://www.example.com/path/to/file HTTP/1.1
[headers]

It does not work for clients using the CONNECT method asking for a SSL
tunnel over the proxy.

'b' and 'c' is pretty much the same thing. 'b' is clients knowing they
should not run the SSL themselves and delegating this to the proxy. 'c'
is emulating this by rewriting http:// URLs into https:// at the proxy.

> Any sample configurations available for b)?

None needed at the proxy for 'b'. It's "just" about degrading the client
to not have any SSL capabilities and instead rely on the proxy to
perform the SSL encryption..

As I said earlier it's also possible to extend Squid with the capability
to decrypt CONNECT SSL proxy requests allowing inspection of https
traffic. Contact me privately if you want a quote on implementing this
feature.

Regards
Henrik

Received on Mon Feb 05 2007 - 17:41:03 MST

This archive was generated by hypermail pre-2.1.9 : Thu Mar 01 2007 - 12:00:01 MST