Re: [squid-users] squid-2.6.STABLE19 https proxying

From: Henrik Nordstrom <[email protected]>
Date: Tue, 01 Apr 2008 11:09:46 +0200

tis 2008-04-01 klockan 15:15 +0900 skrev ssoo@siliconfile.com:
> Squid-2.6.STABLE19 have sslproxy* directives.
> Can it support forward proxying http?

Not really no. This feature allows Squid to gateway requests to http.
I.e. if Squid receives an request for https:// over HTTP, or if you use
an url rewriter to rewrite requests from http to https while it's
forwarded by Squid.

But there is a hidden define which enables a proof of concept for https
decryption of proxied requests making Squid send them to your first
https_port. And https_port also supports transparent interception just
like http_port. But it's no more than a proof of concept and there is
many shortcomings making it not suitable for production use

 - Always the same certificate presented no matter what site the user
requested, which means a lot of security warnings in the client on each
new site requested.
 - No control over server certificate validation. It's either accept
anything, or reject almost anything..

> Below is part of squid FAQ:
> "Unsupported Request Method and Protocol" for ''https'' URLs.
>
> The information here is current for version 2.3

This section isn't valid any more.. but is about a browser bug where
some browsers forgot to enable SSL when using a proxy and switching from
http to https on the same requested site... (iirc there was also similar
issues with some browsers forgetting to enabling SSL when using proxy
authentication). It's even a duplicate of another FAQ section where this
is explained better.. removed.

Regards
Henrik
Received on Tue Apr 01 2008 - 03:10:03 MDT

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:03 MDT