Re: [squid-users] squid http -> https translation

From: Wiktor Warmus <wiktor.warmus_at_ccig.pl>
Date: Wed, 23 Sep 2009 09:16:54 +0200

On Sun, 2009-09-20 at 23:46 +1200, Amos Jeffries wrote:
> > Hi,
> > according to the post:
> >
> > http://www.squid-cache.org/mail-archive/squid-users/200506/0071.html
> >
> > On 03.06 14:22, Gruskovnjak Oliver wrote:
> >>> Is it possible to make squid act as a "translator" ?
> >>> The setup should look like that:
> >>>
> >>> There is a server and a client both can change their state to server
> >>> or client.
> >
> >>> The traffic should look like this:
> >>>
> >>> Client -- HTTP -- Squid -- HTTPS -- Server
> >
> >> - squid-2.5 needs ssl patch to do this.
> >> squid-3.0 can do this but it's not released yet.
> >
> >>> Server -- HTTPS --Squid --HTTP -- Client
> >
> >> pardon, you don't want the server to connect to the client, do you?
> >> Why do you want to use SSL? And why can't you use SSL directly from
> >> client to server?
> >
> >>> To the server there should be a HTTP to HTTPS translation and from the
> >>> server to the client a HTTPS to HTTP translation.
> >>>
> >>> Is it possible to do this with squid ?
> >
> > I would like to re-ask the same question.
> > I am trying to run IE via wine on Linux
>
> Eew.

I wouldn't do this if it wasn't necessary. One site that is required
in some company is written in such a way that only IE 5.5 or 6.0 is able
to print it properly.

>
> > and it's unable to connect to
> > the sites via https, so I thought about some kind of https-to-http
> > translation and found the link above with a similar issue.
>
>
>
> And the answer is nearly the same. 2.5 needs a patch. All the currently
> supported Squid can do this without trouble in several ways.
>
> * Squid in normal operation can let the browser open a tunnel and
> shovel HTTPS bits directly between the browser and website.
>
> * Squid can also open https:// URLs if the client browser is happy to
> be talking unsecured HTTP and let the secure bit only happen between
> Squid and the website. (There are no actual web browsers I know of that
> do this, only simplistic web libraries and tools).
>
> * Squid reverse-proxy can translate from public facing HTTPS to a
> private HTTP-only server if it is given the authoritative SSL
> certificate and keys for the domain being serviced.
>
>

The second scenario is the most convenient, but I don't know if IE is
able to work in such a configuration, but I'll try. If it fails, I'll
try the third one.
The first is out of the question, since IE via wine (with the native
engine, not gecko) is unable to connect via a secure channel.

If I have any questions or problems with squid's configuration I
will just ask you :-)

> You need to configure IE to use the Squid as a proxy.
>
>
> NP: If you are trying to make IE secure, using HTTPS will not help. The
> flaws in IE are in the way it handles HTML. There is no way to do so
> short of re-coding IE without all its bugs AND re-coding the OS it runs
> on without its bugs as well.

As I said, I am trying to use IE since it is necessary. Its only purpose
will be connecting to the one (rather secure) site.

Wiktor
Received on Wed Sep 23 2009 - 07:17:06 MDT
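
The first two modes listed in the quoted reply leave different traces in Squid's access.log. The following is an added example, not part of the original thread or of Squid: it classifies constructed log lines in Squid's native log format, assuming a forward-proxy deployment, and lists the clients whose https:// requests crossed the client-to-proxy hop unencrypted. The function names are hypothetical.

```python
# Added example: tell apart, from Squid's access.log, the first two proxy
# modes described in the thread. Assumes a forward proxy and Squid's native
# log format: time elapsed client code/status bytes method URL user peer type
# All log lines below are constructed sample data.
SAMPLE_LOG = """\
1253690214.101    312 192.0.2.10 TCP_MISS/200 4821 CONNECT intranet.example.com:443 - DIRECT/198.51.100.5 -
1253690220.440    158 192.0.2.11 TCP_MISS/200 9120 GET https://intranet.example.com/report - DIRECT/198.51.100.5 text/html
1253690231.007     45 192.0.2.11 TCP_HIT/200 1033 GET http://www.example.org/ - NONE/- text/html
"""


def classify(line):
    """Return (client, mode, client_hop_protected) or None if unparsable."""
    fields = line.split()
    if len(fields) < 10:
        return None
    client, method, url = fields[2], fields[5], fields[6]
    if method == "CONNECT":
        # Mode 1: Squid only relays bytes; TLS runs browser <-> website.
        return client, "tunnel", True
    if url.lower().startswith("https://"):
        # Mode 2: the client speaks plain HTTP to Squid and Squid speaks TLS
        # to the website, so the client <-> Squid hop carries cleartext.
        return client, "translated", False
    return client, "plain", False


def cleartext_https_clients(log_text):
    """Clients whose https:// requests reached the proxy unencrypted."""
    hits = set()
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1] == "translated":
            hits.add(result[0])
    return sorted(hits)


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(classify(entry))
    print("cleartext https clients:", cleartext_https_clients(SAMPLE_LOG))
```

In a reverse-proxy deployment (the third mode) the logged URL can also begin with https:// even though the client connected over TLS, so the classification above only holds for forward-proxy logs.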
