Re: [squid-users] RE: HTTPS and Squid

From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo_at_gmail.com>
Date: Sat, 8 May 2010 14:32:55 -0430

Doing man-in-the-middle through squid? yeew, that's usually
problematic..... some sites, specially the ones using "client
certificates" (startcom, for example) will not work as expected (I
think).

On Sat, May 8, 2010 at 12:31 AM, Jafaruddin Lie
<jafaruddin.lie_at_gmail.com> wrote:
> Adding to what Jose said, it means that even if you put a sniffer on your
> proxy server to check the HTTPS traffic, you wouldn't get anything but
> gooble-dee-gook.
> What you want, Josh, if I am reading you correctly, is SSL termination on
> the squid server.
> So, the squid server will terminate the SSL connection from your client,
> then create another SSL connection to the destination server.
> This would involve creating certificates that you would need to install on
> your client (depending on the scenario you want, actually), so any
> particular reason why you need it done this way?
> On Sat, May 8, 2010 at 2:19 PM, Jose Ildefonso Camargo Tolosa
> <ildefonso.camargo_at_gmail.com> wrote:
>>
>> Hi!
>>
>> On Fri, May 7, 2010 at 2:14 PM, Baird, Josh <jbaird_at_follett.com> wrote:
>> > Ok, perhaps I misunderstood how CONNECT works.
>> >
>> > When Squid CONNECT's to a remote webserver via HTTPS, the tunnel is
>> > created between the user and the remote server.. so is all data sent
>> > over HTTPS (from the remote server to the client using the squid proxy)?
>>
>> When a client request a https page, it does a CONNECT method, and
>> thus: squid opens the connection to the remote ip:port and start
>> passing thru the data to the client's connection. �That's all.
>>
>> If a client request a "normal" web page (http), all communication is
>> unencrypted, from client to proxy and from proxy to remote server, and
>> the server download things, and then send them to the client.
>>
>> >
>> > Thanks,
>> >
>> > Josh
>> >
>> > -----Original Message-----
>> > From: Baird, Josh
>> > Sent: Friday, May 07, 2010 1:17 PM
>> > To: 'squid-users_at_squid-cache.org'
>> > Subject: HTTPS and Squid
>> >
>> > Typically, all of our proxy clients connect to our Squid servers via
>> > HTTP (TCP/80). �If they request a HTTPS site, Squid will CONNECT to the
>> > site and tunnel the data back to the client via HTTP.
>> >
>> > I have a scenario now where the entire stream needs to be HTTPS:
>> >
>> > <User>----(HTTPS)----<Squid>-----(HTTPS)----<Destination Server on
>> > Internet>
>> >
>> > How would I support this in Squid? �Would I need to add a "https_port"
>> > and install a SSL certificate on the proxy server? �Would the proxy
>> > server then decrypt data from the <User> and rencrypt it using
>> > <Destination Server's> SSL certificate on the way out to the Internet?
>> >
>> > Thanks,
>> >
>> > Josh
>> >
>> >
>
>
>
> --
> Registered Linux user no. 384430
>
Received on Sat May 08 2010 - 19:03:04 MDT

This archive was generated by hypermail 2.2.0 : Sun May 09 2010 - 12:00:04 MDT