I am interested in b), having squid setup/teardown SSL connections to the appropriate server so that the LAN traffic remains unencrypted. In the case of b), will squid simply encapsulate the data and ignore the contents after the SSL connection to the server has been established, or does it rely upon the contents of the packet (i.e. is it well-formed HTTP)? Any sample configurations available for b)? Regards, Steve -----Original Message----- From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx] Sent: Monday, February 05, 2007 5:51 PM To: skapp@xxxxxxxxxx Cc: squid-users@xxxxxxxxxxxxxxx Subject: Re: Outbound http -> https gateway mån 2007-02-05 klockan 16:47 -0500 skrev Steve Kapp: > We need an HTTP->HTTPS translator so that internal network traffic may stay > unencrypted, a requirement from some of our customers. I have seen this > question asked previously about squid in the archives, and the answer seems > to be 2.5+ssl patch offers this feature, as does 3.0. > > Does 2.6 also support this feature? Yes. > Also, does anyone have a sample config file that supports this setup? There is three ways of using this depending on what your functionality requirements are: a) With Squid acting as an accelerator/reverse proxy for a defined list of sites, upgrading these sites to https. You then use the ssl option to cache_peer to wrap the request in SSL. b) By using a HTTP client sending https:// URLs to Squid. Squid will then maintain the SSL on behalf of the client. c) Using a url rewriter helper to rewrite selected http:// URLs into https:// per your own specifications, making Squid process the request as a https:// request even if the client requested http:// It's also possible to extend Squid with the capability to decrypt CONNECT SSL proxy requests allowing inspection of https traffic. Contact me privately if you want a quote on implementing this feature. Regards Henrik
