Search squid archive

Re: HTTPS on a port other than 81

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2/22/07, Adrian Chadd <adrian@xxxxxxxxxxxxxxx> wrote:
On Thu, Feb 22, 2007, Krzysztof Pawlak wrote:
> I have a problem with caching the following:

HTTPS content is inherently uncacheable.

> https://student.qantmcollege.edu.au:2096/
>
> If Firefox doesn't use proxy for the mentioned url, everything is
> fine. But if I activate proxy I have the following:

Unless you need to pass all traffic through a proxy  (e.g. for policy
reasons), there really isn't much reason to activate proxy for HTTPS,
it may be better to set Firefox to not use a proxy for HTTPS content.


Its because there's an ACL which limits which destination ports you can
speak HTTP to. THere's another ACL for HTTPS.

Check out the acl's to do with Safe_ports and the http_access lines which
use an ACL that references "method CONNECT" for the SSL safe ports.

The risk of enabling additional destination ports in the Safe_ports
ACL is that if you are forcing all the traffic through a proxy for
policy enforcement reasons, allowing additional destination ports
makes it much easier to use CONNECT tunneling for unapproved and
dangerous protocols.

There are other (commercial only, TMK) proxies which will inspect the
conversation after the connect to ensure it looks like real SSL/TLS,
and a handful which will actually do MITM decryption and re-encryption
so they can inspect the protocol inside TLS.

Kevin

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux