01.03.15 23:45, Julianne Bielski wrote:
> Normally my infrastructure looks like:
>
> client -- HTTP CONNECT (not encrypted) ---> proxy
> client ------ TCP tunnel ---> proxy --- TCP tunnel ---> reverse proxy
> client --- HTTPS application payload ---------------> reverse proxy
>
> Now I need it to look like:
>
> client -------- HTTPS application payload ----> proxy ---- HTTPS application payload ----> reverse proxy

No problem. This will work - and with only one encryption at every stage.
The proxy can pass both: CONNECT with tunneling to the reverse proxy, or a
bumped HTTPS connection.

In my installation this scheme works with most web sites that use reverse
proxies. I use a transparent-interception, SSL-bump-enabled Squid.

> From: Yuri Voinov <yvoinov@xxxxxxxxx>
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Date: 03/01/2015 12:26 PM
> Subject: Re: question about encrypted connection between https client and Squid
> Sent by: "squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
>
> 01.03.15 23:18, Julianne Bielski wrote:
>
>> I have an https client (not a browser) that normally connects to
>> a reverse proxy. When it needs to go through a forward proxy, it
>> requests a CONNECT tunnel. I now have a requirement to also be
>> able to encrypt the connection between my client and the forward
>> proxy, and I think this is possible using Squid and the
>> https_port directive (??)
>
> Yep.
>
>> My question is, will my https client now have to decrypt twice?
>> Once for the connection with the forward proxy and once for the
>> connection with the reverse proxy?
>
> Re-encryption will be performed only in the case of SSL-bumped connections.
>
> But now I still can't imagine your infrastructure and how it must
> work.
>
>> Also, must my https client still send a CONNECT message to
>> Squid, or does it just connect to Squid's https_port at the TCP
>> level, perform the SSL handshake, and then open a TCP connection
>> to the reverse proxy?
>
> Still want to take a look at your infrastructure scheme.
>
>> Thanks,
>
>> J. Bielski
>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users