That's good to know.
With a transparent interception SSL-bump enabled Squid, I suppose I do not have to explicitly
configure anything in my https client, and that Squid must listen on the port my client is trying to
connect to (443) and that my squid.conf file must look something like this:
http_port 443 ssl-bump cert=/usr/local/squid3/etc/site_priv+pub.pem
where cert points to the location of a certificate designed to look like the certificate of the actual destination server (my reverse proxy).
In this case there is no http and no HTTP CONNECT required?
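For comparison with the single http_port line above, the following squid.conf fragment shows what a transparent-interception SSL-bump setup of the kind being discussed looks like in full. It is an added example, not configuration taken from this thread or from the Squid project, and it assumes Squid 3.5 syntax; every file path, the listening port and the helper location are placeholders to be adjusted to the installation.

```conf
# Added example (not from this thread): squid.conf fragment for transparent
# HTTPS interception with SSL bump, Squid 3.5 syntax.
# All paths under /usr/local/squid3 and the port number are assumptions.

# Client TLS traffic to port 443 is delivered here by the packet filter
# (a REDIRECT/DNAT rule on the gateway); 'intercept' tells Squid that the
# client sent no CONNECT and the original destination must be recovered.
# cert/key is the bumping CA: Squid mints a per-site certificate signed by
# it, so the client must trust this CA or its TLS verification will fail.
https_port 3130 intercept ssl-bump \
    cert=/usr/local/squid3/etc/bump-ca.pem \
    key=/usr/local/squid3/etc/bump-ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that generates and caches the per-site certificates.
sslcrtd_program /usr/local/squid3/libexec/ssl_crtd -s /usr/local/squid3/var/ssl_db -M 4MB

# Peek at the ClientHello (SNI) first, then bump: Squid terminates the
# client's TLS session and opens a fresh HTTPS connection to the origin,
# here the reverse proxy, so each hop carries exactly one layer of TLS.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# On the server side Squid is now the TLS client; verify the reverse proxy's
# certificate against the CA that issued it instead of accepting anything.
sslproxy_cafile /usr/local/squid3/etc/reverse-proxy-ca.pem
```

With this arrangement the client configures nothing and sends no CONNECT: it opens TLS to what it believes is the reverse proxy, and the packet filter hands that connection to Squid. Whether the client accepts the minted certificate depends entirely on the bumping CA being in its trust store, which is also why that CA key deserves the same protection as any other private key on the host. The non-intercept variant (an https_port without 'intercept') is different: there the client is explicitly configured to talk to the proxy, establishes TLS to it, and then still issues CONNECT inside that session.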
Yuri Voinov ---03/01/2015 12:52:26 PM---
From: Yuri Voinov <yvoinov@xxxxxxxxx>
To: Julianne Bielski/Raleigh/IBM@IBMUS
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx, squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
Date: 03/01/2015 12:52 PM
Subject: Re: [squid-users] question about encrypted connection between https client and Squid
01.03.15 23:45, Julianne Bielski writes:
> Normally my infrastructure looks like:
>
> client -- HTTP CONNECT (not encrypted) ---> proxy
> client ------ TCP tunnel ---> proxy --- TCP tunnel ---> reverse proxy
> client --- HTTPS application payload ---------------> reverse proxy
>
> Now I need it to look like:
>
> client -------- HTTPS application payload ----> proxy ---- HTTPS application payload ----> reverse proxy
No problem. This will work - and with only one encryption on every
stage. Proxy can pass both - CONNECT with tunneling to reverse proxy,
or bumped HTTPS connection.
In my installation this scheme works with most websites that use
reverse proxies. I use transparent interception SSL-bump enabled Squid.
>
> From: Yuri Voinov <yvoinov@xxxxxxxxx>
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Date: 03/01/2015 12:26 PM
> Subject: Re: [squid-users] question about encrypted connection between https client and Squid
> Sent by: "squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
>
> 01.03.15 23:18, Julianne Bielski writes:
>
>> I have an https client (not a browser) that normally connects to
>> a reverse proxy. When it needs to go through a forward proxy, it
>> requests a CONNECT tunnel. I now have a requirement to also be
>> able to encrypt the connection between my client and the forward
>> proxy, and I think this is possible using Squid and the
>> https_port directive (??)
> Yep.
>
>> My question is, will my https client now have to decrypt twice?
>> Once for the connection with the forward proxy and once for the
>> connection with the reverse proxy?
>
> Re-encryption will be performed only in case of SSL-bumped connections.
>
> But now I still can't imagine your infrastructure and how it must
> work.
>
>> Also, must my https client still send a CONNECT message to
>> Squid, or does it just connect to Squid's https_port at the TCP
>> level, perform the SSL handshake, and then open a TCP connection
>> to the reverse proxy?
>
> Still want to take a look at your infrastructure scheme.
>
>> Thanks,
>> J. Bielski
>
>> _______________________________________________ squid-users
>> mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users