02.03.15 0:07, Julianne Bielski wrote:
> That's good to know.
>
> With a transparent interception SSL-bump enabled Squid, I suppose I
> do not have to explicitly configure anything in my https client,
> and that Squid must listen on the port my client is trying to
> connect to (443) and that my squid.conf file must look something
> like this:
>
> http_port 443 ssl-bump cert=/usr/local/squid3/etc/site_priv+pub.pem

http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key

The 443->3129 port mapping is done with NAT.

> where cert points to the location of a certificate designed to look
> like the certificate of the actual destination server (my reverse
> proxy).

With the config snippet above: no, cert must be self-signed and different from the reverse proxy's certificate.

> In this case there is no http and no HTTP CONNECT required?

Normally you never use the CONNECT method over HTTP ports. This is prohibited by squid's basic security requirements. This must be in squid.conf:

# Deny requests to unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

due to security reasons. In general, even a non-HTTPS-enabled squid can forward CONNECT over 443 to the server (in forwarding mode). To do that in transparent mode it must be configured with the https_port intercept keywords.

To know more about explicit bump look at this:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

> From: Yuri Voinov <yvoinov@xxxxxxxxx>
> To: Julianne Bielski/Raleigh/IBM@IBMUS
> Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx, squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
> Date: 03/01/2015 12:52 PM
> Subject: Re: question about encrypted connection between https client and Squid
>
> 01.03.15 23:45, Julianne Bielski wrote:
>> Normally my infrastructure looks like:
>>
>> client -- HTTP CONNECT (not encrypted) ---> proxy
>> client ------ TCP tunnel ---> proxy --- TCP tunnel ---> reverse proxy
>> client --- HTTPS application payload ---------------> reverse proxy
>>
>> Now I need it to look like:
>>
>> client -------- HTTPS application payload ----> proxy ---- HTTPS application payload ----> reverse proxy
>
> No problem. This will work - and with only one encryption on every
> stage. Proxy can pass both - CONNECT with tunneling to reverse
> proxy, or bumped HTTPS connection.
>
> In my installation this scheme works with most Web-sites that use
> reverse proxies. I use transparent interception SSL-bump enabled
> Squid.
>
>> From: Yuri Voinov <yvoinov@xxxxxxxxx>
>> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
>> Date: 03/01/2015 12:26 PM
>> Subject: Re: question about encrypted connection between https client and Squid
>> Sent by: "squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
>>
>> 01.03.15 23:18, Julianne Bielski wrote:
>>> I have an https client (not a browser) that normally connects
>>> to a reverse proxy. When it needs to go through a forward
>>> proxy, it requests a CONNECT tunnel. I now have a requirement
>>> to also be able to encrypt the connection between my client and
>>> the forward proxy, and I think this is possible using Squid and
>>> the https_port directive (??)
>> Yep.
>>
>>> My question is, will my https client now have to decrypt
>>> twice? Once for the connection with the forward proxy and once
>>> for the connection with the reverse proxy?
>> Re-encryption will be performed only in the case of SSL-bumped connections.
>>
>> But now I still can't imagine your infrastructure and how it
>> must work.
>>
>>> Also, must my https client still send a CONNECT message to
>>> Squid, or does it just connect to Squid's https_port at the
>>> TCP level, perform the SSL handshake, and then open a TCP
>>> connection to the reverse proxy?
>> I still want to take a look at your infrastructure scheme.
>>
>>> Thanks,
>>> J. Bielski
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> http://lists.squid-cache.org/listinfo/squid-users
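As an added example (not from the thread or from the Squid project), here is one way to assemble the pieces Yuri lists into a single transparent-interception squid.conf fragment: the intercept ports, the self-signed bump CA, and the Safe_ports/SSL_ports denies placed before any allow rule. It assumes Squid 3.5 ssl_bump syntax and the rootCA paths from the thread; the ACL port lists, client subnet, ssl_crtd path and the NAT rule are assumptions.

```conf
# Added example: transparent-interception SSL bump with the thread's ports.
# Assumes Squid 3.5 directive syntax; only the rootCA paths come from the
# thread, every other path and address is an assumption.

# Port ACLs: Safe_ports bounds plain HTTP targets, SSL_ports bounds where
# CONNECT may tunnel to.
acl SSL_ports  port 443
acl Safe_ports port 80 443
acl CONNECT    method CONNECT

# Deny requests to unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
# (both denies must stay ABOVE any "http_access allow" or they are bypassed)
http_access deny CONNECT !SSL_ports

acl localnet src 192.168.0.0/16          # assumed client range
http_access allow localnet
http_access deny all

# Intercepted plain HTTP (port 80 is redirected here by NAT)
http_port 3128 intercept

# Intercepted HTTPS (port 443 is redirected here by NAT). rootCA is a
# self-signed CA unrelated to the reverse proxy's certificate; clients must
# trust it or they will see certificate errors for every bumped site.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key

# Helper that mints the per-site certificates signed by rootCA (assumed path
# for a /usr/local/squid build; the cert cache dir must be initialised with
# "ssl_crtd -c -s <dir>" before squid starts)
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/ssl_db -M 4MB
sslcrtd_children 5

# Peek at the TLS ClientHello first (gets the SNI for the mimicked cert),
# then bump everything that reaches this port.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# The 443->3129 mapping lives outside squid.conf; on Linux, for example:
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-ports 3129
```

Run `squid -k parse` against the file before reloading; it rejects an https_port line whose CA files are unreadable and flags http_access rules that reference undefined ACLs.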