Search squid archive

Re: question about encrypted connection between https client and Squid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Amos,

Per:
There *is* a Right Way.

It is this:

1) using this in squid.conf:
    https_port 3129 cert=/path/to/proxy.pem

2) client connects to 3129 using TCP, then performs TLS handshake.

3) client sends requests inside the encrypted connection as if they were
HTTP to a proxy but using https:// URL scheme.



If my client (it's not a browser) is an https client ultimately attempting to send its payload to a reverse proxy listening on 443, does this mean

that I will have an encrypted payload inside of another encrypted payload? Also, if I configure my client to send traffic to Squid at port 3129,
then doesn't this mean I'm using Squid explicitly and not transparently?


Inactive hide details for Amos Jeffries ---03/01/2015 08:39:01 PM---On 2/03/2015 9:55 a.m., Eliezer Croitoru wrote: > Hey Yuri,Amos Jeffries ---03/01/2015 08:39:01 PM---On 2/03/2015 9:55 a.m., Eliezer Croitoru wrote: > Hey Yuri,

From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Date: 03/01/2015 08:39 PM
Subject: Re: question about encrypted connection between https client and Squid
Sent by: "squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>





On 2/03/2015 9:55 a.m., Eliezer Croitoru wrote:
> Hey Yuri,
>
> On 01/03/2015 20:17, Yuri Voinov wrote:
>> Normally you never use CONNECT method over HTTP ports. This is
>> prohibited by squid basic security requirements.
>
> The above statement is true only if the proxy admin prohibit this.
> A CONNECT method can be allowed and can be used for any purpose what so
> ever the admin of the server sees right.
> There are basic default settings which allows the usage of a CONNECT
> method only to access specific "ssl safe ports".
>
> The "right" way (if these one) to access squid using an encrypted
> channel would be throw either a tunnel or another proxy which can
> forward the request into squid.

There *is* a Right Way.

It is this:

1) using this in squid.conf:
    https_port 3129 cert=/path/to/proxy.pem

2) client connects to 3129 using TCP, then performs TLS handshake.

3) client sends requests inside the encrypted connection as if they were
HTTP to a proxy but using https:// URL scheme.

Thats is *all*.

It is very simple. It works well with SSL-enabled Squid.

It avoids both the page-long list of NAT/TPROXY interception problems
and the other half-page list of SSL-bump hijacking related prblems.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

GIF image

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux