On 3/03/2015 1:15 a.m., Julianne Bielski wrote:
>
> Amos,
>
> Per:
> There *is* a Right Way.
>
> It is this:
>
> 1) using this in squid.conf:
> https_port 3129 cert=/path/to/proxy.pem
>
> 2) client connects to 3129 using TCP, then performs TLS handshake.
>
> 3) client sends requests inside the encrypted connection as if they were
> HTTP to a proxy but using https:// URL scheme.
>
>
> If my client (it's not a browser) is an https client ultimately attempting
> to send its payload to a reverse proxy listening on 443, does this mean
> that I will have an encrypted payload inside of another encrypted payload?

No. You have one encryption layer, the TLS between the client and proxy.
The https:// scheme tells the proxy what to do with the requests,
including that they need to be kept secure on the outbound connection.

> Also, if I configure my client to send traffic to Squid at port 3129,
> then doesn't this mean I'm using Squid explicitly and not transparently?

That depends on what the other word in the phrase "transparent ..." is.

* Squid always performs "transparent HTTP" as much as it can with the
configuration you give it.

* It's up to you if the network performs "transparent autoconfiguration"
to deliver the proxy IP:port details to the client.

If by "transparently" you mean "transparent interception" then yes, it's
not that. The Right Way to use a proxy is explicitly.

Amos
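
The three steps quoted above, seen from the client side, as an added example that is not part of the original message or of Squid: one TLS handshake with the proxy on port 3129, then a proxy-style request carrying the full https:// URL. The function names, `origin.example`, `proxy.example.net` and the CA file path are assumptions made for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit


def build_proxy_request(url: str, method: str = "GET") -> bytes:
    """Step 3: a proxy-style request whose target is the full https:// URL."""
    if any(c in url for c in "\r\n\t "):
        raise ValueError("whitespace or CR/LF in URL")  # no header injection
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        raise ValueError("expected an absolute https:// URL without userinfo")
    if not method.isalpha():
        raise ValueError("invalid method")
    # Absolute-form target: scheme and host stay in the request line, so the
    # proxy knows the outbound connection must also be secured.
    target = urlunsplit(("https", parts.netloc, parts.path or "/", parts.query, ""))
    return (f"{method.upper()} {target} HTTP/1.1\r\n"
            f"Host: {parts.netloc}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def fetch_via_tls_proxy(url, proxy_host, proxy_port=3129, cafile=None, timeout=10.0):
    """Steps 2 and 3: TCP to the https_port, one TLS handshake, then the request."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies proxy cert + name
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as tcp:
        # The only TLS layer on this hop: client <-> proxy.
        with ctx.wrap_socket(tcp, server_hostname=proxy_host) as tls:
            tls.sendall(build_proxy_request(url))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Constructed sample; origin.example and proxy.example.net are placeholders.
    print(build_proxy_request("https://origin.example/api?x=1").decode())
    # fetch_via_tls_proxy("https://origin.example/", "proxy.example.net",
    #                     cafile="/path/to/proxy-ca.pem")
```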