On 3/02/2016 1:20 p.m., Antony Stone wrote:
> On Wednesday 03 February 2016 at 01:17:16, user wrote:
>
>> My understanding of the url rewrite program is that the proxy will redirect
>> the URL and the client will make a new request
>
> OK rewrite-url="..."
>     Rewrite the URL to the one supplied in 'rewrite-url='.
>     The new URL is fetched directly by Squid and returned to
>     the client as the response to its request.
>

But be aware that the action violates both HTTP and HTTPS specifications. In particular it violates the protocol behaviour guarantees of both, and security requirements of HTTPS. Leaving the server and client with out-of-sync information about their communication state.

>> On Tuesday, February 2, 2016 4:10 PM, Antony Stone wrote:
>>
>> On Wednesday 03 February 2016 at 01:04:37, user wrote:
>>> When client sends a http request (say. http://www.abc123.com, I would
>>> like my squid proxy to make this request into https
>>> (https://www.abc123.com)
>>>

Please consider the consequences carefully. By doing that you are taking onto your own shoulders full responsibility for the security and privacy breaches which *will* happen as a result.

If you think that http:// and https:// URLs are the same, then you are dangerously mistaken. Even when they produce the same objects the server internal state is associating the https:// URL with a lot of sensitive data. Some of which may be transmitted either in the content payload itself, or in the metadata under the guarantee that https:// is _secured_ end-to-end (which is subtly different from 'encrypted').

By providing this gateway you are opening the entire 'secured' server context to trivial surveillance, hijacking, and corruption/modification by any HTTP (port 80) MITM. Which completely defeats the entire purpose of https:// (port 443) service existing for that domain.

Rather than raising the domain HTTP access to being as secure as HTTPS, it does the opposite - lowers the entire traffic to being *worse* security than HTTP plain-text.

Amos
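
Added example, not part of the thread and not Squid's own code: a url_rewrite_program helper that answers http:// requests with a redirect (`OK status=301 url="..."`) rather than `rewrite-url=`, so the client itself makes the https:// request and client and server agree on the state of the connection. The function name `answer`, the 301 status choice and the sample request lines in the comments are assumptions made for this illustration.

```python
#!/usr/bin/env python3
# Added example: Squid url_rewrite_program helper that redirects instead of rewriting.
import sys
from urllib.parse import urlsplit, urlunsplit

REDIRECT_STATUS = 301  # assumption: a permanent redirect is wanted


def answer(line: str) -> str:
    """Build the helper reply for one request line received from Squid."""
    fields = line.split()
    prefix = ""
    # With helper concurrency enabled, Squid prefixes each line with a numeric
    # channel-ID that has to be echoed at the start of the reply.
    if fields and fields[0].isdigit():
        prefix = fields.pop(0) + " "
    if not fields:
        return prefix + "ERR"
    try:
        parts = urlsplit(fields[0])
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return prefix + "ERR"
    # ERR tells Squid to leave the request as it is. That covers https:// URLs,
    # CONNECT targets such as "host:443", and anything that is not plain http://.
    if parts.scheme != "http" or not parts.hostname:
        return prefix + "ERR"
    # An explicit non-default port has no known https:// equivalent: do not guess.
    if port not in (None, 80):
        return prefix + "ERR"
    netloc = parts.netloc if port is None else parts.netloc.rsplit(":", 1)[0]
    url = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    # Keep the quoted value well-formed in the helper reply.
    url = url.replace("\\", "%5C").replace('"', "%22")
    return f'{prefix}OK status={REDIRECT_STATUS} url="{url}"'


if __name__ == "__main__":
    # Constructed sample input line, in the shape Squid sends to the helper:
    #   http://www.abc123.com/ 192.0.2.10/- - GET myip=192.0.2.1 myport=3128
    for request_line in sys.stdin:
        print(answer(request_line), flush=True)
```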