This configuration here covers the use case described by the OP:
https://gist.githubusercontent.com/splashx/758ff0c59ea291f32edafc516fdaad73/raw/8050fa054821657812961050332b38a56e7e3e68/
If everything works well, you'll notice you won't support HTTP proxy at all, but users can reach both HTTP and HTTPS target websites via your HTTPS proxy.
# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 32109/sshd
tcp6 0 0 :::80 :::* LISTEN 26627/apache2
tcp6 0 0 :::3443 :::* LISTEN 7303/(squid-1)
tcp6 0 0 :::22 :::* LISTEN 32109/sshd
The user connects to the proxy ONLY via HTTPS Proxy on port 3443
All traffic between the OP and the proxy is encrypted using TLS.
A) If the user enters http://target.example.com, between the proxy and the target you'll see HTTP.
B) If the user enters https://target.example.com, between the proxy and the target you'll see HTTPS.
If you sniff the traffic between the client and the proxy, you'll see TLS.
Tested with:
$ /Applications/Firefox\ 2.app/Contents/MacOS/firefox -v
Mozilla Firefox 48.0
Firefox set up to use PAC: Preferences > Advanced > Network > Settings: "Automatic Proxy Configuration": http://squid.example.com/proxy.pac
The downside here of course is the limited amount of clients supporting HTTPS Proxy settings.
Dio
On Wed, Aug 24, 2016 at 3:46 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Just to rewind this conversation to the actual problem ...
On 24/08/2016 11:42 p.m., Samuraiii wrote:
> On 24.8.2016 13:18, Antony Stone wrote:
>> Unfortunately it's not Squid that's the challenge - it's the browser.
>>
>> If you're using Firefox and/or Chrome, you should be okay.
>>
>> See "Encrypted browser-Squid connection" at the bottom of
>> http://wiki.squid-cache.org/Features/HTTPS
>>
>>
>> Antony.
>>
> I have seen that, it is the cause of my subscription to this list.
> I haven't been able to find any usable hints.
> My config attempt fails
>
<snip>
>
> https_port 8443 \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> tls-dh=/etc/ssl/certs/dhparam.pem \
> sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> cipher=HIGH
As Dio mentioned the cleintca= (or rather clientca=) is for
authenticating client certificates. Don't use that unless you are
requiring client certs in TLS.
The rest of your config looks reasonable to me. I suspect you have found
a bug introduced during all the SSL-Bump code changes. Please make a
bugzilla report and include your exact Squid version (found with the
'squid -v' command), the https_port line(s) and the exact error message
produced on startup.
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
--------
Diogenes S. de Jesus
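A PAC file of the kind the "Automatic Proxy Configuration" setting at the top of this thread points at, written here as an added example (it is not the gist linked in the post). It assumes the proxy hostname squid.example.com and port 3443 from the thread; the bypass rules for the proxy host itself and for unqualified intranet names are assumptions.

```javascript
// proxy.pac (constructed example). Firefox calls FindProxyForURL() once per
// request and uses the returned proxy string.
//
// The "HTTPS host:port" proxy type makes the browser open a TLS connection to
// the proxy itself. Inside that tunnel it sends ordinary proxy requests:
// "GET http://..." for HTTP targets and "CONNECT host:443" for HTTPS targets.
// That is why a sniffer between client and proxy only sees TLS, while the
// proxy-to-target leg is HTTP or HTTPS depending on the URL the user typed.
var PROXY = "HTTPS squid.example.com:3443";   // hostname/port from the thread

// Hosts that must not be sent through the proxy (assumed policy): the proxy /
// PAC server itself (it would otherwise loop through itself), loopback, and
// unqualified single-label intranet names.
function bypassProxy(host) {
  var h = host.toLowerCase();
  if (h === "squid.example.com") return true;       // the proxy/PAC host itself
  if (h === "localhost" || h === "127.0.0.1") return true;
  if (h.indexOf(".") === -1) return true;           // e.g. "intranet"
  return false;
}

function FindProxyForURL(url, host) {
  if (bypassProxy(host)) return "DIRECT";
  // Both http:// and https:// URLs go to the same HTTPS proxy. No "DIRECT"
  // fallback is listed after it, so if the TLS proxy is unreachable the
  // request fails instead of silently leaving the tunnel.
  return PROXY;
}
```

Serve the file from the web server on port 80 seen in the netstat output (apache2 in the thread) with the MIME type application/x-ns-proxy-autoconfig, and point Firefox at its URL as described above.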