Amos,

Per:

> There *is* a Right Way.
>
> It is this:
>  1) using this in squid.conf:
>       https_port 3129 cert=/path/to/proxy.pem
>  2) client connects to 3129 using TCP, then performs TLS handshake.
>  3) client sends requests inside the encrypted connection as if they
>     were HTTP to a proxy but using https:// URL scheme.

If my client (it's not a browser) is an https client ultimately attempting to send its payload to a reverse proxy listening on 443, does this mean that I will have an encrypted payload inside of another encrypted payload?

Also, if I configure my client to send traffic to Squid at port 3129, then doesn't this mean I'm using Squid explicitly and not transparently?


From: Amos Jeffries <squ...@treenet.co.nz>
To: squid-users@lists.squid-cache.org
Date: 03/01/2015 08:39 PM
Subject: Re: [squid-users] question about encrypted connection between https client and Squid
Sent by: "squid-users" <squid-users-boun...@lists.squid-cache.org>

On 2/03/2015 9:55 a.m., Eliezer Croitoru wrote:
> Hey Yuri,
>
> On 01/03/2015 20:17, Yuri Voinov wrote:
>> Normally you never use CONNECT method over HTTP ports. This is
>> prohibited by squid basic security requirements.
>
> The above statement is true only if the proxy admin prohibits this.
> A CONNECT method can be allowed and can be used for any purpose
> whatsoever the admin of the server sees right.
> There are basic default settings which allow the usage of a CONNECT
> method only to access specific "ssl safe ports".
>
> The "right" way (if these one) to access squid using an encrypted
> channel would be through either a tunnel or another proxy which can
> forward the request into squid.

There *is* a Right Way.

It is this:
 1) using this in squid.conf:
      https_port 3129 cert=/path/to/proxy.pem
 2) client connects to 3129 using TCP, then performs TLS handshake.
 3) client sends requests inside the encrypted connection as if they
    were HTTP to a proxy but using https:// URL scheme.

That is *all*. It is very simple. It works well with SSL-enabled Squid.
It avoids both the page-long list of NAT/TPROXY interception problems and the other half-page list of SSL-bump hijacking related problems.

Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
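An added example, not taken from this thread or from the Squid project, of a non-browser client performing steps 2 and 3 of the procedure above in Python: it opens a TCP connection to the proxy's https_port, completes a TLS handshake in which the proxy's certificate is verified against a CA file (rather than verification being switched off), and then sends an ordinary proxy-form HTTP/1.1 request whose request line carries an absolute https:// URL inside that encrypted channel. The proxy hostname "proxy.example.internal", the CA bundle path, the target URL and the User-Agent string are placeholders of my own; port 3129 is the one from the squid.conf line in the thread.

```python
from __future__ import annotations

import socket
import ssl
from urllib.parse import urlsplit

# Assumed defaults for this example; only the port comes from the thread.
PROXY_HOST = "proxy.example.internal"   # hypothetical name on the proxy's cert
PROXY_PORT = 3129                        # https_port 3129 from the squid.conf line
PROXY_CA_FILE = "/path/to/proxy-ca.pem"  # CA that issued /path/to/proxy.pem (placeholder)


def build_proxy_request(url: str, method: str = "GET") -> bytes:
    """Build a proxy-form HTTP/1.1 request: the request line carries the
    absolute URL (https://host/path), exactly as a client talks to a plain
    HTTP proxy, but the scheme is https://."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("absolute http(s) URL required")
    host_hdr = parts.hostname + (f":{parts.port}" if parts.port else "")
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    request_line = f"{method} {parts.scheme}://{host_hdr}{target} HTTP/1.1"
    headers = [
        f"Host: {host_hdr}",
        "User-Agent: tls-proxy-client-example/0.1",
        "Connection: close",
    ]
    return ("\r\n".join([request_line, *headers]) + "\r\n\r\n").encode("ascii")


def make_proxy_tls_context(proxy_ca_file: str) -> ssl.SSLContext:
    """TLS context for the hop to the proxy: require a certificate chaining to
    the given CA and check that its name matches the proxy hostname."""
    ctx = ssl.create_default_context(cafile=proxy_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def parse_status_line(raw: bytes) -> tuple[str, int, str]:
    """Parse 'HTTP/1.1 200 OK' from the start of a raw response; the reason
    phrase may legitimately be empty."""
    first = raw.split(b"\r\n", 1)[0].decode("iso-8859-1")
    fields = first.split(" ", 2)
    if len(fields) < 2 or not fields[0].startswith("HTTP/") or not fields[1].isdigit():
        raise ValueError(f"malformed status line: {first!r}")
    reason = fields[2] if len(fields) == 3 else ""
    return fields[0], int(fields[1]), reason


def fetch_via_tls_proxy(
    url: str,
    proxy_host: str = PROXY_HOST,
    proxy_port: int = PROXY_PORT,
    proxy_ca_file: str = PROXY_CA_FILE,
    timeout: float = 10.0,
) -> tuple[tuple[str, int, str], bytes]:
    """Step 2: TCP connect to the https_port and run the TLS handshake with
    the proxy.  Step 3: send the proxy-form request inside that session and
    read the response until the proxy closes the connection."""
    ctx = make_proxy_tls_context(proxy_ca_file)
    chunks: list[bytes] = []
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
        # server_hostname is what the proxy's certificate is verified against.
        with ctx.wrap_socket(raw, server_hostname=proxy_host) as tls:
            tls.sendall(build_proxy_request(url))
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    response = b"".join(chunks)
    return parse_status_line(response), response


if __name__ == "__main__":
    status, body = fetch_via_tls_proxy("https://example.com/")
    print(status)
    print(body[:200])
```

The only TLS session the client itself sets up here is the one to the proxy; what it sends inside that session is a cleartext proxy request naming the https:// origin, so whether to disable hostname checking or use a self-signed proxy certificate is a decision about trusting the proxy hop, and the context above deliberately keeps verification on.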