Chaining of SSL proxies

From: Armistead, Jason <>
Date: Mon, 03 Nov 1997 05:02:00 -0500


We're having some problems with regard to https / SSL pages that are
outside our Intranet.

We have Squid configured to use an upstream proxy (Netscape), and want
to be able to access SSL pages. This is fine on our intranet, we just
point the user's browser to Squid, and it works (via the CONNECT method).
However, when it comes time to connect to an external SSL site (say
Qantas' frequent flyer program, or some areas of,
Squid can't do it because our proxy can't get outside the firewall. In
some cases we have two Squids connected in a series-linked (son-parent)
chain, then on to the Netscape proxy and then on to the firewall. This
works great for HTTP and FTP, but falls down for SSL for the same

So, is there any way of

1) Chaining proxies when using SSL, so that the firewall-enabled one is
the one that goes outside our Intranet.


2) Making the browser use a different proxy depending on where the
request is going i.e. based on the domain name.


3) Making the downstream Squids just pass on the request to the next
"higher" proxy, and let the last proxy before the firewall (Netscape)
handle SSL with the outside world.

Examples of any method which works in this scenario would be
appreciated. I have a feeling that automatic Javascript proxy selection
(PAC files) may be the only way, however I don't know the first thing
about how they work.


Jason Armistead
Received on Sun Nov 02 1997 - 23:14:47 MST
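
Option 2 in the message above (the browser choosing a proxy by destination) is what a proxy auto-config (PAC) file does. The sketch below is an added example, not part of the original message; the proxy host names, ports and intranet domain are hypothetical placeholders.

```javascript
// Hypothetical values: replace with the real proxies and intranet domain.
var SQUID = "PROXY squid.intranet.example:3128";       // local Squid cache
var GATEWAY = "PROXY netscape.intranet.example:8080";  // proxy allowed through the firewall
var INTRANET_DOMAIN = ".intranet.example";

// True for unqualified names ("wiki") and for names inside the intranet domain.
// PAC engines also provide isPlainHostName() and dnsDomainIs() for this; plain
// string code is used here so the file can be tested outside a browser.
function isInternalHost(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;
  // Suffix match including the leading dot, so "notintranet.example"
  // is not mistaken for an intranet host.
  var tail = host.length - INTRANET_DOMAIN.length;
  return tail >= 0 && host.indexOf(INTRANET_DOMAIN, tail) === tail;
}

// The browser calls this for every request and uses the returned proxy.
function FindProxyForURL(url, host) {
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (isInternalHost(host)) return SQUID;   // intranet, SSL included, stays on Squid
  if (scheme === "https") return GATEWAY;   // external SSL: CONNECT goes to the firewall-enabled proxy
  return SQUID;                             // external HTTP/FTP keeps using the Squid chain
}
```

The browser is pointed at the URL of this file in its automatic proxy configuration setting instead of at a fixed proxy.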
