Re: Chaining of SSL proxies

From: Duane Wessels <wessels@dont-contact.us>
Date: Mon, 03 Nov 97 08:32:29 -0800

ARMISTEJ@oeca.otis.com writes:

>Hi
>
>We're having some problem with regards to https / SSL pages that are
>outside our Intranet.
>
>We have Squid configured to use an upstream proxy (Netscape), and want
>to be able to access SSL pages. This is fine on our intranet, we just
>point the user's browser to Squid, and it works (via the CONNECT method).
>However, when it comes time to connect to an external SSL site (say
>Qantas' frequent flyer program, or some areas of www.microsoft.com),
>Squid can't do it because our proxy can't get outside the firewall. In
>some cases we have two Squids connected in a series-linked (son-parent)
>chain, then on to the Netscape proxy and then on to the firewall. This
>works great for HTTP and FTP, but falls down for SSL for the same
>reason.
>
>So, is there any way of
>
>1) Chaining proxies when using SSL, so that the firewall-enabled one is
>the one that goes outside our Intranet.
>
>AND/OR
>
>2) Making the browser use a different proxy depending on where the
>request is going i.e. based on the domain name.
>
>AND/OR
>
>3) Making the downstream Squids just pass on the request to the next
>"higher" proxy, and let the last proxy before the firewall (Netscape)
>handle SSL with the outside world.
>
>Examples of any method which works in this scenario would be
>appreciated. I have a feeling that automatic Javascript proxy selection
>(PAC files) may be the only way, however I don't know the first thing
>about how they work.

Squid currently has poor support for routing SSL requests. You might
not be able to make Squid forward the request as you need without
hacking the source code.

Your best bet would probably be Javascript...

Duane W.
Received on Mon Nov 03 1997 - 08:40:15 MST
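
The proxy auto-config (PAC) approach suggested in the reply, as an added example that is not part of the original thread: external https requests go straight to the firewall-enabled proxy, everything else stays on Squid. The proxy host names, ports, the intranet domain and the helper name isIntranetHost are assumptions made for illustration.

```javascript
// Added example, not from the original thread. All names below are
// placeholders for the site's own values.
const SQUID = "PROXY squid.intranet.example:3128";             // local Squid
const FIREWALL_PROXY = "PROXY netscape.intranet.example:8080"; // can leave the intranet
const INTRANET_DOMAIN = "intranet.example";

// True for unqualified names and for hosts inside the intranet domain.
// Written with plain string checks so the file also runs outside a browser.
function isIntranetHost(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  // Unqualified name such as "payroll"; a ":" means an IPv6 literal instead.
  if (h.indexOf(".") === -1 && h.indexOf(":") === -1) return true;
  // Match only at a label boundary, so "evilintranet.example" is NOT
  // treated as part of "intranet.example".
  return h === INTRANET_DOMAIN || h.endsWith("." + INTRANET_DOMAIN);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Intranet sites, SSL included, already work through Squid.
  if (isIntranetHost(host)) return SQUID;

  // Decide on scheme and host only, never on the URL path.
  const scheme = url.slice(0, url.indexOf(":")).toLowerCase();

  // External SSL: skip the Squid chain and send the CONNECT to the
  // proxy that is allowed through the firewall.
  if (scheme === "https") return FIREWALL_PROXY;

  // External HTTP and FTP keep using the Squid -> parent chain.
  // No "DIRECT" fallback is returned anywhere, so a proxy outage fails
  // closed instead of sending requests around the proxies.
  return SQUID;
}
```

The browser is pointed at this file through its automatic proxy configuration URL setting.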
