Re: [SQU] transparent proxy of https needed (I have RTFM'd)

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 25 Feb 2001 07:57:42 +0100

Ian wrote:

> Perhaps you didn't read the entirety of my post. I understand
> that it is impossible to proxy SSL, however, squid _can_ handle
> https traffic, right? It does this by doing the equivalent of
> masquerading, and thus providing a non-cached, direct connection
> to the requested url on the client's behalf. This is what I have
> gathered from my research, if I am incorrect with this statement
> I do apologise.

Squid can tunnel SSL when requested by an HTTP user-agent, as defined
in Netscape's documentation on how to tunnel SSL (or other
connection-oriented non-HTTP protocol streams) via HTTP proxies.

This involves an HTTP method (CONNECT) for establishing the tunnel.

This is NOT the same as NAT (or masquerade which is one subset of NAT).
This is done at the application level, while NAT is performed at packet
level.

> I wish to "proxy"/NAT/masquerade/<insert correct term> https
> requests transparently. Squid handles https traffic when the
> browser sets it proxy explicitly to squid, so why can't this
> work if use squid transparently?

Because Squid does NOT support transparent TCP tunnels out of nothing.
Squid only understands HTTP. It has a (quite gross, but not as gross as
the packet redirection in the first place) hack for being able to
transparently proxy HTTP which fits quite nicely as it is only some
minor modifications to the data flow, the base protocol is still HTTP.

Doing the same for https connections requires a new listening port to be
created where to locally accept those connections and feed them into the
proxy engine in Squid as if they had been received as CONNECT requests
on the http_port, and naturally no information besides the
source/destination IP addresses/ports can be reconstructed.

So yes, it is possible to code a transparent proxy/tunnel for https
traffic, but no, Squid does not support this as the functionality is
quite far from being a HTTP proxy.

You are welcome to try to implement it in Squid if you so like (should
be about one page of code) and for a fee I might even do it for you, but
this is not an option I will spend my own resources on.

--
Henrik Nordstrom
Squid Hacker
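An added illustration of the two points Henrik makes above (my code, not Squid's and not posted anywhere in this thread): the CONNECT exchange an HTTP user-agent performs with a proxy, handled at the application level, and the request a hypothetical transparent https listener could synthesise when all it has recovered from the redirected packet is the destination IP and port. The function names, the `allowed_ports` policy (standing in for the kind of per-port CONNECT restriction a real proxy such as Squid applies), the 403 refusal and the loopback echo "origin" are my choices, and the payload is constructed sample data; nothing here is Squid's implementation.

```python
import socket
import threading

CONNECT_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
CONNECT_DENIED = b"HTTP/1.1 403 Forbidden\r\n\r\n"


def build_connect_request(dst_ip, dst_port):
    # What a transparent https listener could synthesise: the redirected packet
    # yields only the original destination IP and port, never a hostname.
    authority = "%s:%d" % (dst_ip, dst_port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (authority, authority)).encode("ascii")


def parse_connect_request(data):
    # Proxy side: accept exactly 'CONNECT host:port HTTP/1.x'; reject anything else.
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        raise ValueError("not a CONNECT request: %r" % request_line)
    host, colon, port = parts[1].rpartition(":")
    if not colon or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad authority: %r" % parts[1])
    return host, int(port)


def _read_head(sock, limit=8192):
    # Read until the blank line that ends an HTTP head (or EOF / size limit).
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _pump(src, dst):
    # Copy src -> dst until EOF, then half-close dst.  Nothing is parsed here:
    # once the tunnel is up the proxy carries TLS (or anything else) opaquely.
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle_client(client, allowed_ports):
    # One proxy connection: parse the head, enforce the (hypothetical) port policy,
    # connect upstream, answer 200, then relay bytes in both directions.
    buf = _read_head(client)
    try:
        host, port = parse_connect_request(buf)
        if port not in allowed_ports:
            raise PermissionError(port)
        upstream = socket.create_connection((host, port))
    except (ValueError, PermissionError, OSError):
        client.sendall(CONNECT_DENIED)
        client.close()
        return
    client.sendall(CONNECT_OK)
    leftover = buf.partition(b"\r\n\r\n")[2]  # client bytes already past the head
    if leftover:
        upstream.sendall(leftover)
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)


def _serve(handler):
    # Listen on an ephemeral loopback port; hand each accepted socket to handler.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def loop():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]


def run_demo():
    # Loopback demo: an echo "origin" behind the proxy; one tunnel accepted, one refused.
    origin_port = _serve(lambda c: _pump(c, c))
    allowed = {origin_port}  # stands in for a 443-only policy in a real deployment
    proxy_port = _serve(lambda c: _handle_client(c, allowed))
    payload = b"opaque bytes, e.g. a TLS ClientHello"  # constructed sample data
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as c:
        c.sendall(build_connect_request("127.0.0.1", origin_port))
        status = _read_head(c).split(b"\r\n", 1)[0]
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        echoed = b"".join(iter(lambda: c.recv(4096), b""))
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as c:
        c.sendall(build_connect_request("127.0.0.1", 25))  # port outside the policy
        denied = _read_head(c).split(b"\r\n", 1)[0]
    return {"status": status, "echoed": echoed, "denied": denied}
```

Calling `run_demo()` drives one tunnel through the proxy and returns the 200 status line, the payload echoed back through it, and the 403 line for a refused port. The request the proxy parses in the accepted case carries a bare IP literal as the authority, which is exactly the limitation Henrik points out: an intercepting listener can feed such a synthesised CONNECT into the proxy engine, but the hostname the browser had in mind is not recoverable from the packet.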
Received on Sun Feb 25 2001 - 05:24:29 MST
