Re: [SQU] Transparent vs. non-transparent proxy

From: Colin Campbell <sgcccdc@dont-contact.us>
Date: Fri, 2 Mar 2001 12:42:39 +1000 (EST)

Hi,

On Thu, 1 Mar 2001, Taylor, ForrestX wrote:

> I asked this question earlier, but I did not get an answer.
>
> Why can I not use transparent proxy for https???
>

Here's how a browser handles https with a proxy.

If you look at your browser (Netscape in my example) config you'll see
that the https proxy is exactly the same as your http proxy and probably
even your ftp proxy.

- user types: https://www.some.where/path
- browser connects to proxy (e.g. squid port 3128) and says

        CONNECT www.some.where:443

  All this goes in plain text.

- proxy makes tcp connection to port 443 on server www.some.where
- server starts SSL negotiations with browser
- proxy now just ferries packets back and forth
- inside the encrypted stream the browser sends

        GET /path

  and a whole lot of other HTTP headers.

The proxy cannot see anything in the stream because it's all encrypted.

Without a proxy configured in the browser:

- user types https://www.some.where/path
- browser connects to www.some.where port 443
- encryption negotiation takes place
- stream is encrypted

Since squid cannot cache the content (the outgoing URL is hidden in the
encrypted stream) there's no point putting the functionality into
squid. All that squid could do would be forward packets, slowing down the
stream.

Colin
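The exchange Colin describes, as an added example that is not part of the original post: a minimal CONNECT tunnel in Python. The proxy parses only the plaintext `CONNECT host:port` line, opens a TCP connection to that target, answers `200 Connection established`, and from then on copies bytes in both directions without interpreting them, so the TLS handshake and the `GET /path` inside it are opaque to it. Assumptions of the example: the port allow-list mirrors Squid's default `SSL_ports` ACL (443 only), which is the check a practitioner wants so the tunnel cannot be used to reach arbitrary ports such as SMTP; the `demo()` function replaces real TCP with `socketpair()` and a constructed byte string standing in for the encrypted stream so that it runs offline; `handle_client`, `parse_connect` and `demo` are names chosen here, not Squid's.

```python
import socket
import threading

ALLOWED_PORTS = frozenset({443})  # assumption: Squid default "acl SSL_ports port 443"


def parse_connect(request: bytes):
    """Parse the only part of an HTTPS request a proxy can read: the CONNECT line.

    Returns (host, port, leftover). `leftover` is whatever followed the header
    block in the same read; it is already the browser's first TLS bytes, so the
    proxy must forward it untouched rather than try to parse it as HTTP.
    """
    head, sep, leftover = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or parts[0] != b"CONNECT":
        raise ValueError("not a CONNECT request")
    host, colon, port_text = parts[1].decode("ascii").rpartition(":")
    if not colon or not host or not port_text.isdigit():
        raise ValueError("CONNECT target must be host:port")
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return host.strip("[]"), port, leftover  # strip brackets of an IPv6 literal


def _read_header_block(sock, limit=8192):
    """Read until the blank line that ends the headers; None on EOF or oversize."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) + len(chunk) > limit:
            return None
        buf += chunk
    return buf


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client, connect=socket.create_connection, allowed_ports=ALLOWED_PORTS):
    """Serve one browser connection; returns (host, port) after the tunnel closes,
    or None if the request was refused. `connect` is injectable for the demo."""
    def refuse(status):
        client.sendall(b"HTTP/1.1 " + status + b"\r\n\r\n")
        client.close()
        return None

    raw = _read_header_block(client)
    if raw is None:
        client.close()
        return None
    try:
        host, port, leftover = parse_connect(raw)
    except ValueError:
        return refuse(b"400 Bad Request")
    if port not in allowed_ports:
        return refuse(b"403 Forbidden")  # refused before any upstream connection
    try:
        upstream = connect((host, port))
    except OSError:
        return refuse(b"502 Bad Gateway")
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    if leftover:
        upstream.sendall(leftover)
    pumps = [threading.Thread(target=_pump, args=(client, upstream)),
             threading.Thread(target=_pump, args=(upstream, client))]
    for t in pumps:
        t.start()
    for t in pumps:
        t.join()
    client.close()
    upstream.close()
    return host, port


def demo(request, payload):
    """One in-process exchange: browser socket, proxy, and a stand-in origin that
    echoes whatever it receives (constructed, no network). Returns (target the
    proxy connected to or None, proxy status line, bytes echoed through the tunnel)."""
    browser, proxy_side = socket.socketpair()
    seen = {}

    def fake_connect(addr):  # stands in for socket.create_connection
        seen["target"] = addr
        proxy_end, origin = socket.socketpair()

        def echo():
            with origin:
                for chunk in iter(lambda: origin.recv(4096), b""):
                    origin.sendall(chunk)
        threading.Thread(target=echo, daemon=True).start()
        return proxy_end

    worker = threading.Thread(target=handle_client, args=(proxy_side,),
                              kwargs={"connect": fake_connect})
    worker.start()
    with browser:
        browser.sendall(request)
        status = (_read_header_block(browser) or b"").split(b"\r\n", 1)[0]
        echoed = b""
        if status.endswith(b"200 Connection established"):
            browser.sendall(payload)          # opaque to the proxy from here on
            browser.shutdown(socket.SHUT_WR)
            echoed = b"".join(iter(lambda: browser.recv(4096), b""))
    worker.join()
    return seen.get("target"), status, echoed


if __name__ == "__main__":
    req = b"CONNECT www.some.where:443 HTTP/1.0\r\nHost: www.some.where:443\r\n\r\n"
    print(demo(req, b"\x16\x03\x01\x00\x05hello"))  # constructed stand-in for TLS bytes
```

Everything after the blank line that ends the CONNECT headers is relayed verbatim, which is why the proxy has nothing to cache and the only policy it can enforce is on the host and port in that first line.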

Received on Thu Mar 01 2001 - 19:45:57 MST