Re: [squid-users] HTTPS CONNECT issue

From: Joe Cooper <joe@dont-contact.us>
Date: Wed, 09 Jan 2002 06:54:21 -0600

Francis Turner wrote:

> Probably a dumb newbie question... although I did search the archives
> and stumbled on this thread :
> http://www.squid-cache.org/mail-archive/squid-users/200110/0178.html
>
> I'm trying to see if squid will transparently redirect HTTPS CONNECTS
> that it receives to a second (checkpoint) proxy/firewall. I think the
> answer is no it just does the CONNECT direct to the internet server and
> there is no way to change it.
>
> Just to be clear the network looks like this
> user - squid - chkpoint FW/proxy - Internet
>
> using the cache_peer parent option and the transparent proxy enabling
> options HTTP is successfully retrieved through the FW and cached. What I
> would like to do is receive my users' https://securehost requests and
> direct them to the checkpoint FW. But from observation what happens is
> that squid tries to set up the direct connect to the secure server
> instead, which doesn't work as the FW drops the traffic.
>
> Unfortunately the firewall is not under my control, so it is
> impossible for me to modify its behaviour to pass port 443 directly, so
> I think I will just have to add a static config for my users that tells
> them to use the checkpoint for SSL. Is this correct? (Yes I will
> investigate PAC but I'd rather everything was completely transparent so
> that users' browsers work automatically without any configuration)

Umm...You can't transparently redirect https to Squid under any
circumstances. Squid doesn't know what to do with a transparently
directed secured request.

In a transparent web cache configuration, you will leave the https port
(443) alone, allowing it to pass through untouched (so the server acts
as a very simple router for that traffic). If the Checkpoint can
operate transparently on port 443, then you shouldn't have any problems
with this. And if it can't, Squid still doesn't alter the situation at
all--you will still have to address the issue of proxying SSL explicitly
at the Checkpoint, not at the Squid machine.

-- 
Joe Cooper <joe@swelltech.com>
http://www.swelltech.com
Web Caching Appliances and Support
Received on Wed Jan 09 2002 - 05:53:18 MST
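The layout Joe describes (intercept plain HTTP into Squid, leave TCP/443 alone so the box acts as a plain router for HTTPS, and send cached HTTP up to the Checkpoint as a cache_peer parent), written out as an added example. This is not code from the thread or from the Squid project; the interface name, Squid port, Checkpoint hostname and port, and the helper names are assumptions, and the squid.conf directives are the Squid 2.x ones in use when this message was written.

```shell
#!/bin/sh
# Added example (not from the list thread): netfilter rules for a transparent
# Squid box that intercepts plain HTTP and deliberately leaves TCP/443 alone,
# so HTTPS passes through to the Checkpoint hop as ordinary routed traffic.
# Assumptions (hypothetical values): LAN interface eth0, Squid listening on 3128.
LAN_IF="${LAN_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"
IPT="${IPT:-iptables}"      # set IPT="echo iptables" for a dry run without root

apply_rules() {
    # HTTPS is accepted in the nat table before any REDIRECT can touch it:
    # Squid cannot handle an intercepted CONNECT, so 443 is simply forwarded.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 443 -j ACCEPT
    # Only plain HTTP is intercepted and handed to the local Squid.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    # Everything else from the LAN (including 443) is forwarded like a router would.
    $IPT -A FORWARD -i "$LAN_IF" -j ACCEPT
}

# Sanity check over a rule listing (e.g. output of "iptables -t nat -S PREROUTING"):
# returns non-zero if any rule would redirect port 443 into Squid.
check_https_untouched() {
    if printf '%s\n' "$1" | grep -e '--dport 443' | grep -q REDIRECT; then
        return 1
    fi
    return 0
}

# Squid 2.x directives the thread refers to: cache_peer parent for the
# Checkpoint plus the transparent-proxy (httpd_accel) options. The parent
# hostname and port are placeholders, not values from the thread.
squid_conf_fragment() {
    cat <<'EOF'
cache_peer checkpoint.example.invalid parent 8080 0 no-query default
never_direct allow all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
EOF
}

case "${1:-}" in
    apply)     apply_rules ;;
    show-conf) squid_conf_fragment ;;
esac
```

Run it as `sh script.sh apply` on the Squid host to install the rules, or `IPT="echo iptables" sh script.sh apply` to just print them. The order matters: the 443 ACCEPT sits in nat PREROUTING ahead of the REDIRECT so that, even if someone later widens the REDIRECT match, HTTPS still leaves the box untouched, which is exactly the situation Joe describes: the SSL proxying question has to be settled at the Checkpoint, not here.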