RE: [squid-users] Re: Encrypted traffic with proxy server?

From: Rick Whitley <rickwh@dont-contact.us>
Date: Thu, 15 Jul 2004 09:50:20 -0500

Does your configuration use proxy_auth and is the initial communication
encrypted? (dialogbox). Is there a place I can go to see examples of
this?
 

rick...
Rom.5:8

>>> Chris Perreault <Chris.Perreault@Wiremold.com> 7/14/2004 9:56:54 AM >>>

We've set up a reverse proxy with the --enable-ssl option. Our back end
webservers are http on port 80. Squid only accepts traffic from port 443.
The browsers are connecting to the proxy (run in accelerator/reverse
proxy mode). All traffic between internet users and the proxy is ssl.
From the proxy to our web servers it is not ssl.

A proxy is not the same as a reverse proxy, although it is close. One
solution would be to have 2 squid boxes in a server room, where the only
sniffing that could be done would have to be done within the server room.
Configure one as a reverse proxy, sending all traffic to the normal proxy.

Student PC --> ssl connection --> squid as reverse proxy in server room
  --> port 80 --> squid as proxy in server room --> internet webservers

Chris Perreault

-----Original Message-----
From: Adam Aube [mailto:aaube01@baker.edu]
Sent: Wednesday, July 14, 2004 10:31 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Encrypted traffic with proxy server?

Rick Whitley wrote:

> We would like to encrypt all network traffic on the segment our proxy
> server is on. Will a proxy server work with encrypted traffic? If I am
> asking this wrong please forgive me. We would like to remove the
> ability for users on this segment to sniff packets.

Squid supports encrypted connections to clients (use the --enable-ssl
configure option), but to date no known browser supports encrypted
connections to proxy servers.

You could use something like Stunnel (www.stunnel.org) on the client to
connect to the proxy, then have the browser use 127.0.0.1 as the proxy
server.

This is just a suggestion - I have not tried this exact setup, so I can't
say for sure if it will work.

Adam
Received on Thu Jul 15 2004 - 08:50:58 MDT
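
Added example, not part of the original thread and not taken from any poster's configuration: a sketch of the client-side Stunnel wrapper suggested above, with the matching Squid listener shown as a comment. The service name, host name, ports and file paths are placeholders, and it assumes Squid was built with --enable-ssl and accepts proxy requests on an https_port.

```ini
; ---- stunnel.conf on the student PC (constructed example) ----

; Run as a TLS client: accept plaintext locally, speak TLS to the proxy.
client = yes

; Placeholder service name.
[squid-proxy]

; Listen on loopback only, so the plaintext hop never leaves the PC and
; no other host on the segment can use this tunnel.
; The browser's HTTP proxy setting points at 127.0.0.1 port 3128.
accept = 127.0.0.1:3128

; Placeholder host and port of Squid's TLS listener.
connect = proxy.example.edu:3129

; Require the proxy's certificate to chain to this CA. Without this check
; the tunnel is encrypted but not authenticated, so a host on the same
; segment could still intercept it by impersonating the proxy.
CAfile = /etc/stunnel/proxy-ca.pem
verify = 2

; ---- matching listener in squid.conf on the proxy (placeholder paths) ----
; https_port 3129 cert=/etc/squid/proxy-cert.pem key=/etc/squid/proxy-key.pem
```

With this layout only the loopback hop on the PC and the hop from Squid out to the internet web servers carry unencrypted HTTP; the shared segment sees TLS only.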

This archive was generated by hypermail pre-2.1.9 : Sun Aug 01 2004 - 12:00:02 MDT