RE: [squid-users] fedora, squid, cisco, transparent proxy and https/ssl

From: Elsen Marc <elsen@dont-contact.us>
Date: Thu, 20 Jan 2005 07:44:48 +0100

 
>
> Hi Everyone,
>
> We have squid 2.5 set up and working beautifully as a transparent proxy. Our
> cisco firewall/router redirects the traffic outbound on port 80 to the squid
> box and it in turn is filtered and sent on its merry way.
>
> Our problem lies with the https traffic, which we are not rerouting at the
> cisco box because we realize that squid can't and shouldn't proxy that type
> of traffic. The problem is, on and off we seem to have reliability with our
> ssl connections. It appears to be an issue when a site redirects from an
> insecure to secure page, such as when you are checking out at an ecommerce
> site.
>

  Transparent proxying has drawbacks as mentioned in:

       http://www.squid-cache.org/mail-archive/squid-users/200501/0012.html

 Besides the points mentioned in there, there is another subtle issue to
 mention:
 Some sites may enforce extra steps in authenticating users over
 secure 'links' (ssl), in the way that a connection is switched during
 a 'logon' sequence from http to https (for instance); then the remote
 webserver may check whether all connections come from the same ip and
 reject users if they don't.

 Now in your case subsequent http -> https connections may not come
 from the same ip and hence the e-commerce site may refuse a login.

 Check whether this works when the browser is configured to use
 squid directly through proxy config mechanisms.

 M.
Received on Wed Jan 19 2005 - 23:46:06 MST
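
The source-IP mismatch described in the reply above, as a small simulation added here (it is not part of the original message or of Squid). The addresses, the `IpPinnedSite` class and the two-step checkout are constructed for illustration, and the code assumes the Squid box and the Cisco box present different source addresses to the remote site.

```python
"""Simulation: a site that pins a session to the first source IP it sees."""

# Constructed addresses (RFC 5737 documentation range), not from the thread.
SQUID_IP = "192.0.2.10"        # assumed source address of Squid's outbound requests
FIREWALL_NAT_IP = "192.0.2.1"  # assumed source address of traffic that bypasses Squid


def egress_ip(mode, scheme):
    """Return the source IP the remote web server sees for one connection.

    mode "intercept": only port 80 is redirected to Squid; HTTPS leaves
                      directly through the firewall.
    mode "explicit":  the browser is configured to use Squid, so plain HTTP
                      requests and HTTPS CONNECT tunnels both originate
                      from the Squid box.
    """
    if mode == "explicit":
        return SQUID_IP
    if mode == "intercept":
        return SQUID_IP if scheme == "http" else FIREWALL_NAT_IP
    raise ValueError(f"unknown mode: {mode}")


class IpPinnedSite:
    """Hypothetical remote site that rejects a session whose IP changes."""

    def __init__(self):
        self.sessions = {}  # session id -> source IP recorded at first request

    def request(self, session_id, src_ip):
        pinned = self.sessions.setdefault(session_id, src_ip)
        return "200 OK" if pinned == src_ip else "403 session IP mismatch"


def checkout(mode):
    """Browse over HTTP, then follow the redirect to the HTTPS checkout."""
    site = IpPinnedSite()
    steps = [("http", "/cart"), ("https", "/checkout")]
    return [(path, site.request("sess-1", egress_ip(mode, scheme)))
            for scheme, path in steps]


if __name__ == "__main__":
    for mode in ("intercept", "explicit"):
        print(mode, checkout(mode))
```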
