RE: [squid-users] Outbound http -> https gateway

From: Steve Kapp <skapp@dont-contact.us>
Date: Mon, 5 Feb 2007 19:09:43 -0500

I am interested in b), having squid setup/teardown SSL connections to the
appropriate server so that the LAN traffic remains unencrypted. In the case
of b), will squid simply encapsulate the data and ignore the contents after
the SSL connection to the server has been established, or does it rely upon
the contents of the packet (i.e. is it well-formed HTTP)?

Any sample configurations available for b)?

Regards,

   Steve

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
Sent: Monday, February 05, 2007 5:51 PM
To: skapp@nfocal.com
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Outbound http -> https gateway

Mon 2007-02-05 at 16:47 -0500, Steve Kapp wrote:
> We need an HTTP->HTTPS translator so that internal network traffic may stay
> unencrypted, a requirement from some of our customers. I have seen this
> question asked previously about squid in the archives, and the answer seems
> to be 2.5+ssl patch offers this feature, as does 3.0.
>
> Does 2.6 also support this feature?

Yes.

> Also, does anyone have a sample config file that supports this setup?

There are three ways of using this depending on what your functionality
requirements are:

a) With Squid acting as an accelerator/reverse proxy for a defined list
of sites, upgrading these sites to https. You then use the ssl option to
cache_peer to wrap the request in SSL.

b) By using an HTTP client sending https:// URLs to Squid. Squid will
then maintain the SSL on behalf of the client.

c) Using a url rewriter helper to rewrite selected http:// URLs into
https:// per your own specifications, making Squid process the request
as a https:// request even if the client requested http://

It's also possible to extend Squid with the capability to decrypt
CONNECT SSL proxy requests allowing inspection of https traffic. Contact
me privately if you want a quote on implementing this feature.

Regards
Henrik
Received on Mon Feb 05 2007 - 17:09:58 MST
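
Option c) from the reply above, as an added example that is not code from the thread or from the Squid project: a helper for url_rewrite_program that upgrades http:// URLs to https:// for an exact-match host list only. It assumes the line-based helper protocol (one request per line beginning with the URL; the reply is the new URL, or an empty line for "no change") with helper concurrency off; the host names and the function names are constructed for illustration.

```python
#!/usr/bin/env python3
"""http -> https URL rewriter helper for Squid (illustrative, added example)."""
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed sample hosts: the sites that must be reached over SSL.
UPGRADE_HOSTS = {"partner.example.com", "api.example.net"}


def rewrite(url):
    """Return the https:// form of url if its host is listed, else ''."""
    try:
        parts = urlsplit(url)
        # .hostname drops any userinfo ("user@") and lower-cases the host,
        # so the comparison is on the real destination, not a substring.
        host = (parts.hostname or "").rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ""
    if parts.scheme.lower() != "http" or host not in UPGRADE_HOSTS:
        return ""
    if port not in (None, 80):
        # A non-default port has no known https equivalent: leave unchanged.
        return ""
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def handle_line(line):
    """Map one helper request line to one reply line (without newline)."""
    fields = line.split()
    # Only the first field (the URL) is used; client address, ident and
    # method follow it on the line and are ignored here.
    return rewrite(fields[0]) if fields else ""


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer


if __name__ == "__main__":
    main()
```

Any URL the helper does not recognise gets an empty reply, so an unlisted or malformed request passes through unchanged rather than being rewritten to an unintended host.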
