Re: [squid-users] squid https

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 3 Sep 2008 17:28:02 +1200 (NZST)

> Amos Jeffries wrote:
>>> Indunil Jayasooriya wrote:
>>>
>>>>> Could you send me your squid.conf file from the version of squid 2.6,
>>>>> please?
>>>>>
>>>> this is the file on openbsd 3.4
>>>>
>>> Hi again ;
>>>
>>> This is your configuration and I cannot see any https configuration in
>>> it.
>>> This is a standard config. I just want to use
>>>
>>
>>
>>> redirected https and
>>>
>>
>> Not really possible without SSLBump (which means any Squid earlier than
>> 3.1/HEAD).
>>
>> Some have hacked up a simulation of HTTPS interception using
>> reverse-proxy
>> mode and https_port, but that breaks a lot of things in the network and
>> causes much grief to all users.
>>
>> If you want happy users, do away with the interception altogether.
>>
>>
>>> [redirected] ftp
>>>
>>
>> Not possible in any Squid. Squid is an HTTP proxy not an FTP proxy.
>> There is another proxy called 'Froxy' which can be used for that.
>>
>> Amos
>>
> Hi Amos ,
>
> If I use server_ip and squid_port with my browser, I mean without
> redirecting 80, 443, or 21, all of them work properly. Squid can do this
> perfectly. I do not understand why it does not work after redirecting them?
>

Because when your browser is configured to use a proxy, it sends
completely different protocol requests.

It wraps the FTP up in HTTP headers for Squid to understand what's going
on. For HTTPS it does not perform any encryption, or if Squid is
configured to allow it, it uses a single encryption key belonging to Squid
for all requests.

When configured to connect directly to the internet, the browser sends FTP
protocol requests across multiple ports simultaneously in a mixture of
binary and ASCII. And securely encrypts all traffic to HTTPS servers with
unique encryption keys for each destination.

Squid is not designed to intercept the FTP tangle. And the HTTPS
encryption is specifically designed to prevent quiet interception. Nobody
wants anyone playing with their private encrypted details without them
knowing.

Amos
Received on Wed Sep 03 2008 - 05:28:05 MDT
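
As an added illustration of the difference described in the message above (not part of the original mail and not Squid code), this Python sketch classifies the first bytes a listener receives from a client. The sample inputs, hostnames and result labels are constructed assumptions.

```python
import struct

# Constructed samples: the first bytes a listener sees in each situation.
SAMPLES = {
    # Browser explicitly configured to use the proxy
    "proxy_http": b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "proxy_ftp": b"GET ftp://ftp.example.com/pub/file.txt HTTP/1.1\r\n\r\n",
    "proxy_https": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    # Browser connecting directly, with ports 80/443/21 redirected to the proxy
    "redirected_http": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "redirected_https": bytes.fromhex("160301002e010000") + b"\x00" * 8,  # truncated
    "redirected_ftp": b"",  # an FTP client waits for the server's 220 greeting
}

METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def classify(first_bytes: bytes) -> str:
    """Label what kind of client traffic the first bytes represent."""
    if not first_bytes:
        return "no-data"
    # TLS record header: type 0x16 (handshake), major version 0x03, 2-byte length,
    # followed by handshake message type 0x01 (ClientHello).
    if len(first_bytes) >= 6 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        (record_len,) = struct.unpack("!H", first_bytes[3:5])
        if record_len > 0 and first_bytes[5] == 0x01:
            return "tls-client-hello"
    # Otherwise try to read an HTTP request line: METHOD SP target SP HTTP/x.y
    parts = first_bytes.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in METHODS and parts[2].startswith(b"HTTP/"):
        method, target = parts[0], parts[1]
        if method == b"CONNECT":
            return "proxy-connect"  # request for a tunnel to host:port
        if b"://" in target:
            scheme = target.split(b"://", 1)[0].decode("ascii", "replace").lower()
            return "proxy-absolute-uri:" + scheme  # e.g. FTP wrapped in HTTP
        if target.startswith(b"/"):
            return "origin-form-http"  # request written for the origin server
    return "unknown"


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:17} -> {classify(data)}")
```

Only the three `proxy_*` samples carry an HTTP request line naming the destination; the redirected HTTPS and FTP samples give an HTTP parser no request line to read.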
