Re: [squid-users] icap and https

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 01 Mar 2011 22:23:06 +1300

On 01/03/11 21:49, arielf wrote:
> Hello,
>
> I am trying to use Squid as proxy so that traffic goes through an icap
> service I built and continues to intended site. I will have several clients
> (browsers) that are accessing several server sites.
> I need help configuring https correctly :(
>
> I tried testing out my configuration using a browser from ip: 9.148.16.192
> I used firefox foxyproxy plugin to direct http traffic to 9.148.26.247:3128
> and https to 3129 (machine/ports where my squid is listening, checked this
> with netstat)
>
> I started testing two sites, one http and another https:
> 1. http://mydomain.com/MyCRM/index.php
> 2. https://9.148.26.247:8443/ - this site runs on tomcat that I
> configured with mykey.jks
>
> when I start I get all OK messages:
> 2011/03/01 08:23:40| Accepting HTTP connections at [::]:3128, FD 15.
> 2011/03/01 08:23:40| Accepting HTTPS connections at [::]:3129, FD 16.
> 2011/03/01 08:23:40| HTCP Disabled.
> 2011/03/01 08:23:40| Configuring Parent 9.148.16.192/3129/0
>
> when I try site 1 (http) all seems to work fine.
> however when I try site 2, I get an error:
> 2011/03/01 08:37:54| clientNegotiateSSL: Error negotiating SSL connection on
> FD 12: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy
> request (1/-1)
>
> where am I going wrong??

The wrong step is in using https_port to receive traffic from the
browser. Those ports are for receiving an SSL/TLS encrypted connection.
None of the popular browsers support such encryption on the link between
themselves and proxies.

The browser wraps https:// inside a plain-text HTTP method called
CONNECT and sends it to the Squid port. The encrypted part goes through
a tunnel the CONNECT creates.

This error message about negotiating is due to https_port failing to
decrypt the non-encrypted CONNECT.

In order to break into the CONNECT requests you will need the ssl-bump
mode enabled on the normal http_port. Then send both HTTP and HTTPS
traffic to the same proxy port via regular browser proxy settings.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
Received on Tue Mar 01 2011 - 09:23:11 MST
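The mechanics behind Amos's answer, as an added example that is not part of the original thread or the Squid project: a small classifier for the first bytes that land on a proxy listening port. A browser opening an https:// URL through a proxy sends the plain-text request line "CONNECT host:port HTTP/1.1" first; a TLS ClientHello record (content type 0x16, version 0x03 0x0x, then handshake type 0x01) only follows inside the tunnel. An https_port hands the socket to OpenSSL straight away, and the "https proxy request" reason in the log is OpenSSL's own name for finding the literal bytes "CONNECT " where a ClientHello should be. The sample bytes, host and port below are constructed for the example; port_accepts() models the two Squid directives' expectations and is this example's helper, not a Squid API.

```python
"""Classify what actually arrives on a proxy listening port.

Added example, not code from the original thread or from Squid. It shows why
an https_port cannot serve browser HTTPS traffic: the first bytes are a
plain-text CONNECT request, not a TLS ClientHello record. All sample bytes
below are constructed for this example.
"""
import re

# A TLS record starts with a content type byte (0x16 = handshake) and a 2-byte
# protocol version (0x03 0x00 .. 0x03 0x04). After the 2-byte record length the
# handshake message type follows; 0x01 is ClientHello.
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01

_HTTP_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-client-hello', 'http-connect', 'http-request' or 'unknown'."""
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == TLS_CLIENT_HELLO):
        return "tls-client-hello"
    m = _HTTP_REQUEST_LINE.match(data)
    if m is None:
        return "unknown"
    return "http-connect" if m.group(1) == b"CONNECT" else "http-request"


def build_connect_request(host: str, port: int) -> bytes:
    """The plain-text CONNECT a browser sends to a proxy before any TLS bytes."""
    authority = f"{host}:{port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")


def parse_connect_target(data: bytes):
    """Extract (host, port) from a CONNECT request line, or None.

    Without ssl-bump this endpoint is the only clear-text fact the proxy (and
    any ICAP service behind it) learns about the HTTPS session; the URL path
    and headers stay inside the encrypted tunnel.
    """
    m = _HTTP_REQUEST_LINE.match(data)
    if m is None or m.group(1) != b"CONNECT":
        return None
    host, _, port = m.group(2).decode("ascii").rpartition(":")
    if not host or not port.isdigit():
        return None
    return host, int(port)


def port_accepts(port_directive: str, data: bytes) -> bool:
    """Model (hypothetical helper) of what each Squid listener can parse.

    https_port hands the socket to OpenSSL first, so only a TLS record works;
    http_port parses HTTP, including CONNECT, and with ssl-bump enabled can
    then intercept the TLS session carried inside the tunnel.
    """
    kind = classify_first_bytes(data)
    if port_directive == "https_port":
        return kind == "tls-client-hello"
    if port_directive == "http_port":
        return kind in ("http-connect", "http-request")
    raise ValueError(f"unknown directive {port_directive!r}")


# Constructed samples: the CONNECT a browser sends for https://9.148.26.247:8443/
# via a proxy, the leading bytes of a TLS 1.2 ClientHello record, and a plain
# proxy-style GET for the http:// site from the thread.
BROWSER_TO_PROXY = build_connect_request("9.148.26.247", 8443)
TLS_CLIENT_HELLO_RECORD = bytes.fromhex("16 03 01 00 2c 01 00 00 28 03 03")
PLAIN_HTTP = b"GET http://mydomain.com/MyCRM/index.php HTTP/1.1\r\nHost: mydomain.com\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("browser https", BROWSER_TO_PROXY),
                          ("raw TLS", TLS_CLIENT_HELLO_RECORD),
                          ("browser http", PLAIN_HTTP)):
        print(f"{label:13} {classify_first_bytes(sample):17} "
              f"https_port={port_accepts('https_port', sample)} "
              f"http_port={port_accepts('http_port', sample)}")
```

Running the block prints that both the browser's HTTPS and HTTP samples are accepted only by http_port, while https_port accepts only the raw TLS record; that is the mismatch the clientNegotiateSSL error in the original log reports.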
