Re: [squid-users] Using squid as transparent proxy causes problem with pages on https

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 13 Apr 2012 19:03:03 +1200

On 12/04/2012 10:08 p.m., Ahmed Talha Khan wrote:
> Also
> Will "transparent" work on https_port? The browser makes a connection on
> 443 which I redirect to squid. So will it let the webpages open? They
> are not opening for me

On Squid 3.0 and 2.x yes (3.1+ use "intercept" now). All it does is
tell Squid to lookup the local kernel NAT tables for client IP
information instead of trusting the TCP packet, and that the request
should have some other special origin server specific processing applied.

The problem with https_port intercept has always been, and remains in
the current Squid, that the SSL certificate sent to the client does not
match the domain the client is contacting. They get a TLS security alert
message on every new connection attempt. The dynamic cert generation
feature in 3.2 helps, but intercepted HTTPS still mostly lacks the
domain name details the generator needs to produce a valid cert
(requires the SSL SNI feature, which is *legally* risky for most of us devs
to implement, no technical problem).

Amos
Received on Fri Apr 13 2012 - 07:03:09 MDT
