Re: [squid-users] Using squid as transparent proxy causes problem with pages on https

From: Ahmed Talha Khan <auny87_at_gmail.com>
Date: Fri, 13 Apr 2012 15:50:48 +0500

Hey Amos,
I made headway with the problem :). I think the looping is
happening because squid is proxying the https port traffic onto the http
port on the way out.

client----https=443---------->squid---------http=80----->origin server

I can see the external connection being set up on port 80 whereas it
should have been on port 443. That is why the server keeps sending me
back the same url to re-direct to.. This is my theory... What do you
think about it? Also, how can I make squid output the original port
443 traffic on port 443 when connecting to the external servers... I
could see something you mentioned to another guy here

http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-1-endless-loop-IIS-webserver-td4465329.html

This example was a reverse proxy example and might not work for
me... Any suggestions? I think we are about to crack it!! :)

-talha

On Fri, Apr 13, 2012 at 12:17 PM, Ahmed Talha Khan <auny87_at_gmail.com> wrote:
> What about the looping in the browser? Why am I getting re-directed to the
> same URL again? I have posted this as a separate question on the
> forum. How is it possible, in what configuration, to access https pages
> while running squid? You may want to answer the 2nd
> question.. Thanks
>
> -talha
>
> On Fri, Apr 13, 2012 at 12:03 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 12/04/2012 10:08 p.m., Ahmed Talha Khan wrote:
>>>
>>> Also
>>> Will "transparent" work on https_port? The browser makes a connection on
>>> 443 which I redirect to squid. So will it let the webpages open? They
>>> are not opening for me
>>
>>
>> On Squid 3.0 and 2.x yes (3.1+ use "intercept" now). All it does is tell
>> Squid to look up the local kernel NAT tables for client IP information
>> instead of trusting the TCP packet, and that the request should have some
>> other special origin-server-specific processing applied.
>>
>> The problem with https_port intercept has always been, and remains in the
>> current Squid, that the SSL certificate sent to the client does not match
>> the domain the client is contacting. They get a TLS security alert message
>> on every new connection attempt. The dynamic cert generation feature in 3.2
>> helps, but intercepted HTTPS still mostly lacks the domain name details the
>> generator needs to produce a valid cert (requires the SSL SNI feature, which is
>> *legally* risky for most of us devs to implement; no technical problem).
>>
>> Amos
>>
>
>
>
> --
> Regards,
> -Ahmed Talha Khan

-- 
Regards,
-Ahmed Talha Khan
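The symptom Talha describes (the same URL bouncing back as a redirect over and over because the intercepted port-443 traffic reaches the origin as plain HTTP on port 80) shows up in Squid's native access.log as a run of 3xx responses for one client and one URL. The script below is an added example, not code from this thread or from the Squid project: it parses constructed access.log lines in Squid's native format and flags such runs, so an admin can confirm a redirect loop from the logs before touching the config. The sample lines, the threshold of three consecutive redirects, and the function names are assumptions made for the example.

```python
import re

# Constructed sample in Squid's native access.log format (not taken from the thread):
# timestamp elapsed client result/status size method URL ident hierarchy/peer type
# Client 10.0.0.5 sent HTTPS to port 443, but Squid logged the URL as http:// and
# went DIRECT to the origin; the origin keeps answering 301 to the same location.
SAMPLE_LOG = """\
1334310001.102    38 10.0.0.5 TCP_MISS/301 412 GET http://www.example.com/login - DIRECT/203.0.113.10 text/html
1334310001.410    35 10.0.0.5 TCP_MISS/301 412 GET http://www.example.com/login - DIRECT/203.0.113.10 text/html
1334310001.720    36 10.0.0.5 TCP_MISS/301 412 GET http://www.example.com/login - DIRECT/203.0.113.10 text/html
1334310002.030    37 10.0.0.5 TCP_MISS/301 412 GET http://www.example.com/login - DIRECT/203.0.113.10 text/html
1334310002.500    90 10.0.0.7 TCP_MISS/200 8123 GET http://www.example.org/ - DIRECT/198.51.100.8 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return the fields of one native-format access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_redirect_loops(log_text, threshold=3):
    """Map (client, url) -> length of the run of consecutive 3xx answers for that URL.

    A run is counted per client: each 3xx for the same URL extends it, any other
    response (or a 3xx for a different URL) resets it. Runs shorter than
    `threshold` are ignored.
    """
    runs = {}   # client -> [url, consecutive 3xx count]
    loops = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        client, url, status = rec["client"], rec["url"], int(rec["status"])
        if 300 <= status < 400:
            run = runs.get(client)
            if run and run[0] == url:
                run[1] += 1
            else:
                run = [url, 1]
                runs[client] = run
            if run[1] >= threshold:
                loops[(client, url)] = run[1]
        else:
            runs.pop(client, None)
    return loops


def describe_loops(loops):
    """One human-readable finding per loop; notes when the looped URL was sent as plain http://."""
    findings = []
    for (client, url), count in sorted(loops.items()):
        msg = f"{client}: {count} consecutive redirects to {url}"
        if url.startswith("http://"):
            # Consistent with intercepted HTTPS being forwarded as HTTP on port 80:
            # the origin answers with a redirect back to its secure URL every time.
            msg += " (logged as http://; check whether this was intercepted port-443 traffic)"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for line in describe_loops(find_redirect_loops(SAMPLE_LOG)):
        print(line)
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; a loop whose URL is logged as http:// while the client connected on 443 is exactly the port mismatch Talha suspects, and is what the configuration fix has to remove.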
Received on Fri Apr 13 2012 - 10:50:57 MDT
