Re: [squid-users] Full https in transparent mode

From: Romain <romain_at_biscotte.net>
Date: Fri, 22 Jun 2012 10:34:48 +0200

On Thu, 2012-06-21 at 12:43 +1200, Amos Jeffries wrote:
> On 21.06.2012 11:14, Romain wrote:
> > Hi,
> >
> > I'm using squid-3.1.19 and I would like to set up a https l7 split in
> > transparent mode. The configuration seems relatively easy and there
> > is no problem to catch the https request with iptables and forward it
> > to the squid. (https_port 3130 intercept cert=... key=...)
> >
> > But after that squid tries to retrieve the page in http not in https...
> > Is it possible to keep the protocol throughout the request?
>
> It would seem so... but that forces a single certificate to be shared
> by every domain in existence. Your clients will pop up invalid
> certificate warnings on almost every single HTTP request.
>
> You require the dynamic certificate generation feature of Squid-3.2 to
> avoid those popups.
>
> This patch also needs to be applied to the current 3.2 snapshot, it
> should be in tomorrow's one.
> http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11599.patch

There is no problem to share a single certificate, the problem is that
squid tries to retrieve the page in http not in https mode.

Regards
Romain

>
> Amos
>

-- 
Romain <romain_at_biscotte.net>
Received on Fri Jun 22 2012 - 08:34:54 MDT
