Re: [squid-users] Full https in transparent mode

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 22 Jun 2012 21:33:11 +1200

On 22/06/2012 8:34 p.m., Romain wrote:
> On Thu, 2012-06-21 at 12:43 +1200, Amos Jeffries wrote:
>> On 21.06.2012 11:14, Romain wrote:
>>> Hi,
>>>
>>> I'm using squid-3.1.19 and I would like to set up an https l7 split in
>>> transparent mode. The configuration seems relatively easy and there
>>> is no problem to catch the https request with iptables and forward it
>>> to the squid. (https_port 3130 intercept cert=... key=...)
>>>
>>> But after that squid tries to retrieve the page in http not in https...
>>> Is it possible to keep the protocol throughout the request?
>> It would seem so... but that forces a single certificate to be shared
>> by every domain in existence. Your clients will pop up invalid
>> certificate warnings on almost every single HTTP request.
>>
>> You require the dynamic certificate generation feature of Squid-3.2 to
>> avoid those popups.
>>
>> This patch also needs to be applied to the current 3.2 snapshot, it
>> should be in tomorrow's one.
>> http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11599.patch
> There is no problem to share a single certificate, the problem is that
> squid tries to retrieve the page in http not in https mode.

Which is resolved as part of that patch rev 11599 on squid-3.2.
I am still in the process of sorting out a port to 3.1 series.

Amos
Received on Fri Jun 22 2012 - 09:33:27 MDT
