Re: [squid-users] Optional ssl force on Squid3

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 23 Jun 2012 23:04:10 +1200

On 23/06/2012 7:02 p.m., aimdev wrote:
> Hi I want to do the following....
>
> User accesses web via squid3, using http
> Squid checks to see if the server is capable of handling the request as ssl.
> If true, Squid changes the url to https.
> If false, Squid passes the url unchanged.
> Is this possible with squid3, if not can anyone offer a solution?

How do you expect to convert all the world's web servers to suddenly
having security TLS/SSL certificates? Then there are all the sites which
are FTP or other protocols which do not even support TLS at the protocol
level. Both due to the web servers not supporting TLS at their end, and
because http:// and https:// have *very* different security
requirements, bridging objects from secured area on the web server out
into the non-secured protocol is a bad idea.

Things are only bad for the particular scenario you described though.

Squid only requires --enable-ssl to be built into it to receive and
process HTTP requests asking for https:// URLs. It's hard to find a
browser that does this though. Changing the URL to magically use a
secure protocol to the external server is still not an option though.

It is possible if you own the website, to set up SSL on the web server
and have Squid reverse-proxy it in http:// while sending requests to it
over TLS/SSL. This is simply a reverse proxy where the cache_peer is
set up with ssl options.

It is also possible with some "stunnel" trickery to ensure that
communications between your clients and your proxy are TLS/SSL
protected. But notice how those are both "your ..." end of things. There
is no way to force somebody else's servers to accept or perform HTTPS
when they do not already support it. At which point *they* will be the
ones generating the appropriate https:// URLs, not your proxy.

Amos
Received on Sat Jun 23 2012 - 11:04:23 MDT
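
The reverse-proxy arrangement described in the reply above (clients reach Squid over http://, Squid reaches your own origin over TLS/SSL), as an added squid.conf example that is not part of the original message. The hostname www.example.com, the origin address 192.0.2.10, the CA file path and the peer name origin_tls are assumptions; the option names are the Squid 3.x ones and need a build with --enable-ssl.

```conf
# Added example, not from the original message. All names, addresses and
# paths below are placeholders (assumptions) for a site you operate.

# Clients connect in plain HTTP; Squid acts as an accelerator (reverse proxy)
# for exactly one site.
http_port 80 accel defaultsite=www.example.com

# The origin server is reached over TLS/SSL on port 443.
#   originserver  treat the peer as the origin web server, not another proxy
#   ssl           wrap the connection to this peer in TLS/SSL
#   sslcafile=    CA bundle used to verify the origin's certificate
#   ssldomain=    name the origin's certificate must match (needed here
#                 because the peer is addressed by IP)
cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/origin-ca.pem ssldomain=www.example.com name=origin_tls

# Weak variant to avoid: the flag below disables certificate verification,
# so the Squid-to-origin hop is encrypted but not authenticated.
# cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=origin_tls

# Only requests for your own site are accepted and sent to the TLS peer.
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
cache_peer_access origin_tls allow our_site
cache_peer_access origin_tls deny all
```

This protects only the Squid-to-origin hop for a server you control; the client-to-Squid hop in this configuration is still plain HTTP.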