Re: [squid-users] HTTPS forward proxy?

From: David Deller <david.deller_at_tripcraft.com>
Date: Thu, 23 Jan 2014 15:31:32 -0500

On Jan 23, 2014, at 1:19 PM, Alex Rousskov <rousskov_at_measurement-factory.com> wrote:

> On 2014-01-22 11:44, David Deller wrote:
>>>> Here's another request, this time with HTTPS:
>>>> $ curl --proxy https://my-proxy-server.example:3129 \
>>>> --proxy-anyauth --proxy-user redacted:redacted -w '\n' \
>>>> http://urlecho.appspot.com/echo?body=OK
>>>> curl: (56) Recv failure: Connection reset by peer
>>>> Nothing in `access.log` after this one, but in `cache.log`:
>>>> 2014/01/20 20:46:15| clientNegotiateSSL: Error negotiating SSL
>>>> connection on FD 10: error:1407609C:SSL
>>>> routines:SSL23_GET_CLIENT_HELLO:http request (1/-1)
>>>
>>> See the serverfault response. curl is connecting to the proxy using
>>> plain-text instead of SSL.
>
> Official curl does not support SSL connections to HTTP proxies. Factory
> has an experimental curl patch adding such support, including client SSL
> certificate authentication IIRC. If all you need is a single
> SSL-to-proxy client, that will work for you (please contact me off list
> if interested). If you need SSL-to-proxy support in popular browsers and
> other clients, a single patched curl will not help, of course.

Thanks for confirming this for me. I was only using curl in this case to troubleshoot my Squid server and see if I had configured it correctly. Now I at least know not to waste more time on it :)

What I really need is a Ruby HTTP library that can connect to Squid using SSL. Ruby can use libcurl (via ‘curb’), but I don’t think I can deploy a patched version of curl to my web host. I have tried several libraries and none of them so far have worked with my Squid server on its https_port.

Well, let me back up a little. If there was another way to authenticate securely to Squid, that would also be acceptable. As I mentioned before, I don’t think I’m comfortable with Digest (certainly not Basic). The only other options I see are NTLM and Negotiate, which both seem to be Microsoft-specific. Am I missing anything there?

>> I did notice this and wondered if it might be a problem with curl
>> itself. So I also tried similar tests with Google Chrome and a Ruby
>> HTTP library called excon, both of which specifically mention support
>> of HTTPS proxies. I also tried a few other HTTP libraries that have
>> HTTP proxy support but don’t specifically mention HTTPS. Since I saw
>> the same failing result with all of them, I went back to trying to
>> troubleshoot Squid as the likely source of the problem.
>
> In many cases, "HTTPS proxy support" simply means tunneling SSL
> connections through HTTP proxies by sending HTTP CONNECT requests to
> those HTTP proxies first. That is not SSL-to-proxy mode that you are
> looking for.

Very enlightening; that hadn’t occurred to me.

Here are the docs about Chrome’s ‘secure web proxy’ support: http://www.chromium.org/developers/design-documents/secure-web-proxy

That page specifically mentions Squid’s https_port, suggesting it should work with this Chrome feature, although from the phrasing of it (‘appears to’), the person who wrote that may not have actually tested it to find out.

Indeed, I tried replicating the same set of tests that I did with curl, with Google Chrome, and had the same unsuccessful results.

David
Received on Thu Jan 23 2014 - 20:31:41 MST
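The distinction drawn in the thread above, as an added example that is not code from this list, from Squid, curl or Chrome: an "SSL-to-proxy" client completes a TLS handshake with the proxy itself and only then sends an ordinary absolute-URI proxy request inside that session, whereas the usual "HTTPS proxy support" is a plaintext CONNECT with TLS confined to the tunnel. The script also reproduces the failure reported with curl, Chrome and excon: plaintext sent to a TLS port fails the handshake and the connection is dropped. A small in-process stub stands in for Squid's https_port; the proxy hostname and target URL are taken from the thread's curl command, the credentials "redacted" are placeholders, the self-signed certificate and the stub's replies are constructed, and urlecho.appspot.com is never contacted. Ruby was chosen because that is the client the poster is after.

```ruby
# Added example, not code from the squid-users thread, Squid, curl or Chrome: a stub
# stands in for Squid's https_port; names, credentials and the stub's replies are constructed.
require 'openssl'
require 'socket'
require 'uri'
PROXY_NAME = 'my-proxy-server.example'   # proxy hostname from the thread's curl command
PROXY_USER = PROXY_PASS = 'redacted'      # constructed credentials
TARGET_URL = 'http://urlecho.appspot.com/echo?body=OK'

def basic_auth(user, pass)
  "Basic #{["#{user}:#{pass}"].pack('m0')}"   # strict base64, no newlines
end

# SSL-to-proxy mode (Squid https_port): TLS handshake with the proxy itself, then an
# ordinary absolute-URI proxy request inside it. Basic is tolerable only because of that hop.
def proxy_get_request(url, user, pass)
  u = URI(url)
  "GET #{u} HTTP/1.1\r\nHost: #{u.host}\r\n" \
  "Proxy-Authorization: #{basic_auth(user, pass)}\r\nConnection: close\r\n\r\n"
end

# What most "HTTPS proxy support" means: plaintext CONNECT to the proxy, TLS only inside
# the tunnel, so the proxy credentials cross the client-to-proxy hop in clear.
def connect_request(host, port, user, pass)
  "CONNECT #{host}:#{port} HTTP/1.1\r\nHost: #{host}:#{port}\r\n" \
  "Proxy-Authorization: #{basic_auth(user, pass)}\r\n\r\n"
end

# Self-signed cert for the stub only; a real proxy uses a CA that its clients trust.
def make_self_signed(cn)
  key, cert = OpenSSL::PKey::RSA.new(2048), OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Stub https_port: TLS on the wire, plain proxy HTTP inside. It never reaches the origin;
# it answers 200 "OK" to an authenticated absolute-URI GET and 407 to anything else.
def start_stub_https_port(key, cert)
  tcp, ctx = TCPServer.new('127.0.0.1', 0), OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  srv = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      c = srv.accept rescue nil
      next unless c # plaintext hit the TLS port: handshake failed, as Squid logged in cache.log
      begin
        head = +''
        head << c.gets until head.end_with?("\r\n\r\n")
        ok = head.start_with?('GET http://') &&
             head.include?("\r\nProxy-Authorization: #{basic_auth(PROXY_USER, PROXY_PASS)}\r\n")
        c.write(ok ? "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK" :
                     "HTTP/1.1 407 Proxy Authentication Required\r\nContent-Length: 0\r\n\r\n")
      rescue StandardError # client went away mid-request
      ensure
        c.close rescue nil
      end
    end
  end
  [tcp.addr[1], thread, tcp]
end

# SSL-to-proxy client: TLS to the proxy, verified against a pinned trust anchor and the
# proxy's name (SNI plus hostname check), then the proxy request inside that session.
def send_over_tls(host, port, trust_anchor, proxy_name, request)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trust_anchor) }
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(host, port), ctx)
  ssl.hostname, ssl.sync_close = proxy_name, true
  ssl.connect
  ssl.post_connection_check(proxy_name)
  ssl.write(request)
  ssl.read
ensure
  ssl&.close
end

# What curl, Chrome and excon did in the thread: plaintext straight to the TLS port.
# Returns nil when the proxy drops the connection (curl's "Recv failure: Connection reset").
def send_plaintext(host, port, request)
  tcp = TCPSocket.new(host, port)
  tcp.write(request)
  (reply = tcp.read).empty? ? nil : reply
rescue Errno::ECONNRESET, Errno::EPIPE
  nil
ensure
  tcp&.close
end

def run_demo
  key, cert = make_self_signed(PROXY_NAME)
  port, thread, listener = start_stub_https_port(key, cert)
  req = proxy_get_request(TARGET_URL, PROXY_USER, PROXY_PASS)
  { tls:   send_over_tls('127.0.0.1', port, cert, PROXY_NAME, req),
    plain: send_plaintext('127.0.0.1', port, req) }
ensure
  thread&.kill
  listener&.close
end

run_demo.each { |mode, reply| puts "#{mode}: #{reply.inspect}" } if __FILE__ == $0
```

Running it prints the 200 reply for the TLS-wrapped request and nil for the plaintext one, which is the same pair of outcomes the thread describes: the stub's handshake fails on the plaintext bytes and the client sees the connection dropped. The client side pins a trust anchor, enforces TLS 1.2 or newer and checks the proxy's name, because in SSL-to-proxy mode the proxy's certificate is the only thing keeping the Proxy-Authorization header off the wire.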

This archive was generated by hypermail 2.2.0 : Fri Jan 24 2014 - 12:00:06 MST