Re: [squid-users] ssl port 443

I am following up on Merton's email. We have Squid working as a reverse
proxy in our environment and would like to add SSL for secure
authentication of the users. The regular HTTP traffic is not encrypted.

I couldn't find much help on configuring Squid with SSL beside the
reference about https_port directive. Could anyone provide an example of
using the SSL directives in Squid?

We are using Squid 2.5 stable10 on RedHat El 3.0.

Thanks,

Dimitar
----------------------------------------

Merton Campbell Crockett <m.c.crockett@adelphia.net>
04/12/2006 10:18 AM

To
Dwayne Hottinger <dhottinger@harrisonburg.k12.va.us>
cc
"squid-users@squid-cache.org" <squid-users@squid-cache.org>
Subject
Re: [squid-users] ssl port 443

On 12 Apr 2006, at 06:49 , Dwayne Hottinger wrote:

> Sirs,
>
>
> I would like to have all internet requests go through my proxy
> server. My
> firewall now redirects all port 80 requests to my proxy server, I
> would like to
> have port 443 requests go their also, because my filtering software
> resides on
> the proxy server, and to get around the filter, all one has to do
> is use https:
> and they are no longer subject to the rules. I read through the
> faq on https:
> and it doesnt look like this is what I want. I added a rule to my
> firewall to
> redirect port 443 traffic to my proxy server and it doesnt seem to
> work
> (timeouts), plus I have nothing in either cache.log or access.log
> to indicate
> that https: traffic is connecting. Do I have to do another build
> of squid and
> --enable-https: or is this only for reverse proxy for my internal
> servers? Or
> can I add an acl to address https traffic and if so, what? I am
> running Squid
> Cache: Version 2.5.STABLE6
> configure options: --enable-storeio=diskd,ufs --enable-
> smartfilter. Redhat
> linux 8 kernel 2.4.19.

Dwayne:

This is not going to work. The only time that anything will be
visible is during the initial establishment of the SSL connection
between the client (browser) and the server. After the SSL
connection is established, the HTTP request from the client and the
HTTP response from the server are encrypted. You won't be able to
apply your filtering rules.

I am not part of the Squid development team and haven't used the
HTTPS features. This feature only makes sense when Squid is being
used as a front-end to a server where the SSL connection is being
established between the client and the Squid proxy server with
communications between the Squid proxy server and the HTTP server
being performed without encryption.

I'm sure that the Squid development team will correct me if I am wrong.

Merton Campbell Crockett
m.c.crockett@adelphia.net
Received on Wed Apr 12 2006 - 10:27:53 MDT