Re: Https and secure ports

From: Dancer <dancer@dont-contact.us>
Date: Fri, 30 Jan 1998 02:58:38 +1000

https is proxied through the normal method.

If you want to connect to https://somewhere.secure.com:443/ the request is passed to squid on the _regular_ http port (3128).
On port 3128, the browser requests:

CONNECT somewhere.secure.com:443 HTTP/1.0

(may vary slightly according to protocol version)

and gets:
HTTP/1.0 200 CONNECTED

(or somesuch)

It then has the equivalent of a standard TCP pipe to say anything it wants to the remote server, and vice-versa. Just as if it had telnetted there directly.

Squid cannot proxy any item fetched by SSL/https, as it would violate the security model of SSL/https (ie: A 'man-in-the-middle' [Eve, in crypto parlance] would have to decrypt everything going both ways in order to cache anything. (Or at the very least have the _ability_ to do so))

The https proxying model built into HTTP (called 'SSL tunneling') makes a dumb data-path with squid just shovelling bytes both ways. It neither knows nor cares about the content. You can use it to connect to any port on any server, if you so desire, unless the ACLs prohibit it. (If they don't, you can have a bash at M-Trek through the company firewall using SSL tunnelling to give you a telnet connection out.)

D

Johannes Magnusson wrote:

> Hi folks,
>
> why isn't squid listening for incoming client CONNECT requests on a secure port, like 443 or 563? Are ssl CONNECT requests a kind of taboo within squid, or is a secure connection not initiated from the client https_proxy variable? My corporate squid proxies running RH linux 4.2 and 5.0 don't seem to listen on these ports at all. My only comforting thought is that almost every secure site uses dynamic pages with a URL that contains a "?" or "cgi-bin", so I configured my clients not to send the https_port requests to the standard http_proxy port 3128.
>
> I hope somebody can humour me with some answers 8-)
>
> Greetings Joe
>
> --
>
> Johannes Magnusson
> Netfang: johanma@rhi.hi.is

--
Did you read the documentation AND the FAQ?
If not, I'll probably still answer your question, but my patience will
be limited, and you take the risk of sarcasm and ridicule.
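The CONNECT exchange described above, as an added example that is not part of this thread or of Squid: a toy Python proxy that accepts CONNECT on a local listener, checks the destination port against a small ACL, answers 200 and then shovels bytes both ways without looking at them; a stand-in origin server that uppercases whatever it receives (constructed so the round trip is visible); and a client that plays the browser. The listener addresses, the ACL set and the origin behaviour are assumptions made for this demo, and the request parser ignores bracketed IPv6 hosts.

```python
import socket
import threading


def parse_connect_request(raw: bytes):
    """Parse 'CONNECT host:port HTTP/1.x' and return (host, port), or None if malformed.
    Assumption: plain host:port targets only (no bracketed IPv6 literals)."""
    head = raw.partition(b"\r\n\r\n")[0]
    parts = head.split(b"\r\n")[0].split()
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not port.isdigit():
        return None
    return host.decode("ascii"), int(port)


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on as a half-close.
    The proxy never inspects the bytes; this is the 'dumb data-path'."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client, allowed_ports):
    """Proxy side: read the CONNECT header, apply the port ACL, then tunnel."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = client.recv(4096)
        if not chunk:
            client.close()
            return
        buf += chunk
    target = parse_connect_request(buf)
    if target is None:
        client.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        client.close()
        return
    host, port = target
    if port not in allowed_ports:  # the ACL decision: refuse before touching the network
        client.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")
        client.close()
        return
    try:
        upstream = socket.create_connection((host, port), timeout=5)
    except OSError:
        client.sendall(b"HTTP/1.0 502 Bad Gateway\r\n\r\n")
        client.close()
        return
    client.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
    leftover = buf.partition(b"\r\n\r\n")[2]  # bytes a client sent early, if any
    if leftover:
        upstream.sendall(leftover)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def echo_handler(conn):
    """Constructed stand-in for the origin server: uppercases what it gets back to the client."""
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data.upper())


def serve(handler, *args):
    """Start a listener on 127.0.0.1 with an ephemeral port and return that port."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    port = lsock.getsockname()[1]

    def loop():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn, *args), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return port


def tunnel_through(proxy_port, host, port, payload):
    """Browser side: send CONNECT to the proxy, and on 200 talk to the origin over the pipe.
    Returns (status_line, bytes_received_from_origin)."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"CONNECT {host}:{port} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode())
        resp = b""
        while b"\r\n\r\n" not in resp:
            chunk = s.recv(4096)
            if not chunk:
                break
            resp += chunk
        status = resp.split(b"\r\n", 1)[0].decode(errors="replace")
        if len(status.split()) < 2 or status.split()[1] != "200":
            return status, b""
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = resp.partition(b"\r\n\r\n")[2]
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
        return status, reply


def demo():
    """Tunnel once to the allowed origin, then try a port the ACL refuses (23, telnet)."""
    origin_port = serve(echo_handler)
    allowed = {443, 563, origin_port}  # assumed ACL; the demo origin's port is added so the tunnel is permitted
    proxy_port = serve(handle_client, allowed)
    ok = tunnel_through(proxy_port, "127.0.0.1", origin_port, b"hello through the tunnel")
    denied = tunnel_through(proxy_port, "127.0.0.1", 23, b"telnet attempt")
    return ok, denied


if __name__ == "__main__":
    print(demo())
```

The proxy's only decisions happen before the 200: parse the request line and check the port. After that it cannot cache, filter or even recognise what passes, which is exactly why the ACL on allowed destination ports is the control that matters.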
Received on Thu Jan 29 1998 - 08:59:53 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:38:34 MST