Hi,
before this message is dismissed as yet another "why can't I proxy https?" post, I would like to say that this is an informed question, that I am unable to find the answer to in the docs, faqs, or mail archives.
I have set up a transparent proxy on our gateway, and am using ipchains to redirect outgoing port 80 requests to 3128 on the localhost (squid). This is working fine for all http traffic. All other traffic (including https) is currently masqueraded, and that works fine.
I wish to transparently "proxy" 443 (https) traffic also - even though I know squid will simply retrieve the https url via a DIRECT request. The reason I want to do this, and not masquerade is this:
internal -> gateway -> isp1 -> internet
-> isp2 ->
we have two squid configurations, one for isp1 and one for isp2. By default, all http traffic travels through isp1. However, if this goes down, we use our second squid configuration and point all traffic through isp2. There are differences between both squid configurations, as each isp provides a different set of parent caches.
Now, when isp1 fails, and we move our configuration to isp2, all http traffic is succesful. https, however, still fails because masquerading is still configured to go out isp1. If we could transparently "proxy" https, then we can redirect all web (http, https) traffic out through either isp with a single "flick of a switch".
I tried to transparently proxy https by simply redirecting 443 traffic to 3128 on localhost, just like what we do with http traffic. This does not work - browsers are unable to view https sites, and squid does not log any requests for the sites. Setting the gateway as a proxy in the browser, however, enables viewing https sites through squid. It would be great if we could transparently proxy https traffic, so we can easily redirect all web traffic out through either isp1 or isp2 in "one go", without having to reconfigure masquerading as well.
I find this situation odd, and I have looked through the manuals, faq, and mailing lists in search for an answer. While many people have asked this question, the reply i constantly find is "why do you want to?", or "just use masquerading". I hope I have presented a plausible reason as to why I want to transparently "proxy" https traffic.
any help or advice would be greatly appreciated,
rgds,
Ian.
-- Ian Cumming, ian@semisphere.org "The number of Unix installations has grown to 10, with more expected." -- The Unix Programmer's Manual, 2nd Edition, June, 1972 -- To unsubscribe, see http://www.squid-cache.org/mailing-lists.htmlReceived on Fri Feb 23 2001 - 23:04:54 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:10 MST