Squid https_port


Squid https_port

johnr
Hi (sorry resending this because the original sent as an html email),
 
I have a couple of questions about the squid https_port.
 
1) Does it only exist for transparent connections? I know if I want to have a transparent proxy that can accept TLS requests, I need to have the port be an https_port rather than an http_port, but is that what it was created for?
 
2) How come the https_port does not support receiving proxy protocol? Perhaps I'm misunderstanding a bit here, but I thought that HAProxy supports sending it before instantiating a TLS connection?
 
Thank you so much for the help and I'm sorry if I'm misunderstanding and these questions don't make sense.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Squid https_port

Alex Rousskov
On 09/14/2018 12:11 PM, John Refwe wrote:
  
> I have a couple of questions about the squid https_port.
>  
> 1) Does it only exist for transparent connections?

No, it does not. It also supports encrypted connections between the
client and Squid. In that scenario, Squid can be called an HTTPS proxy.
Many modern browsers and other clients (e.g., curl) support HTTPS proxies.


> I know if I want to have a transparent proxy that can accept
> TLS requests, I need to have the port be an https_port rather than an
> http_port, but is that what it was created for?

IIRC, it was created for the HTTPS proxy support. Inspection of
intercepted TLS connections came much later.


> 2) How come the https_port does not support receiving proxy protocol?

If it does not, then nobody added that support. There is nothing in the
PROXY protocol itself that would make it impossible to support on the
https_port AFAICT.


> I thought that HAProxy supports sending it before instantiating a TLS connection?

I do not know what HAProxy does or whether it supports talking to HTTPS
proxies at all, but the whole idea behind HTTPS proxying is to
protect/encrypt client-proxy communication. I would expect HAProxy to
send the PROXY header _inside_ the TLS connection to the HTTPS proxy,
not outside it!

Alex.
fi.se ssl bump error

johnr
Hi,
 
I'm encountering an ssl bump error when going to https://www.finansinspektionen.se/
 
The error is similar in nature to http://squid-web-proxy-cache.1019090.n4.nabble.com/Message-with-SSL-bump-with-a-specific-site-td4686867.html
 
I took a packet capture and it didn't explain anything beyond what is discussed in the above thread. I could readily reproduce it with both squid 3.5 and squid 4.0. Interestingly, when I did an openssl s_client to the domain and then pasted:
GET / HTTP/1.1
Host: www.finansinspektionen.se
Connection: keep-alive
 
Things seemed to work. So, it doesn't immediately seem to be an openssl issue?
 
Is anyone able to reproduce this / maybe provide a little bit of insight as to what might be happening?
 
Thank you very much,
 
John

Re: fi.se ssl bump error

Amos Jeffries
On 30/11/18 12:16 pm, John Refwe wrote:
> Hi,
>  
> I'm encountering an ssl bump error when going
> to https://www.finansinspektionen.se/
>  
> The error is similar in nature
> to http://squid-web-proxy-cache.1019090.n4.nabble.com/Message-with-SSL-bump-with-a-specific-site-td4686867.html

TLS is a complex protocol. "Similar to" is not enough to be accurate.

Did you do what I suggested in that thread to more closely identify what
was actually happening?

>  
> I took a packet capture and it didn't explain anything beyond what is
> discussed in the above thread. I could readily reproduce it with both
> squid 3.5 and squid 4.0. Interestingly, when I did an openssl s_client
> to the domain and then pasted:
> GET / HTTP/1.1
> Host: www.finansinspektionen.se
> Connection: keep-alive
>  
> Things seemed to work. So, it doesn't immediately seem to be an openssl
> issue?
>  

The test only shows that the default parameters your OpenSSL library
wants to use will work.

The parameters of the handshake outgoing from Squid are mediated by the
settings the client uses and any limits you have forced through
squid.conf settings.


> Is anyone able to reproduce this / maybe provide a little bit of insight
> as to what might be happening?
>  

Not from those clues.

Amos
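Added example, not from this thread or the Squid project: a Squid 4 squid.conf fragment showing the two roles of https_port that Alex distinguishes (explicit HTTPS proxy versus intercepted TLS with SSL bump) and the tls_outgoing_options limits Amos points to as the squid.conf side of the outgoing handshake. Ports, paths and the cipher list are placeholders; Squid 3.5 spells the certificate options as cert=/key= and lacks tls_outgoing_options.

```conf
# Added example (not from the thread). Squid 4 syntax; all ports, paths
# and the cipher list are placeholders to adapt.

# Role 1: explicit HTTPS proxy. The client (curl, modern browsers) opens a
# TLS session to Squid itself and sends its CONNECT/GET requests inside
# that session, so the client-proxy hop is encrypted. No SSL bump here.
https_port 3129 tls-cert=/etc/squid/proxy-cert.pem tls-key=/etc/squid/proxy-key.pem

# Role 2: intercepted TLS traffic (redirected by the firewall) with SSL
# bump. Squid terminates the client's TLS with a generated certificate and
# opens its own TLS connection to the origin server.
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/ca-cert.pem tls-key=/etc/squid/ca-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# The handshake Squid sends outward in role 2 is shaped by what the client
# offered at step1 plus whatever limits are set here. A site that works
# with plain "openssl s_client" defaults but fails through Squid may be
# rejecting exactly these limits, so review them before blaming OpenSSL.
tls_outgoing_options options=NO_SSLv3,NO_TLSv1 cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
```

To reproduce Squid's outgoing handshake by hand, give openssl s_client the same limits (for example -cipher with the list above and -no_ssl3 -no_tls1) instead of relying on its defaults.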