https_port


https_port

Adiel Plasencia Herrera

Hello,

Could you help me with a configuration of my Squid that I want to implement.

My proxy passes all traffic to a parent proxy and I want clients to connect to my proxy via HTTPS.

Can you help me with how to implement the connection to my proxy via HTTPS?

To better explain what I want, I attached 2 pictures. The image named 1.jpg shows my proxy configuration with type HTTP, which connects well to the internet.

What I want is for the connection to my proxy to be in the form of the 2.jpg image, which uses the HTTPS type.

Or, if it is possible, keep both forms.


This is my current configuration:
acl trabajadores src 10.5.7.3 10.5.7.5

acl SSL_ports port 443
acl Safe_ports port 3128    # proxy server
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

http_access allow trabajadores
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all


http_port 3128


cache_peer 10.5.7.2   parent  3128 0  no-query default login=PASS
forwarded_for on

#hierarchy_stoplist cgi-bin ?

cache_swap_low 90
cache_swap_high 95

#update_headers on
cache_mem 128 MB
#cache_access_log
cache_dir ufs /var/spool/squid3 512 16 256

access_log daemon:/var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log daemon:/var/log/squid3/store.log


refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320



cache_mgr [hidden email]
#visible_hostname proxy.example.com
#unique_hostname proxy.example.com


nonhierarchical_direct off

dns_nameservers 10.5.7.2
coredump_dir /var/spool/squid3

max_filedescriptors 3200

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Attachments: 1.jpg (45K), 2.jpg (48K)

Re: https_port

Amos Jeffries
Administrator
On 08/06/17 03:28, Adiel Plasencia Herrera wrote:

>
> Hello,
>
> Could you help me with a configuration of my Squid that I want to
> implement.
>
> My proxy passes all traffic to a parent proxy and I want clients to
> connect to my proxy via HTTPS.
>
> Can you help me with how to implement the connection to my proxy via HTTPS?
>
> To better explain what I want, I attached 2 pictures. The image named
> 1.jpg shows my proxy configuration with type HTTP, which connects
> well to the internet.
>
> What I want is for the connection to my proxy to be in the form of the
> 2.jpg image, which uses the HTTPS type.
>
> Or, if it is possible, keep both forms.

What operating system are you using, and what applications are you
wanting to use this proxy connection?

The normal configuration is simply to add an https_port line with cert=
parameter to your squid.conf. More details on that below.


>
>
> This is my current configuration:
> acl trabajadores src 10.5.7.3 10.5.7.5
>
<snip>
>
> http_access allow trabajadores
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Your custom http_access rules ("allow trabajadores") should be down here
after the basic security checks.

> http_access deny all
>
>
> http_port 3128

The above port is for receiving plain-text connections to the proxy.
Most software supports this, with a few exceptions (usually Java apps).


To accept TLS connections to the proxy (not HTTPS *over* the proxy),
what you do is add an https_port line here. That https_port line needs a
cert= parameter containing the proxy server certificate. You may need
other TLS/SSL parameters to fine tune what the TLS does, but just start
with getting that basic setup to work.
  <http://www.squid-cache.org/Doc/config/https_port/>

For example:
   https_port 3129 cert=/etc/squid/proxy.pem

(the proxy.pem file here contains both the public server cert and
private server key for that cert).

Many GUI applications (most notably browsers) do not support this type
of connection to a proxy (or not well if they do). Which is where the
Q's about your OS and applications come in. You may need to set up
environment variables or PAC files to get the applications to work.


Note that this is a *very* different situation to intercepting port 443
traffic. Much more different than port 3128 vs. intercepted port 80.
HTTPS traffic goes through these TLS proxy connections with
double-layered encryption, so this setup does *not* magically make the
proxy able to see inside HTTPS if that is what you are really after.

Amos

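The squid.conf fragment below is an added example, not part of either message in the thread and not the poster's actual file. It combines the two points Amos makes: the site-specific "allow trabajadores" rule is moved below the basic Safe_ports/CONNECT checks, and an https_port is added next to the existing plain-text http_port so both connection forms keep working. It assumes the certificate-plus-key bundle lives at /etc/squid/proxy.pem (the path from Amos's example) and that port 3129 is free on the proxy host; both are assumptions, not values from the original configuration.

```conf
# Added example (not from the thread): squid.conf with the http_access
# ordering fix and a TLS-protected proxy port alongside the plain one.

acl trabajadores src 10.5.7.3 10.5.7.5

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

# Basic security checks first: reject unsafe ports and CONNECT to
# anything other than the TLS ports, regardless of who the client is.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only then the site-specific allow rule, followed by the final deny.
http_access allow trabajadores
http_access deny all

# Plain-text proxy port, kept so clients that cannot speak TLS to a
# proxy (the "1.jpg" form) continue to work.
http_port 3128

# TLS proxy port (the "2.jpg" form). proxy.pem is ASSUMED to hold the
# server certificate followed by its private key, as Amos describes.
https_port 3129 cert=/etc/squid/proxy.pem

# Everything is still forwarded to the parent proxy as before.
cache_peer 10.5.7.2 parent 3128 0 no-query default login=PASS
nonhierarchical_direct off
forwarded_for on
```

Run `squid -k parse` after editing to have Squid check the file before reloading. If the private key is kept in a separate file rather than concatenated into proxy.pem, https_port also accepts a `key=` parameter pointing at it. To confirm the TLS port from a client without a browser, curl supports TLS to the proxy itself via `curl --proxy https://proxy-host:3129 http://example.com/` (the `https://` proxy scheme needs curl 7.52.0 or newer); as Amos notes, this encrypts the client-to-proxy hop only, and HTTPS sites tunnelled through it remain opaque to the proxy.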