
#1 2012-03-21 02:29:40

walterjwhite
Member
Registered: 2011-05-01
Posts: 207

Squid - HTTPS

Hi all,

I would like to configure squid to do a few things.

1. Can I proxy SSL, and if I do, how does that work? Will the clients see HTTP instead, or another URL altogether?
2. If I proxy SSL, can I have squid validate the certificate and DNS records?


I would like SSL traffic to pass through squid so that some of that content can be cached to further reduce Internet traffic.  Secondly, I want to make it easier for anyone on my network to be able to securely browse the Internet without needing to do additional client-side configuration.


Walter


#2 2012-03-21 06:48:29

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: Squid - HTTPS

So if I understand correctly, you would basically like squid to convert any http request a user makes to https (if available)?

As far as I know, this is not possible in squid (globally at least, you can set rules for individual destinations though). This is also not really the function of a proxy. There are fairly low-level solutions to provide this on the client (HTTPS Everywhere browser plugin), but this is not what you're looking for I take it.


Burninate!


#3 2012-03-21 12:29:36

walterjwhite
Member
Registered: 2011-05-01
Posts: 207

Re: Squid - HTTPS

No, I was not clear, let me try again.

I would like to handle all SSL, so if a user goes to a secure site I can cache the content as well as validate the site's DNS. If squid is now doing the SSL work, then what would the user see? I looked briefly at SSLBump, is that what I want? Also, is Chromium the only browser that would support such a configuration?

Walter


#4 2012-03-21 13:11:18

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: Squid - HTTPS

So you would like to do SSL termination on the proxy basically? That's indeed perfectly possible through, for example, SslBump. The user will have to trust a certificate which will be generated by the proxy and which will be served for all https sites, replacing the actual certificate the https site is using (the actual session towards the site will be terminated on the proxy).

I know you're probably only thinking about the caching part, but the problem is that you'll be decrypting everything that passes through the ssl tunnel (login credentials, ...) and hence breaching a user's privacy by doing that. So all in all, not something you would want to do.


Burninate!


#5 2012-03-21 13:30:09

walterjwhite
Member
Registered: 2011-05-01
Posts: 207

Re: Squid - HTTPS

Yes, I was thinking about the security ramifications; if it is misconfigured, then it could lead to more problems. However, if it is done right, I think it could add additional security by blocking sites with expired or untrusted certificates.
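
As an added example (not part of the thread and not the Squid project's own configuration), the SslBump setup discussed in posts #4 and #5 could look like the following squid.conf fragment. It assumes Squid 4 or later built with OpenSSL support; the file paths, the `no_bump` ACL name and the `.bank.example` domain are placeholders.

```conf
# Constructed squid.conf fragment for SslBump; paths and names are placeholders.

# Explicit-proxy port. Squid terminates CONNECT tunnels on it and signs
# per-host certificates with the local CA in bump-ca.pem (certificate + key).
# Clients must import that CA certificate as trusted, otherwise every
# HTTPS site shows a certificate warning.
# Anyone holding the CA private key can impersonate any site to those
# clients, so keep the file readable by the squid user only.
http_port 3128 ssl-bump cert=/etc/squid/ssl/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints and caches the per-host certificates.
# The database directory has to be initialised once with the helper's -c option.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Step 1: read the TLS ClientHello (SNI) without decrypting anything yet.
acl step1 at_step SslBump1
ssl_bump peek step1

# Privacy carve-out: tunnel these sites untouched (no decryption, no caching).
acl no_bump ssl::server_name .bank.example
ssl_bump splice no_bump

# Everything else is decrypted at the proxy and re-encrypted to the client.
ssl_bump bump all

# Origin certificate validation now happens at the proxy, because the client
# only ever sees the proxy-generated certificate. Refuse expired, untrusted
# or mismatched origin certificates (Squid's default, stated explicitly).
sslproxy_cert_error deny all

# Weak setting, shown for contrast: this would hide every origin certificate
# problem from the user, who has no way left to notice it.
# sslproxy_cert_error allow all
```

Running `squid -k parse` after editing checks the fragment for syntax errors before the proxy is reloaded.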
