Re: [squid-users] HTTPS sites

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 05 Oct 2001 09:05:33 +0200

Deb Heller-Evans wrote:
>
> Trying to understand another issue - it has been said that squid
> shouldn't be interception proxying requests to HTTPS sites, since
> they can't be cached, and the client hits the site directly.

Not only because they can't be cached, but the traffic between the
client and server is encrypted by SSL, and if you redirect SSL-encrypted
traffic to an HTTP proxy, the proxy will get confused as it
expects HTTP, not some unknown encrypted data.

> In my configuration, if I don't intercept this, and let them hit the
> site directly, then the request bypasses my VirusWall.

Correct.

But even if you send the requests via the proxy and VirusWall, the most
your VirusWall can do is to consider whether the user is allowed to
reach the requested site at all. All information including the requested URL is
encrypted and cannot be seen by proxies.

> So, this means that my user can be potentially infected by an https
> site. Also, we have https sites on our intranet, and it would be
> good for me to know that our own site might be infected, so I could
> take action (I don't administer all of them).

Correct.

Regards
Henrik Nordström
Received on Fri Oct 05 2001 - 01:06:37 MDT
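
The visibility limits described in the message above, as an added example that is not part of the original post: it classifies the first bytes a proxy receives and reports what is left to inspect. The function names, host names and sample byte strings are constructed for illustration, and the CONNECT case assumes a browser explicitly configured to use the proxy.

```python
from urllib.parse import urlsplit

def proxy_view(first_bytes):
    """Return what an HTTP proxy can learn from the first bytes of a client connection."""
    # SSLv3/TLS record header: content type 0x16 (handshake), major version 0x03.
    # This is what reaches the proxy when port 443 traffic is redirected to it.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return {"kind": "tls-record", "host": None, "url": None}
    request_line = first_bytes.split(b"\r\n", 1)[0]
    try:
        method, target, version = request_line.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return {"kind": "not-http", "host": None, "url": None}
    if not version.startswith("HTTP/"):
        return {"kind": "not-http", "host": None, "url": None}
    if method == "CONNECT":
        # Explicitly proxied HTTPS: only host:port is sent in the clear.
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            return {"kind": "not-http", "host": None, "url": None}
        return {"kind": "connect", "host": host, "url": None}
    # Plain proxied HTTP: the full URL (and later the body) is visible.
    return {"kind": "http", "host": urlsplit(target).hostname, "url": target}

def policy(view, denied_hosts):
    """Decide what a filtering proxy can do with the connection."""
    if view["host"] is None:
        return "reject"              # nothing parseable to base a decision on
    if view["host"].lower() in denied_hosts:
        return "deny"                # host-level access control still works
    # Content scanning is only possible when the payload is cleartext HTTP.
    return "scan" if view["kind"] == "http" else "tunnel-unscanned"

# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "redirected_443": bytes([0x16, 0x03, 0x00, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B]),
    "explicit_https": b"CONNECT intranet.example:443 HTTP/1.0\r\n\r\n",
    "explicit_http": b"GET http://www.example.com/files/setup.exe HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    denied = {"blocked.example"}
    for name, data in SAMPLES.items():
        view = proxy_view(data)
        print(name, view, policy(view, denied))
```

Only SSLv3/TLS record framing is recognised here; an SSLv2-style hello falls into the `not-http` case, which the proxy equally cannot parse.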