Re: [squid-users] https

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 14 Jun 2002 01:49:48 +0200

On Thursday 13 June 2002 23:12, Joe Cooper wrote:
> As I said, you can't do that. Transparent proxying of SSL traffic
> is not supported by Squid (or any proxy I know of).

There are some. It is, for example, supported by some special proxies
running on proxy-based firewalls that transparently intercept all
traffic, but these are just TCP proxies which exist for the only
purpose of applying the firewall rules and logging.

> I believe Henrik has mentioned in the past that it would be
> possible with some coding in Squid (basically hacking every SSL
> request into a CONNECT transparently). If you must have it, I
> reckon you could hire Henrik or someone else to implement it for
> you. It is considered to be a rather ugly hack by most or all of
> the developers, so it is unlikely that any will ever spend time on
> developing such a feature for fun.

The whole thing of tunneling SSL over an HTTP proxy at all is a big
ugly hack in my opinion.

SSL cannot be proxied without breaking SSL, only tunneled.

Adding the support to allow Squid to transparently tunnel SSL requests
is no bigger hack than to allow it to transparently proxy HTTP
requests, but it has not been done as there are more efficient ways of
"transparently" forwarding SSL traffic such as Masquerade/NAT, and if
you can do transparent proxying then you can by definition also do
Masquerade/NAT as all TCP implementations capable of supporting
transparent proxies are also capable of Masquerade/NAT.

If someone absolutely wants Squid to support transparent tunnelling
of SSL then sure, I can be hired to add the feature. Or if someone
else feels like doing it I could accept a patch to have it included
in future Squid versions (2.6).

Regards
Henrik
Received on Thu Jun 13 2002 - 18:24:10 MDT
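
Added example, not part of the original message and not Squid's code: what "only tunneled" means at an HTTP proxy. The proxy sees the plaintext `CONNECT host:port` request, applies a port policy, and from then on relays bytes it cannot interpret. The function names and the `ALLOWED_PORTS` policy are assumptions made for illustration.

```python
import selectors
import socket

ALLOWED_PORTS = {443}  # assumed policy for this example: tunnel to HTTPS only

def parse_connect(head: bytes):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', else None."""
    parts = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
        return None
    return host.strip("[]"), int(port)

def relay(a, b):
    """Copy bytes both ways until one side closes; return (a_to_b, b_to_a)."""
    sent = {a: 0, b: 0}
    with selectors.DefaultSelector() as sel:
        sel.register(a, selectors.EVENT_READ, b)
        sel.register(b, selectors.EVENT_READ, a)
        while True:
            for key, _ in sel.select():
                data = key.fileobj.recv(65536)
                if not data:
                    return sent[a], sent[b]
                key.data.sendall(data)  # never parsed: TLS stays end to end
                sent[key.fileobj] += len(data)

def handle_client(client, connect=socket.create_connection):
    """Serve one CONNECT; return ((host, port), byte counts) or None if refused."""
    head = b""
    while b"\r\n\r\n" not in head and len(head) < 8192:
        chunk = client.recv(4096)
        if not chunk:
            break
        head += chunk
    target = parse_connect(head) if b"\r\n\r\n" in head else None
    if target is None or target[1] not in ALLOWED_PORTS:
        status = b"400 Bad Request" if target is None else b"403 Forbidden"
        client.sendall(b"HTTP/1.1 " + status + b"\r\n\r\n")
        return None
    with connect(target) as upstream:
        client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        early = head.partition(b"\r\n\r\n")[2]  # bytes sent before the 200
        upstream.sendall(early)
        return target, relay(client, upstream)
```

The only things such a proxy can log or filter on are the requested host, the port and the byte counts; the payload is ciphertext to it.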
