Re: [squid-users] HTTPS on a port other than 81

From: K K <kkadow@dont-contact.us>
Date: Thu, 22 Feb 2007 09:56:42 -0600

On 2/22/07, Adrian Chadd <adrian@creative.net.au> wrote:
> On Thu, Feb 22, 2007, Krzysztof Pawlak wrote:
> > I have a problem with caching the following:

HTTPS content is inherently uncacheable.

> > https://student.qantmcollege.edu.au:2096/
> >
> > If Firefox doesn't use proxy for the mentioned url, everything is
> > fine. But if I activate proxy I have the following:

Unless you need to pass all traffic through a proxy (e.g. for policy
reasons), there really isn't much reason to activate proxy for HTTPS;
it may be better to set Firefox to not use a proxy for HTTPS content.

> It's because there's an ACL which limits which destination ports you can
> speak HTTP to. There's another ACL for HTTPS.
>
> Check out the ACLs to do with Safe_ports and the http_access lines which
> use an ACL that references "method CONNECT" for the SSL safe ports.

The risk of enabling additional destination ports in the Safe_ports
ACL is that if you are forcing all the traffic through a proxy for
policy enforcement reasons, allowing additional destination ports
makes it much easier to use CONNECT tunneling for unapproved and
dangerous protocols.

There are other (commercial only, TMK) proxies which will inspect the
conversation after the connect to ensure it looks like real SSL/TLS,
and a handful which will actually do MITM decryption and re-encryption
so they can inspect the protocol inside TLS.

Kevin
Received on Thu Feb 22 2007 - 08:56:54 MST
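The Safe_ports / SSL_ports / CONNECT interplay discussed above, as an added squid.conf fragment (not from this thread or from the Squid project): it uses Squid's stock ACL names, takes port 2096 from the URL in the question, and assumes a client network named localnet.

```squid
# Squid's stock port ACLs (names as in the default squid.conf).
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Narrow change for the site in this thread: add only port 2096 to the
# set of ports a CONNECT tunnel may target. Safe_ports already covers
# 2096 through the 1025-65535 range; it is the SSL_ports check on
# CONNECT that rejects the request.
acl SSL_ports port 2096

# Do NOT do this: it lets any client open a CONNECT tunnel to any port,
# which defeats the policy enforcement the proxy exists for.
# acl SSL_ports port 1-65535

# Order matters: deny unsafe ports and non-SSL CONNECT targets before
# any allow rule.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl localnet src 192.168.0.0/16   # assumed: your client network
http_access allow localnet
http_access deny all
```

With the stock configuration the browser's CONNECT to port 2096 is refused by the "deny CONNECT !SSL_ports" line, so the one-line SSL_ports addition is the smallest change that fixes the reported site without widening the tunnel policy.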
