Discussion:
[squid-users] Squid https_port
John Refwe
2018-09-14 17:49:38 UTC
_______________________________________________
squid-users mailing list
squid-***@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
John Refwe
2018-09-14 18:11:15 UTC
Hi (sorry resending this because the original sent as an html email),
 
I have a couple of questions about the squid https_port.
 
1) Does it only exist for transparent connections? I know if I want to have a transparent proxy that can accept TLS requests, I need to have the port be a https_port rather than a http_port, but is that what it was created for?
 
2) How come the https_port does not support receiving proxy protocol? Perhaps I'm misunderstanding a bit here, but I thought that HAProxy supports sending it before instantiating a TLS connection?
 
Thank you so much for the help and I'm sorry if I'm misunderstanding and these questions don't make sense.
Alex Rousskov
2018-09-14 21:25:28 UTC
On 09/14/2018 12:11 PM, John Refwe wrote:
 
Post by John Refwe
I have a couple of questions about the squid https_port.
 
1) Does it only exist for transparent connections?
No, it does not. It also supports encrypted connections between the
client and Squid. In that scenario, Squid can be called an HTTPS proxy.
Many modern browsers and other clients (e.g., curl) support HTTPS proxies.
Post by John Refwe
I know if I want to have a transparent proxy that can accept requests
TLS requests, I need to have the port be a https_port rather than a
http_port, but is that what it was created for?
IIRC, it was created for the HTTPS proxy support. Inspection of
intercepted TLS connections came much later.
Post by John Refwe
2) How come the https_port does not support receiving proxy protocol?
If it does not, then nobody added that support. There is nothing in the
PROXY protocol itself that would make it impossible to support on the
https_port AFAICT.
Post by John Refwe
I thought that HAProxy supports sending it before instantiating a TLS connection?
I do not know what HAProxy does or whether it supports talking to HTTPS
proxies at all, but the whole idea behind HTTPS proxying is to
protect/encrypt client-proxy communication. I would expect HAProxy to
send the PROXY header _inside_ the TLS connection to the HTTPS proxy,
not outside it!

Alex.
John Refwe
2018-11-29 23:16:45 UTC
Amos Jeffries
2018-11-30 10:03:01 UTC
Hi,
 
I'm encountering a ssl bump error when going
to https://www.finansinspektionen.se/
 
The error is similar in nature
to http://squid-web-proxy-cache.1019090.n4.nabble.com/Message-with-SSL-bump-with-a-specific-site-td4686867.html
TLS is a complex protocol. "Similar to" is not enough to be accurate.

Did you do what I suggested in that thread to closer identify what was
actually happening?
 
I took a packet capture and it didn't explain anything beyond what is
discussed in the above thread. I could readily reproduce it with both
squid 3.5 and squid 4.0. Interestingly, when I did an openssl s_client
to the domain and then pasted:
GET / HTTP/1.1
Host: www.finansinspektionen.se
Connection: keep-alive
 
Things seemed to work. So, it doesn't immediately seem to be an openssl
issue?
 
The test only shows that the default parameters your OpenSSL library
wants to use will work.

The parameters of the handshake outgoing from Squid are mediated by
settings the client uses and anything you have forced limits on through
squid.conf settings.
Is anyone able to reproduce this / maybe provide a little bit of insight
as to what might be happening?
 
Not from those clues.

Amos

Amos Jeffries
2018-09-14 23:08:51 UTC
Post by John Refwe
Hi,
 
I have a couple of questions about the squid https_port.
 
1) Does it only exist for transparent connections? I know if I want to
have a transparent proxy that can accept requests TLS requests, I need
to have the port be a https_port rather than a http_port, but is that
what it was created for?
https_port is for receiving port 443 https:// (HTTP over TLS) rather
than port 3128 or 80 http:// (HTTP over TCP).
Post by John Refwe
 
2) How come the https_port does not support receiving proxy protocol?
Perhaps I'm misunderstanding a bit here, but I thought that HAProxy
supports sending it before instantiating a TLS connection?
HAProxy does, Squid does not (yet). Mainly because OpenSSL was the code
receiving TLS handshakes. SSL-Bump changes that somewhat, but has not
stabilized enough yet to integrate PROXY protocol into the new TLS
parser. Patches welcome.

Amos
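As an added illustration (not code from this thread, from Squid or from HAProxy), the Python helper below classifies the first bytes a TLS listener receives, so an operator can tell whether an upstream load balancer is sending a cleartext PROXY header ahead of the TLS ClientHello, which is the combination Amos says Squid's https_port does not yet parse. The sample inputs are constructed.

```python
import re
from typing import Optional, Tuple

# PROXY protocol v2 opens with this fixed 12-byte binary signature.
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
# PROXY protocol v1 is a single ASCII line; only "UNKNOWN" may omit addresses.
PROXY_V1_RE = re.compile(
    rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n"
)


def classify_first_bytes(data: bytes) -> Tuple[str, Optional[dict]]:
    """Classify what arrived first on a listening socket.

    Returns ("proxy_v1", fields), ("proxy_v2", None),
    ("tls_client_hello", {"record_version": (major, minor)}) or ("unknown", None).
    For v1 headers, fields["remaining"] holds the bytes after the header,
    i.e. what a TLS stack would have to see for the handshake to succeed.
    """
    if data.startswith(PROXY_V2_SIG):
        return "proxy_v2", None
    m = PROXY_V1_RE.match(data)
    if m:
        proto = m.group(1).decode()
        if proto != "UNKNOWN" and m.group(2) is None:
            return "unknown", None  # addresses are mandatory for TCP4/TCP6
        fields = {"proto": proto, "remaining": data[m.end():]}
        if proto != "UNKNOWN":
            fields.update(src=m.group(2).decode(), dst=m.group(3).decode(),
                          src_port=int(m.group(4)), dst_port=int(m.group(5)))
        return "proxy_v1", fields
    # TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte length,
    # followed by handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls_client_hello", {"record_version": (data[1], data[2])}
    return "unknown", None


# Constructed samples: a minimal ClientHello record, and the same record
# preceded by a cleartext PROXY v1 line as a load balancer would send it.
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SAMPLE_PROXY_V1 = (b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 443\r\n"
                   + SAMPLE_CLIENT_HELLO)

if __name__ == "__main__":
    for sample in (SAMPLE_CLIENT_HELLO, SAMPLE_PROXY_V1, b"GET / HTTP/1.1\r\n"):
        print(classify_first_bytes(sample))
```

A listener that expects a TLS handshake but is classified as seeing "proxy_v1" is the failure mode discussed above: the PROXY line must be consumed before the bytes in `remaining` reach the TLS stack.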