Re: HTTPS transparent proxy with Squid

To: debian-isp@lists.debian.org
Subject: Re: HTTPS transparent proxy with Squid
From: Alson van der Meulen <alson@linuxfreak.nl>
Date: Thu, 26 Jul 2001 12:50:43 +0200
Message-id: <[🔎] 20010726125043.D17985@md2.mediadesign.nl>
Mail-followup-to: debian-isp@lists.debian.org
In-reply-to: <[🔎] 7186547819.20010726085253@ibd.ru>
References: <8B12F6A1231DD411A70600A0CC68AFC5138A20@NTSERVER> <[🔎] 20010725143308.A5184@md2.mediadesign.nl> <[🔎] 7186547819.20010726085253@ibd.ru>

On Thu, Jul 26, 2001 at 08:52:53AM +0400, Ant wrote:
> AvdM> HTTPS uses port 443, so it won't work with your current ipchains setup.
> AvdM> You might be able to start a second squid process, and redirect HTTPS
> AvdM> requists through it.
> Could you tell me how to redirect HTTPS through squid, and give an example of
> configuration. It is very interesting for me for the ICQ with HTTPS proxing option
> enabled.
Just look for HTTPS proxy options in ICQ...

a few points:
- Don't use transparant proxying if you don't really need it. Some
  services (last time I cheked the hotmail attachment function didn't
  work thru a transparant proxy). This is because some pages check for
  proxy settings, and use some different way if a proxy is detected.
  They won't detect a transparant proxy though. There often are ways you
  can set proxy settings centralized, f.e. in Windows 9x and NT4, you
  can make some 'policy' to do it (contact me if you need an
  administrative template for it). Windows 2000 can set it in group
  policies. In *nix you can often set it using some export
  http_proxy=http://foo:8080 (or ftp_proxy) in /etc/profile, or setenv
  http_proxy http://foo:8080 in cshrc for csh. I guess there are
  similair ways to do it for netscape & friends. For other proxy
  settings, consult your application's manual.

- HTTPS won't be cached by any proxy, for security reasons, so proxying
  HTTPS won't speed up anything. If possible, just NAT (masquerade) it.

- The only valid reason to transproxy HTTPS is if your internet
  connection does not allow direct connections to port 443 (some
  restrictive firewall f.e.), and the clients are too decentralized to
  enforce real proxy settings.

I think you'll need specific HTTPS transproxy support in squid (or some
other transproxy) to be able to transproxy HTTPS. The HTTPS requests
should just be tunneled thru a proxy (using CONNECT, read my previous
mail for more info). AFAIK a transparant proxy usually uses GET
requests, for normal HTTP requests. Since HTTPS is encrypted, you can't
decode the GET request, and translate it in some proxy GET request. The
transparant proxy should establish a CONNECTion thru the proxy, and
redirect the traffic thru that tunnel.

If you find (or make) a transparant proxy with HTTPS support (thru
CONNECT), you'll have to set it up in ipchains just like http
(substitute all occurances of port 80 with port 443). Then instruct the
transparant proxy to listen for requests to port 443 (http_accel_port
443).

I never really tested transproxying with HTTPS, always just masqueraded
it, so don't ask me for real example configurations for transproxy HTTPS
;)

Cheers,
Alson

Reply to:

References:
- Re: HTTPS transparent proxy with Squid
  - From: Alson van der Meulen <alson@linuxfreak.nl>
- Re[2]: HTTPS transparent proxy with Squid
  - From: Ant <Ant@ibd.ru>

Prev by Date: rsync and named-xfer
Next by Date: portable recommendation
Previous by thread: Re[2]: HTTPS transparent proxy with Squid
Next by thread: nslookup and dig
Index(es):
- Date
- Thread