Re: HTTPS transparent proxy with Squid
On Thu, Jul 26, 2001 at 08:52:53AM +0400, Ant wrote:
> AvdM> HTTPS uses port 443, so it won't work with your current ipchains setup.
> AvdM> You might be able to start a second squid process, and redirect HTTPS
> AvdM> requests through it.
> Could you tell me how to redirect HTTPS through squid, and give an example of
> configuration. It is very interesting for me for the ICQ with HTTPS proxying option
Just look for HTTPS proxy options in ICQ...
A few points:
- Don't use transparent proxying if you don't really need it. Some
services don't work with it (last time I checked the hotmail attachment
function didn't work thru a transparent proxy). This is because some
pages check for proxy settings, and use some different way if a proxy is
detected. They won't detect a transparent proxy though. There often are
ways you can set proxy settings centralized, f.e. in Windows 9x and NT4,
you can make some 'policy' to do it (contact me if you need an
administrative template for it). Windows 2000 can set it in group
policies. In *nix you can often set it using some export
http_proxy=http://foo:8080 (or ftp_proxy) in /etc/profile, or setenv
http_proxy http://foo:8080 in cshrc for csh. I guess there are
similar ways to do it for netscape & friends. For other proxy
settings, consult your application's manual.
- HTTPS won't be cached by any proxy, for security reasons, so proxying
HTTPS won't speed up anything. If possible, just NAT (masquerade) it.
- The only valid reason to transproxy HTTPS is if your internet
connection does not allow direct connections to port 443 (some
restrictive firewall f.e.), and the clients are too decentralized to
enforce real proxy settings.
I think you'll need specific HTTPS transproxy support in squid (or some
other transproxy) to be able to transproxy HTTPS. The HTTPS requests
should just be tunneled thru a proxy (using CONNECT, read my previous
mail for more info). AFAIK a transparent proxy usually uses GET
requests, for normal HTTP requests. Since HTTPS is encrypted, you can't
decode the GET request, and translate it in some proxy GET request. The
transparent proxy should establish a CONNECTion thru the proxy, and
redirect the traffic thru that tunnel.
If you find (or make) a transparent proxy with HTTPS support (thru
CONNECT), you'll have to set it up in ipchains just like http
(substitute all occurrences of port 80 with port 443). Then instruct the
transparent proxy to listen for requests to port 443 (http_accel_port
I never really tested transproxying with HTTPS, always just masqueraded
it, so don't ask me for real example configurations for transproxy HTTPS
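The two points made in the mail above (a proxy cannot turn an encrypted port-443 stream into a GET request, so it has to open a CONNECT tunnel and pass the bytes through untouched) as an added, self-contained Python example. This is not code from the mail or from Squid: the "proxy" is a fake one on localhost that answers CONNECT and simply echoes the tunnelled bytes back instead of relaying them, and the allowed-port check stands in for restricting CONNECT to a few ports (the same idea as the `SSL_ports` ACL in a default squid.conf). The sample request bytes and TLS record prefix are constructed, not captured traffic.

```python
import re
import socket
import threading

# Constructed sample inputs (not captured traffic): a plain HTTP request as a
# transparent proxy sees it on port 80, and the first bytes of a TLS handshake
# record as the same proxy would see them on port 443.
PLAIN_HTTP_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
TLS_RECORD_PREFIX = bytes.fromhex("160301")  # content type 22 (handshake), version 3.1


def classify_first_bytes(data: bytes) -> str:
    """'http' if the bytes start with a request line a transparent proxy could
    rewrite into a proxy request, 'tls' if they start a TLS record (encrypted,
    so there is no GET line to rewrite), else 'unknown'."""
    if re.match(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", data):
        return "http"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    return "unknown"


def build_connect_request(host: str, port: int) -> bytes:
    """Client side of the tunnel: ask the proxy for a raw TCP tunnel to host:port."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode()


def parse_connect_target(request_line: bytes):
    """Proxy side: extract (host, port) from a CONNECT request line, or None."""
    m = re.match(rb"^CONNECT ([A-Za-z0-9.-]+):(\d{1,5}) HTTP/1\.[01]$", request_line)
    if not m:
        return None
    port = int(m.group(2))
    return (m.group(1).decode(), port) if 0 < port < 65536 else None


def _read_headers(sock: socket.socket) -> bytes:
    """Read until the blank line that ends an HTTP header block (or EOF)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _fake_proxy(listener: socket.socket, allowed_ports=(443,)):
    """Stand-in proxy (hypothetical, not Squid): accept one CONNECT, allow only
    the listed destination ports, then echo the tunnelled bytes back unchanged
    instead of relaying them to a real server."""
    conn, _ = listener.accept()
    with conn:
        request_line = _read_headers(conn).split(b"\r\n", 1)[0]
        target = parse_connect_target(request_line)
        if target is None or target[1] not in allowed_ports:
            conn.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")
            return
        conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
        payload = conn.recv(4096)
        conn.sendall(payload)  # opaque to the proxy: forwarded, never parsed


def connect_through_proxy(host: str, port: int, payload: bytes):
    """Run the whole exchange against the fake proxy on localhost and return
    (proxy status line, bytes that came back through the tunnel)."""
    listener = socket.socket()
    try:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        threading.Thread(target=_fake_proxy, args=(listener,), daemon=True).start()
        with socket.create_connection(listener.getsockname()) as client:
            client.sendall(build_connect_request(host, port))
            status_line = _read_headers(client).split(b"\r\n", 1)[0]
            if not status_line.startswith(b"HTTP/1.0 200"):
                return status_line.decode(), b""
            client.sendall(payload)
            return status_line.decode(), client.recv(4096)
    finally:
        listener.close()


if __name__ == "__main__":
    print(classify_first_bytes(PLAIN_HTTP_REQUEST), classify_first_bytes(TLS_RECORD_PREFIX))
    print(connect_through_proxy("www.example.com", 443, TLS_RECORD_PREFIX))
    print(connect_through_proxy("www.example.com", 25, b"EHLO x\r\n"))
```

`classify_first_bytes` shows why the intercepting proxy cannot do for port 443 what it does for port 80: the first bytes on 443 are a TLS record, not a request line. `connect_through_proxy` then walks through the tunnel the mail describes: CONNECT, a 200 from the proxy, and the encrypted bytes passed through unread. The port check is the defensive detail worth keeping in a real setup, since an unrestricted CONNECT turns the proxy into an open TCP relay.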