Re: [squid-dev] Why squid would not allow non encrypted "https://" in a request?

2015-12-23 Thread Alex Rousskov 

On 12/22/2015 09:08 PM, Eliezer Croitoru wrote:


There was probably an issue with the network connectivity while I was
testing since it works now.


Yes, Squid supports this. AFAIK, this feature is used in production 
environments, with client SSL certificate-based authentication.


AFAIK, recent Firefox and Chrome releases support HTTPS proxies, but 
your need a PAC file to configure Firefox (not sure about Chrome). I 
hope Curl will support HTTPS proxies soon as well:

  https://github.com/bagder/curl/pull/305


HTH,

Alex.



On 22/12/2015 21:16, Eliezer Croitoru wrote:

I was wondering to myself about it for a while now.
A client can fetch http:/x/y using a regular netcat using squid or in
the case it wants to use squid for a TCP connection it will use a
CONNECT request.
But squid doesn't allow clients to use it as a fully trusted https
proxy, IE to send the next request to squid:
GET https://www.secured.example.com/ HTTP/1.1
Host: www.secured.example.com
Other-Headers: ...

..and possibly a body
##END OF Request

I do have a proxy program that supports this feature and one usage case
I do have in mind is some trusted\secured automated closed environment
which uses the proxy to access the external world and that the proxy is
the admin delegated ssl enforcement authority.

I know that browsers do not implement this kind of a feature but I think
it should be a feature.

I am looking for pros and cons of enabling such a feature.
pros:
- Allows full ssl delegation without any addition implications in the
client side ssl implementation.

cons:
- Being transmitted over a non secured channel(IE plain text)

Thanks,
Eliezer
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev


___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Re: [squid-dev] Why squid would not allow non encrypted "https://" in a request?

2015-12-23 Thread Kinkie 
On Wed, Dec 23, 2015 at 11:30 PM, Alex Rousskov
 wrote:
> On 12/22/2015 09:08 PM, Eliezer Croitoru wrote:
>
>> There was probably an issue with the network connectivity while I was
>> testing since it works now.
>
>
> Yes, Squid supports this. AFAIK, this feature is used in production
> environments, with client SSL certificate-based authentication.
>
> AFAIK, recent Firefox and Chrome releases support HTTPS proxies, but your
> need a PAC file to configure Firefox (not sure about Chrome). I hope Curl
> will support HTTPS proxies soon as well:
>   https://github.com/bagder/curl/pull/305

I've tested it working OK with Chrome via return "HTTPS proxy:port"
pacfile syntax.
I was not able to test it with Firefox, nor to achieve client
certificate-based access control.
Any success story (and configuration snippet) is highly welcome :)

  Kinkie
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

[squid-dev] Why squid would not allow non encrypted "https://" in a request?

2015-12-22 Thread Eliezer Croitoru 

I was wondering to myself about it for a while now.
A client can fetch http:/x/y using a regular netcat using squid or in 
the case it wants to use squid for a TCP connection it will use a 
CONNECT request.
But squid doesn't allow clients to use it as a fully trusted https 
proxy, IE to send the next request to squid:

GET https://www.secured.example.com/ HTTP/1.1
Host: www.secured.example.com
Other-Headers: ...

..and possibly a body
##END OF Request

I do have a proxy program that supports this feature and one usage case 
I do have in mind is some trusted\secured automated closed environment 
which uses the proxy to access the external world and that the proxy is 
the admin delegated ssl enforcement authority.


I know that browsers do not implement this kind of a feature but I think 
it should be a feature.


I am looking for pros and cons of enabling such a feature.
pros:
- Allows full ssl delegation without any addition implications in the 
client side ssl implementation.


cons:
- Being transmitted over a non secured channel(IE plain text)

Thanks,
Eliezer
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Re: [squid-dev] Why squid would not allow non encrypted "https://" in a request?

2015-12-22 Thread Eliezer Croitoru 

Answering to myself...

There was probably an issue with the network connectivity while I was 
testing since it works now.


Eliezer

On 22/12/2015 21:16, Eliezer Croitoru wrote:

I was wondering to myself about it for a while now.
A client can fetch http:/x/y using a regular netcat using squid or in
the case it wants to use squid for a TCP connection it will use a
CONNECT request.
But squid doesn't allow clients to use it as a fully trusted https
proxy, IE to send the next request to squid:
GET https://www.secured.example.com/ HTTP/1.1
Host: www.secured.example.com
Other-Headers: ...

..and possibly a body
##END OF Request

I do have a proxy program that supports this feature and one usage case
I do have in mind is some trusted\secured automated closed environment
which uses the proxy to access the external world and that the proxy is
the admin delegated ssl enforcement authority.

I know that browsers do not implement this kind of a feature but I think
it should be a feature.

I am looking for pros and cons of enabling such a feature.
pros:
- Allows full ssl delegation without any addition implications in the
client side ssl implementation.

cons:
- Being transmitted over a non secured channel(IE plain text)

Thanks,
Eliezer
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev


___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev