Re: [squid-dev] Why squid would not allow non encrypted "https://" in a request?
On 12/22/2015 09:08 PM, Eliezer Croitoru wrote: There was probably an issue with the network connectivity while I was testing since it works now. Yes, Squid supports this. AFAIK, this feature is used in production environments, with client SSL certificate-based authentication. AFAIK, recent Firefox and Chrome releases support HTTPS proxies, but your need a PAC file to configure Firefox (not sure about Chrome). I hope Curl will support HTTPS proxies soon as well: https://github.com/bagder/curl/pull/305 HTH, Alex. On 22/12/2015 21:16, Eliezer Croitoru wrote: I was wondering to myself about it for a while now. A client can fetch http:/x/y using a regular netcat using squid or in the case it wants to use squid for a TCP connection it will use a CONNECT request. But squid doesn't allow clients to use it as a fully trusted https proxy, IE to send the next request to squid: GET https://www.secured.example.com/ HTTP/1.1 Host: www.secured.example.com Other-Headers: ... ..and possibly a body ##END OF Request I do have a proxy program that supports this feature and one usage case I do have in mind is some trusted\secured automated closed environment which uses the proxy to access the external world and that the proxy is the admin delegated ssl enforcement authority. I know that browsers do not implement this kind of a feature but I think it should be a feature. I am looking for pros and cons of enabling such a feature. pros: - Allows full ssl delegation without any addition implications in the client side ssl implementation. cons: - Being transmitted over a non secured channel(IE plain text) Thanks, Eliezer ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] Why squid would not allow non encrypted "https://" in a request?
On Wed, Dec 23, 2015 at 11:30 PM, Alex Rousskovwrote: > On 12/22/2015 09:08 PM, Eliezer Croitoru wrote: > >> There was probably an issue with the network connectivity while I was >> testing since it works now. > > > Yes, Squid supports this. AFAIK, this feature is used in production > environments, with client SSL certificate-based authentication. > > AFAIK, recent Firefox and Chrome releases support HTTPS proxies, but your > need a PAC file to configure Firefox (not sure about Chrome). I hope Curl > will support HTTPS proxies soon as well: > https://github.com/bagder/curl/pull/305 I've tested it working OK with Chrome via return "HTTPS proxy:port" pacfile syntax. I was not able to test it with Firefox, nor to achieve client certificate-based access control. Any success story (and configuration snippet) is highly welcome :) Kinkie ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
[squid-dev] Why squid would not allow non encrypted "https://" in a request?
I was wondering to myself about it for a while now. A client can fetch http:/x/y using a regular netcat using squid or in the case it wants to use squid for a TCP connection it will use a CONNECT request. But squid doesn't allow clients to use it as a fully trusted https proxy, IE to send the next request to squid: GET https://www.secured.example.com/ HTTP/1.1 Host: www.secured.example.com Other-Headers: ... ..and possibly a body ##END OF Request I do have a proxy program that supports this feature and one usage case I do have in mind is some trusted\secured automated closed environment which uses the proxy to access the external world and that the proxy is the admin delegated ssl enforcement authority. I know that browsers do not implement this kind of a feature but I think it should be a feature. I am looking for pros and cons of enabling such a feature. pros: - Allows full ssl delegation without any addition implications in the client side ssl implementation. cons: - Being transmitted over a non secured channel(IE plain text) Thanks, Eliezer ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] Why squid would not allow non encrypted "https://" in a request?
Answering to myself... There was probably an issue with the network connectivity while I was testing since it works now. Eliezer On 22/12/2015 21:16, Eliezer Croitoru wrote: I was wondering to myself about it for a while now. A client can fetch http:/x/y using a regular netcat using squid or in the case it wants to use squid for a TCP connection it will use a CONNECT request. But squid doesn't allow clients to use it as a fully trusted https proxy, IE to send the next request to squid: GET https://www.secured.example.com/ HTTP/1.1 Host: www.secured.example.com Other-Headers: ... ..and possibly a body ##END OF Request I do have a proxy program that supports this feature and one usage case I do have in mind is some trusted\secured automated closed environment which uses the proxy to access the external world and that the proxy is the admin delegated ssl enforcement authority. I know that browsers do not implement this kind of a feature but I think it should be a feature. I am looking for pros and cons of enabling such a feature. pros: - Allows full ssl delegation without any addition implications in the client side ssl implementation. cons: - Being transmitted over a non secured channel(IE plain text) Thanks, Eliezer ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev