We do use proxy_auth and that initial Basic Auth box should be encrypted. We only have port 443 open so the username/password can't be coming in on port 80.

We encrypt (SSL) because it is a reverse proxy, where users are accessing extranets with information for internal employees and customers only. Adam pointed out a way that he says is a cleaner setup for outbound traffic. Our infrastructure is somewhat complicated too, done that way for security. This works for us in reverse proxy (accelerated mode). To the end user, they think the proxy server is the webserver; they don't/can't know otherwise. In this case it is easier to set up the SSL than the normal proxy configuration you are setting up.

Webuser --> ssl --> fw --> reverse proxy --> no ssl, ldap auth'd --> fw --> reverse proxy --> fw --> back end webservers

(The user only talks to the first rp. Rp1 only talks to the second rp. Rp2 talks to the back end webservers. Inner and outer DMZ areas. The user is always ssl to the first reverse proxy; the rest of the pass-through traffic (from first proxy to the next one) is not.)

Squid 3.0.pre:

    acl netusers src all
    acl authenticated proxy_auth REQUIRED
    http_access allow netusers authenticated

-----Original Message-----
From: Rick Whitley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 15, 2004 10:50 AM
To: [EMAIL PROTECTED]; Chris Perreault
Subject: RE: [squid-users] Re: Encrypted traffic with proxy server?

Does your configuration use proxy_auth and is the initial communication encrypted? (dialog box). Is there a place I can go to see examples of this?

rick...
Rom.5:8

>>> Chris Perreault <[EMAIL PROTECTED]> 7/14/2004 9:56:54 AM >>>
We've set up a reverse proxy with the --enable-ssl option. Our back end webservers are http on port 80. Squid only accepts traffic from port 443. The browsers are connecting to the proxy (run in accelerator/reverse proxy mode). All traffic between internet users and the proxy is ssl. From the proxy to our web servers it is not ssl. A proxy is not the same as a reverse proxy, although it is close.

One solution would be to have 2 squid boxes in a server room, where the only sniffing that could be done would have to be done within the server room. Configure one as a reverse proxy, sending all traffic to the normal proxy.

Student PC --> ssl connection --> squid as reverse proxy in server room --> port 80 --> squid as proxy in server room --> internet webservers

Chris Perreault

-----Original Message-----
From: Adam Aube [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 14, 2004 10:31 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Re: Encrypted traffic with proxy server?

Rick Whitley wrote:
> We would like to encrypt all network traffic on the segment our proxy
> server is on. Will a proxy server work with encrypted traffic. If I am
> asking this wrong please forgive me. We would like to remove the
> ability for users on this segment to sniff packets.

Squid supports encrypted connections to clients (use the --enable-ssl configure option), but to date no known browser supports encrypted connections to proxy servers.

You could use something like Stunnel (www.stunnel.org) on the client to connect to the proxy, then have the browser use 127.0.0.1 as the proxy server.

This is just a suggestion - I have not tried this exact setup, so I can't say for sure if it will work.

Adam
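The point Chris makes above (proxy_auth Basic credentials are only safe because the one listening port is the SSL one) is easy to lose when someone later adds a plaintext http_port to the same squid.conf. The script below is an added example, not code from any of the messages in this thread or from the Squid project: it parses a squid.conf fragment and flags the case where proxy_auth is enforced by an http_access rule while a plaintext http_port listener exists (or no https_port exists). The two config fragments are constructed; the https_port options (accel, defaultsite=, cert=, key=) follow Squid 3.x syntax as I understand it, the certificate paths are placeholders, and the auth_param line that proxy_auth also needs is omitted since the lint does not inspect it.

```python
"""Lint a squid.conf fragment for proxy_auth credentials exposed over a
plaintext listener. Constructed example; not from the squid-users thread."""
from dataclasses import dataclass, field
from typing import List, Set

# Constructed "weak" fragment: the thread's ACLs, but behind a plaintext port.
WEAK_CONF = """
http_port 3128
acl netusers src all
acl authenticated proxy_auth REQUIRED
http_access allow netusers authenticated
http_access deny all
"""

# Constructed "hardened" fragment: the reverse-proxy layout the thread describes,
# TLS-only listener, origin server reached over plain port 80 on the inside.
HARDENED_CONF = """
# cert/key paths are PLACEHOLDERS, not real files
https_port 443 accel defaultsite=extranet.example.invalid cert=/PLACEHOLDER/cert.pem key=/PLACEHOLDER/key.pem
cache_peer 10.0.0.2 parent 80 0 no-query originserver
acl netusers src all
acl authenticated proxy_auth REQUIRED
http_access allow netusers authenticated
http_access deny all
"""


@dataclass
class SquidListeners:
    http_ports: List[str] = field(default_factory=list)   # plaintext listeners
    https_ports: List[str] = field(default_factory=list)  # TLS listeners
    proxy_auth_acls: Set[str] = field(default_factory=set)
    auth_enforced: bool = False  # an http_access rule references a proxy_auth acl


def parse_squid_conf(text: str) -> SquidListeners:
    """Collect listeners, proxy_auth ACL names and whether any access rule uses them."""
    cfg = SquidListeners()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0]
        if directive == "http_port" and len(tokens) > 1:
            cfg.http_ports.append(tokens[1])
        elif directive == "https_port" and len(tokens) > 1:
            cfg.https_ports.append(tokens[1])
        elif directive == "acl" and len(tokens) >= 3 and tokens[2] == "proxy_auth":
            cfg.proxy_auth_acls.add(tokens[1])
        elif directive == "http_access" and len(tokens) >= 3:
            # ACL names may be negated with "!"; strip it before matching.
            names = {t.lstrip("!") for t in tokens[2:]}
            if names & cfg.proxy_auth_acls:
                cfg.auth_enforced = True
    return cfg


def find_cleartext_auth_exposure(text: str) -> List[str]:
    """Return findings; empty list means proxy_auth is only reachable over TLS."""
    cfg = parse_squid_conf(text)
    findings = []
    if cfg.auth_enforced:
        for port in cfg.http_ports:
            findings.append(
                f"proxy_auth credentials can be sent in clear over http_port {port}")
        if not cfg.https_ports:
            findings.append(
                "proxy_auth is enforced but no https_port (TLS) listener is configured")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, find_cleartext_auth_exposure(conf) or "OK")
```

Run it against a real squid.conf by reading the file into `find_cleartext_auth_exposure`. A clean result only says the Basic Auth dialog is not reachable over a plaintext listener on this box; the hop from the first reverse proxy to the second is still plaintext in the design above, which is why the thread keeps that hop inside the server room / DMZ.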
