Hi,
On Thu, 1 Mar 2001, Taylor, ForrestX wrote:
> I asked this question earlier, but I did not get an answer.
>
> Why can I not use transparent proxy for https???
>
Here's how a browser handles https with a proxy.

If you look at your browser (Netscape in my example) config you'll see
that the https proxy is exactly the same as your http proxy and probably
even your ftp proxy.

- user types: https://www.some.where/path
- browser connects to proxy (e.g. squid port 3128) and says
    CONNECT www.some.where:443
  All this goes in plain text.
- proxy makes tcp connection to port 443 on server www.some.where
- server starts SSL negotiations with browser
- proxy now just ferries packets back and forth
- inside the encrypted stream the browser sends
    GET /path
  and a whole lot of other HTTP headers.

The proxy cannot see anything in the stream because it's all encrypted.

Without a proxy configured in the browser:

- user types https://www.some.where/path
- browser connects to www.some.where port 443
- encryption negotiation takes place
- stream is encrypted

Since squid cannot cache the content (the outgoing URL is hidden in the
encrypted stream) there's no point putting the functionality into
squid. All that squid could do would be forward packets, slowing down the
stream.

Colin
Received on Thu Mar 01 2001 - 19:45:57 MST
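
What a proxy can read from the first bytes of a client connection in each case described in the message above, as an added example that is not part of the original post or of Squid's code. The function name `proxy_view` and the sample byte strings are constructed for illustration.

```python
import re

# Request line a browser sends to an explicitly configured proxy.
CONNECT_RE = re.compile(rb"^CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]\r\n")
# Ordinary proxied HTTP request: the full URL travels in the clear.
HTTP_RE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def proxy_view(first_bytes: bytes) -> dict:
    """Report what a proxy learns from the first bytes a client sends."""
    m = CONNECT_RE.match(first_bytes)
    if m:
        # Explicit proxy: host and port are plain text, the path is not sent here.
        return {"kind": "connect", "host": m.group(1).decode("ascii"),
                "port": int(m.group(2)), "url_visible": False}
    m = HTTP_RE.match(first_bytes)
    if m:
        return {"kind": "http", "url": m.group(2).decode("ascii"),
                "url_visible": True}
    # SSLv3/TLS record header: content type 0x16 (handshake), major version 3.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        # Intercepted port-443 traffic: handshake bytes only, no request line.
        return {"kind": "tls", "url_visible": False}
    # SSLv2-format ClientHello: length with high bit set, message type 1.
    if len(first_bytes) >= 3 and first_bytes[0] & 0x80 and first_bytes[2] == 0x01:
        return {"kind": "tls", "url_visible": False}
    return {"kind": "unknown", "url_visible": False}


# Constructed sample inputs, one per case in the message.
SAMPLES = {
    "explicit_proxy": b"CONNECT www.some.where:443 HTTP/1.0\r\nUser-Agent: x\r\n\r\n",
    "plain_http": b"GET http://www.some.where/path HTTP/1.0\r\n\r\n",
    "intercepted_443": bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, proxy_view(data))
```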