Re: [squid-users] HTTPS sites

From: Joe Cooper <joe@dont-contact.us>
Date: Fri, 05 Oct 2001 13:46:58 -0500

Deb Heller-Evans wrote:

> Meanwhile, Joe Cooper says:
> |
> | If you are performing interception (transparent) proxying, as I seem to
> | recall you are, your Squid isn't seeing those packets. Squid doesn't
> | handle tunnelling of SSL requests unless the browser is explicitly
> | configured to use the proxy--so you can't redirect 443 over to Squid,
> | and if it isn't redirected then Squid doesn't see them.
>
> Wow, have you ever illuminated the holes in my knowledge. It all
> begins to make more sense to me (See that LightBulb over my head?
> See how it is getting brighter??).

Good. That's what we're here for.

> | If VirusWall can be used in an interception configuration even with SSL
> | connections (it is possible I think, and Henrik has explained some time
> | ago on this list how it could be accomplished), then you may wish to
> | implement some form of port forwarding to redirect SSL requests on port
> | 443 over to the VirusWall. It will then log those requests, I presume.
> | As it is, it never sees them either.
>
> Hmmm... I didn't catch this discussion in the archives - I'll have to
> do another search.

I should point out that Henrik explained how it could be implemented,
but it would require significant programming to do it. It's not a
simple configuration change. So it may not be worth searching for, except
for further illumination of the topic.

> | If you aren't using interception proxying, and your browsers are
> | explicitly configured, then just fill in the Squid address for all of
> | your clients' SSL connections in addition to HTTP. You'll get logging of
> | those requests just like any other.
>
> Actually, I'm testing both interception and explicit proxying
> configs to see which would gain us the better control, logging,
> and response times - not necessarily in that order!
>
> Joe, Thanks for the tips. I appreciate your clarity. More work to do!

You're welcome.
                                   --
                      Joe Cooper <joe@swelltech.com>
                  Affordable Web Caching Proxy Appliances
                         http://www.swelltech.com
Received on Fri Oct 05 2001 - 12:42:28 MDT
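
An added example, not part of the original message: with browsers explicitly configured to use the proxy, HTTPS reaches Squid as a CONNECT request, so the native access.log records the client, the destination host:port and the byte count, but no URL path. The script below summarizes those tunnel entries; the log lines are constructed samples and the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1002307618.101    212 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.5 text/html
1002307620.447   4512 192.168.1.10 TCP_MISS/200 3912 CONNECT secure.example.com:443 - DIRECT/203.0.113.9 -
1002307625.902   9040 192.168.1.22 TCP_MISS/200 18230 CONNECT bank.example.net:443 - DIRECT/198.51.100.7 -
1002307631.338     15 192.168.1.22 TCP_DENIED/403 1043 CONNECT chat.example.org:5190 - NONE/- text/html
1002307640.010   1200 192.168.1.10 TCP_MISS/200 700 CONNECT secure.example.com:443 - DIRECT/203.0.113.9 -
"""


def parse_line(line):
    """Split one native-format line into the fields used below, or None."""
    f = line.split()
    if len(f) < 10 or not f[4].isdigit():
        return None  # truncated or malformed line
    action, _, status = f[3].partition("/")
    return {"client": f[2], "action": action, "status": status,
            "bytes": int(f[4]), "method": f[5], "url": f[6]}


def summarize_tunnels(log_text):
    """Aggregate CONNECT entries per (client, host, port)."""
    tunnels = defaultdict(lambda: {"count": 0, "bytes": 0, "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        # For CONNECT the URL field is only "host:port"; the tunnelled
        # request's path and headers are encrypted and never logged.
        host, _, port = rec["url"].rpartition(":")
        if not host:
            host, port = rec["url"], ""
        entry = tunnels[(rec["client"], host, port)]
        entry["count"] += 1
        entry["bytes"] += rec["bytes"]
        if rec["action"] == "TCP_DENIED":
            entry["denied"] += 1
    return dict(tunnels)


if __name__ == "__main__":
    for (client, host, port), s in sorted(summarize_tunnels(SAMPLE_LOG).items()):
        print(f"{client} -> {host}:{port} tunnels={s['count']} "
              f"bytes={s['bytes']} denied={s['denied']}")
```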
