Re: [squid-users] Dumb Lurker question

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 05 Apr 2002 21:18:49 +0200

Raymond Jacob wrote:
>
> I realize that in order for the squid server to proxy the ssl
> openssl libraries must be installed.

No. Why should it be required?

Proxying of SSL does not require any knowledge of SSL, as SSL is an
end-to-end protocol.

> Question: Does this
> mean that client opens an ssl connection to squid server;
> the squid server and the client do a key exchange; the
> squid server then opens up a connection to the destination,
> does a key exchange and downloads the webpage. The
> server then sends the page to the client over the
> SSL connection between squid and the client?
> Is this correct?

Only if you are running Squid as a web server accelerator with SSL
termination, and in such case SSL will only be used between the client
and Squid, not between Squid and the accelerated server.

Normal proxied SSL traffic is simply tunnelled by Squid using the CONNECT
method. This establishes a full-duplex TCP tunnel via the proxy, where
Squid will forward traffic as-is in both directions. Should be obvious
to most why the default squid.conf is very restrictive on which ports
are acceptable for use in CONNECT.

Regards
Henrik Nordström
Squid Developer
Received on Fri Apr 05 2002 - 14:06:15 MST
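
Added example, not part of the original message and not Squid's code: a Python illustration of the CONNECT handling described above, where the proxy's only decision is whether the requested port is allowed, after which it copies bytes unchanged in both directions. The allowlist contents and all function names are assumptions of this example.

```python
import re
import socket
import threading

# Assumption of this example: only the HTTPS port may be tunnelled.
ALLOWED_CONNECT_PORTS = {443}

CONNECT_RE = re.compile(r"CONNECT ([A-Za-z0-9.-]+):(\d{1,5}) HTTP/1\.[01]")

def parse_connect(request_line):
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    m = CONNECT_RE.fullmatch(request_line.strip())
    if not m:
        return None
    port = int(m.group(2))
    return (m.group(1), port) if 0 < port < 65536 else None

def decide(request_line):
    """Return (status, target). The port is all the proxy can check,
    because everything after the 200 reply is opaque to it."""
    target = parse_connect(request_line)
    if target is None:
        return 400, None
    if target[1] not in ALLOWED_CONNECT_PORTS:
        return 403, None
    return 200, target

def pump(src, dst):
    """Copy bytes one way, unmodified; no SSL parsing or SSL library involved."""
    try:
        while (chunk := src.recv(4096)):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate end-of-stream to the peer
        except OSError:
            pass

def tunnel(client, upstream):
    """Full-duplex relay between two connected sockets, one thread per direction."""
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
```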
