Re: [squid-users] WCCP2 L2 redirect with Squid transparent

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 27 Aug 2010 20:28:39 +1200

Nyamul Hassan wrote:
> Hi,
>
> Some time ago, a sales pitch from a very well-known proxy vendor
> claimed to have SSL working seamlessly through their cache. Does
> anyone know of a commercial proxy solution that can work without this
> explicit config on the client side?

A TCP-level proxy is needed to legally do that. Squid does not pass
packets through anonymously, but requires the HTTP headers to be visible
for security checks.

HTTPS is designed specifically to prevent middleware decrypting traffic
without the client being informed. Which is why the client needs to
trust the proxy.

>
> On 2010-08-27, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> Shawn Wright wrote:
>>> Got it working after closer inspection of tcpdump output, which revealed a
>>> routing problem.
>>>
>>> Now I need to move on to SSL traffic. We are using Squid 2.6-20 in
>>> production, so clearly we need to upgrade to use SSLbump. Which version of
>>> squid is considered most stable for use with SSLbump, in conjunction with
>>> many ACLs and delay pools?
>>>
>>> Thanks
>>>
>> I should mention that SSL Bump only works for browsers configured
>> explicitly to know the proxy is there and also to trust the proxy
>> generated SSL certificates.
>>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.7
   Beta testers wanted for 3.2.0.1
Received on Fri Aug 27 2010 - 08:28:46 MDT
