Okay, I understand now.
In transparent mode--squid has no way of handling the SSL traffic
unless it was to serve as a Man-in-the-Middle.
The only way Squid can see SSL as CONNECT traffic is if the client
browsers were aware of the fact that they are sending to a proxy, in
which case they would wrap the SSL inside an HTTP CONNECT.
So basically, unless you can configure all the clients to trust your
proxy's certificates, then theres no way to have a transparent SSL
proxy.
On Tue, Jan 4, 2011 at 11:45 AM, Roberto Franchesco
<robfranchesco_at_gmail.com> wrote:
> I know Squid loses some of its capabilities when its set up to run in
> Transparent/intercept mode. But looking around I can't find a
> definitive answer to the following question:
>
> If squid is set up in transparent mode, can it still tunnel secure
> traffic (via the CONNECT method)?
>
> Currently I have this set up with squid acting as a normal proxy
> (where the client's browser knows to send traffic to squid) and I can
> route any traffic (regular http or https via CONNECT) to my first
> squid proxy, and then send it to another squid proxy in the hierarchy.
>
> client --> squid ----> squid ---> destination
>
> I know this works because I can see the CONNECT statements in my
> access log for the second squid proxy.
>
> My question is, if I were to set up the first squid proxy to run in
> transparent mode--so the client's browser would not have to be set to
> direct traffic to the first squid--could I still then route all
> traffic in the same way as the above diagram?
>
> It was my understanding that squid takes SSL traffic and wraps it in
> HTTP CONNECT and passes it along without ever touching any of it. So
> to me it seems like a squid set in transparent mode would just wrap
> the SSL traffic up and keep passing it. But I could be mistaken.
>
Received on Tue Jan 04 2011 - 21:14:27 MST
This archive was generated by hypermail 2.2.0 : Wed Jan 05 2011 - 12:00:01 MST