Dedicated HTTPS proxy?
Hello,
I was wondering whether there is any dedicated proxy server for catering for HTTPS connections, as the normal Squid proxy that I use does not seem to take care of HTTPS requests; in access.log I never see any HTTPS request being logged. Is it true that it is not possible to proxy HTTPS requests? If so, then why do we have an option for a secure proxy server in Internet Explorer? Any ideas or help in this regard would be appreciated. Thanks...
Yes, Squid works with HTTPS... you'll need to have given it the "--enable-ssl" configure option before you compiled it, though...
http://www.squid-cache.org/Doc/FAQ/FAQ-1.html#ss1.12 Just my two cents...
As said, Squid will work with HTTPS; however, that's quite insecure really. Do note that it 'could' be possible for other network users to gain access to HTTPS data.
Ummm... not without the keys that are on the remote server. I fail to see how Squid will help with that... SSL is secure through proxies. Squid is no different.
Anybody1234: You won't see SSL-wrapped requests. You'll see CONNECT requests, but the actual transmission (including the URI requested) is encrypted. That's kinda the point ;)
Yeah, take Google Web Accelerator though, probably based on Squid. There was a major security flaw where users were being logged into online shops, etc. I don't trust proxies for HTTPS, unless they are secure and don't cache encrypted requests.
Then I'd say you didn't read the disclosure closely enough. The issue was with cached copies of HTTP pages (this forum, for example) where the user has to "log in", not HTTPS. Google doesn't cache HTTPS. They can't (without doing some nasty "man in the middle" stuff).
Standard HTTP proxies do not cache HTTPS. I can't say without digging a little more into specs and whatnot than I want to right now, but I'm inclined to say that HTTP proxies not only do not, but cannot cache HTTPS transactions, even if they wanted to. Proxies facilitate HTTPS through the use of CONNECT. The proxy opens a socket to the server and forwards all data to and from the client through it. It has no knowledge of what's *in* the data, as it's encrypted. As I said earlier, "That's kinda the point".
Thanks for the info, just... my proxy server has an HTTPS transaction cache :-o It's PC LAN SUITE 2004, from 602software, so that's why I thought that. Soon I'll be running Squid when I get my Smoothwall installed again.
I'm 100% sure that it doesn't. :p
Hi there,
Thanks everybody for the replies. Does Squid proxy HTTPS requests transparently? This was the reason for posting the query; sorry I forgot to mention that in my earlier post. As far as I have seen, it does not proxy HTTPS requests transparently. If anybody has had success in configuring Squid in transparent proxy mode with HTTPS requests proxied, please share what the configurations are. Or does any other proxy do this, i.e. HTTPS requests in transparent mode?
AFAIK, Squid can NOT proxy HTTPS in transparent mode...
BTW, just curious: why do you want to proxy HTTPS transparently, considering the cache won't be used anyway?
[Screenshot]
HTTPS is there; in advanced settings there is a tick box to disable CGI caching and HTTPS caching. Both are disabled by default, so it's not a security problem. I assume it doesn't actually cache anything other than images in that mode anyway.
Without seeing a screenshot of the advanced tab, we'll have to take your word for it. I'm not going to install it just to find out, but really... an HTTP proxy *can't* cache HTTPS data. It's just not possible.
Without going into a boring dissertation on the merits of PKE and all that stuff: when the client browser connects to the server, it verifies (or tries to) the identity of the server based on its hostname and the CN field in the SSL cert. If they don't match, you get a security warning. If they do match (and the cert is valid for the date you're using it, and a whole host of other stuff), then the crypto begins and everything from that point on is wrapped up in really big math... That's why a client will call out to the proxy and say CONNECT Host:Port HTTP/1.1. That tells the proxy "Don't do anything to get in my way here, just give me a connection to Host:Port". The only way that I can think of for a proxy to cache HTTPS data would involve DNS hijacking and/or key theft, neither of which seems terribly likely in this case.
For extra credit: you can use CONNECT on loosely configured proxies to talk to all kinds of services such as IRC, SSH or just about any other "one port" protocol... And no, it won't be cached either ;)