Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I have not compiled squid with SSL nor installed an SSL certificate on my server yet all https requests are working correctly.
Does squid just pass these on?
In the logs it looks like it is doing this:
1249824051.113 141276 86.xxx.xxx.xxx TCP_MISS/200 15206 CONNECT ssl.gstatic.com:443 demo_1 DIRECT/209.xx.xxx.xxx -
That's fine. You are not doing any SSL in squid there, just passing through a connection. Doing SSL in squid would mean terminating the SSL connection, inspecting the data inside it, and then creating a new SSL connection upstream to the destination.
Can proxies do that?
I thought the whole point of SSL was that it was encrypted all the way to the destination?
Do I still need to keep port 443 open for this though?
I assume the browser just directs SSL traffic to port 3128?
In line with our previous discussions about transparent proxies, the CONNECT method is the way that a browser asks a proxy to pass a connection through to a destination server:port. There is no inspection / knowledge of SSL at all; indeed many different protocols can use the CONNECT method to get a connection, e.g. you could use PuTTY to get an SSH session through a proxy by explicitly requesting a CONNECT to myserver.com:22 and such. If you do look at your squid.conf you'll hopefully see, though, that CONNECT is only permitted by the default ACLs on ports 443 and 563, i.e. known ports for valid SSL traffic. So here there is a very small plain-text HTTP request made to the proxy, the proxy responds, opens a TCP connection with the destination and then acknowledges to the client that that connection is available. Once it does, the proxy will blindly pass all data through, data which it can't understand as it's not HTTP any more, and has no interest in.
If you're interested, install Wireshark on your client and then watch what actually does happen when you connect to an HTTPS site. That will also make it much clearer why you can't do it transparently, because it actually behaves significantly differently when a proxy is involved.
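The CONNECT exchange the reply above describes, as an added example that is not part of the original thread or of squid itself: a small in-process model in Python. A mock proxy applies squid's default SSL_ports rule (CONNECT allowed only to 443 and 563), answers the CONNECT, and then relays bytes it never parses; a helper also splits the native access.log line from the first post into its fields. The echo "destination", the 5-second timeouts and the payload bytes are constructed stand-ins, and no real network is used.

```python
import socket
import threading

# squid.conf defaults the reply refers to:
#   acl SSL_ports port 443 563
#   http_access deny CONNECT !SSL_ports
SSL_PORTS = {443, 563}
TIMEOUT = 5  # seconds; stops the in-process demo hanging if something breaks

# access.log line from the first post (native squid format, 10 fields)
SAMPLE_LOG_LINE = ("1249824051.113 141276 86.xxx.xxx.xxx TCP_MISS/200 15206 "
                   "CONNECT ssl.gstatic.com:443 demo_1 DIRECT/209.xx.xxx.xxx -")

def build_connect_request(host, port):
    """The small plain-text request a browser sends to the proxy."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def parse_connect_request(head):
    """(host, port) from a CONNECT request line, or None if it is not one."""
    parts = head.split(b"\r\n", 1)[0].decode(errors="replace").split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, _, port = parts[1].rpartition(":")
    return (host, int(port)) if host and port.isdigit() else None

def connect_allowed(port, ssl_ports=SSL_PORTS):
    """Mirrors 'http_access deny CONNECT !SSL_ports'."""
    return port in ssl_ports

def parse_squid_access_line(line):
    """Native-format access.log fields (all kept as strings)."""
    keys = ("time", "elapsed_ms", "client", "result", "bytes", "method",
            "url", "user", "hierarchy", "content_type")
    return dict(zip(keys, line.split(None, 9)))

def _read_head(sock):
    """Read an HTTP head up to the blank line; return (head, leftover bytes)."""
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest

def _pump(src, dst, first=b""):
    """Blind relay: copy bytes the proxy never parses until EOF, then half-close."""
    try:
        dst.sendall(first)
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _upstream(sock):
    """Constructed stand-in for the destination: echo input upper-cased."""
    with sock:
        while chunk := sock.recv(4096):
            sock.sendall(chunk.upper())

def _proxy(sock, ssl_ports):
    """One CONNECT transaction: ACL check, open the tunnel, relay blindly."""
    with sock:
        head, rest = _read_head(sock)
        target = parse_connect_request(head)
        if target is None or not connect_allowed(target[1], ssl_ports):
            sock.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        to_up, up = socket.socketpair()  # the "TCP connection to the destination"
        to_up.settimeout(TIMEOUT)
        up.settimeout(TIMEOUT)
        threading.Thread(target=_upstream, args=(up,), daemon=True).start()
        sock.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        back = threading.Thread(target=_pump, args=(to_up, sock), daemon=True)
        back.start()
        _pump(sock, to_up, rest)  # client -> destination, in this thread
        back.join()
        to_up.close()

def tunnel(host, port, payload, ssl_ports=SSL_PORTS):
    """Run client, proxy and destination in-process; return (status, reply)."""
    client, proxy_side = socket.socketpair()
    client.settimeout(TIMEOUT)
    proxy_side.settimeout(TIMEOUT)
    threading.Thread(target=_proxy, args=(proxy_side, ssl_ports), daemon=True).start()
    with client:
        client.sendall(build_connect_request(host, port))
        head, reply = _read_head(client)
        status = head.split(b"\r\n", 1)[0].decode(errors="replace")
        if not status.startswith("HTTP/1.1 200"):
            return status, b""
        client.sendall(payload)  # in real life: the TLS ClientHello and onwards
        client.shutdown(socket.SHUT_WR)
        while chunk := client.recv(4096):
            reply += chunk
    return status, reply

if __name__ == "__main__":
    print(tunnel("ssl.gstatic.com", 443, b"\x16\x03\x01 pretend ClientHello"))
    print(tunnel("myserver.com", 22, b"SSH-2.0-PuTTY"))
```

Two things to notice when running it: the proxy only ever sees the host:port in the CONNECT line, so everything it can log or filter for HTTPS is the destination, not the URL, and the tunnel is logged once at close (the 141276 in the sample line is the elapsed time in milliseconds, i.e. a tunnel that stayed open for over two minutes). Adding 22 to the ssl_ports set makes the PuTTY-style CONNECT succeed, which is exactly the widening of the ACL the reply warns you to be deliberate about.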
So, incoming, I only need port 3128 open and/or a forwarding rule from port 80 or 8080.
Outgoing, I need ports 80 and 443 open so the proxy can pass on a 443 request?
Ideally, you'd make all requests to the proxy on port 3128, just one port. Outbound it would be all ports that you class as valid. By default this would be 80 and 443, but could be others, e.g. 8080 if you have known reasons for this.