On 01/03/11 21:49, arielf wrote:
Hello,
I am trying to use Squid as proxy so that traffic goes through an icap
service I built and continues to intended site. I will have several clients
(browsers) that are accessing several server sites.
I need help configuring https correctly :(
I tried testing out my configuration using a browser from ip: 9.148.16.192
I used firefox foxyproxy plugin to direct http traffic to 9.148.26.247:3128
and https to 3129 (machine/ports where my squid is listening, checked this
with netstat)
I started testing two sites, one http and another https:
1. http://mydomain.com/MyCRM/index.php
2. https://9.148.26.247:8443/ - this site runs on tomcat that I
configured with mykey.jks
When I start, I get all OK messages:
2011/03/01 08:23:40| Accepting HTTP connections at [::]:3128, FD 15.
2011/03/01 08:23:40| Accepting HTTPS connections at [::]:3129, FD 16.
2011/03/01 08:23:40| HTCP Disabled.
2011/03/01 08:23:40| Configuring Parent 9.148.16.192/3129/0
When I try site 1 (http), all seems to work fine.
However, when I try site 2, I get an error:
2011/03/01 08:37:54| clientNegotiateSSL: Error negotiating SSL connection on
FD 12: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy
request (1/-1)
where am I going wrong??
The wrong step is in using https_port to receive traffic from the
browser. Those ports are for receiving an SSL/TLS encrypted connection.
None of the popular browsers support such encryption on the link between
themselves and proxies.
The browser wraps https:// inside a plain-text HTTP method called
CONNECT and sends it to the Squid port. The encrypted part goes through
a tunnel the CONNECT creates.
This error message about negotiating is due to https_port failing to
decrypt the non-encrypted CONNECT.
In order to break into the CONNECT requests you will need the ssl-bump
mode enabled on the normal http_port. Then send both HTTP and HTTPS
traffic to the same proxy port via regular browser proxy settings.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.11
Beta testers wanted for 3.2.0.5
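To make the point in Amos's reply concrete, the following is an added example (not code from the thread, from Squid, or from either poster): it builds the plaintext CONNECT request a browser sends to its configured proxy port for an https:// URL, and classifies the first bytes arriving on a listening socket as either a TLS ClientHello record (what https_port expects) or a plaintext HTTP request such as CONNECT (what a browser actually sends). The sample TLS bytes are a constructed record header, and the host/port values are sample values; the function names are my own.

```python
"""Added example, not part of the original mailing-list thread.

Shows why a browser's https:// traffic fails on a Squid https_port: the
browser never encrypts its link to the proxy. It sends a plaintext
CONNECT request, and only starts the TLS handshake with the origin server
inside the tunnel that CONNECT opens. An https_port instead expects the
very first bytes to be a TLS record, so it fails to "negotiate SSL".
"""

# Constructed sample: the first 5 bytes of a TLS record header
# (content type 0x16 = handshake, version 0x0301) plus a truncated
# ClientHello body. Only the header matters for classification.
SAMPLE_TLS_HELLO = bytes.fromhex("1603010005") + b"\x01\x00\x00\x01\x00"


def build_connect_request(host: str, port: int) -> bytes:
    """Return the plaintext request a browser sends to an HTTP proxy port
    for an https:// URL. The origin TLS session starts only after the
    proxy answers '200 Connection established'."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes read from a freshly accepted connection.

    A TLS record begins with content type 0x16 (handshake) and a major
    version byte of 0x03; any HTTP request (CONNECT, GET, ...) begins
    with an upper-case ASCII method token followed by a space.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"
    method = data.split(b" ", 1)[0]
    if method == b"CONNECT":
        return "http-connect"
    if method.isalpha() and method.isupper():
        return "http-request"
    return "unknown"


def parse_connect_target(data: bytes):
    """Extract (host, port) from a CONNECT request line, or None if the
    data is not a well-formed CONNECT. rpartition keeps bracketed IPv6
    literals such as [::1]:443 intact."""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        return None
    return host, int(port)


if __name__ == "__main__":
    # The site from the thread, as the browser would request it via a proxy.
    req = build_connect_request("9.148.26.247", 8443)
    print(req.decode("ascii"))
    print("browser -> proxy port:", classify_first_bytes(req))
    print("CONNECT target:", parse_connect_target(req))
    print("what https_port expects:", classify_first_bytes(SAMPLE_TLS_HELLO))
```

Run on the thread's setup, the first thing arriving on port 3129 is classified as `http-connect`, not `tls-client-hello`, which is exactly the mismatch behind the `SSL23_GET_CLIENT_HELLO:https proxy request` message: the port is trying to decrypt something that was never encrypted.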