Feature: HTTPS (HTTP Secure or HTTP over TLS)

  • Version: 2.5

  • More: RFC 2817, 2818, Features/SHTTP

Contents

  1. Feature: HTTPS (HTTP Secure or HTTP over TLS)
  2. CONNECT tunnel
    1. CONNECT tunnel through Squid
    2. Intercepting CONNECT tunnels
    3. Bumping CONNECT tunnels
  3. Direct TLS connection
    1. Direct TLS connection to a reverse proxy
    2. Intercepting direct TLS connections
    3. Bumping direct TLS connections
  4. Encrypted browser-Squid connection
    1. Chrome
    2. Firefox

When a client comes across an https:// URL, it can do one of three things:

  • opens a TLS connection directly to the origin server, or
  • opens a tunnel through a proxy to the origin server using the CONNECT request method, or
  • opens a TLS connection to a secure proxy.

Squid interaction with these traffic types is discussed below.

CONNECT tunnel

The CONNECT method is a way to tunnel any kind of connection through an HTTP proxy. By default, the proxy establishes a TCP connection to the specified server, responds with an HTTP 200 (Connection Established) response, and then shovels packets back and forth between the client and the server, without understanding or interpreting the tunneled traffic. For the gory details on tunneling and the CONNECT method, please see RFC 2817 and the expired Tunneling TCP based protocols through Web proxy servers draft.

CONNECT tunnel through Squid

When a browser establishes a CONNECT tunnel through Squid, Access Controls are able to control CONNECT requests, but only limited information is available. For example, many common parts of the request URL do not exist in a CONNECT request:

  • the URL scheme or protocol (e.g., http://, https://, ftp://, voip://, itunes://, or telnet://),

  • the URL path (e.g., /index.html or /secure/images/),

  • and the query string (e.g. ?a=b&c=d)

With HTTPS, the above parts are present in encapsulated HTTP requests that flow through the tunnel, but Squid does not have access to those encrypted messages. Other tunneled protocols may not even use HTTP messages and URLs (e.g., telnet).

  • It is important to notice that the protocols passed through CONNECT are not limited to the ones Squid normally handles. Quite literally anything that uses a two-way TCP connection can be passed through a CONNECT tunnel. This is why the Squid default ACLs start with deny CONNECT !SSL_Ports and why you must have a very good reason to place any type of allow rule above them.
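To make concrete how little a CONNECT request exposes to access controls, here is an added example written for Node.js (it is not Squid code and not from the wiki): it parses the CONNECT request line, shows that the request target is nothing more than host:port, and applies the same decision as the default deny CONNECT !SSL_ports rule, with the port as the only usable handle. The sample requests are constructed, and the function names are this example's own.

```javascript
// Added example, not Squid's code: what a proxy actually sees in a CONNECT
// request, and the decision Squid's default configuration makes about it:
//   acl SSL_ports port 443
//   http_access deny CONNECT !SSL_ports
// The request target is authority-form ("host:port"), so there is no scheme,
// path or query string to match on; the port is the only meaningful handle.

const SSL_PORTS = new Set([443]); // Squid's default SSL_ports ACL

// Parse the request line of a CONNECT request. Returns null for anything that
// is not a well-formed CONNECT (other methods, missing port, bad port number).
function parseConnectRequest(requestText) {
  const requestLine = requestText.split('\r\n')[0];
  const m = /^CONNECT[ \t]+(\S+)[ \t]+HTTP\/1\.[01]$/.exec(requestLine);
  if (m === null) return null;
  const target = m[1];
  const sep = target.lastIndexOf(':');
  if (sep <= 0) return null; // authority-form requires host AND port
  const host = target.slice(0, sep);
  const port = Number(target.slice(sep + 1));
  if (!Number.isInteger(port) || port < 1 || port > 65535) return null;
  // An IPv6 literal must be bracketed on both sides.
  if (host.startsWith('[') !== host.endsWith(']')) return null;
  return { host, port };
}

// Apply the default-ACL logic: only ports listed in SSL_ports may be tunnelled.
function decideConnect(requestText) {
  const parsed = parseConnectRequest(requestText);
  if (parsed === null) {
    return { action: 'deny', reason: 'not a well-formed CONNECT request' };
  }
  if (!SSL_PORTS.has(parsed.port)) {
    return { action: 'deny', reason: `port ${parsed.port} is not in SSL_ports`, ...parsed };
  }
  return { action: 'allow', reason: 'port is in SSL_ports', ...parsed };
}

// The proxy's reply when it allows the tunnel. After the blank line the proxy
// forwards bytes in both directions without interpreting them.
function connectEstablishedResponse() {
  return 'HTTP/1.1 200 Connection Established\r\n\r\n';
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  'CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n',
  'CONNECT [2001:db8::10]:443 HTTP/1.1\r\nHost: [2001:db8::10]:443\r\n\r\n',
  'CONNECT mail.example.com:25 HTTP/1.1\r\nHost: mail.example.com:25\r\n\r\n',
  'CONNECT www.example.com HTTP/1.1\r\n\r\n',
  'GET https://www.example.com/index.html?a=b HTTP/1.1\r\n\r\n',
];

// Run every sample through the decision and keep the request line for display.
function evaluateSamples() {
  return SAMPLE_REQUESTS.map((req) => ({ request: req.split('\r\n')[0], ...decideConnect(req) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluateSamples()) {
    console.log(`${r.action.padEnd(5)} ${r.request}  (${r.reason})`);
  }
}
```

Run it with node to see that only the two port-443 requests are allowed; the SMTP tunnel, the port-less target and the plain GET are all refused before any byte reaches the destination. Note that the first request passes with no inspection of where it goes beyond the port, which is exactly why the wiki text warns against placing allow rules above the default deny.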

Intercepting CONNECT tunnels

A browser sends CONNECT requests when it is configured to talk to a proxy. Thus, it should not be necessary to intercept a CONNECT request. TBD: Document what happens if Squid does intercept a CONNECT request, either because Squid was [mis]configured to intercept traffic destined to another proxy OR because a possibly malicious client sent a hand-crafted CONNECT request knowing that it is going to be intercepted.

Bumping CONNECT tunnels

  • WARNING: HTTPS was designed to give users an expectation of privacy and security. Decrypting HTTPS tunnels without user consent or knowledge may violate ethical norms and may be illegal in your jurisdiction. Squid decryption features described here and elsewhere are designed for deployment with user consent or, at the very least, in environments where decryption without consent is legal. These features also illustrate why users should be careful with trusting HTTPS connections and why the weakest link in the chain of HTTPS protections is rather fragile. Decrypting HTTPS tunnels constitutes a man-in-the-middle attack from the overall network security point of view. Attack tools are an equivalent of an atomic bomb in the real world: Make sure you understand what you are doing and that your decision makers have enough information to make wise choices.

Squid SslBump and associated features can be used to decrypt HTTPS CONNECT tunnels while they pass through a Squid proxy. This allows dealing with tunneled HTTP messages as if they were regular HTTP messages, including applying detailed access controls and performing content adaptation (e.g., check request bodies for information leaks and check responses for viruses). Configuration mistakes, Squid bugs, and malicious attacks may lead to unencrypted messages escaping Squid boundaries.

From the browser point of view, encapsulated messages are not sent to a proxy. Thus, general interception limitations, such as the inability to authenticate individual embedded requests, apply here as well.

Direct TLS connection

When a browser creates a direct TLS connection with an origin server, there are no HTTP CONNECT requests. The first HTTP request sent on such a connection is already encrypted. In most cases, Squid is out of the loop: Squid knows nothing about that connection and cannot block or proxy that traffic. The reverse proxy and interception exceptions are described below.

Direct TLS connection to a reverse proxy

Squid-2.5 and later can terminate TLS or SSL connections. You must have built with --enable-ssl. See https_port for more information. Squid-3.5 and later autodetect the availability of the GnuTLS library and enable the functionality if available. OpenSSL must be enabled explicitly with the --with-openssl configure option. If the library is installed in a non-standard location you may need to use the --with-foo=PATH configure option. See configure --help for details.

This is perhaps most useful in a surrogate (aka, http accelerator, reverse proxy) configuration. Simply configure Squid with a normal reverse proxy configuration using port 443 and SSL certificate details on an https_port line.
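As an added example (not from the Squid wiki), a minimal squid.conf fragment for that reverse proxy setup: TLS is terminated on the https_port line with the site's own certificate, and only requests for the fronted site are forwarded to the origin. The hostnames, certificate paths and origin address are placeholders.

```conf
# Added example, not from the Squid wiki: Squid as a TLS-terminating reverse
# proxy (surrogate) for one site. www.example.com, the certificate paths and
# 192.0.2.10 are placeholders.

# Terminate TLS on 443 using the site's own certificate and private key.
# Squid 3.x option spelling; Squid 4 and later name these tls-cert= and tls-key=.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/www.example.com.crt key=/etc/squid/www.example.com.key

# The origin server behind Squid, reached over plain HTTP on an internal address.
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=origin_www

# Forward only requests for the site this surrogate fronts; refuse everything else
# so the https_port cannot be used as an open proxy.
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
cache_peer_access origin_www allow our_site
cache_peer_access origin_www deny all
```

The trailing deny rules matter: without them a listener on 443 that accepts absolute URLs would happily relay requests for any destination, which is the reverse of what a surrogate is for.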

Intercepting direct TLS connections

It is possible to intercept an HTTPS connection to an origin server at Squid's https_port. This may be useful in surrogate (aka, http accelerator, reverse proxy) environments, but is limited to situations where Squid can represent the origin server using that origin server's SSL certificate. In most situations though, intercepting direct HTTPS connections will not work and is pointless because Squid cannot do anything with the encrypted traffic -- Squid is not a TCP-level proxy.

Bumping direct TLS connections

  • WARNING: HTTPS was designed to give users an expectation of privacy and security. Decrypting HTTPS tunnels without user consent or knowledge may violate ethical norms and may be illegal in your jurisdiction. Squid decryption features described here and elsewhere are designed for deployment with user consent or, at the very least, in environments where decryption without consent is legal. These features also illustrate why users should be careful with trusting HTTPS connections and why the weakest link in the chain of HTTPS protections is rather fragile. Decrypting HTTPS tunnels constitutes a man-in-the-middle attack from the overall network security point of view. Attack tools are an equivalent of an atomic bomb in the real world: Make sure you understand what you are doing and that your decision makers have enough information to make wise choices.

A combination of Squid NAT Interception, SslBump, and associated features can be used to intercept direct HTTPS connections and decrypt HTTPS messages while they pass through a Squid proxy. This allows dealing with HTTPS messages sent to the origin server as if they were regular HTTP messages, including applying detailed access controls and performing content adaptation (e.g., check request bodies for information leaks and check responses for viruses). Configuration mistakes, Squid bugs, and malicious attacks may lead to unencrypted messages escaping Squid boundaries.

Currently, Squid-to-client traffic on intercepted direct HTTPS connections cannot use Dynamic Certificate Generation, leading to browser warnings and rendering such configurations nearly impractical. This limitation will be addressed by the bump-server-first project.

From the browser point of view, intercepted messages are not sent to a proxy. Thus, general interception limitations, such as the inability to authenticate requests, apply to bumped intercepted transactions as well.

Encrypted browser-Squid connection

Squid can accept regular proxy traffic using https_port in the same way Squid does it using an http_port directive. RFC 2818 defines the protocol requirements around this.

Unfortunately, popular modern browsers do not yet allow configuration of TLS encrypted proxy connections. There are open bug reports against most of those browsers now, waiting for support to appear. If you have any interest, please help browser teams with getting that to happen.

Meanwhile, tricks using stunnel or SSH tunnels are required to encrypt the browser-to-proxy connection before it leaves the client machine. These are somewhat heavy on the network and can be slow as a result.

Chrome

The Chrome browser is able to connect to proxies over TLS connections if configured to use one in a PAC file or command line switch. GUI configuration appears not to be possible (yet).

More details at http://dev.chromium.org/developers/design-documents/secure-web-proxy

Firefox

The Firefox 33.0 browser is able to connect to proxies over TLS connections if configured to use one in a PAC file. GUI configuration appears not to be possible (yet), though there is a config hack for embedding PAC logic.
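For both the Chrome and Firefox cases above, here is an added example (not from the Squid wiki or from either browser project) of the PAC file that points a browser at Squid's https_port over TLS, together with a small check, runnable under Node.js, that the returned policy never contains a plaintext proxy entry. proxy.example.net, port 3129 and the .corp.example suffix are placeholders, and the helper function names are this example's own; FindProxyForURL is the entry point every PAC engine calls.

```javascript
// Added example, not from the Squid wiki or any browser project: a PAC file
// that sends browser traffic to Squid over a TLS-encrypted proxy connection.
// In a PAC return value "HTTPS host:port" means "talk to this proxy over TLS"
// (Squid's https_port), while "PROXY host:port" means a plaintext connection
// (Squid's http_port). proxy.example.net, 3129 and .corp.example are placeholders.

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  // Keep loopback and the internal domain off the proxy (constructed policy).
  if (h === 'localhost' || h === '127.0.0.1' || h.endsWith('.corp.example')) {
    return 'DIRECT';
  }
  // Deliberately no "; PROXY proxy.example.net:3128" fallback: a plaintext
  // fallback would let anyone able to block the TLS port downgrade the
  // browser-to-proxy link to cleartext.
  return 'HTTPS proxy.example.net:3129';
}

// Helper for checking the file outside a browser: split a PAC return value
// into its ordered fallback list.
function parseProxyDirective(value) {
  return value.split(';').map(function (entry) {
    var parts = entry.trim().split(/\s+/);
    if (parts[0] === 'DIRECT') return { type: 'DIRECT' };
    var hostPort = parts[1].split(':');
    return { type: parts[0], host: hostPort[0], port: Number(hostPort[1]) };
  });
}

// True if any entry in the fallback list would use a cleartext proxy connection.
function hasPlaintextProxy(value) {
  return parseProxyDirective(value).some(function (e) { return e.type === 'PROXY'; });
}

// Pre-deployment check: for every URL the policy either goes DIRECT or reaches
// the proxy over TLS; a cleartext PROXY entry anywhere fails the check.
function allProxiedOverTls(urls) {
  return urls.every(function (u) {
    var host = u.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split('/')[0].split(':')[0];
    return !hasPlaintextProxy(FindProxyForURL(u, host));
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  var samples = ['https://www.example.com/', 'http://intranet.corp.example/', 'http://localhost:8080/x'];
  samples.forEach(function (u) {
    console.log(u, '->', FindProxyForURL(u, u.replace(/^[a-z]+:\/\//i, '').split('/')[0]));
  });
  console.log('no plaintext proxy entries:', allProxiedOverTls(samples));
}
```

Chrome loads the file with --proxy-pac-url=file:///path/to/proxy.pac, or skips the PAC file entirely with the command-line switch --proxy-server=https://proxy.example.net:3129; Firefox takes the same file as its automatic proxy configuration URL. The proxy's certificate must be trusted by the browser's certificate store, which is the hurdle the Firefox notes below refer to.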

There is still an important bug open:

  • Using a client certificate authentication to a proxy: https://bugzilla.mozilla.org/show_bug.cgi?id=209312

If you have trouble with adding trust for the proxy cert, there is a procedure by Patrick McManus to work around that.


Source: http://wiki.squid-cache.org/Features/HTTPS