10

How can we enable Squid to cache web content (let's say from Firefox) for SSL connections, I mean for https URLs?

Braiam
Wasim A.

3 Answers

14

Actually SQUID can be used to access HTTPS traffic - it is in essence a man-in-the-middle attack - and there are caveats:

See: http://wiki.squid-cache.org/Features/SslBump

I have not tried caching this data yet, so can't say that it will work with absolute certainty. If/when I do, I'll update this post.

JaysonRaymond
  • 4
    That is a rather ugly hack. In that scenario the browser will not see the real server certificates, but instead fake certificates dynamically created by Squid, i.e. you must install a trusted root CA in the browser to not get security warnings, but then you are really vulnerable to all kinds of problems. E.g. you *think* you are accessing gmail over https, but you are really talking https to your Squid which decrypts your traffic (password and such) and then uses another encrypted connection to pass on the data to some server which your browser cannot validate... *shrug* – krisku Dec 03 '14 at 10:11
  • This is quite similar to the way that [Microsoft ISA Server](https://msdn.microsoft.com/en-us/library/ms826748.aspx) performs as an SSL caching proxy. The difference is that in the ISA environment, hosts behind the proxy are managed by an Active Directory (AD). AD servers, in turn, are capable of distributing CA certificates to the trust roots of all hosts it manages. This last step must be performed manually in Squid environments. – cjac Jun 09 '16 at 19:02
  • @krisku A hack, yes, but this is the only way one can capture/cache TLS/SSL traffic. It's just the way it is. – orev Dec 19 '17 at 21:19
8

SSL encrypts the traffic between server and client so it cannot be read by a middle man. When using Squid as a proxy it simply cannot see the actual content in the traffic and therefore it has no means of caching it. The SSL traffic is just random bits that look different each time even if the same content is transferred multiple times and that is how encryption should work. It simply cannot be cached.

krisku
  • 1
    Google Chrome can read SSL over cache but Firefox can't. On the other side, when you use Hotspot, both browsers can read SSL over proxy. That is what I am confused with. – Wasim A. Sep 18 '13 at 17:46
  • Squid can pass arbitrary TCP traffic, such as SSL, using the CONNECT directive, but it cannot cache the content in any way. So the answer to your original question is simply no. You cannot cache web content for SSL connections as those are encrypted end-to-end. How to get Firefox to connect to https URLs via a proxy is a totally different question that has nothing to do with caching. – krisku Sep 19 '13 at 06:28
  • 3
    using [ssl-bump](http://wiki.squid-cache.org/Features/SslBump), squid can establish a socket between client<->proxy and proxy<->origin. When this is done, the traffic is in the clear on the proxy and can be cached before being returned to the client. – cjac Jun 09 '16 at 18:56
0

I have no problems getting Firefox (version 23.0.1 on Windows) to route SSL traffic via Squid. In Firefox Network Connection settings I just point SSL Proxy and HTTP Proxy to the same Squid installation.

After that I can successfully access https URLs in Firefox and in Squid's access_log I see entries like these:

1379660084.878 115367 10.0.0.205 TCP_MISS/200 6581 CONNECT www.gravatar.com:443 - DIRECT/68.232.35.121 -

Do you have any details about how it doesn't work for you? Squid has quite complicated possibilities to deny and allow certain types of traffic, so it is possible there is a configuration issue in Squid. Do you get any error messages in Squid's logfiles?

krisku
  • 4
    That is not a problem; Squid accepts SSL but it doesn't cache it. HTTP content gets cached but HTTPS doesn't. – Wasim A. Sep 20 '13 at 09:38
  • 2
    As I said: you cannot cache SSL traffic! All data is encrypted so Squid cannot see or understand anything of the content. Squid only sees the TCP connection to port 443 on the remote web server, but everything in the traffic is encrypted. Squid does not know which URLs you are accessing on that server, it does not see what you are requesting and it does not see what the responses are. That is what encrypted means! – krisku Sep 20 '13 at 10:51
  • krisku, the problem is not getting squid to proxy SSL traffic, it is getting it to cache the content of the SSL tunnel. The default configuration is to allow the client to request https traffic via the proxy. Without an ssl-bump, the proxy does not see the SSL traffic and cannot cache it. The part that does *not* work with firefox (and does with chrome) is an ssl connection between client and proxy for those hostile networks on which you do not wish to transmit plaintext content between client and proxy. – cjac Jun 09 '16 at 19:21
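The access_log line quoted in the answer above shows exactly what the proxy sees for an un-bumped HTTPS request: a CONNECT to host:port, logged as TCP_MISS, with no URL path and no content type. The following is an added example (not code from the answers or from the Squid project) that parses Squid's native access.log format and separates CONNECT tunnels from plain HTTP requests, so you can confirm from the log alone why nothing over TLS is ever a cache hit. The sample log is constructed: the first line is the one from the answer, the rest are invented.

```python
import re
from collections import Counter

# Squid "native" access.log format, one request per line:
# timestamp elapsed client action/status size method url ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample log: line 1 is from the answer above, the others are made up.
SAMPLE_LOG = """\
1379660084.878 115367 10.0.0.205 TCP_MISS/200 6581 CONNECT www.gravatar.com:443 - DIRECT/68.232.35.121 -
1379660090.102     12 10.0.0.205 TCP_HIT/200 20434 GET http://example.com/logo.png - HIER_NONE/- image/png
1379660091.550    340 10.0.0.205 TCP_MISS/200 5120 GET http://example.com/page.html - DIRECT/93.184.216.34 text/html
1379660095.001  98000 10.0.0.207 TCP_MISS/200 3321 CONNECT mail.example.net:443 - DIRECT/198.51.100.7 -
"""

def parse_line(line):
    """Return a dict of the native-format fields, or None for an unparsable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["elapsed"] = int(rec["elapsed"])
    return rec

def summarize(log_text):
    """Count cache outcomes separately for CONNECT tunnels and plain HTTP requests."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = "tunnel" if rec["method"] == "CONNECT" else "http"
        counts[(kind, rec["action"])] += 1
    return counts

def tunnel_targets(log_text):
    """All the proxy learns about a tunnel is host:port; there is no path to cache."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return sorted({r["url"] for r in recs if r and r["method"] == "CONNECT"})

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(tunnel_targets(SAMPLE_LOG))
```

On a real log, any TCP_HIT under the "tunnel" key would be a sign that ssl-bump is active and the proxy is terminating TLS on the client's behalf.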