Squid & SSL Proxies
I'm wondering if anyone can point me in the right direction for information on using squid in the following manner (or, alternatively, I can always install something other than Squid…):
I want to use my web browser such that content is encrypted from the browser to my linode running squid, which will then retrieve content from a non-SSL-enabled site, sending back the content to me over the encrypted connection. Yes -- I realize that the content from the non-SSL-enabled server to my linode will not be encrypted, I don't need it to be. But I do want the traffic from my linode to my browser to be encrypted…
Is that possible? I'm assuming it must be. I would imagine that the browser and the proxy software exchange certificates and then chat away… But searches through google yield copious numbers of documents on how to get SSL working with Squid so that you can have your proxy server get documents from SSL-enabled websites and pass them to you… I can do that already. But I'd like to SSL to the proxy, and have the proxy fetch the unencrypted content for me.
Any help would be appreciated.
Thanks!
j.
4 Replies
If you configure an http proxy in your browser, the browser will pass http requests to that proxy. If you configure an https proxy on your browser, the browser will pass all ssl requests to that proxy. I don't think you can change protocols part way through the proxying process.
To achieve what I think you want (secure http browsing connection through a hostile network or firewall) - what about setting localhost as your http proxy on a non-standard port and then using ssh to forward that port from your desktop to your linode. Configure the proxy/cache on your Linode to listen to the forwarded port and off you go - maybe. I haven't tried this, but I use a similar technique to burrow through my employer's corporate firewall and connect MySQL GUI admin tools on an XP desktop to MySQL on my Linode.
For your Linode proxy - what about Apache with mod_proxy. Configure a virtual server to listen on the forwarded port and put all the proxy config directives inside that server's config section.
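The SSH port forward plus Apache mod_proxy arrangement pclissold sketches above, written out as an added example (this is not code from the thread or from pclissold). It assumes Apache 2.4 with mod_proxy, mod_proxy_http and mod_proxy_connect loaded, proxy port 3128 on both ends, and placeholder SSH user `j` and host `linode.example.com`; all of those names are assumptions. The point the config makes that the post does not: the forward proxy must listen on loopback only and gate `ProxyRequests` with a `Require` rule, otherwise the Linode becomes an open proxy for the whole internet rather than just for the tunnel.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: Apache 2.4 with mod_proxy,
# mod_proxy_http and mod_proxy_connect loaded; SSH user "j"; host
# "linode.example.com"; port 3128. All names are placeholders.
set -eu

PROXY_PORT="${PROXY_PORT:-3128}"
LINODE="${LINODE:-j@linode.example.com}"

# Apache virtual host acting as a *forward* proxy, bound to the loopback
# interface only, so the only path to it is the SSH tunnel. Without the
# <Proxy> block any client that can reach the port gets an open proxy.
apache_forward_proxy_conf() {
  port="$1"
  cat <<EOF
Listen 127.0.0.1:${port}
<VirtualHost 127.0.0.1:${port}>
    ProxyRequests On
    ProxyVia On
    # Only connections arriving over the tunnel (i.e. from loopback) may proxy.
    <Proxy "*">
        Require ip 127.0.0.1
    </Proxy>
    # Let browsers CONNECT to HTTPS sites only; keeps the proxy from being a
    # generic TCP relay to arbitrary ports.
    AllowCONNECT 443
    ErrorLog \${APACHE_LOG_DIR}/proxy-error.log
    CustomLog \${APACHE_LOG_DIR}/proxy-access.log combined
</VirtualHost>
EOF
}

# Desktop side: forward local 127.0.0.1:PORT to 127.0.0.1:PORT on the Linode.
# -N runs no remote command; binding the local end to 127.0.0.1 stops other
# machines on the hostile LAN from riding the tunnel. The browser's HTTP proxy
# is then set to localhost:PORT.
ssh_tunnel_cmd() {
  printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s\n' "$1" "$1" "$2"
}

# Sanity check for a generated vhost: listener must be loopback-only, proxying
# must be restricted to 127.0.0.1, and nothing may grant it to everyone.
proxy_conf_is_loopback_only() {
  conf="$1"
  printf '%s\n' "$conf" | grep -q '^Listen 127\.0\.0\.1:' || return 1
  printf '%s\n' "$conf" | grep -q 'Require ip 127\.0\.0\.1' || return 1
  ! printf '%s\n' "$conf" | grep -q 'Require all granted'
}

case "${1:-}" in
  conf)   apache_forward_proxy_conf "$PROXY_PORT" ;;   # ./proxy.sh conf > /etc/apache2/sites-available/proxy.conf
  tunnel) ssh_tunnel_cmd "$PROXY_PORT" "$LINODE" ;;    # ./proxy.sh tunnel  (run the printed command on the desktop)
esac
```

Run `conf` on the Linode to produce the vhost, `tunnel` on the desktop to get the ssh invocation; the check function is what you would run before reloading Apache to make sure the proxy never ends up bound to a public address.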
@pclissold:
> To achieve what I think you want (secure http browsing connection through a hostile network or firewall) - what about setting localhost as your http proxy on a non-standard port and then using ssh to forward that port from your desktop to your linode.
Yup – I'm looking for a secure connection to my linode through a hostile network. I like the localhost ssh forward idea, but I'm trying to come up with a solution that will be easy for non-techie users to implement. I've stumbled across stunnel recently, which, if I'm not mistaken, allows users to encrypt TCP traffic generally to a host, which then decrypts and passes it internally to another server of some kind.
I still have to do a bunch more reading to figure out if it's possible, but I think I could probably have stunnel listen on a non-standard port, decrypt the connection and pass it to Squid, which would then proxy the results and return them to stunnel. Stunnel would encrypt the result on the way back to the client. I don't know if that'll work, I have yet to try it…
> For your Linode proxy - what about Apache with mod_proxy. Configure a virtual server to listen on the forwarded port and put all the proxy config directives inside that server's config section.
That's a good idea – I've been trying Squid lately, but I wonder if using mod_proxy would free up some memory given that apache is already running anyway…
Thanks for your suggestions pclissold -- I'll keep reading… If anyone comes up with anything else, feel free to add…
j.
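The stunnel-in-front-of-Squid layout j. is considering, as an added example that is not part of the thread or of j.'s own setup. Because a browser of that era will not speak TLS to a proxy, the example also runs stunnel in client mode on the desktop: the browser talks plain HTTP proxy to localhost, the client stunnel wraps it in TLS to the Linode, the server stunnel unwraps it and hands it to Squid on loopback. Assumed, and all placeholders: stunnel 4 or later on both ends, a server certificate and key in `/etc/stunnel/proxy.pem`, the public TLS port 8443, Squid on 127.0.0.1:3128, the stunnel user `stunnel4`, and the hostname `linode.example.com`. Two things the post does not mention that matter for the "hostile network" case: the client must verify the server certificate (`verify = 2` plus a pinned `CAfile`), or the network can impersonate the Linode, and Squid must be bound to loopback with a final `deny all` so the only way in is through stunnel.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions (placeholders): stunnel 4+
# on both ends, server cert+key at /etc/stunnel/proxy.pem, stunnel runs as user
# "stunnel4", public TLS port 8443, Squid on 127.0.0.1:3128, hostname
# linode.example.com.
set -eu

TLS_PORT="${TLS_PORT:-8443}"
SQUID_PORT="${SQUID_PORT:-3128}"
LINODE_HOST="${LINODE_HOST:-linode.example.com}"

# Linode side: stunnel terminates TLS on the public port and passes the
# plaintext proxy request to Squid on loopback.
stunnel_server_conf() {
  cat <<EOF
cert = /etc/stunnel/proxy.pem
; drop root after binding the listening socket
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/proxy.pid

[squid]
accept = 0.0.0.0:$1
connect = 127.0.0.1:$2
EOF
}

# Desktop side: stunnel in client mode listens on localhost and wraps each
# browser connection in TLS to the Linode. The browser's HTTP proxy is set to
# localhost:<local port>. verify = 2 with a pinned CAfile (the Linode's own
# certificate) is what defeats a man-in-the-middle on the hostile network.
stunnel_client_conf() {
  cat <<EOF
client = yes
verify = 2
CAfile = proxy-cert.pem

[squid]
accept = 127.0.0.1:$1
connect = $2:$3
EOF
}

# Squid only ever hears from stunnel, so bind it to loopback and allow only
# loopback; the trailing deny all keeps it from being an open proxy.
squid_conf() {
  cat <<EOF
http_port 127.0.0.1:$1
acl tunnel src 127.0.0.1/32
http_access allow tunnel
http_access deny all
EOF
}

# Check a Squid config: every http_port must be on 127.0.0.1, at least one must
# exist, and a final "deny all" must be present.
squid_conf_is_safe() {
  conf="$1"
  printf '%s\n' "$conf" | grep -q '^http_port 127\.0\.0\.1:' || return 1
  ! printf '%s\n' "$conf" | grep '^http_port' | grep -qv '^http_port 127\.0\.0\.1:' || return 1
  printf '%s\n' "$conf" | grep -q '^http_access deny all' || return 1
}

case "${1:-}" in
  server) stunnel_server_conf "$TLS_PORT" "$SQUID_PORT" ;;            # -> /etc/stunnel/proxy.conf on the Linode
  client) stunnel_client_conf "$SQUID_PORT" "$LINODE_HOST" "$TLS_PORT" ;; # -> stunnel.conf on the desktop
  squid)  squid_conf "$SQUID_PORT" ;;                                  # -> the http_port/http_access lines for squid.conf
esac
```

The three subcommands emit the three config pieces; `squid_conf_is_safe` is the check to run against the real squid.conf before starting it, since a Squid that ends up listening on the public address (or with `http_access allow all`) is exactly the open proxy the stunnel layer is supposed to prevent.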
Adding a module to Apache sure sounds like it's got to be more memory efficient than running Squid - but Linux lesson #1 is that you can't be sure until you've tried it.