Posted to users@trafficserver.apache.org by Jacov Koren <Ja...@commtouch.com> on 2012/06/17 15:15:57 UTC

ssl with transparent proxy

I am just trying to understand how an SSL connection can take place when using a transparent proxy.

Do I need to intercept the traffic with iptables just like I did for port 80?

Do I need to configure something else in records.config?

It's pretty urgent, I would really appreciate it if someone can help me?



Thanks,

Jacob


RE: ssl with transparent proxy

Posted by Jacov Koren <Ja...@commtouch.com>.
Thank you. 


-----Original Message-----
From: Leif Hedstrom [mailto:zwoop@apache.org] 
Sent: Sunday, June 17, 2012 9:32 PM
To: users@trafficserver.apache.org
Cc: Jacov Koren; dev@trafficserver.apache.org
Subject: Re: ssl with transparent proxy

On 6/17/12 7:15 AM, Jacov Koren wrote:
>
> I am just trying to understand how ssl connection can take place when 
> using transparent proxy.
>
> Do I need to intercept the traffic with iptables just like I did for 
> port
> 80 ?
>
> Do I need to configure something else in records.config?
>
> It's pretty urgent, I would really appreciate it if someone can help me?
>
>

How would you expect it to work in transparent proxy? It's not like the proxy can do SSL termination here, without having every web site in the world's private certificate key. Unless of course you force your clients to trust your own CA, and make an SSL certificate for e.g. *.*. Funny that this discussion is coming up again (we've had this exercise at least a few times
before) with the recent /. article:

http://ask.slashdot.org/story/12/06/16/223208/ask-slashdot-whats-your-take-on-https-snooping


Basically, to tproxy HTTPS, your proxy has to act as a man-in-the-middle. 
Very undesirable.


Typically, in order to do HTTPS proxying, you would use normal forward proxying, where the client configures the browser to use a particular proxy server. When doing HTTPS through that proxy, the UA will use the CONNECT method and the proxy simply "tunnels" the SSL requests. It's really only useful to e.g. control which server(s) your UAs can CONNECT to (for example).

If you are doing transparent proxy for HTTP, you probably should just let HTTPS bypass the proxying layer entirely.

-- Leif


Re: ssl with transparent proxy

Posted by Leif Hedstrom <zw...@apache.org>.
On 6/17/12 7:15 AM, Jacov Koren wrote:
>
> I am just trying to understand how ssl connection can take place when 
> using transparent proxy.
>
> Do I need to intercept the traffic with iptables just like I did for port 
> 80 ?
>
> Do I need to configure something else in records.config?
>
> It's pretty urgent, I would really appreciate it if someone can help me?
>
>

How would you expect it to work in transparent proxy? It's not like the 
proxy can do SSL termination here, without having every web site in the 
world's private certificate key. Unless of course you force your clients to 
trust your own CA, and make an SSL certificate for e.g. *.*. Funny that this 
discussion is coming up again (we've had this exercise at least a few times 
before) with the recent /. article:

http://ask.slashdot.org/story/12/06/16/223208/ask-slashdot-whats-your-take-on-https-snooping


Basically, to tproxy HTTPS, your proxy has to act as a man-in-the-middle. 
Very undesirable.


Typically, in order to do HTTPS proxying, you would use normal forward 
proxying, where the client configures the browser to use a particular proxy 
server. When doing HTTPS through that proxy, the UA will use the CONNECT 
method and the proxy simply "tunnels" the SSL requests. It's really only 
useful to e.g. control which server(s) your UAs can CONNECT to (for example).

If you are doing transparent proxy for HTTP, you probably should just let 
HTTPS bypass the proxying layer entirely.

-- Leif
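The CONNECT handling Leif describes, as an added example (not Apache Traffic Server code and not from anyone in this thread): a small Python parser for the browser's CONNECT request line with a constructed destination allowlist, which is the "control which server(s) your UAs can CONNECT to" use case. Everything after the 200 reply is opaque TLS that the proxy can only relay, which is why it has nothing to inspect. The allowed hosts and the 443-only port policy are constructed sample values.

```python
"""Minimal forward-proxy CONNECT policy (added example, not ATS code).

A browser configured to use a proxy sends "CONNECT host:port HTTP/1.1"
for HTTPS. The proxy parses that line, applies a destination policy and
replies. After "200 Connection Established" it only copies bytes in both
directions; the TLS handshake runs end to end between UA and origin.
"""
import re
from typing import Optional, Tuple

# Constructed sample policy: hosts a UA may tunnel to, and HTTPS port only.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
ALLOWED_PORTS = {443}

# CONNECT request line: method, authority, HTTP/1.0 or HTTP/1.1.
_REQUEST_LINE = re.compile(rb"^CONNECT[ \t]+([^ \t]+)[ \t]+HTTP/1\.[01]$")
# authority = bracketed IPv6 literal or hostname/IPv4, then ":port".
_AUTHORITY = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):([0-9]{1,5})$")


def parse_connect(request_head: bytes) -> Optional[Tuple[str, int]]:
    """Return (host, port) from the CONNECT request line, or None if malformed."""
    first_line = request_head.split(b"\r\n", 1)[0]
    m = _REQUEST_LINE.match(first_line)
    if not m:
        return None
    try:
        authority = m.group(1).decode("ascii")
    except UnicodeDecodeError:
        return None
    a = _AUTHORITY.match(authority)
    if not a:
        return None
    host, port = a.group(1).strip("[]").lower(), int(a.group(2))
    if not 1 <= port <= 65535:
        return None
    return host, port


def decide_connect(request_head: bytes) -> Tuple[int, bytes]:
    """Apply the allowlist and return (status, reply bytes) the proxy sends."""
    target = parse_connect(request_head)
    if target is None:
        # Not a CONNECT (e.g. a plain GET) or an unparsable authority.
        return 400, b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    host, port = target
    if host not in ALLOWED_HOSTS or port not in ALLOWED_PORTS:
        return 403, b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    # From here on the proxy relays opaque bytes; it never sees plaintext.
    return 200, b"HTTP/1.1 200 Connection Established\r\n\r\n"
```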
