From: Charles Swiger
Date: Tue, 7 Sep 2004 13:08:23 -0400
To: Vladimir Terziev
cc: freebsd-net@freebsd.org
Subject: Re: Tunneling HTTPS with Squid
Message-Id: <86B15E9E-00F0-11D9-A3E8-003065ABFD92@mac.com>
In-Reply-To: <20040907165345.359dd5b6@daemon.cmotd.com>

On Sep 7, 2004, at 9:53 AM, Vladimir Terziev wrote:
> When HTTP traffic is forwarded with Squid all is ok, because the
> proper X-FORWARDED-FOR header is set and we are able to identify the
> request issuer. When Squid forwards HTTPS traffic to us, situation is
> different, because the only IP which we are able to "see" is that one
> of the Squid server.
> Now, my question ... is there a way to instruct Squid to create some
> kind of tunnel and to forward the HTTPS traffic through it?

Hmm. Squid supports proxying https connections, and it will create a
tunnel between itself and the SSL server on the other side (using DIRECT
rather than an HTTP GET method). However, once you've gotten that SSL
tunnel formed, what goes through it is opaque to Squid: Squid cannot add
headers or do anything of that sort without violating the encryption.

--
-Chuck
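
The difference between the two paths discussed in this thread, as an added example that is not part of the original messages and is not Squid's code: a simplified forward-proxy handler that rewrites a plain HTTP request (adding X-Forwarded-For) but relays tunnelled bytes untouched after a CONNECT request. The function names, the sample address 203.0.113.7, the use of in-process socket pairs in place of real network connections, and relaying only the client-to-server direction are assumptions made for the demonstration.

```python
import socket

CRLF2 = b"\r\n\r\n"

def proxy_once(client, upstream, client_ip):
    """Handle one client connection the way a forward proxy would (simplified)."""
    buf = b""
    while CRLF2 not in buf:                      # read the HTTP request head
        chunk = client.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, extra = buf.partition(CRLF2)
    if head.split(b" ", 1)[0] == b"CONNECT":
        # Tunnel: acknowledge, then copy bytes verbatim. The proxy has no keys,
        # so there is no place where it could insert a header.
        client.sendall(b"HTTP/1.1 200 Connection established" + CRLF2)
        upstream.sendall(extra)
        while chunk := client.recv(4096):
            upstream.sendall(chunk)
        return "tunnel"
    # Plain HTTP: the request is readable, so the proxy can add the client IP.
    request_line, _, headers = head.partition(b"\r\n")
    xff = b"X-Forwarded-For: " + client_ip.encode()
    parts = [p for p in (request_line, xff, headers) if p]
    upstream.sendall(b"\r\n".join(parts) + CRLF2 + extra)
    return "http"

def origin_sees(client_bytes, client_ip="203.0.113.7"):
    """Push client_bytes through proxy_once; return (mode, bytes the origin got)."""
    c_out, c_in = socket.socketpair()            # client <-> proxy
    p_out, o_in = socket.socketpair()            # proxy  <-> origin server
    with c_out, c_in, p_out, o_in:
        c_out.sendall(client_bytes)
        c_out.shutdown(socket.SHUT_WR)           # client has nothing more to send
        mode = proxy_once(c_in, p_out, client_ip)
        p_out.shutdown(socket.SHUT_WR)
        received = b""
        while chunk := o_in.recv(4096):
            received += chunk
    return mode, received

# Constructed samples: a plain HTTP request, and a CONNECT followed by bytes
# that stand in for TLS records (not real ciphertext).
PLAIN = b"GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n\r\n"
TLS_BYTES = b"\x16\x03\x01\x00\x05hello-ciphertext"
TUNNEL = b"CONNECT example.org:443 HTTP/1.1\r\nHost: example.org:443\r\n\r\n" + TLS_BYTES

if __name__ == "__main__":
    print(origin_sees(PLAIN))
    print(origin_sees(TUNNEL))
```

In the tunnel case the origin receives exactly the bytes the client sent, so the only peer address it can observe is that of the proxy's own connection.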