Squid Cache – Can Squid Cache HTTPS Requests?


Just as said in "Can squid cache objects from HTTPS sites?", to cache objects from https sites, one would need to use the SSL bump feature.

But I can set an HTTPS proxy as well as an HTTP one, even if the SSL bump feature is not installed. Does that mean that setting an HTTPS proxy only lets the content pass through without caching?

  • What is really happening without the SSL bump feature then?
  • What is preventing it from caching files like https://some.sites/some/path/image.png, so that the next time people request it, it can be served from cache?

Best Answer

Unless a proxy is intercepting the HTTPS traffic (i.e. SSL bump) and thus gets access to the decrypted content, it cannot cache the traffic. When acting only as a non-intercepting HTTPS proxy, Squid will just build a tunnel to the final server whenever a client issues a CONNECT request and will forward all traffic without any changes. Even if the client accesses the same resource again, the proxy will not realize this, since the traffic is encrypted differently, i.e. with a different encryption key and initialization vector. Similarly, it would not be possible to reply with a cached (encrypted) response, since the encryption key used between client and final server would be different from the one used for the last access to this resource.
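The following simulation is an added example, not part of the original answer and not Squid code. It shows what a tunnelling proxy can key a cache on (the CONNECT authority plus opaque bytes) compared with a proxy that sees the decrypted request. The `encrypt` function is a simple keystream stand-in for TLS record encryption, and the request and host names are constructed sample values taken from the question's URL.

```python
import hashlib, hmac, os

def parse_connect(line: bytes):
    """Return (host, port) from a CONNECT request line: all a tunnelling proxy learns."""
    method, authority, _version = line.decode("ascii").split()
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = authority.rpartition(":")
    return host, int(port)

def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for TLS record encryption: XOR with an HMAC-SHA256 counter keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class Proxy:
    """Counts cache hits; the cache key is whatever the proxy can actually read."""
    def __init__(self):
        self.cache, self.hits = set(), 0

    def observe(self, cache_key):
        if cache_key in self.cache:
            self.hits += 1
        self.cache.add(cache_key)

def simulate(sessions: int = 3):
    """Fetch the same resource over several sessions; return (tunnel_hits, bumped_hits)."""
    # Constructed sample request for the URL used in the question.
    request = b"GET /some/path/image.png HTTP/1.1\r\nHost: some.sites\r\n\r\n"
    tunnel, bumped = Proxy(), Proxy()
    for _ in range(sessions):
        authority = parse_connect(b"CONNECT some.sites:443 HTTP/1.1")
        key, nonce = os.urandom(32), os.urandom(12)  # fresh key and IV per session
        wire = encrypt(key, nonce, request)
        # Tunnel mode: only the authority and ciphertext are visible.
        tunnel.observe((authority, hashlib.sha256(wire).hexdigest()))
        # Intercepting mode (SSL bump): the decrypted request path is visible.
        bumped.observe((authority, request.split(b" ")[1]))
    return tunnel.hits, bumped.hits

if __name__ == "__main__":
    print(simulate())
```
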
