SSL tunneling

This applies to forward proxy configurations only.

When Caching Proxy is configured as a forward proxy, it uses SSL tunneling to support secure connections between clients and content servers. In SSL tunneling, encrypted data is passed through the proxy server unaltered. Because the proxy server does not decrypt the data, functions that require the proxy server to read requests or document headers are not supported in SSL tunneling. Also, tunneled requests are not cached.

Figure 2 shows how a connection is established by using SSL tunneling.

Figure 2. SSL tunneling

The SSL tunneling process is as follows:

  1. The client makes a tunneling request: CONNECT server-host-name:port HTTP/1.1 (or HTTP/1.0). The port number is optional and is usually 443. If the forward proxy is configured in the browser, the browser automatically sends this CONNECT request to the proxy server first for every HTTPS request.
  2. The proxy accepts the connection on its port 80, receives the request, and connects to the destination server on the port requested by the client.
  3. The proxy replies to the client that a connection is established.
  4. The proxy relays SSL handshake messages in both directions: from client to destination server, and from destination server to client.
  5. After the secure handshake is completed, the proxy sends and receives encrypted data to be decrypted at the client or at the destination server.
  6. If the client or the destination server requests a closure on either port, the proxy server closes both connections (ports 443 and 80) and resumes its normal activity.

Configuring SSL tunneling

In a forward proxy setting, only SSL tunneling is available. To enable SSL tunneling, in the Configuration and Administration forms, select Proxy Configuration -> Proxy Settings. Select the SSL Tunneling check box.

The CONNECT method (which by default is disabled) must also be enabled for SSL tunneling connections. To enable this in the configuration forms, select Server Configuration -> Request Processing and use the HTTP Methods form.

The Enable CONNECT directive takes three options (OutgoingPorts, OutgoingIPs, IncomingIPs) that restrict where SSL tunnels may be opened, for enhanced SSL tunneling security. You must specify a value for at least OutgoingPorts; otherwise, the CONNECT method is not enabled.
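The six-step exchange above, together with the OutgoingPorts restriction, as an added Python example (not Caching Proxy code): a minimal CONNECT handler that parses the request line, refuses destination ports outside a constructed allow list, answers 200 Connection established, and relays bytes unread until either side closes. The function names, the allow-list value and the single-recv request read are assumptions made for the example.

```python
import select
import socket

# Constructed allow list in the spirit of the OutgoingPorts option (assumption).
ALLOWED_OUTGOING_PORTS = {443}

def parse_connect_request(request_line):
    """Parse 'CONNECT host[:port] HTTP/1.x' into (host, port); port defaults to 443."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT" or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("not a CONNECT request line")
    host, sep, port = parts[1].rpartition(":")
    if not sep or parts[1].endswith("]"):  # no port given (also a bare [IPv6] literal)
        host, port = parts[1], "443"
    if not host or not port.isdigit():
        raise ValueError("malformed host:port")
    return host, int(port)

def connect_allowed(port, allowed_ports=ALLOWED_OUTGOING_PORTS):
    """Policy check: refuse tunnels to any destination port not on the allow list."""
    return port in allowed_ports

def relay(client, server):
    """Steps 4-5: copy bytes both ways without reading them; step 6: either side closing tears down both."""
    try:
        while True:
            for s in select.select([client, server], [], [])[0]:
                data = s.recv(65536)
                if not data:
                    return
                (server if s is client else client).sendall(data)
    finally:
        client.close()
        server.close()

def handle_connect(client):
    """Steps 1-3 for one accepted client socket, then hand off to relay().
    The request head is assumed to arrive in a single recv (demo simplification)."""
    try:
        head = client.recv(8192).split(b"\r\n", 1)[0].decode("latin-1")
        host, port = parse_connect_request(head)
        if not connect_allowed(port):
            client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return client.close()
        server = socket.create_connection((host, port), timeout=10)  # step 2
    except (ValueError, OSError):
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        return client.close()
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")  # step 3
    relay(client, server)
```

To run it, accept connections on a listening socket and pass each accepted client socket to handle_connect(); the proxy never needs the TLS keys because it only copies ciphertext.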

For more information about enabling SSL tunneling and the CONNECT directives by editing the proxy configuration file, see the reference sections in Appendix B, Configuration file directives, for the following directives: