Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can a proxy server cache SSL GETs? If not, would response body encryption suffice?

People also ask

Do proxy servers use cache?

These web servers are also referred to as origin servers or content hosts . However, you can configure the proxy server to handle other protocols, such as File Transfer Protocol (FTP) and Gopher. The proxy server stores cacheable content in a local cache before delivering the content to the requester.

How does SSL work with proxy?

How Does SSL Proxy Work? A key function of SSL proxy is to emulate server certificates. This allows a web browser to use a trusted certificate to validate the identity of web server. SSL encrypts data to ensure that communications are private and the content has not been tampered with.

What are the benefits of caching proxy server?

Caching proxy primarily enables improving website access times, minimizing data download and lowering bandwidth usage. Caching proxy works when the proxy server analyzes and stores an instance or some proportion of data for the frequently used websites and/or Internet based resources.

How is proxy server encrypt the data?

In a standard configuration of secure terminal emulation sessions, the connection between the client and Security Proxy Server is encrypted using SSL/TLS, but the connection between the Security Proxy and the host uses unencrypted Telnet.


The comment by Rory that the proxy would have to use a self-signed cert if not stricltly true.

The proxy could be implemented to generate a new cert for each new SSL host it is asked to deal with and sign it with a common root cert. In the OP's scenario of a corportate environment the common signing cert can rather easily be installed as a trusted CA on the client machines and they will gladly accept these "faked" SSL certs for the traffic being proxied as there will be no hostname mismatch.

In fact this is exactly how software such as the Charles Web Debugging Proxy allow for inspection of SSL traffic without causing security errors in the browser, etc.


No, it's not possible to cache https directly. The whole communication between the client and the server is encrypted. A proxy sits between the server and the client, in order to cache it, you need to be able to read it, ie decrypt the encryption.

You can do something to cache it. You basically do the SSL on your proxy, intercepting the SSL sent to the client. Basically the data is encrypted between the client and your proxy, it's decrypted, read and cached, and the data is encrypted and sent on the server. The reply from the server is likewise descrypted, read and encrypted. I'm not sure how you do this on major proxy software (like squid), but it is possible.

The only problem with this approach is that the proxy will have to use a self signed cert to encrypt it to the client. The client will be able to tell that a proxy in the middle has read the data, since the certificate will not be from the original site.


I think you should just use SSL and rely on an HTTP client library that does caching (Ex: WinInet on windows). It's hard to imagine that the benefits of enterprise wide caching is worth the pain of writing a custom security encryption scheme or certificate fun on the proxy. Worse, on the encryption scheme you mention, doing asymmetric ciphers on the entity body sounds like a huge perf hit on the server side of your application; there is a reason that SSL uses symmetric ciphers for the actual payload of the connection.