This applies to forward proxy configurations only.
When Caching Proxy is configured as a forward proxy, it uses SSL tunneling to support secure connections between clients and content servers. In SSL tunneling, encrypted data is passed through the proxy server unaltered. Because the proxy server does not decrypt the data, functions that require the proxy server to read requests or document headers are not supported in SSL tunneling. Also, tunneled requests are not cached.
Figure 2 shows how a connection is established by using SSL tunneling.
The SSL tunneling process is as follows:
In a forward proxy setting, only SSL tunneling is available. To enable SSL tunneling, in the Configuration and Administration forms, select Proxy Configuration -> Proxy Settings. Select the SSL Tunneling check box.
The CONNECT method (which by default is disabled) must also be enabled for SSL tunneling connections. To enable this in the configuration forms, select Server Configuration -> Request Processing and use the HTTP Methods form.
Three options (OutgoingPorts, OutgoingIPs, IncomingIPs) are provided for the Enable CONNECT directive to tighten SSL tunneling security. You must specify a value for at least OutgoingPorts; otherwise the CONNECT method is not enabled.
Enable CONNECT OutgoingPorts [all | [port1|port1-port2|port1-*],...]
To allow clients to connect only to port 443 on the remote servers for SSL tunneling, set the following directives. (Normally port 443 is the HTTPS port on the remote server.)
Enable CONNECT OutgoingPorts 443
SSLTunneling on
To allow clients to connect to any port on the remote servers for SSL tunneling, set the following directives:
Enable CONNECT OutgoingPorts all
SSLTunneling on
To allow clients to connect to ports 80, 8080-8088, and 9000 and above on the remote servers for SSL tunneling, set the following directives:
Enable CONNECT OutgoingPorts 80,8080-8088,9000-*
SSLTunneling on
Ports and port ranges are separated by commas with no spaces in the list.
IMPORTANT: For forward proxy configurations, specify at least 443 or all with the OutgoingPorts option to enable normal SSL tunneling.
Enable CONNECT OutgoingIPs [[!]IP_pattern,...]
For example, to allow clients to connect to any port on remote servers whose IP address or host name matches *.ibm.com and does not match 192.168.*.*, set the following directives:
Enable CONNECT OutgoingPorts all OutgoingIPs *.ibm.com,!192.168.*.*
SSLTunneling on
Enable CONNECT IncomingIPs [[!]IP_Pattern,...]
For example, to allow clients coming from IP addresses matching 192.168.*.* to connect to any port on the remote servers for SSL tunneling, set the following directives:
Enable CONNECT OutgoingPorts all IncomingIPs 192.168.*.*
SSLTunneling on
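The following is an added example, not code from Caching Proxy, that models how the three Enable CONNECT options and the SSLTunneling switch combine to accept or reject a CONNECT request. It is useful for checking what a given directive set permits before deploying it. The exact matching rules of the product are assumptions read from the documented syntax: * in an IP/host pattern matches any run of characters (shell-style), a leading ! means the address must not match, and port-* means that port and every port above it. The client addresses and target hosts in the usage section are constructed.

```python
import fnmatch
import re

# Added example, not Caching Proxy code. It models the Enable CONNECT options
# (OutgoingPorts, OutgoingIPs, IncomingIPs) and the SSLTunneling switch as
# documented; the exact matching rules of the product are an assumption:
#   - '*' in an IP/host pattern matches any run of characters (shell-style)
#   - a leading '!' means the address must NOT match that pattern
#   - 'port-*' means that port and every port above it
MAX_PORT = 65535


def parse_ports(spec):
    """Parse an OutgoingPorts value into a list of (low, high) port ranges.

    'all'                  -> [(1, 65535)]
    '80,8080-8088,9000-*'  -> [(80, 80), (8080, 8088), (9000, 65535)]
    Entries are comma-separated with no spaces, as the documentation requires;
    a space or empty entry is rejected rather than silently ignored.
    """
    spec = spec.strip()
    if spec == "all":
        return [(1, MAX_PORT)]
    ranges = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+|\*))?", item)
        if not m:
            raise ValueError(f"bad OutgoingPorts entry: {item!r}")
        low = int(m.group(1))
        high = MAX_PORT if m.group(2) == "*" else int(m.group(2) or low)
        if not 1 <= low <= high <= MAX_PORT:
            raise ValueError(f"port range out of order or out of bounds: {item!r}")
        ranges.append((low, high))
    return ranges


def port_allowed(port, ranges):
    """True if port falls inside any configured range."""
    return any(low <= port <= high for low, high in ranges)


def parse_patterns(spec):
    """Split an OutgoingIPs/IncomingIPs value into (must_match, must_not_match) lists."""
    must_match, must_not_match = [], []
    for item in spec.split(","):
        if item.startswith("!"):
            must_not_match.append(item[1:])
        else:
            must_match.append(item)
    return must_match, must_not_match


def address_allowed(addr, must_match, must_not_match):
    """Deny on any '!' pattern hit; otherwise require a hit on a positive pattern (if any)."""
    if any(fnmatch.fnmatchcase(addr, p) for p in must_not_match):
        return False
    if must_match and not any(fnmatch.fnmatchcase(addr, p) for p in must_match):
        return False
    return True


class ConnectPolicy:
    """Decision model for one CONNECT request under a given set of directives."""

    def __init__(self, outgoing_ports=None, outgoing_ips=None,
                 incoming_ips=None, ssl_tunneling=False):
        # Without OutgoingPorts the CONNECT method is not enabled at all.
        self.port_ranges = parse_ports(outgoing_ports) if outgoing_ports else None
        self.outgoing = parse_patterns(outgoing_ips) if outgoing_ips else ([], [])
        self.incoming = parse_patterns(incoming_ips) if incoming_ips else ([], [])
        self.ssl_tunneling = ssl_tunneling

    def decide(self, client_ip, target_host, target_port):
        """Return (allowed, reason) for 'CONNECT target_host:target_port' from client_ip."""
        if not self.ssl_tunneling:
            return False, "SSLTunneling is off"
        if self.port_ranges is None:
            return False, "CONNECT method not enabled (no OutgoingPorts)"
        if not address_allowed(client_ip, *self.incoming):
            return False, f"client {client_ip} rejected by IncomingIPs"
        if not address_allowed(target_host, *self.outgoing):
            return False, f"target {target_host} rejected by OutgoingIPs"
        if not port_allowed(target_port, self.port_ranges):
            return False, f"port {target_port} not in OutgoingPorts"
        return True, "allowed"


if __name__ == "__main__":
    # Constructed sample requests against a combination of the directives above.
    policy = ConnectPolicy(outgoing_ports="80,8080-8088,9000-*",
                           outgoing_ips="*.ibm.com,!192.168.*.*",
                           incoming_ips="192.168.*.*", ssl_tunneling=True)
    for client, host, port in [("192.168.1.10", "www.ibm.com", 8085),
                               ("192.168.1.10", "www.ibm.com", 8089),
                               ("10.0.0.7", "www.ibm.com", 443)]:
        print(client, "->", f"{host}:{port}", policy.decide(client, host, port))
```

The checks run in the order the directives restrict the request: the tunnel is refused outright when SSLTunneling is off or no OutgoingPorts value exists, then the client address, the target address and finally the target port are tested. Note that "9000-*" deliberately maps to the whole range above 9000, so a policy written that way is much broader than it may look; the first test in the usage section shows a port inside the 8080-8088 range being accepted and the next one, 8089, being rejected.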
For more information on enabling SSL tunneling and the CONNECT directives by editing the proxy configuration file, see the reference sections in Appendix B, Configuration file directives, for the following directives: