I started down this path and learned some things, although maybe not enough to be 100% accurate here. A proxy by default cannot explicitly see SSL data or the security model is compromised. The CONNECT request is a request to a proxy to open a connection to a server. The idea (I think) is that the proxy can see that request, can then open a socket to the named host/port, and pass data back and forth between the client. I've seen this done by having the proxy take a CONNECT and turn it into a socket open to the server. So you can't just pass the CONNECT on as you can for other HTTP requests. Once the connection is established I'd think the proxy could dig into the data if it knows enough about the client's encryption settings to do so. Never gone that far though ...