[squid-dev] [RFC] TLS peek by default

Amos Jeffries squid3 at treenet.co.nz
Fri Jun 5 22:47:09 UTC 2015


In order to support PROXY protocol on HTTPS inbound traffic we will be
needing Squid to "peek" at the initial client connection bytes and
process the PROXY header.

There is no need for the decryption to enter into the picture and in
current trunk Squid the bytes can be relayed in the BIO buffer to
whatever processing is appropriate.

Along these lines, I am wondering why we need to have "ssl_bump peek"
checked for in relation to client peeking. Can we make Squid simply do
that first 'peek' step always for all potential HTTPS connections?


This would also give SNI and the like up front and make Squid able to
act a lot more like what people in squid-users seem to be starting off
assuming it does.

Amos
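
Added example, not part of the original message and not Squid code: a sketch of the peek step described above, classifying the first bytes of a connection as an optional PROXY protocol v1/v2 header followed by a TLS ClientHello, without decrypting anything. The names `peekInitialBytes` and `PeekResult` are hypothetical, and a `std::string` stands in for the peeked buffer.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <string>

enum class Peek { NeedMore, Invalid, Ok };

struct PeekResult {
    Peek status;
    int proxyVersion;     // 0 = no PROXY header, otherwise 1 or 2
    size_t proxyLen;      // bytes occupied by the PROXY header
    bool tlsClientHello;  // bytes after the header begin a TLS ClientHello
};

// Fixed 12-byte signature that opens every PROXY protocol v2 header.
static const unsigned char kV2Sig[12] =
    {0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A};

// Classify peeked bytes without consuming or decrypting anything.
PeekResult peekInitialBytes(const std::string &buf) {
    const size_t n = buf.size();
    const auto *p = reinterpret_cast<const unsigned char *>(buf.data());
    int ver = 0;
    size_t off = 0;
    if (std::memcmp(p, kV2Sig, std::min<size_t>(n, 12)) == 0) {
        // v2: signature, version/command, family, 16-bit big-endian length
        if (n < 16) return {Peek::NeedMore, 0, 0, false};
        if ((p[12] >> 4) != 2) return {Peek::Invalid, 2, 0, false};
        ver = 2;
        off = 16 + ((size_t(p[14]) << 8) | p[15]);
    } else if (std::memcmp(p, "PROXY ", std::min<size_t>(n, 6)) == 0) {
        // v1: one text line ending in CRLF, at most 107 bytes in total
        const size_t eol = buf.find("\r\n");
        if (eol == std::string::npos)
            return {n < 107 ? Peek::NeedMore : Peek::Invalid, 0, 0, false};
        if (eol + 2 > 107) return {Peek::Invalid, 1, 0, false};
        ver = 1;
        off = eol + 2;
    }
    // TLS record header (type, version, length) plus the handshake type byte
    if (n < off + 6) return {Peek::NeedMore, ver, off, false};
    const bool hello = p[off] == 0x16 && p[off + 1] == 0x03 && p[off + 5] == 0x01;
    return {Peek::Ok, ver, off, hello};
}
```

A `NeedMore` result means the caller should keep peeking; the buffer is never modified, so the same bytes remain available to whatever processing follows.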

