[squid-dev] Online Translator interface for Squid

Jeffrey Merkey jeffmerkey at gmail.com
Thu Sep 14 06:15:42 UTC 2017


On 9/14/17, Jeffrey Merkey <jeffmerkey at gmail.com> wrote:
> On 9/13/17, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>> On 09/13/2017 11:25 PM, Jeffrey Merkey wrote:
>>
>>> It will allow me to translate any web content read through such a
>>> cache to downstream clients.  I need to know where to hook into your
>>> cache at the layer it is reading html pages to insert the translator.
>>
>>
>> Hello Jeffrey,
>>
>>     You should not hook this inside Squid. Implement an ICAP or eCAP
>> service instead: http://wiki.squid-cache.org/SquidFaq/ContentAdaptation
>>
>>
>>> Is there a neat and clean interface where I can get the pages being
>>> read from the cache, and translate them, then send them to the
>>> downstream clients.
>>
>> Not really. Squid does not even have a concept of a "page"; it operates
>> on the level of HTTP messages. Adaptation services also have to work
>> with HTTP messages, not pages, but at least you will not have to deal
>> with Squid code (changes). As an added bonus, your service will work
>> with any proxy that supports ICAP (most production proxies do) or eCAP
>> (I am not aware of any production proxy that does, but that may change).
>>
>>
>> Please note that due to the "success" of the "TLS everywhere" campaign,
>> you will most likely have to attack and bump user TLS traffic in order
>> to translate most pages on the fly. This opens up a big can of worms.
>> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>>
>> At the end of the day, you may want to write browser plugins instead,
>> although that option also comes with its own set of serious problems. In
>> theory, you can even write a browser plugin that will talk to an ICAP or
>> eCAP service, so that you can cover all possible deployment vectors with
>> a single adaptation service, but that is even more work, and I have not
>> heard of anybody doing that.
>>
>>
>> HTH,
>>
>> Alex.
>>
>
>
> Alex,
>
> Thanks for the quick response.  I have reviewed the ssl-bump feature
> -- perfect just what I needed the proxy to do.  As for C_ICAP, I am
> reviewing the program as we speak.  I may have other questions later,
> but you certainly got me off on the right foot.
>
> So, to configure the ssl-bump it appears I need to configure a
> certificate.  What are the steps to do that with the ss-bump feature?
>
> You are awesome.  Thanks for the help.
>
> Jeff
>

I think I found it.

https://wiki.squid-cache.org/Features/DynamicSslCert

Jeff


More information about the squid-dev mailing list