[squid-dev] Online Translator interface for Squid

Jeffrey Merkey jeffmerkey at gmail.com
Thu Sep 14 06:20:56 UTC 2017 

On 9/14/17, Jeffrey Merkey <jeffmerkey at gmail.com> wrote:
> On 9/14/17, Jeffrey Merkey <jeffmerkey at gmail.com> wrote:
>> On 9/13/17, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>>> On 09/13/2017 11:25 PM, Jeffrey Merkey wrote:
>>>
>>>> It will allow me to translate any web content read through such a
>>>> cache to downstream clients.  I need to know where to hook into your
>>>> cache at the layer it is reading html pages to insert the translator.
>>>
>>>
>>> Hello Jeffrey,
>>>
>>>     You should not hook this inside Squid. Implement an ICAP or eCAP
>>> service instead: http://wiki.squid-cache.org/SquidFaq/ContentAdaptation
>>>
>>>
>>>> Is there a neat and clean interface where I can get the pages being
>>>> read from the cache, and translate them, then send them to the
>>>> downstream clients.
>>>
>>> Not really. Squid does not even have a concept of a "page"; it operates
>>> on the level of HTTP messages. Adaptation services also have to work
>>> with HTTP messages, not pages, but at least you will not have to deal
>>> with Squid code (changes). As an added bonus, your service will work
>>> with any proxy that supports ICAP (most production proxies do) or eCAP
>>> (I am not aware of any production proxy that does, but that may change).
>>>
>>>
>>> Please note that due to the "success" of the "TLS everywhere" campaign,
>>> you will most likely have to attack and bump user TLS traffic in order
>>> to translate most pages on the fly. This opens up a big can of worms.
>>> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>>>
>>> At the end of the day, you may want to write browser plugins instead,
>>> although that option also comes with its own set of serious problems. In
>>> theory, you can even write a browser plugin that will talk to an ICAP or
>>> eCAP service, so that you can cover all possible deployment vectors with
>>> a single adaptation service, but that is even more work, and I have not
>>> heard of anybody doing that.
>>>
>>>
>>> HTH,
>>>
>>> Alex.
>>>
>>
>>
>> Alex,
>>
>> Thanks for the quick response.  I have reviewed the ssl-bump feature
>> -- perfect just what I needed the proxy to do.  As for C_ICAP, I am
>> reviewing the program as we speak.  I may have other questions later,
>> but you certainly got me off on the right foot.
>>
>> So, to configure the ssl-bump it appears I need to configure a
>> certificate.  What are the steps to do that with the ss-bump feature?
>>
>> You are awesome.  Thanks for the help.
>>
>> Jeff
>>
>
> I think I found it.
>
> https://wiki.squid-cache.org/Features/DynamicSslCert
>
> Jeff
>

Alex,

Can I just use one certificate, or do I need to enable this dynamic capability.

Jeff

More information about the squid-dev mailing list