[squid-users] redirect TCP_NONE

Amos Jeffries squid3 at treenet.co.nz
Fri Jul 17 04:09:11 UTC 2015


On 17/07/2015 11:40 a.m., HackXBack wrote:
> I have an idea to solve problems with sites and apps that work on port 443
> but can't establish a connection with Squid.
> I see that when this connection can't be established, TCP_NONE appears in
> access.log.
> Then why can't we use an option so that when this TCP_NONE comes up for some
> app, it is redirected to TCP_TUNNEL, and then it will be bypassed and the
> connection will be established without decryption, but at minimum it will
> work automatically without setting ssl_bump none x.x.x.x for that IP?
> Who supports me?

TCP_TUNNEL means TCP packets being passed through a CONNECT tunnel. No
TLS involvement in any way.

What you are thinking of would be labeled "TLS_SPLICE" (if we had such
labels - since we don't, it gets "NONE"). Where Squid is mediating between
two TLS encrypted tunnels, has touched the non-crypted parts without
actively decrypting the payload.

The case where Squid peeks at the first few bytes and sees immediately
that it's not even TLS (or you have configured "ssl_bump none" to happen)
will already TCP_TUNNEL automatically in Squid-3.5+.

Amos
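
Added example, not part of the original message: a squid.conf fragment for Squid 3.5+ showing the peek-then-splice handling described above, where Squid relays the TLS stream for selected servers without decrypting it. The ACL names and the domain are placeholders, and an ssl-bump enabled port with a signing certificate is assumed to be configured already.

```conf
# Added example; ACL names and the domain below are placeholders.

# Matches the first SslBump processing step (TCP-level info and, after
# peeking, the TLS ClientHello / SNI).
acl step1 at_step SslBump1

# Constructed list of servers whose clients fail when intercepted
# (for example apps that pin their server certificate).
acl no_bump_sites ssl::server_name .example.com

# Step 1: read the ClientHello without decrypting anything.
ssl_bump peek step1

# Matching connections are passed through: Squid sits between the two
# TLS endpoints but never decrypts the payload.
ssl_bump splice no_bump_sites

# Everything else is decrypted and inspected.
ssl_bump bump all
```

Keeping the splice list explicit means every exemption from inspection is a reviewed decision rather than something that happens whenever a handshake fails.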


