[squid-users] Squid reverse proxy with SSL bump

Alex Rousskov rousskov at measurement-factory.com
Wed Sep 9 14:29:51 UTC 2015


On 09/08/2015 11:41 PM, Amos Jeffries wrote:
> On 9/09/2015 8:14 a.m., Alex Rousskov wrote:
>> On 09/08/2015 01:33 AM, Amos Jeffries wrote:
>>> On 8/09/2015 6:45 p.m., joseph jose wrote:
>>>> Is it possible to configure a squid reverse proxy with SSL-bump enabled?
>>
>>
>>> The concept does not make any sense.
>>>  * accel / reverse-proxy traffic is destined to and terminated by the proxy.
>>>  * ssl-bump is a pile of trickery and hacks to intercept traffic
>>> destined to somewhere else.
>>
>> Since CONNECT requests are not limited to forward proxies, an origin
>> server (or a reverse proxy) might receive a CONNECT request. When a
>> reverse proxy receives a CONNECT request, it might decide to bump it.
>> Thus, the combination makes sense in some esoteric environments.
> 
> 
> "
> CONNECT is intended only for use in requests to a proxy. An origin
> server that receives a CONNECT request for itself MAY respond with a
> 2xx (Successful) status code to indicate that a connection is
> established. However, most origin servers do not implement CONNECT.
> "

Yes, I read that paragraph before posting. It supports what I have said:
The intended use is different, but there is nothing prohibiting an
origin server from supporting CONNECTs [to arbitrary addresses]. What is
not prohibited is allowed.


> Even if we did accept/200 it; the only valid connections are those going
> to self

Why only to self? And why do you think the server notion of "self" may
not include an address different from the destination address of the
current connection? It is up to the server to allow or deny tunnels [to
various addresses].


> which is port 80 thus plain text HTTP. 

CONNECT may be received inside an SSL/TLS connection as well, but this
does not really matter for this discussion.

Alex.
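The point argued above, that an origin server or reverse proxy which accepts CONNECT decides for itself which tunnel targets count as "self" and denies the rest, can be illustrated with a small policy check. This is an added example, not code from the thread, from Squid, or from its authors; the `SELF_AUTHORITIES` allowlist, the `decide_connect` and `parse_authority` functions, and the sample request lines are all constructed for the example.

```python
"""
Added example (not from the squid-users thread or Squid itself): a minimal
CONNECT policy for an origin server or reverse proxy.  The server parses the
authority-form request target ("host:port"), and only establishes a tunnel
when that authority is one it considers "self".  Everything else is refused,
so a server that happens to accept CONNECT never becomes an open relay.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed allowlist: the addresses this server treats as "self".  As the
# thread notes, this may include more than the address the current connection
# arrived on (an alias, an IP literal, a second listening port).
SELF_AUTHORITIES = {
    ("www.example.com", 443),
    ("www.example.com", 80),
    ("203.0.113.10", 443),   # RFC 5737 documentation address
    ("::1", 443),
}


@dataclass
class ConnectDecision:
    status: int                          # HTTP status the server would send
    reason: str                          # human-readable reason for the log
    target: Optional[Tuple[str, int]] = None


def parse_authority(authority: str) -> Optional[Tuple[str, int]]:
    """Split an authority-form target into (host, port).

    Accepts "host:port" and bracketed IPv6 "[addr]:port".  Returns None when
    the port is missing or out of range, since CONNECT requires both parts.
    """
    if authority.startswith("["):
        close = authority.find("]")
        if close < 0 or authority[close + 1:close + 2] != ":":
            return None
        host = authority[1:close]
        port_str = authority[close + 2:]
    else:
        host, sep, port_str = authority.rpartition(":")
        if not sep or not host:
            return None
    if not port_str.isdigit():
        return None
    port = int(port_str)
    if not 1 <= port <= 65535:
        return None
    return host.lower(), port


def decide_connect(request_line: str,
                   self_authorities=SELF_AUTHORITIES) -> ConnectDecision:
    """Decide how to answer an HTTP request line that may be a CONNECT.

    200 means the tunnel may be established; 403 means the target is not one
    of this server's own addresses; 400 means the request is malformed.
    Non-CONNECT methods get 405 here only because this helper handles CONNECT
    alone; a real server would route them to its normal request handling.
    """
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return ConnectDecision(400, "malformed request line")
    method, target, _version = parts
    if method != "CONNECT":
        return ConnectDecision(405, "not a CONNECT request")
    authority = parse_authority(target)
    if authority is None:
        return ConnectDecision(400, "CONNECT target must be host:port")
    if authority in self_authorities:
        return ConnectDecision(200, "Connection established", authority)
    return ConnectDecision(403, "tunnel target is not this server", authority)


if __name__ == "__main__":
    # Constructed sample request lines, as a server would read them.
    for line in ("CONNECT www.example.com:443 HTTP/1.1",
                 "CONNECT [::1]:443 HTTP/1.1",
                 "CONNECT mail.example.net:25 HTTP/1.1",
                 "CONNECT www.example.com HTTP/1.1"):
        d = decide_connect(line)
        print(f"{line!r:45} -> {d.status} {d.reason}")
```

The deny-by-default shape is the part worth keeping: whether the allowlist holds one address or several is the server operator's choice, but any CONNECT whose target is outside it is refused rather than relayed.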


