[squid-users] squid callout sequence

Amos Jeffries squid3 at treenet.co.nz
Mon Jun 25 02:17:50 UTC 2018

On 25/06/18 05:15, Gordon Hsiao wrote:
> at https://wiki.squid-cache.org/SquidFaq/OrderIsImportant I noticed
> redirectors are way ahead of ssl-bump in the callout order, in a
> https-ssl-bump case

There is not really any "https-ssl-bump" case.

There is SSL-Bump (decrypting a TLS stream - or not), and there is HTTPS
(HTTP messages inside TLS).

> you will need ssl-bump to run (so you can get full
> URL for example), then you can run redirector based on the result of
> ssl-bump, correct?

No. SSL-Bump is an operation applied to a CONNECT message, when setting
up the TLS tunnel. There are maybe also *multiple* CONNECT messages when
SSL-Bump gets involved - which the FAQ text following that sequence

HTTP is stateless protocol. So the CONNECT message(s) are independent of
both each other, and anything decrypted from inside the tunnel. Each and
every message Squid handles gets its own cycle through the callout sequence.

> why is redirector run before ssl-bump?

Because Squid needs to know _where_ it is going before it can connect
there. SSL-Bump is part of tunnel/connection setup.


More information about the squid-users mailing list