[squid-users] squid callout sequence (Amos Jeffries)
Gordon Hsiao
capcoding at gmail.com
Mon Jun 25 02:59:59 UTC 2018
>
> On 25/06/18 05:15, Gordon Hsiao wrote:
> > at https://wiki.squid-cache.org/SquidFaq/OrderIsImportant I noticed
> > redirectors are way ahead of ssl-bump in the callout order, in a
> > https-ssl-bump case
>
> There is not really any "https-ssl-bump" case.
>
> There is SSL-Bump (decrypting a TLS stream - or not), and there is HTTPS
> (HTTP messages inside TLS).
>
>
> > you will need ssl-bump to run (so you can get full
> > URL for example), then you can run redirector based on the result of
> > ssl-bump, correct?
>
> No. SSL-Bump is an operation applied to a CONNECT message, when setting
> up the TLS tunnel. There are maybe also *multiple* CONNECT messages when
> SSL-Bump gets involved - which the FAQ text following that sequence
> describes.
>
>
> HTTP is stateless protocol. So the CONNECT message(s) are independent of
> both each other, and anything decrypted from inside the tunnel. Each and
> every message Squid handles gets its own cycle through the callout
> sequence.
>
>
> > why is redirector run before ssl-bump?
>
> Because Squid needs to know _where_ it is going before it can connect
> there. SSL-Bump is part of tunnel/connection setup.
>
> Amos
>
>
will SSL-Bump(not 'peek+splice', but the 'peek+bump' mode) decrypt all the
tcp packets? For example I connect to youtube.com/myvideo, will peek+bump
only decrypt the pseudo CONNECT messages(I'm doing transparent proxy), or
will it decrypt all the video streams too? if it's the latter case the
proxy will be cpu intensive.
Thanks for the hellp
Gordon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180624/715b9543/attachment.html>
More information about the squid-users
mailing list