[squid-users] http_port vs https_port (Alex Rousskov)

Amos Jeffries squid3 at treenet.co.nz
Wed Jun 27 23:26:57 UTC 2018


On 28/06/18 11:04, Gordon Hsiao wrote:
>  
>  Keep reading http_port vs https_port here...
> 
> 1. http_port does not require openssl, https_port does; however,
> http_port can do ssl-bump, so I would think http_port is conditionally
> dependent on openssl.

Yes.

> 2. Reading the cfgman v3.5 page, I could not really tell their difference
> when openssl/ssl-bump is involved; it seems http_port is a superset of
> https_port and they behave the same when ssl-bump (splice or bump) is to
> be used.

No, the behaviour is very different at all times:
 One is HTTP maybe containing TLS.
 One is TLS maybe containing HTTP.

The "unwrapping" of layered protocols is different in the two cases.
Modern Squid requires ports tuned to the explicit protocol syntax
expected, and to the mode of delivery from the client.


> 
> Since http_port (--with-openssl) seems able to do everything https_port can
> do, why do we have https_port at all? In which circumstances must I use
> https_port?

When *HTTPS* is being directly received by the port.


http_port is for when the client sends HTTP (no 'S') traffic to Squid.
For example, port 80 or port 3128 syntax traffic.

https_port is for when the client sends HTTPS (TLS with HTTP inside) to
Squid. For example, port 443 syntax, or port 3128 with encryption.

ftp_port is for when the client sends FTP. For example, port 21 syntax.

icp_port for ICP protocol ...

htcp_port for HTCP protocol ...

snmp_port for SNMP protocol ...

see the pattern?



Naturally, since you always expect TLS on https_port, simply adding it
requires crypto library support. The other port(s) only _sometimes_ have
to deal with crypto, so it is when the crypto-related options are set
that the requirements get mentioned.

Also, OpenSSL support is optional in Squid-4. GnuTLS can be used
instead, depending on what your TLS needs are.

Amos
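As an added illustration of the "unwrapping order" point above (this is example code written for this page, not Squid's code and not part of Amos's reply), the following Python models what the first bytes on each port type look like to the receiver. On an http_port the outer layer is HTTP syntax, and a CONNECT request is the only thing that may carry TLS inside; on an https_port the outer layer is a TLS record, and HTTP is only visible after the handshake. The ClientHello builder, the `classify` function, its messages and the sample request bytes are all constructed here for the example; real Squid error handling differs in detail.

```python
"""Model of http_port vs https_port first-byte handling (added example,
not Squid code).  http_port: HTTP syntax outside, TLS possibly inside a
CONNECT.  https_port: TLS record outside, HTTP inside the TLS session."""
import os
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello carrying an SNI
    extension (constructed test input, not captured traffic)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # server_name ext
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"   # version, random, no session id
            + b"\x00\x02\x13\x01"                    # one cipher suite
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(data: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 39 or hs[0] != 0x01:
        return None
    p = 38                                   # past header(4), version(2), random(32)
    p += 1 + hs[p]                           # session id
    if p + 2 > len(hs):
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher suites
    if p >= len(hs):
        return None
    p += 1 + hs[p]                           # compression methods
    if p + 2 > len(hs):
        return None
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= min(end, len(hs)):
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0x0000:                  # server_name extension
            q = p + 2                        # skip ServerNameList length
            while q + 3 <= p + elen:
                ntype = hs[q]
                nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return hs[q:q + nlen].decode("ascii", "replace")
                q += nlen
        p += elen
    return None


def classify(first_bytes: bytes, port_type: str) -> str:
    """Describe how a port of the given type would unwrap what arrived.
    Messages are this example's wording, not Squid's actual responses."""
    is_tls = len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
    is_http = first_bytes.startswith(HTTP_METHODS)
    if port_type == "http_port":
        if is_http:
            line = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
            method, target = (line.split(" ") + ["", ""])[:2]
            if method == "CONNECT":
                return f"HTTP CONNECT to {target}: TLS may follow inside (ssl-bump decides)"
            return f"HTTP {method} {target}: plain HTTP, nothing to unwrap"
        if is_tls:
            return "error: TLS record on http_port (client sent HTTPS to an HTTP port)"
        return "error: not HTTP syntax"
    if port_type == "https_port":
        if is_tls:
            return f"TLS ClientHello (SNI={parse_sni(first_bytes)}): HTTP follows inside the TLS session"
        if is_http:
            return "error: plain HTTP request on https_port (client sent HTTP to a TLS port)"
        return "error: not TLS syntax"
    raise ValueError(f"unknown port type {port_type!r}")


if __name__ == "__main__":
    connect = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
    hello = build_client_hello("example.com")
    for data, port in ((connect, "http_port"), (hello, "https_port"),
                       (hello, "http_port"), (connect, "https_port")):
        print(f"{port:10s} <- {classify(data, port)}")
```

Feeding the same ClientHello to the http_port model yields an error, and the same CONNECT to the https_port model likewise fails: that is the "different at all times" behaviour the reply describes, with the host name surfacing in the CONNECT target on one port and in the TLS SNI on the other.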

