[squid-users] Questions around https transparent chained proxy
Walid A. Shaari
walid.shaari at linux.com
Sat Feb 16 08:18:17 UTC 2019
Greetings,
The end goal is enforcing an appliance's (or appliances') TLS traffic to go through
the corporate proxy, as I understand it (splice, not interested in
decrypting).
HTTP traffic works fine; however, I am not 100% clear regarding HTTPS traffic.
1) Does the order of the directives below (ssl_bump, never_direct,
cache_peer, etc.) matter, i.e. where they sit in the squid.conf file, or is it
just the ACLs and ssl_bump that are order-strict in squid.conf?
------ partial squid.conf # is that order ok ----
ssl_bump peek all   # or should I just peek at step1
ssl_bump splice all
#ssl_bump bump all  # not necessary in that case, traffic should have been already spliced
never_direct allow all
cache_peer upstream-proxy parent 8118 0 no-query no-digest
---------------------------
2) What does the only-proxy option really mean for cache_peer?
3) If the parent proxy is not using SSL/TLS but the clients are
using TLS/SSL, is that an issue?
4) In an HTTPS transparent chained proxy scenario, is there a way I
can avoid exporting the Squid proxy certificates to the clients,
as the clients are part of an appliance that I do not have control
over, and not all traffic actually originates from browsers?
5) Is Squid 3.5 from the Linux distro good enough, or should I
upgrade to the latest 4.x for guaranteed splice functionality? The
unofficial binary package available for RHEL is 3.5.27, while the CentOS
package is 4.5-1. Shouldn't both be the same?
TIA
Walid
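A splice-only squid.conf fragment that puts the directives from the question together in a working order. This is an added example, not part of the original post or of Squid's own documentation: the intercept port numbers, the `step1` ACL name and the certificate path are assumptions; `upstream-proxy` and port 8118 are taken from the post.

```conf
# Added example (not from the original post): splice-only transparent
# chaining to a parent proxy. Port numbers, the step1 ACL name and the
# certificate path are placeholders.

# Intercept ports. Squid needs a cert= to start an ssl-bump port, but with
# splice-only rules that certificate is never presented to clients, so
# nothing has to be exported to the appliance (placeholder path).
http_port  3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/PLACEHOLDER.pem

# ACLs must be defined before the rules that reference them.
acl step1 at_step SslBump1

# ssl_bump rules are evaluated top to bottom at each step; the first match
# wins. Peek at step 1 to read the client's SNI, then splice: the TLS
# session is relayed unmodified and Squid never terminates it.
ssl_bump peek step1
ssl_bump splice all

# Routing. never_direct and cache_peer are separate directives, so their
# position relative to the ssl_bump lines does not matter. Spliced TLS
# sessions reach the parent as CONNECT requests, so the parent (listening
# on plain HTTP here) must allow CONNECT to the destination ports.
never_direct allow all
cache_peer upstream-proxy parent 8118 0 no-query no-digest
```

Peeking only at step 1 keeps Squid from touching the server-side handshake; `peek all` would also peek at step 2, which is unnecessary when every session is spliced afterwards. Verify the result with `squid -k parse` before reloading, and confirm in access.log that HTTPS connections are logged as CONNECT tunnels to the parent rather than as decrypted GET requests.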