[squid-users] Header Detection Post SSL Bump in Squid 4.10

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 16 06:02:34 UTC 2020

On 16/04/20 5:15 pm, shubham jain wrote:
> Hi,
> *Context*:
> I want to use Squid as a forward proxy, where I want to
> 1) send all the Image requests directly, presumably using request header
> 'accept'
> 2) send all other requests through a cache peer Proxy service
> The req_header directive is working fine for HTTP Requests, but not for
> I've done the setup for SSL Bump in here and that's giving decrypted
> HTTPS requests in the access.log as well.
> *Issue:*
> The req_header directive is not working on the decrypted HTTPS requests.
> *Squid.conf*
> # SSL Bump Port
> http_port <> ssl-bump
> cert=/usr/local/etc/cert/example.com.cert
> key=/usr/local/etc/cert/example.com.private
> generate-host-certificates=on version=1 options=SINGLE_DH_USE  
> # SSL Bump Config
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl imageIsBlocked req_header accept -i image
> ssl_bump terminate imageIsBlocked    #terminate is just for testing, to
> be replaced by splice
> ssl_bump bump all

Do the CONNECT tunnels' Accept headers contain "image"?

ssl_bump decides what to do during the TLS handshake process. For your
setup that is only the CONNECT requests.

Once decrypted, HTTPS is just HTTP with https:// URL schemes. It is
controlled by http_access and does not pass through ssl_bump rules again.
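
The following squid.conf fragment is an added example, not part of the original message or of either poster's configuration. It moves the poster's test from ssl_bump to http_access, where the decrypted requests are evaluated, and logs the Accept header so the CONNECT and the bumped requests can be compared. The format name, log path and the choice of "deny" as the test action are assumptions.

```conf
# Added example; the logformat name and log path are assumed placeholders.

# Log method, URL, bump mode and the received Accept header for every
# transaction. CONNECT lines show what ssl_bump had to work with; the
# https:// lines that follow show the decrypted requests.
logformat acceptcheck %ts.%03tu %>a %rm %ru %>Hs %ssl::bump_mode "%{Accept}>h"
access_log daemon:/var/log/squid/accept-check.log acceptcheck

# TLS handshake stage: only the CONNECT request exists at this point,
# so the bump decision is made without looking at Accept.
ssl_bump bump all

# Decrypted stage: each bumped request passes through http_access with
# its own headers, so req_header can match here.
acl imageIsBlocked req_header Accept -i image

# Test action only, standing in for the poster's "terminate" test.
http_access deny imageIsBlocked

# The site's existing http_access rules follow here.
```

If the CONNECT lines in that log show "-" for Accept while the bumped https:// lines show image types, the ACL can only match at the http_access stage.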

