[squid-users] ssl proxy and decrypted forwarding

Alex Rousskov rousskov at measurement-factory.com
Fri Apr 17 15:49:13 UTC 2020


On 4/17/20 11:22 AM, Sam Castellano wrote:

> My question relates to ssl bumping and potentially Icap/Ecap
> functionality. I currently have ssl bump/ interception working and
> communicating with a local ICAP server. I'm trying to understand the
> process of how the decrypted data gets sent to the ICAP server for
> analysis in things such as clamav etc. My goal is to have the decrypted
> traffic analyzed by Suricata preferably on a separate box if possible.  

I do not know what particular information you are looking for, but ICAP
mechanics are documented in RFC 3507 while eCAP mechanics are documented
at www.e-cap.org.

If you are worried about exposing proxied HTTP[S] messages in transit to
your ICAP service, then consider using a "Secure ICAP" service (for a
starting point, look for those two words in squid.conf.documented).

N.B. Neither ICAP nor eCAP know about SslBump. In an SslBump context,
they just get CONNECT requests and the HTTP messages decrypted by Squid.
The same is true for the majority of Squid features -- while inside
Squid, decrypted HTTP traffic is usually handled similar to plain HTTP
traffic.


HTH,

Alex.
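As an added illustration (not from this thread and not the Squid project's own configuration), the squid.conf fragment below wires SslBump to an ICAP service over Secure ICAP, the setup Alex points at. The host icap.example.com, the ports, the service paths, and the certificate file paths are placeholders assumed here; the directive names and options are real Squid 4 syntax.

```conf
# Added example, not from the thread. Host, ports and file paths are assumed.

# 1. SslBump: Squid terminates the client's TLS and re-originates it to the
#    origin server, minting a per-host certificate from the bump CA.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB

# Peek at the ClientHello (SNI) first, then bump everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# 2. ICAP. Neither directive knows about SslBump: the service receives the
#    CONNECT request and then the decrypted HTTP messages, as with plain HTTP.
icap_enable on
icap_send_client_ip on

# Weak: plain icap:// sends the decrypted messages to the analysis box in the
# clear, so whatever TLS protected on the wire is exposed on the ICAP hop.
#icap_service req_scan reqmod_precache  icap://icap.example.com:1344/reqmod  bypass=0
#icap_service rsp_scan respmod_precache icap://icap.example.com:1344/respmod bypass=0

# Secure ICAP: the icaps:// scheme makes the Squid-to-ICAP hop itself TLS.
# tls-cafile names the CA that issued the ICAP server's certificate (assumed path).
# bypass=0 means a failed or unreachable service fails the transaction instead
# of letting the traffic through unscanned.
icap_service req_scan reqmod_precache  icaps://icap.example.com:11344/reqmod  bypass=0 tls-cafile=/etc/squid/icap-ca.pem
icap_service rsp_scan respmod_precache icaps://icap.example.com:11344/respmod bypass=0 tls-cafile=/etc/squid/icap-ca.pem

adaptation_access req_scan allow all
adaptation_access rsp_scan allow all
```

With this in place, the ICAP service on the separate box is where the decrypted request and response bodies arrive; any hand-off to a scanner there is the ICAP server's job, not Squid's. Check what the service actually receives by watching its log for the CONNECT request followed by the inner GET/POST, and confirm `icaps://` is really in use by sniffing port 11344 and seeing a TLS handshake rather than cleartext ICAP headers.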

