[squid-users] SSL Terminating Reverse Proxy with Referral Tracking

Grant Taylor gtaylor at tnetconsulting.net
Wed Sep 15 01:16:39 UTC 2021


On 9/14/21 7:12 PM, Grant Taylor wrote:
> I have concerns about "SSL terminating".  It sounds to me like you are 
> decidedly outside of the typical enterprise or home network scenario 
> where you are wanting to terminate / intercept / bump-in-the-wire TLS 
> connections.  As such, I have *SERIOUS* /concerns/ about the security 
> implications of this.  --  But, I'm going to assume that you are well 
> aware of the implications and are addressing them properly.  But I'd be 
> remiss to not say something.  Moving on.

I meant to add, I'm not convinced that you /need/ to do TLS termination.

Or said another way, I'm not convinced that simply proxying CONNECT 
requests isn't sufficient.

Do you actually /need/ to terminate the TLS?  Or is simply proxying the 
CONNECT request sufficient?  Can you stay out of the TLS stream, thereby 
avoiding any and all security concerns associated with TLS termination?

Proxies have been passing TLS traffic for decades without TLS termination.



-- 
Grant. . . .
unix || die
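As an added illustration of the "just proxy the CONNECT request" option (example configuration, not from this thread or from the Squid project): a minimal squid.conf that relays CONNECT requests as opaque tunnels and never terminates TLS. The client network range is a constructed placeholder.

```conf
# Added example: forward proxy that tunnels CONNECT without TLS termination.
http_port 3128

# Constructed client range; replace with the real local network.
acl localnet src 192.0.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Only allow tunnels to the HTTPS port, and only from the local network.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access deny all

# Deliberately absent: no "ssl-bump" option on http_port, no ssl_bump rules,
# no signing CA. Squid copies encrypted bytes between the two sockets and
# never holds the plaintext, so no client trust store needs a proxy CA.
```

With a tunnel, Squid's access.log records only the CONNECT target (host:port); anything carried inside the TLS stream, HTTP headers such as Referer included, is not visible to the proxy.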
