<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
Tom,<br>
<br>
one simple question.<br>
<br>
Soon, all or almost all of the Internet will go to HTTPS. Why do you then
need a caching proxy? The tunnel connection and process ACLs?<br>
<br>
My second question is to Amos. Amos, what the hell do we do with a
caching proxy under these conditions?<br>
<br>
WBR, Yuri<br>
<br>
24.06.15 21:41, Tom Mowbray wrote:<br>
<span style="white-space: pre;">> Squid 3.5.5<br>
><br>
> I seem to have some confusion about how acl lists are processed in<br>
> squid.conf regarding the handling of SSL (HTTPS) traffic, attempting to use<br>
> ssl_bump directives with transparent proxy.<br>
><br>
> Based on available documentation, I believe my squid.conf is correct,<br>
> however it never seems to actually behave as expected.<br>
><br>
> I define the SSL port, as usual:<br>
><br>
> acl SSL_ports port 443<br>
><br>
> But here's where my confusion lies... Many state to place the following<br>
> line above the ssl_bump configuration lines:<br>
><br>
> http_access allow SSL_ports<br>
><br>
> However when I do this, it appears to simply stop processing any other<br>
> rules and allows ALL https traffic through the proxy (which is actually how<br>
> I'd expect a standard ACL list to operate, but then how do I actually<br>
> filter the traffic through our content-based ACL lists?). If I put the<br>
> above line below the ssl_bump configuration options in my squid.conf, then<br>
> it appears to BUMP all, even though I've told the config to SPLICE all<br>
> https traffic, which doesn't work for our deployment.<br>
><br>
> So, does squid actually continue to process the https traffic using the<br>
> ssl_bump rules if the "http_access allow SSL_ports" line is placed above it<br>
> in the configuration?<br>
><br>
> I should note that we've been able to get filtering to work correctly when<br>
> using our configuration in NON-transparent mode, however our goal is to get<br>
> this functionality working as a transparent proxy. We're unable to load<br>
> our self-signed cert onto client machines that will be accessing the proxy,<br>
> so using the "bump" or man-in-the-middle style https filtering isn't a<br>
> viable option for us.<br>
><br>
> Any help or advice is appreciated!<br>
><br>
> Thanks,<br>
><br>
> Tom<br>
><br>
><br>
><br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
<br>
<br>
<br>
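The rule-ordering problem raised in the quoted question, as an added squid.conf example for Squid 3.5 that is not part of either message or of the Squid project's own configuration: http_access is first-match, and SNI-based filtering is done in the separate ssl_bump list with peek and splice, so no certificate has to be installed on clients. The listening port, client network, certificate path and blocked domain are constructed placeholders.<br>

```squidconf
# Added example. Port, network, certificate path and blocked domain are
# constructed placeholders, not values from the thread.

# Intercepted TLS arrives on this port (cert= file is a placeholder).
https_port 3129 intercept ssl-bump cert=/etc/squid/placeholder-ca.pem

acl localnet src 192.0.2.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT

# http_access is first-match: the first line whose ACLs all match decides,
# and no later http_access line is read. With the ordering below, every
# request to port 443 is allowed, from any client:
#   http_access allow SSL_ports      (matches every request to port 443)
#   http_access deny (content ACLs)  (never evaluated for HTTPS)
#
# Stock-style ordering: SSL_ports only restricts where CONNECT may go,
# and the allow is scoped to the proxy's own clients.
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# ssl_bump is its own rule list, evaluated at each TLS step.
# Peek at step 1 to read the client's SNI, then decide without decrypting.
acl step1 at_step SslBump1
acl blocked_tls ssl::server_name .blocked.example

ssl_bump peek step1
ssl_bump terminate blocked_tls
ssl_bump splice all
```

Running <code>squid -k parse</code> checks the file for syntax errors before the configuration is reloaded.<br>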
</body>
</html>