[squid-dev] Fake CONNECT requests during SSL Bump
Marcus Kool
marcus.kool at urlfilterdb.com
Thu Sep 24 11:40:36 UTC 2015
On 09/24/2015 02:13 AM, Eliezer Croitoru wrote:
> On 23/09/2015 04:52, Amos Jeffries wrote:
>> Exactly. They are processing steps. Not messages to be adapted.
>>
>> Amos
>
> +1 For that.
>
[...]
> In any case the bottom line from me is that for now ICAP and ECAP are called ADAPTATION services and not ACL services.
> It can be extended to do so and it's not a part of the RFCs or definitions and it might be the right way to do things but it will require simple enough libraries that will let most admins (if not all)
> to be able to implement their ACL logics using these protocol\implementations.
>
> Eliezer
ICAP is an adaptation protocol that almost everybody uses for access control.
The ICAP server must be able to see all traffic going through Squid so that it can do what it was designed for and block (parts) of websites and other data streams.
Other data streams may not be HTTP(S)-based and hence are not bumped, but for the ICAP server to be able to do its thing, it still needs a (fake) CONNECT.
Going back to Steve's original message, I think that it is not necessary to generate a (fake) CONNECT for each bump step,
but to send exactly one CONNECT at the moment that Squid makes a decision. I.e. when Squid decides to bump or splice.
Marcus
More information about the squid-dev
mailing list