[squid-users] does http_port ssl-bump work with require-proxy-header?

Yuhua Wu ywu at bitglass.com
Tue Apr 14 17:05:39 UTC 2015


I think, in the sslbump mode, if the PROXY protocol is enabled, the client cannot
set up the SSL tunnel with squid after the CONNECT call succeeds. I remember
that HAProxy will send the PROXY protocol line during SSL negotiation. If squid
does not parse the PROXY protocol header during SSL negotiation, this will
cause the problem.

Alex

On Mon, Apr 13, 2015 at 7:56 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 14/04/2015 4:47 a.m., Yuhua Wu wrote:
> > For example, is this configuration supported?
> >
> > http_port 3129 require-proxy-header ssl-bump ……
> >
> > By the way, we added acl rules:
> >
> > acl frontend src 10.0.0.0/8
> > proxy_protocol_access allow frontend
> >
> > Alex
> >
>
> Yes that should work.
>
> <http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.7>
>
> Your above config example decrypts the traffic through the following
> layers:
>   HTTPS over HTTP/1.x over PROXY/TCP ...
>
> As you can see the PROXY and HTTPS layers are separate protocols that
> don't interact.
>
> Amos
>
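
The layering described in the quoted reply (PROXY header, then HTTP/1.x CONNECT, then TLS), as an added example that is not part of the thread or of Squid's code. It splits a constructed client-to-proxy byte stream into those three layers; the function name `split_layers`, the sample addresses, and the restriction to the text (v1) form of the PROXY header are assumptions.

```python
import ipaddress

# Constructed sample: client-to-proxy bytes on one TCP connection to an
# "http_port ... require-proxy-header ssl-bump" listener (all values made up).
# On a real connection the TLS bytes follow only after the proxy answers CONNECT.
STREAM = (
    b"PROXY TCP4 203.0.113.7 10.1.2.3 51234 3129\r\n"   # PROXY v1 line, sent once
    b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
    b"\x16\x03\x01\x00\x05hello"                         # start of a TLS record
)
FRONTEND = ipaddress.ip_network("10.0.0.0/8")  # 'acl frontend src' from the thread


def split_layers(peer_ip, data):
    """Return (client_ip, connect_target, tls_bytes) or raise ValueError."""
    # Assumption: proxy_protocol_access is modelled as a check on the TCP peer
    # (the frontend), not on the address carried inside the header.
    if ipaddress.ip_address(peer_ip) not in FRONTEND:
        raise ValueError("peer not allowed to send a PROXY header")
    line, sep, rest = data.partition(b"\r\n")
    if not sep or len(line) > 105:  # a v1 line is at most 107 bytes with CRLF
        raise ValueError("missing or oversized PROXY v1 line")
    parts = line.decode("ascii").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    src = ipaddress.ip_address(parts[2])   # original client address
    ipaddress.ip_address(parts[3])         # destination address must parse too
    for port in parts[4:]:
        if not 0 <= int(port) <= 65535:
            raise ValueError("bad port")
    # Next layer: the HTTP/1.x CONNECT request, terminated by an empty line.
    head, sep, tls = rest.partition(b"\r\n\r\n")
    request = head.split(b"\r\n")[0].decode("ascii").split(" ")
    if not sep or len(request) != 3 or request[0] != "CONNECT":
        raise ValueError("expected an HTTP CONNECT request after the header")
    # Whatever remains belongs to the TLS layer that ssl-bump would decrypt.
    return str(src), request[1], tls


if __name__ == "__main__":
    print(split_layers("10.0.0.5", STREAM))
```
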