[squid-users] sslbump and caching of generated cert
Alex Wu
alex_wu2012 at hotmail.com
Thu Jul 9 19:03:21 UTC 2015
It seems the option http_port cannot be put under each process ID. If using workers, http_port cannot bind to ports specified from http_port.
Alex
> Date: Wed, 1 Jul 2015 14:56:46 +1200
> From: squid3 at treenet.co.nz
> To: alex_wu2012 at hotmail.com; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] sslbump and caching of generated cert
>
> On 1/07/2015 5:08 a.m., Alex Wu wrote:
> > /*
> > You could assign two workers, each with a different http_port and
> > ssl_crtd helper using different cert databases.
> >
> > */
> >
> > How to do this? It sounds like it might meet our need.
> >
>
> at the top of squid.conf place:
>
> workers 2
>
> if ${process_number} = 1
> http_port 10045 ...
> sslcrtd_program ...
>
> else
> http_port 10046 ...
> sslcrtd_program ...
>
> endif
>
> The list of other directives which also need separate per-worker
> configuration can be found at
> <http://wiki.squid-cache.org/MultipleInstances#Relevant_squid.conf_directives>.
>
>
> > The reason is that we assign a port for internal,
> > so we can use cheap CA (self-generated CA), for the collaboration, we use a different port,
> > may need to set up a different CA.
>
> That doesn't make sense to me. There should be no need for internal traffic
> to use a different CA from what external has. Costs are already paid to
> get the public CA, there is no incremental increase for internal traffic
> to use it as well.
>
> You can do simpler things like using a private LAN-specific IP on the
> listening http_port for internal traffic and myportname ACL for internal
> vs external access controls (that work regardless of whether the request
> has been bumped or not).
>
> Amos
>
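
Added example, not part of either message: a squid.conf sketch of the simpler layout described in the quoted reply, with one signing CA and one certificate database shared by both listeners, and internal vs. collaboration traffic separated by listening address and myportname ACLs. All addresses, port names, ACL names and file paths are assumptions; the option names are Squid 3.5 syntax.

```conf
# Added example: addresses, names and paths below are placeholders.

# One certificate generator and one database for every bumping port.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Internal listener bound to a private LAN address; collaboration
# listener on a separate address. Both sign with the same CA.
http_port 10.0.0.1:10045 name=internal ssl-bump cert=/etc/squid/bump_ca.pem generate-host-certificates=on
http_port 192.0.2.10:10046 name=collab ssl-bump cert=/etc/squid/bump_ca.pem generate-host-certificates=on

# Classify requests by the port they arrived on. This match does not
# depend on whether the connection was bumped.
acl via_internal myportname internal
acl via_collab   myportname collab

# Who is allowed to use each listener.
acl lan_clients    src 10.0.0.0/8
acl collab_clients src 198.51.100.0/24

# A client is accepted only on the listener meant for it.
http_access allow via_internal lan_clients
http_access allow via_collab collab_clients
http_access deny all
```

The ssl_bump rules themselves are left out; they apply to both listeners as in the existing configuration.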