[squid-users] Squid reverse proxy with SSL bump
Amos Jeffries
squid3 at treenet.co.nz
Wed Sep 9 05:41:34 UTC 2015
On 9/09/2015 8:14 a.m., Alex Rousskov wrote:
> On 09/08/2015 01:33 AM, Amos Jeffries wrote:
>> On 8/09/2015 6:45 p.m., joseph jose wrote:
>>> Is it possible to configure a squid reverse proxy with SSL-bump enabled?
>
>> The concept does not make any sense.
>> * accel / reverse-proxy traffic is destined to and terminated by the proxy.
>> * ssl-bump is a pile of trickery and hacks to intercept traffic
>> destined to somewhere else.
>
> Since CONNECT requests are not limited to forward proxies, an origin
> server (or a reverse proxy) might receive a CONNECT request. When a
> reverse proxy receives a CONNECT request, it might decide to bump it.
> Thus, the combination makes sense in some esoteric environments.
"CONNECT is intended only for use in requests to a proxy. An origin
server that receives a CONNECT request for itself MAY respond with a
2xx (Successful) status code to indicate that a connection is
established. However, most origin servers do not implement CONNECT."
Even if we did accept/200 it, the only valid connections are those going
to self, which is port 80, thus plain-text HTTP. So only plain-text
traffic is accepted inside such CONNECTs. No TLS-encrypted traffic that
can be ssl-bumped is involved.
The concept of SSL-bumping plain text does not make sense.
>
> I do not know whether Squid supports and Joseph is dealing with such an
> environment.
As Joseph noted, Squid actively rejects CONNECT arriving on accel ports.
Just like every other origin server. So the answer is a flat "no, it is
not supported".
Amos
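To make the distinction in this thread concrete, here is an added squid.conf sketch (not from the thread or from the Squid project's documentation) that puts the two modes side by side: an accel port where Squid itself terminates TLS with the site's own certificate, and a separate intercept port where ssl-bump re-signs traffic destined elsewhere. The hostname, addresses and certificate paths are placeholders, and the `cert=`/`key=` option names assume the Squid 3.5 syntax current when this message was written.

```conf
# ---- Reverse proxy (accel): the proxy IS the TLS endpoint ----
# Squid presents the site's real certificate and decrypts the client's
# TLS itself. No ssl-bump is needed here, and a CONNECT arriving on
# this port is rejected like any origin server would reject it, so
# there is nothing for ssl-bump to act on.
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/example.com.pem key=/etc/squid/example.com.key

# Placeholder origin server behind the reverse proxy (plain HTTP).
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=origin
acl our_site dstdomain www.example.com
http_access allow our_site
cache_peer_access origin allow our_site
cache_peer_access origin deny all

# ---- Forward/intercept proxy: ssl-bump applies here ----
# Clients are headed to third-party sites; Squid interposes a locally
# trusted CA (placeholder path) and mints per-host certificates.
https_port 3130 intercept ssl-bump \
    cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Clients using the intercept port still need a normal allow rule.
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
```

The intercept side only works because the client believes it is talking to the remote site and must already trust the bump CA; on the accel side Squid holds the legitimate private key for the site, so the client sees an ordinary TLS connection and no certificate substitution is involved.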