[squid-users] Fwd: Modifying squid

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 22 12:15:51 UTC 2016


[please reply via the mailing list]

On 23/03/2016 12:22 a.m., Ģirts Dālbergs wrote:
> Thank you for your reply.
> I already had an exchange of mails with Benjamin, but you seem a little
> more knowing in this particular topic.
> Since I`m not the most knowing person in this myself I need to ask
> further questions. Would "plugging" the software in squid provide an
> inline setup?

Yes the way you have been describing the "inline setup" that you want it
reads exactly as if you were describing how ICAP works.

By "plugging into Squid" with ICAP I mean setting some squid.conf
directives to tell Squid were to send the traffic through its ICAP
interface (and what to send that way).


> In other words could the software forward the traffic back
> to squid and act like a sort of transparent proxy inside squid? And
> would the traffic be encrypted at that point?

The SSL-Bump feature of Squid decrypts TLS on arrival, and re-encrypts
when sending to the upstream HTTP server. What can be decrypted is
unencrypted when sent to ICAP and/or eCAP.

If the TLS/SSL cannot be "Bumped" by Squid (or you choose to configure
Squid not to for any reason). Then that traffic is not sent through the
ICAP/eCAP services.

Amos



More information about the squid-users mailing list