[squid-users] Clarity on sending intercepted HTTPS traffic upstream to a cache_peer
Charlie Orford
charlie at charlie.is
Sat Jan 28 00:32:44 UTC 2017
On 27/01/2017 23:43, Alex Rousskov wrote:
> On 01/27/2017 04:04 PM, Charlie Orford wrote:
>> A post from another user on this list seems to suggest they successfully
>> got squid to do what we want
>> (http://lists.squid-cache.org/pipermail/squid-users/2015-November/007955.html)
>> but when emulating their setup (i.e. peeking at step1, staring at step2
>> and then bumping at step3) we get the same
>> SQUID_X509_V_ERR_DOMAIN_MISMATCH error.
> I suggest the following order:
>
> 1. Decide whether your Squid should bump or splice.
> 2. Find the configuration that does what you decided in #1.
>
> So far, you have given no reasons to warrant bumping so I assume you do
> not need or want to bump anything. Thus, you should ignore any
> configurations that contain "stare", "bump", or deprecated "*-first"
> ssl_bump actions.
Sorry if my original intent wasn't clear. Obviously it makes no sense
intercepting ssl traffic if we're going to splice everything.
Our design goal is: intercept and bump local client https traffic on
squid1 (so we can filter certain urls, cache content etc.) and then
forward the request on to the origin server via an upstream squid2
(which has internet access).
The user who posted
http://lists.squid-cache.org/pipermail/squid-users/2015-November/007955.html
seems to have successfully done this but I can't replicate it. After
doing a lot of googling (and semi-successfully trying to interpret Amos'
various replies whenever bumping and cache_peers come up on this list)
I'm beginning to wonder if it is indeed possible or if that user simply
mistook what he was seeing when he posted that message (e.g. didn't
notice that squid was actually not bumping his client connections).
Charlie
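To make the setup described in this thread concrete, here is an added squid.conf sketch (not the poster's configuration and not from the Squid project) of the shape Charlie describes: intercepted HTTPS on squid1, peek at step 1, stare at step 2, bump at step 3, and all traffic forced through an upstream parent squid2. Hostnames, network ranges, ports and the certificate/database paths are assumptions, and the directive spelling is Squid 3.5-era (the `cert=` and `sslcrtd_program` forms). The thread itself reports that this combination produced SQUID_X509_V_ERR_DOMAIN_MISMATCH, so the block documents the configuration under discussion rather than a verified working answer; the commented alternative at the end is the splice-everything variant Alex suggests when there is no reason to bump.

```conf
# squid1: intercepts local client traffic and forwards via squid2 (assumed names)
acl localnet src 192.168.1.0/24          # assumed client network

# Plain HTTP interception and a normal forward-proxy port
http_port 3128
http_port 3129 intercept

# HTTPS interception with dynamic certificate generation.
# /etc/squid/ssl/squid-ca.pem is an assumed path to a CA the clients trust.
https_port 3130 intercept ssl-bump \
    cert=/etc/squid/ssl/squid-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Certificate-generator helper and its on-disk cache (assumed paths)
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# The three-step bumping policy described in the thread:
# look at the client hello, then at the server hello, then bump.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek  step1
ssl_bump stare step2
ssl_bump bump  step3

# Upstream squid2 (assumed host) is the only route to the origin servers.
cache_peer squid2.example.internal parent 3128 0 no-query default
never_direct allow all

http_access allow localnet
http_access deny all

# Alternative if you decide (per Alex's step 1) that nothing needs bumping:
# replace the three ssl_bump lines above with
#   ssl_bump splice all
```

When comparing against the 2015 post referenced in the thread, the thing to verify first is whether squid1 is really terminating TLS (look for generated host certificates being served to clients) rather than silently splicing; a setup that only peeks and then splices will not show the domain-mismatch error, which is one explanation offered above for the earlier report.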