[squid-users] Proxy Chaining with ssl_bump

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 5 12:42:24 UTC 2018


On 6/12/18 1:03 am, Christof Gerber wrote:
> I have a squid 3.5 as forward proxy that does ssl_bump by default.
> Some traffic I need to forward in addition to a second proxy by proxy
> chaining. The following configuration works for HTTP traffic but not
> with HTTPS. I found out through
> https://www.spinics.net/lists/squid/msg84767.html that this is because
> Squid 3.5 is not capable of doing ssl_bump + proxy chaining because
> the first proxy in the chain won't send a CONNECT after ssl_bump was
> performed. My question is:
> 
> 1. Is this finding still up-to-date , saying that Squid 3.5 does not
> support ssl_bump + proxy chaining. How is it for Squid 4?

The situation is better and constantly being improved. But the official
releases are still not doing CONNECT to upstream peers in the case where
traffic is fully decrypted by the first proxy. Only the cases where
decryption is avoided with splice or on_unsupported_protocol tunnel's.

IIRC Measurement Factory had an experimental git branch to add CONNECT
over non-TLS/SSL peers. I'm not sure what the status is on that now, it
has not been submitted for merge auditing yet.

Amos


More information about the squid-users mailing list