[squid-users] squid callout sequence

Alex Rousskov rousskov at measurement-factory.com
Mon Jun 25 16:17:04 UTC 2018


On 06/24/2018 11:15 AM, Gordon Hsiao wrote:
> why is redirector run before ssl-bump?

Adding to Amos' response: Please note that the redirector runs both
before SslBump for CONNECT URLs and "after" SslBump for each of the
decrypted HTTP requests inside the CONNECT tunnel (if the tunnel was
bumped). In other words, the redirector can attempt to "redirect"
virtually any HTTP request allowed by Squid.

What would happen to a bumped HTTPS GET request if it gets redirected to
another _domain_? I am not sure, and I am not sure that whatever happens
today will happen tomorrow. On one hand, admins do not want Squid to
accidentally change the domain that the client thinks it is securely
communicating with. On the other hand, some admins may have a legitimate
need to do exactly that for some of the requests.

Alex.
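
The two call points described above, as an added example that is not part of the original message or of Squid: a url_rewrite_program helper that sees both the CONNECT request and the decrypted requests, and applies one conservative policy of never moving a bumped request to another domain. It assumes concurrency=0 and the default url_rewrite_extras field order (URL, client, user, method), and treats any https:// URL as coming from a bumped tunnel; the REWRITES table and its hostnames are constructed.

```python
import sys
from urllib.parse import urlsplit

# Constructed policy (hypothetical hosts): request host -> replacement URL prefix.
REWRITES = {
    "old.example.com": "https://new.example.net",
    "intranet.example.com": "https://intranet.example.com/v2",
}

def request_host(url, method):
    """Host being requested: CONNECT carries host:port, other methods a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].strip("[]").lower()
    return (urlsplit(url).hostname or "").lower()

def decide(line):
    """Return the helper reply for one input line from Squid."""
    fields = line.split()
    if len(fields) < 4:
        return 'BH message="short input"'      # helper-side failure
    url, method = fields[0], fields[3]
    host = request_host(url, method)
    target = REWRITES.get(host)
    # First call: the CONNECT itself, before SslBump. Leave the tunnel target alone.
    if target is None or method == "CONNECT":
        return "ERR"                            # ERR means "no change"
    parts = urlsplit(url)
    # Later calls: decrypted requests inside a bumped tunnel. The client believes
    # it is talking securely to `host`, so refuse to switch domains under it.
    if parts.scheme == "https" and urlsplit(target).hostname != host:
        print(f"refused cross-domain rewrite of {host}", file=sys.stderr)
        return "ERR"
    new_url = target + parts.path + (f"?{parts.query}" if parts.query else "")
    return f'OK rewrite-url="{new_url}"'

if __name__ == "__main__":
    for request_line in sys.stdin:
        print(decide(request_line), flush=True)  # Squid expects unbuffered replies
```
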

