[squid-users] how to go from connect/tunnel in squid4 ->GET

Alex Rousskov rousskov at measurement-factory.com
Fri Nov 30 18:48:45 UTC 2018


On 11/30/18 10:39 AM, L A Walsh wrote:
> On 11/29/2018 12:41 PM, Alex Rousskov wrote:
>> You have not configured any ssl_bump rules. Thus, you are effectively
>> not using any SslBump features. All HTTPS traffic is simply tunneled
>> through without decryption/analysis.

> Where were the ssl_bump options set in 3.x?

Not sure I understand the question: The location of ssl_bump directives
has not changed. They are and have always been squid.conf directives. In
modern Squids, their exact location within squid.conf does not matter
(but their order does).


> I thought
> the 'ssl-bump' keyword in the http_port options enabled the bumping.

It enables SslBump processing, which may or may not include bumping
connections (depending on the matching ssl_bump rule and other factors).

All modern Squid versions need ssl_bump rules. It is _possible_ that
(but I do not remember whether) omitting those rules worked by accident
in some older Squid versions. You should use explicit ssl_bump rules in
any modern Squid version.


> Did it work that way in 3.x and now just doesn't work
> that way in 4.x?

I do not know or do not remember. And 3.x is a large range; things may
have changed from v3.1 to v3.5... However, again, explicit ssl_bump
rules should be used in any version that supports the ssl_bump directive.


>     I'm wanting to know why the old setup worked (mostly)
> while the 4.x version seems to be missing "basic bumping"
> that you highlighted.

I understand that you want to know that. I cannot spend more free cycles
on this (secondary) question/investigation. FWIW, whether your old setup
"worked" or not, it was wrong.


> What is the 'ssl-bump' option for in the http_port statement?

To tell Squid that the corresponding http_port should pay the cost (and
take the risks) of SslBump processing (validating relevant port
configuration options, creating associated SSL structures at start time,
checking ssl_bump rules at runtime, etc.).

In many Squid deployments, only certain ports do SslBump. Consider
traffic on the other ports: What should happen to it when it matches a,
say, "ssl_bump bump" rule? The only correct answer is ... not to ask
that question in the first place! An ssl-bump flag on a _port line
allows us to avoid that question (and all the other risks/expenses
associated with SslBump).


HTH,

Alex.
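An added illustration of the two points made in this reply (the ssl-bump flag on http_port plus explicit ssl_bump rules). This is example configuration written for this archive page, not a fragment from the thread or from the Squid project's documentation; the port numbers, file paths, domain names and helper path are assumptions chosen for illustration.

```conf
# Added example, not from the thread or the Squid project. Paths, ports
# and domain names below are assumptions for illustration only.

# Port 3128 carries the ssl-bump flag: Squid validates its TLS options
# at startup, builds the SSL structures, and consults the ssl_bump rules
# at runtime for CONNECT requests arriving here.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/ssl/squid-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=16MB

# Port 3129 has no ssl-bump flag: CONNECT traffic on it is tunneled
# as-is and the ssl_bump rules are never evaluated for it.
http_port 3129

# Helper that mints per-site certificates signed by the CA given above
# (the ssl_db directory must be initialised with the helper's -c option
# before Squid starts).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 5

# Explicit ssl_bump rules. Without any of these, nothing is bumped even
# on the ssl-bump port. Order matters: at each SslBump step the first
# matching rule decides the action.
acl step1 at_step SslBump1
acl no_bump ssl::server_name .bank.example .health.example

# Step 1: peek at the client's TLS ClientHello to learn the SNI without
# contacting the server yet.
ssl_bump peek step1
# Step 2: sites on the no_bump list are spliced, i.e. passed through
# undecrypted.
ssl_bump splice no_bump
# Everything else is decrypted and inspected.
ssl_bump bump all
```

With this fragment, the `peek` at step 1 is what makes the `ssl::server_name` ACL usable at step 2; removing the three ssl_bump lines leaves port 3128 tunneling HTTPS without decryption, which is the situation described at the top of this reply.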

