[squid-users] Questions around https transparent chained proxy
Walid A. Shaari
walid.shaari at linux.com
Wed Feb 20 15:33:33 UTC 2019
On Mon, 18 Feb 2019 at 09:29, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> >> On 16/02/19 9:18 pm, Walid A. Shaari wrote:
> >>> Greetings,
> >>>
> >>> The end goal is enforcing an appliance(s) tls traffic to go through
> >>> the corporate proxy, as I understand it (splice, not interested in
> >>> decrypting)
> > .... ... ...
> > ------ partial squid.conf # is that order ok----
> > never_direct allow all
> > ssl_bump peek all # or should I just peek at step1
> > ssl_bump splice all
>
> To perform a peek at step 2 needs the destination server (or peer)
> connection to be using TLS/SSL. Since you are wanting traffic to go
> through a peer without TLS/SSL you will likely need to splice at step 2.
>
> So to the question on the peek line. Yes, probably should.

When I enable peek at step 2, squid does not last for over 2-5
minutes and crashes. I went back to step 1, and will check if a release
upgrade to the latest 4.x solves the crashing issue.

> > cache_peer upstream-proxy parent 8118 0 no-query no-digest only-proxy
>
> Ah, apologies I thought you had just typo'd the question earlier.
>
> The option name is actually "proxy-only".

So if I am doing splice, does proxy-only make any sense, or should I
remove it as there is also HTTP traffic?

Thanks in advance ;-)
Walid
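
A small lint for the two configuration points raised in this thread, as an added example that is not part of the original messages or of Squid itself: it flags an `ssl_bump peek` rule that is not pinned to step 1 and the mistyped `only-proxy` peer option. The function name `lint_squid_conf`, the ACL name `step1` and the corrected `AFTER` config are assumptions for illustration; `BEFORE` is the partial squid.conf quoted above.

```python
def lint_squid_conf(text):
    """Return (line_number, message) findings for the two issues in this thread."""
    step1_acls = set()  # ACL names defined as "at_step SslBump1" only
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "acl" and len(args) >= 3 and args[1] == "at_step":
            if args[2:] == ["SslBump1"]:
                step1_acls.add(args[0])
        elif directive == "ssl_bump" and args and args[0] == "peek":
            # A peek rule also matches at step 2 unless an ACL pins it to step 1.
            # With a non-TLS parent peer, step 2 should splice instead.
            if not any(a in step1_acls for a in args[1:]):
                findings.append((lineno, "peek is not limited to step 1"))
        elif directive == "cache_peer" and "only-proxy" in args:
            findings.append((lineno, 'unknown option "only-proxy"; use "proxy-only"'))
    return findings


# Partial squid.conf as quoted in the thread.
BEFORE = """\
never_direct allow all
ssl_bump peek all # or should I just peek at step1
ssl_bump splice all
cache_peer upstream-proxy parent 8118 0 no-query no-digest only-proxy
"""

# Constructed correction: peek only at step 1, splice afterwards, option name fixed.
AFTER = """\
acl step1 at_step SslBump1
never_direct allow all
ssl_bump peek step1
ssl_bump splice all
cache_peer upstream-proxy parent 8118 0 no-query no-digest proxy-only
"""

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        for lineno, msg in lint_squid_conf(conf):
            print(f"{name}: line {lineno}: {msg}")
```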