[squid-users] Non-standard proxy setup

Alex Rousskov rousskov at measurement-factory.com
Tue Jul 16 18:24:38 UTC 2019


On 7/16/19 1:51 PM, Arunabha Saha wrote:
> I did get it working with the latest 5.0.0 (unreleased) code
> in GitHub. The configuration has to be "ssl-bump client-first .."
> for this to work. Does that sound right?


No, it does not, both because the deprecated "client-first" action
should not be used in modern Squids, and because supported SslBump
actions should work through peers IIRC (which action is the right one
for you depends on your exact needs -- not every action will work for
any given use case, of course).

Alex.

>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of squid-users digest..."


>> On 7/10/19 7:44 PM, Arunabha Saha wrote:
>>>> The client will attempt to open a TLS/TCP connection to the origin
>>>> server. Your router (or some such) will redirect client TLS/TCP bytes to
>>>> your Squid's https_port. If configured correctly, Squid will accept that
>>>> TCP connection and wrap/forward it into/inside an HTTP CONNECT tunnel
>>>> through the corporate proxy.
>>
>>> I don't see Squid
>>> wrap the connection to parent proxy in a HTTP CONNECT tunnel.
>>>    User ----->Squid(Transparent Proxy)--------->Parent Proxy------>Internet.
>>>    I need to see a CONNECT tunnel between Squid(Transparent Proxy)
>>> and Parent Proxy but I don't. Based on another thread, is this
>>> something that works only starting Squid 4.X?
>>
>> I do not remember for sure, but you may need a development version of
>> Squid (future v5) or an unofficial patch to forward intercepted tunnels
>> to a cache peer. If SslBump-related peering support is indeed required
>> to support such forwarding, then please see this seemingly unrelated bug
>> report for more details and options:
>>
>>   https://bugs.squid-cache.org/show_bug.cgi?id=4968
>>
>> Alex.

