[squid-users] Trying to set up SSL cache - solved!
Amos Jeffries
squid3 at treenet.co.nz
Fri Feb 25 13:06:23 UTC 2022
On 25/02/22 10:49, Dave Blanchard wrote:
> On Thu, 24 Feb 2022 15:07:53 -0500
> Alex Rousskov wrote:
>
>>> What is the replacement for client-first?
>>
>> A "good" answer depends on what exactly you are trying to achieve;
>> details matter. A "dumb" answer (i.e. a direct replacement without
>> considering your true needs and Squid bugs) is:
>>
>> ssl_bump bump all
>
> That's what I had tried first, and was banging my head on the wall for hours trying to get it to work right--though the "ssl_bump peek" was in there also, on the suggestion of various tutorials. Now I just tried it again, with only that line...and it works perfectly! No problem. SMH...
>
> This tutorial situation is really out of control. Sadly, this is what can be expected to happen when the syntax is changed with every version. Now we're in a real mess. I hope the Squid developers will make up their minds on how they want the syntax to be structured, build it that way, then LEAVE IT ALONE!
>
Agreed. Luckily we hear you (Alex and I are pretty much "them" these days).
If it helps, the config for this stabilized in Squid-3.5.
<https://wiki.squid-cache.org/Features/SslPeekAndSplice>
>>> I prefer to handle the certificate validation externally
>>
>> It is a common need. Squid supports external certificate validator
>> programs (a.k.a. helpers). Look for sslcrtvalidator_program in
>> squid.conf.documented.
Or at <http://www.squid-cache.org/Doc/config/sslcrtvalidator_program/>
>> For communication details, see the following
>> wiki page and src/security/cert_validators/fake/
>>
>> https://wiki.squid-cache.org/Features/AddonHelpers
>
> Awesome! That's very useful.
>
> Thanks a lot for your help!
>
HTH
Amos