[squid-users] Per client tls_outgoing_options
Alex Rousskov
rousskov at measurement-factory.com
Fri Jan 28 14:12:33 UTC 2022
On 1/28/22 9:07 AM, Alex Rousskov wrote:
> On 1/28/22 8:57 AM, clark_wfh at hotmail.com wrote:
>> Is there some way to make clients use different outgoing TLS options
>> like ciphers or CA file ?
>
> The combination of [Squid] "clients" and "outgoing" sounds
> self-contradictory, but if you are thinking about from-Squid TLS
> connections, then look for tls_outgoing_options.
>
> If you are asking this question in an SslBump context, then please note
> that you will have to bump the connection (not splice) at step2 to allow
> Squid to honor tls_outgoing_options.
Sorry, just noticed that you have already mentioned tls_outgoing_options
in the Subject line. That directive does not accept ACLs (yet) so you
cannot customize it on a per-client basis.
If the number of destinations you need this customization for is small,
then you may be able to hack it using cache_peer directives with an
originserver option and custom TLS settings. You can use
cache_peer_access to control which client gets which cache_peer. IIRC,
you can have multiple cache_peers (with different options) that use the
same IP address.
HTH,
Alex.
More information about the squid-users
mailing list