[squid-users] Does Squid support client ssl termination?
Alex Rousskov
rousskov at measurement-factory.com
Tue Nov 1 19:22:27 UTC 2022
On 11/1/22 13:33, squid3 at treenet.co.nz wrote:
> On 2022-11-02 05:44, Grant Taylor wrote:
>> On 10/31/22 7:32 PM, mingheng wang wrote:
>>> I delved into the configuration the last few days, and found that
>>> Squid doesn't officially support cache_peer when ssl_bump is in use.
>> That surprises me. I wonder if it's a technical limitation or an
>> oversight.
> That is not true as a blanket statement.
Agreed.
> What Squid officially *does not* support is decrypting traffic then
> sending the un-encrypted form to a HTTP-only cache_peer.
Yes, if we are still talking about Squid that does SslBump.
Outside of SslBump, "decrypting traffic then sending the un-encrypted
form to a HTTP-only cache_peer should be supported": A combination of
https_port forward proxy (i.e. no SslBump!) and plain text cache_peer
should work. I have not tested that, but there is no technical reason to
prohibit that and, arguably, there is no policy reason to prohibit that
either.
> All other permutations of inbound TCP/TLS, http:// or https:// URL, and
> outbound TCP/TLS should currently work to some degree. The more recent
> your Squid version the better it is.
The other thing that is not yet supported is "TLS inside TLS". That is,
a combination of SslBump and a TLS cache_peer. That is a purely
technical limitation.
HTH,
Alex.
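As an added illustration of the two combinations discussed above (this is not configuration from the thread or from the Squid project, and Alex notes he has not tested the first combination), the squid.conf fragment below shows the supported arrangement (https_port used as a TLS forward proxy with no SslBump, forwarding to a plain-text cache_peer) and, in comments, the unsupported "TLS inside TLS" pairing (SslBump plus a TLS cache_peer). Hostnames, ports, certificate paths and the localnet range are placeholders; the directives and their options (https_port tls-cert=/tls-key=, cache_peer with the tls flag, ssl_bump, never_direct) are those of Squid 4 and later.

```conf
# Added example, not from the thread. Supported per the thread: clients speak
# TLS to Squid's https_port (a plain forward proxy, no ssl_bump lines at all)
# and Squid forwards to an HTTP-only parent. Only the client<->proxy hop is
# decrypted here; Squid never decrypts client<->origin TLS in this setup.
https_port 3129 tls-cert=/etc/squid/proxy-cert.pem tls-key=/etc/squid/proxy-key.pem

# Plain-text parent (placeholder hostname); all requests go through it.
cache_peer parent.example.net parent 3128 0 no-query default
never_direct allow all

# Usual access control (placeholder range); keep deny-by-default.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all

# NOT supported per the thread ("TLS inside TLS"): SslBump combined with a
# TLS cache_peer. Do not pair these two lines in one configuration:
#   ssl_bump bump all
#   cache_peer parent.example.net parent 3128 0 no-query default tls
```

Clients must be told to use an HTTPS proxy (some browsers and tools only support HTTP proxy endpoints), and the proxy certificate must be one the clients trust. Note the distinction the thread draws: an https_port without SslBump only terminates the client-to-proxy TLS hop, so https:// URLs still traverse the parent as opaque CONNECT tunnels.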