Did some tcpdump between the squid and its parent proxy, saw many connections on port 443 were sent in clear. So sslbump + parent proxy is not advisable for now.

Ming

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: January-27-11 11:59 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: sslbump and always_direct

On 28/01/11 01:53, Ming Fu wrote:
> Hi Amos,
>
> Does this mean if I use sslbump, I can't have parent proxy.
>

Should work most of the time. Just be aware there is at least one bug. We know it bites badly when there is auth involved, other circumstances are unknown.

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: January-26-11 5:53 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: sslbump and always_direct
>
> On Wed, 26 Jan 2011 20:18:08 +0000, Ming Fu wrote:
>> Hi,
>>
>>
>> The wiki sample http://wiki.squid-cache.org/Features/SslBump suggested
>> adding "always_direct allow all".
>>
>> This will prevent me from having a peer proxy when sslbump is configured.
>>
>> Wonder what is the reason behind the setting.
>
> With ssl-bump Squid will hit bugs when un-wrapping back to a CONNECT
> request or may send raw unencrypted https://... URLs to the peers.
>

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.10
  Beta testers wanted for 3.2.0.4
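
The tcpdump check described in this thread can be automated. The following is an added example, not code from the thread or from the Squid project: it classifies the first bytes Squid sends to its parent on each connection and flags absolute `https://` request lines travelling unencrypted. The function names and sample payloads are constructed for illustration, and the payloads are assumed to have already been extracted from a capture of the Squid-to-parent link.

```python
import re

# Request line of a proxy request, e.g. b"GET https://host/ HTTP/1.1\r\n"
_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")

def classify_peer_payload(payload: bytes) -> str:
    """Classify the first bytes Squid sent to its parent on one connection."""
    # TLS handshake record: content type 0x16, protocol major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    m = _REQUEST_LINE.match(payload)
    if m is None:
        return "unknown"
    method, target = m.groups()
    if method == b"CONNECT":
        return "tunnel"            # CONNECT host:443, content stays encrypted
    if target.lower().startswith(b"https://"):
        return "cleartext-https"   # bumped request forwarded unencrypted
    return "http"

def find_leaks(flows):
    """Return (flow_id, host) for every flow that leaked an https:// URL."""
    leaks = []
    for flow_id, payload in flows:
        if classify_peer_payload(payload) == "cleartext-https":
            target = _REQUEST_LINE.match(payload).group(2)
            host = target[len(b"https://"):].split(b"/", 1)[0]
            leaks.append((flow_id, host.decode("ascii", "replace")))
    return leaks

# Constructed sample payloads (not taken from a real capture).
SAMPLE_FLOWS = [
    (1, b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"),
    (2, b"GET https://www.example.com/account?id=7 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (3, b"GET http://www.example.org/ HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    (4, bytes([0x16, 0x03, 0x01, 0x00, 0x2f]) + b"\x01\x00\x00\x2b"),
]

if __name__ == "__main__":
    for flow_id, host in find_leaks(SAMPLE_FLOWS):
        print(f"flow {flow_id}: https request for {host} sent to parent in clear")
```

Only flow 2 is reported: a `CONNECT` tunnel and a TLS record keep the content opaque to the link, while an absolute `https://` URL in a plain request line exposes the full request to anything on the path to the parent.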