On 9/09/2015 8:14 a.m., Alex Rousskov wrote:
> On 09/08/2015 01:33 AM, Amos Jeffries wrote:
>> On 8/09/2015 6:45 p.m., joseph jose wrote:
>>> Is it possible to configure a squid reverse proxy with SSL-bump enabled?
>
>
>> The concept does not make any sense.
>>  * accel / reverse-proxy traffic is destined to and terminated by the proxy.
>>  * ssl-bump is a pile of trickery and hacks to intercept traffic
>> destined to somewhere else.
>
> Since CONNECT requests are not limited to forward proxies, an origin
> server (or a reverse proxy) might receive a CONNECT request. When a
> reverse proxy receives a CONNECT request, it might decide to bump it.
> Thus, the combination makes sense in some esoteric environments.

"
CONNECT is intended only for use in requests to a proxy. An origin
server that receives a CONNECT request for itself MAY respond with a
2xx (Successful) status code to indicate that a connection is
established. However, most origin servers do not implement CONNECT.
"

Even if we did accept/200 it; the only valid connections are those going
to self - which is port 80 thus plain text HTTP. So only plain-text
traffic is accepted inside such CONNECTs. No TLS encrypted traffic that
can be ssl-bumped involved. The concept of SSL-bumping plain-text does
not make sense.

>
> I do not know whether Squid supports and Joseph is dealing with such an
> environment.

As Joseph noted, Squid actively rejects CONNECT arriving on accel ports.
Just like every other origin server. So the answer is a flat "no, it is
not supported".

Amos