On 09/08/2015 11:41 PM, Amos Jeffries wrote:
> On 9/09/2015 8:14 a.m., Alex Rousskov wrote:
>> On 09/08/2015 01:33 AM, Amos Jeffries wrote:
>>> On 8/09/2015 6:45 p.m., joseph jose wrote:
>>>> Is it possible to configure a squid reverse proxy with SSL-bump enabled?
>>
>>
>>> The concept does not make any sense.
>>>  * accel / reverse-proxy traffic is destined to and terminated by the proxy.
>>>  * ssl-bump is a pile of trickery and hacks to intercept traffic
>>> destined to somewhere else.
>>
>> Since CONNECT requests are not limited to forward proxies, an origin
>> server (or a reverse proxy) might receive a CONNECT request. When a
>> reverse proxy receives a CONNECT request, it might decide to bump it.
>> Thus, the combination makes sense in some esoteric environments.
>
>
> "
> CONNECT is intended only for use in requests to a proxy. An origin
> server that receives a CONNECT request for itself MAY respond with a
> 2xx (Successful) status code to indicate that a connection is
> established. However, most origin servers do not implement CONNECT.
> "

Yes, I read that paragraph before posting. It supports what I have said:
The intended use is different, but there is nothing prohibiting an
origin server from supporting CONNECTs [to arbitrary addresses]. What is
not prohibited is allowed.


> Even if we did accept/200 it; the only valid connections are those going
> to self

Why only to self? And why do you think the server notion of "self" may
not include an address different from the destination address of the
current connection? It is up to the server to allow or deny tunnels [to
various addresses].


> which is port 80 thus plain text HTTP.

CONNECT may be received inside an SSL/TLS connection as well, but this
does not really matter for this discussion.

Alex.