On 6/01/2016 8:30 a.m., Nir Krakowski wrote:
> how can you combine accel proxy with ssl-bump ?
>

To use accel mode the proxy needs to be an origin for the domain and thus have access to the server's TLS private keys. If you have those keys just use a normal https_port (note the 's') to receive the traffic - no bumping (TLS MITM) required.

> the problem: intercept mode looks at IP addresses
>
> requested solution: we need to look at the SNI info..

You don't seem to understand intercept mode. It is TCP level MITM. All the proxy receives from TCP is IP address and port details. So those are considered *first*. Only if those details are acceptable (in the form of "CONNECT raw-IP HTTP/1.1") does Squid go on to do the additional complexity of MITM at the TLS level.

Amos
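The two setups contrasted in the reply above, sketched as squid.conf fragments. This is an added example, not configuration from the original post or the Squid project; it assumes Squid 3.5-era directive syntax, and every hostname, address, port and file path in it is a constructed placeholder.

```conf
# Alternative A: reverse proxy (accel). The proxy acts as the origin, so it
# needs the site's own certificate and private key. No ssl-bump is involved.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/www.example.com.pem key=/etc/squid/www.example.com.key
cache_peer 192.0.2.10 parent 443 0 no-query originserver ssl name=origin
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
cache_peer_access origin allow our_site

# Alternative B: intercepted port 443 traffic with SSL-Bump (use instead of A,
# not together with it in one file).
https_port 3129 intercept ssl-bump cert=/etc/squid/bumpCA.pem generate-host-certificates=on

# Stage 1: only TCP details exist. Squid evaluates a synthetic
# "CONNECT raw-IP:443" request, so these rules can match src/dst IP and port
# but not a domain name.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all

# Stage 2: only after the CONNECT is allowed does TLS handling start.
# Peeking at the ClientHello makes the SNI available to ssl::server_name.
acl step1 at_step SslBump1
acl no_bump ssl::server_name .bank.example
ssl_bump peek step1
ssl_bump splice no_bump
ssl_bump bump all
```

In alternative B, a dstdomain rule in http_access cannot match the first check because the synthetic CONNECT carries only the raw IP; name-based decisions belong in the ssl_bump rules after the peek.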