On 09/30/2016 03:12 PM, Evan Blackstone wrote:

> Is there any safe way of using SSL-Bump on Squid to decrypt client
> traffic, redirect (via standard HTTP or some other means) to another
> network location, then receive and re-encrypt it before sending it out
> to its ultimate destination?

You have two options:

1. Write or purchase an eCAP adapter (or an ICAP service) that does what you want. eCAP and ICAP are the only Squid interfaces to get [unencrypted] bumped messages out of Squid without modifying Squid.

2. Modify Squid to do what you want. I doubt such modifications would be officially accepted, but I might be wrong.

The biggest problem with what you want to do is the "then receive" part. Sending unencrypted traffic to a DPI system is straightforward and there is at least one eCAP adapter doing that already, but that is a "one way" "inform only" solution. If you want the traffic to come back to the adapter (and then to Squid), then you would have to do a lot more work.

> Is this idea insane?

Many would consider SslBump itself "insane"... IMHO, the security implications of your scheme depend on how that unencrypted traffic will reach your web filter product. If the security of the transmission channel is comparable to the security of the web filter product itself, then you are not really making [the already insane] thing _much_ worse.

HTH,

Alex.
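
An added illustration, not part of the message above and not the Squid project's own configuration: a squid.conf fragment for the ICAP route in option 1, with the service URI that sends bumped traffic across the network in clear text shown beside a loopback one. The certificate path, addresses, port and the service names `filter_req` and `filter_resp` are placeholders chosen for this example.

```conf
# Constructed example; every path, address and service name is a placeholder.

# Bumping port: Squid decrypts client TLS using a locally held CA certificate.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

icap_enable on

# Weak: the decrypted request leaves the proxy host in clear text, so the
# channel is less protected than either Squid or the filter product.
# icap_service filter_req reqmod_precache icap://192.0.2.10:1344/reqmod bypass=off

# Tighter: the ICAP service runs on the same host and is reached over loopback,
# so unencrypted messages never cross the network.
# (Squid 4 and later also accept an icaps:// URI, ICAP over TLS, for a remote service.)
icap_service filter_req  reqmod_precache  icap://127.0.0.1:1344/reqmod  bypass=off
icap_service filter_resp respmod_precache icap://127.0.0.1:1344/respmod bypass=off

# bypass=off makes the service essential: if it is unreachable, the transaction
# fails instead of passing through unfiltered.
adaptation_access filter_req  allow all
adaptation_access filter_resp allow all
```

Unlike the "inform only" adapter mentioned above, an ICAP REQMOD/RESPMOD service hands the (possibly modified) message back to Squid, which then re-encrypts it toward the origin server.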