On 01/27/2017 05:32 PM, Charlie Orford wrote:

> Obviously it makes no sense intercepting ssl traffic if we're going to
> splice everything.

It actually does make a lot of sense in many environments, but not necessarily yours.

> Our design goal is: intercept and bump local client https traffic on
> squid1 (so we can filter certain urls, cache content etc.) and then
> forward the request on to the origin server via an upstream squid2
> (which has internet access).

Understood. Squid can be enhanced to do what you want. There is nothing fundamentally impossible in what you are describing AFAICT. We need to add an insecure peer connector, and then use that connector code on the regular request forwarding path. The low-level code to do that already exists in tunnel.cc, but needs to be refactored/moved. This is architecturally challenging work, but it is certainly doable.

After those Squid modifications, in the simplest case (ignoring that you cannot bump some sites and that you may not want to bump some of the clients either), your squid1 configuration would be something like this:

    ssl_bump stare all
    ssl_bump bump all

Your squid2 will not do SslBump. In fact, to achieve the stated goal, squid2 does not need to support SSL at all -- it can blindly forward [encrypted] traffic from squid1 to the internet.

Your next steps to make the above happen are outlined at
http://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F

> http://lists.squid-cache.org/pipermail/squid-users/2015-November/007955.html
> seems to have successfully done this but I can't replicate it.

The configuration posted at the above URL is broken because it does not tell Squid what to do after step1. If it did work, it was a bug like, for example, bug 3209. Most likely, Squid just spliced everything (as you suspect). Ignore that email.

To learn why that configuration makes no sense, study
http://wiki.squid-cache.org/Features/SslPeekAndSplice

HTH,

Alex.