On 18/06/18 16:54, Kedar K wrote:
> Hi Amos,
> Here is the topology:
>
> client (curl from host running docker) --> squid_child (docker, using
> ssl-bump with intercept) --> squid_parent (VM with internet connection,
> https_port without ssl-bump) --> origin server.

Consider where/how the child proxy is getting the origin servers' TLS
certificate details with which to forge a server certificate in the bump
action.

> local - 72.19.0.2:443 is the container running squid child
> remote - remote=172.19.0.1:44522 is the host machine where containers
> are running, I am using curl to do initial tests. Eventually, requests
> would come from other containers or external hosts on the docker daemon
> host.
>
> With http traffic this works fine; wherein the request is forwarded to
> Parent and then to origin server. However, with https, header forgery
> kicks in and tls is terminated.

Given that you are essentially voiding what little security TLS provides,
there is no point in using it to secure any of these connections.

Just use curl (or squidclient) to send https:// URLs in plain text HTTP
messages. It is just as (in)secure as your current setup and works much
more reliably.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users