
Re: squid callout sequence

On 25/06/18 05:15, Gordon Hsiao wrote:
> at https://wiki.squid-cache.org/SquidFaq/OrderIsImportant I noticed
> redirectors are way ahead of ssl-bump in the callout order, in a
> https-ssl-bump case

There is not really any "https-ssl-bump" case.

There is SSL-Bump (decrypting a TLS stream - or not), and there is HTTPS
(HTTP messages inside TLS).


> you will need ssl-bump to run (so you can get full
> URL for example), then you can run redirector based on the result of
> ssl-bump, correct?

No. SSL-Bump is an operation applied to a CONNECT message, when setting
up the TLS tunnel. There may also be *multiple* CONNECT messages when
SSL-Bump gets involved - which the FAQ text following that sequence
describes.


HTTP is a stateless protocol. So the CONNECT message(s) are independent of
both each other, and anything decrypted from inside the tunnel. Each and
every message Squid handles gets its own cycle through the callout sequence.


> why is redirector run before ssl-bump?

Because Squid needs to know _where_ it is going before it can connect
there. SSL-Bump is part of tunnel/connection setup.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
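
An added example, not part of the original post and not Squid project code: a minimal url_rewrite_program helper showing what the reply above means for a redirector, which sees the CONNECT (only host:port) and each decrypted request (full URL) as separate messages in separate callout cycles. It assumes Squid's default url_rewrite_extras field order and a helper with concurrency=0; the policy list and the block-page URL are constructed.

```python
#!/usr/bin/env python3
"""Sketch of a Squid URL-rewrite helper (added example, constructed policy)."""
import sys
from urllib.parse import urlsplit

# Constructed policy: (host, path prefix) pairs that get redirected.
BLOCKED = [("example.com", "/private/")]
BLOCK_PAGE = "http://proxy.example/blocked.html"  # hypothetical URL


def decide(line):
    """Return the helper reply for one request line.

    Assumed input (default url_rewrite_extras, no channel-ID):
        URL client_ip/fqdn user method myip=... myport=...
    """
    fields = line.split()
    if len(fields) < 4:
        return "ERR"  # malformed line: leave the request unchanged
    url, method = fields[0], fields[3]

    if method == "CONNECT":
        # Tunnel setup: the "URL" is only host:port, so no path-based
        # decision is possible in this message's callout cycle.
        return "ERR"

    # A request decrypted from inside a bumped tunnel arrives as its own
    # message, with the full https:// URL, in its own callout cycle.
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for blocked_host, prefix in BLOCKED:
        if host == blocked_host and parts.path.startswith(prefix):
            return f'OK status=302 url="{BLOCK_PAGE}"'
    return "ERR"  # ERR = no change to the URL


if __name__ == "__main__":
    # Squid writes one request per line and reads one reply per line.
    for request_line in sys.stdin:
        print(decide(request_line), flush=True)
```

A path-based rule like this one only ever matches when the tunnel is actually bumped; for spliced or plain tunnels the helper sees nothing beyond the CONNECT line.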



