On 11/30/18 10:39 AM, L A Walsh wrote:
> On 11/29/2018 12:41 PM, Alex Rousskov wrote:
>> You have not configured any ssl_bump rules. Thus, you are effectively
>> not using any SslBump features. All HTTPS traffic is simply tunneled
>> through without decryption/analysis.

> Where were the ssl_bump options set in 3.x.

Not sure I understand the question: The location of ssl_bump directives
has not changed. They are and have always been squid.conf directives. In
modern Squids, their exact location within squid.conf does not matter
(but their order does).

> I thought
> the 'ssl-bump' keyword in the http_port options enabled the bumping.

It enables SslBump processing, which may or may not include bumping
connections (depending on the matching ssl_bump rule and other factors).

All modern Squid versions need ssl_bump rules. It is _possible_ that
(but I do not remember whether) omitting those rules worked by accident
in some older Squid versions. You should use explicit ssl_bump rules in
any modern Squid version.

> Did it work that way in 3.x and now just doesn't work
> that way in 4.x?

I do not know or do not remember. And 3.x is a large range; things may
have changed from v3.1 to v3.5... However, again, explicit ssl_bump
rules should be used in any version that supports ssl_bump directive.

> I'm wanting to know why the old setup worked (mostly)
> while the 4.x version seems to be missing "basic bumping"
> that you highlighted.

I understand that you want to know that. I cannot spend more free cycles
on this (secondary) question/investigation. FWIW, whether your old setup
"worked" or not, it was wrong.

> What is the 'ssl-bump' option for in the http_port statement?

To tell Squid that the corresponding http_port should pay the cost (and
take the risks) of SslBump processing (validating relevant port
configuration options, creating associated SSL structures at start time,
checking ssl_bump rules at runtime, etc.).

In many Squid deployments, only certain ports do SslBump.
Consider traffic on the other ports: What should happen to it when it
matches a, say, "ssl_bump bump" rule? The only correct answer is ... not
to ask that question in the first place! An ssl-bump flag on a _port
line allows us to avoid that question (and all the other
risks/expenses associated with SslBump).

HTH,

Alex.
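
Added example (not part of the original message, and not Squid's own tooling): a small lint that reads squid.conf text and reports the mismatch this thread is about, a port carrying the ssl-bump flag while no ssl_bump rules exist, or ssl_bump rules while no port carries the flag. The sample configurations and the certificate path are constructed placeholders, and the function names parse and lint are hypothetical.

```python
# Added example: lint squid.conf text for the flag/rules mismatch discussed above.
# Sample configs are constructed for illustration; the certificate path is a placeholder.
PORT_ONLY = """\
# ssl-bump flag on the port, but no ssl_bump rules
http_port 3128 ssl-bump tls-cert=/path/to/ca.pem
http_port 8080
"""
WITH_RULES = PORT_ONLY + """\
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""

def parse(conf_text):
    """Return (ports, rules) found in squid.conf text.

    ports: (line_no, address, has_ssl_bump_flag) per http_port/https_port line
    rules: (line_no, action, acl_names) per ssl_bump line, kept in file order
           because the order of ssl_bump rules matters
    """
    ports, rules = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue  # blank line, comment, or directive without arguments
        if tokens[0] in ("http_port", "https_port"):
            ports.append((line_no, tokens[1], "ssl-bump" in tokens[2:]))
        elif tokens[0] == "ssl_bump":
            rules.append((line_no, tokens[1], tokens[2:]))
    return ports, rules

def lint(conf_text):
    """Return a list of findings; an empty list means flag and rules agree."""
    ports, rules = parse(conf_text)
    flagged = [p for p in ports if p[2]]
    findings = []
    if not rules:
        findings += [f"line {n}: {addr} has ssl-bump but there are no ssl_bump rules"
                     for n, addr, _ in flagged]
    if rules and not flagged:
        findings.append(f"{len(rules)} ssl_bump rule(s) but no port has the ssl-bump flag")
    return findings

if __name__ == "__main__":
    for name, conf in (("PORT_ONLY", PORT_ONLY), ("WITH_RULES", WITH_RULES)):
        print(name, lint(conf) or "ok")
```

The lint only checks that the flag and the rules are both present; it does not evaluate which ssl_bump rule would match a given connection.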