On 4/17/20 11:22 AM, Sam Castellano wrote:
> My question relates to ssl bumping and potentially Icap/Ecap
> functionality. I currently have ssl bump/ interception working and
> communicating with a local ICAP server. I'm trying to understand the
> process of how the decrypted data gets sent to the ICAP server for
> analysis in things such as clamav etc. My goal is to have the decrypted
> traffic analyzed by Suricata preferably on a separate box if possible.

I do not know what particular information you are looking for, but ICAP
mechanics are documented in RFC 3507 while eCAP mechanics are documented
at www.e-cap.org.

If you are worried about exposing proxied HTTP[S] messages in transit to
your ICAP service, then consider using a "Secure ICAP" service (for a
starting point, look for those two words in squid.conf.documented).

N.B. Neither ICAP nor eCAP know about SslBump. In an SslBump context,
they just get CONNECT requests and the HTTP messages decrypted by Squid.
The same is true for the majority of Squid features -- while inside
Squid, decrypted HTTP traffic is usually handled similar to plain HTTP
traffic.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
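As an added illustration of the advice above (an example squid.conf fragment written for this page, not taken from the thread or from the Squid project's documentation), the following bumps HTTPS and hands the decrypted messages to an ICAP server on a separate host, first over plain ICAP and then over Secure ICAP. It assumes Squid 4 or later, a bumping CA already generated, and an ICAP-speaking analysis service on 192.0.2.10; the addresses, file paths and service names are assumptions.

```squid
# Added example configuration, not from the original thread.
# Assumes Squid 4+, an existing bumping CA, and an ICAP server on the
# analysis box at 192.0.2.10 (constructed address).

# Intercepting port with SslBump: everything after this point inside
# Squid handles the decrypted HTTP, not the TLS stream.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

icap_enable on
icap_send_client_ip on

# Weak setting: plain ICAP to a remote host. The decrypted requests and
# responses cross the network in cleartext between proxy and analyzer.
# icap_service req_analysis  reqmod_precache  icap://192.0.2.10:1344/reqmod  bypass=off
# icap_service resp_analysis respmod_precache icap://192.0.2.10:1344/respmod bypass=off

# Secure ICAP: the same REQMOD/RESPMOD exchange wrapped in TLS. Squid
# verifies the ICAP server's certificate against the CA in tls-cafile.
icap_service req_analysis  reqmod_precache  icaps://192.0.2.10:11344/reqmod  bypass=off tls-cafile=/etc/squid/icap-ca.pem
icap_service resp_analysis respmod_precache icaps://192.0.2.10:11344/respmod bypass=off tls-cafile=/etc/squid/icap-ca.pem

# The REQMOD service also receives the CONNECT requests themselves, as
# noted in the reply; skip them if the analyzer only wants decrypted HTTP.
acl CONNECT method CONNECT
adaptation_access req_analysis deny CONNECT
adaptation_access req_analysis allow all
adaptation_access resp_analysis allow all
```

With bypass=off, an unreachable or failing ICAP server makes Squid return an error to the client rather than forwarding unanalyzed traffic.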