On 5/5/20 10:18 AM, Ryan Le wrote: > Is there plans to support explicit forward proxy over HTTPS to the proxy > with ssl-bump? There have been a few requests for TLS-inside-TLS support, but I am not aware of any actual sponsors or features on the road map. It is a complicated project, even though each of its two components already works today. > We would like to use https_port ssl-bump without using the > intercept or tproxy option. Clients will use PAC with a HTTPS directive > rather than a PROXY directive. The goal is to also encrypted the CONNECT > header which exposes the domain in plain text while it traverses to the > proxy. Yes, it is a valid use case (that few people understand). > Felipe: you don't need to use ssl-bump with explicit https proxy. Popular browsers barely support HTTPS proxies and refuse to delegate TLS handling to them. Thus, a connection to a secure origin server will be encrypted by the browser and sent over an encrypted channel through the HTTPS proxy -- TLS-inside-TLS. If you want to look inside that browser connection, you have to remove both TLS layers. To remove the outer layer, you need an https_port in a forward proxy configuration. To remove the inner layer, you need SslBump. The combination is not yet supported. > Matus: people will still be able to see SNI SSL header. ... but not the origin server SNI. Only the proxy SNI is exposed in this use case, and that exposure is usually not a problem. Cheers, Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
