On 11/1/22 13:33, squid3@xxxxxxxxxxxxx wrote:
> On 2022-11-02 05:44, Grant Taylor wrote:
>> On 10/31/22 7:32 PM, mingheng wang wrote:
>>> I delved into the configuration the last few days, and found that
>>> Squid doesn't officially support cache_peer when ssl_bump is in use.
>>> That surprises me. I wonder if it's a technical limitation or an
>>> oversight.
>>
>> That is not true as a blanket statement.
>
> Agreed.
>
> What Squid officially *does not* support is decrypting traffic then
> sending the un-encrypted form to an HTTP-only cache_peer.
Yes, if we are still talking about Squid that does SslBump.

Outside of SslBump, "decrypting traffic then sending the un-encrypted
form to an HTTP-only cache_peer" should be supported: A combination of
https_port forward proxy (i.e. no SslBump!) and plain text cache_peer
should work. I have not tested that, but there is no technical reason to
prohibit that and, arguably, there is no policy reason to prohibit that
either.

All other permutations of inbound TCP/TLS, http:// or https:// URL, and
outbound TCP/TLS should currently work to some degree. The more recent
your Squid version the better it is.

The other thing that is not yet supported is "TLS inside TLS". That is,
a combination of SslBump and a TLS cache_peer. That is a purely
technical limitation.

HTH,

Alex.
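As an added illustration that is not part of the thread (and, like Alex's statement above, untested by anyone on it), a squid.conf fragment for the combination he says should work: a TLS-terminating forward proxy on https_port with no SslBump, relaying everything in plain text to a parent cache_peer. Hostnames, ports, certificate paths and the ACL range are placeholders; the commented-out lines mark the two combinations the thread describes as unsupported.

```conf
# Added example squid.conf fragment; hostnames, ports and file paths are
# placeholders. Clients reach this proxy over TLS (an "https_port forward
# proxy"); that TLS session ends here and requests go on to the parent in
# plain text. There is no ssl_bump line, so Squid never decrypts the client's
# own TLS sessions to origin servers: https:// requests travel to the parent
# as CONNECT tunnels, http:// requests as ordinary proxied requests.
https_port 3129 tls-cert=/etc/squid/proxy-cert.pem tls-key=/etc/squid/proxy-key.pem

# Plain-text (HTTP-only) parent proxy: no-query disables ICP, default makes
# it the parent of last resort.
cache_peer parent.example.internal parent 3128 0 no-query default

# Send all traffic via the parent instead of going direct to origin servers.
never_direct allow all

# Minimal access control; replace the range with your own client networks.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all

# --- Combinations the thread describes as NOT supported (left disabled) ---
# 1) SslBump decrypting client TLS and relaying the decrypted request to the
#    HTTP-only parent above: officially unsupported as a matter of policy.
# https_port 3129 tls-cert=... tls-key=... ssl-bump generate-host-certificates=on
# acl step1 at_step SslBump1
# ssl_bump peek step1
# ssl_bump bump all
#
# 2) "TLS inside TLS": SslBump combined with a TLS cache_peer, not yet
#    supported for technical reasons.
# cache_peer parent.example.internal parent 3130 0 no-query default tls tls-cafile=/etc/squid/parent-ca.pem
```

Running `squid -k parse` against the file checks directive syntax only; it does not tell you whether a given port/peer combination is supported at runtime.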
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users