Greetings,

The end goal is enforcing that the appliance(s)' TLS traffic goes through the corporate proxy, as I understand it (splice, not interested in decrypting).
HTTP traffic works fine; however, I am not 100% clear regarding HTTPS traffic.

1) Does the order of the below directives (ssl_bump, never_direct, cache_peer, etc.) matter where it is in the squid.conf file, or is it just the ACLs and ssl_bump that are order-strict in squid.conf?

------ partial squid.conf # is that order ok----
ssl_bump peek all # or should I just peek at step1
ssl_bump splice all
#ssl_bump bump all # not necessary in that case, traffic should have been already spliced
never_direct allow all
cache_peer upstream-proxy parent 8118 0 no-query no-digest
---------------------------

2) What does the only-proxy option really mean for cache-peer?

3) If the parent proxy is not using SSL/TLS, however, the clients are using TLS/SSL, is that an issue?

4) In an HTTPS transparent chained proxy scenario, is there a way I can get rid of exporting the Squid proxy certificates to the clients? The clients are part of an appliance that I do not have control over, and not all traffic is actually originating from browsers.

5) Is Squid 3.5 out of the Linux distro good enough, or should I upgrade to the latest 4.x for guaranteed splice functionality? The unofficial binary package available for RHEL is 3.5.27, while the CentOS package is 4.5-1. Shouldn't both be the same?

TIA
Walid

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users