On 18/02/19 5:04 pm, Walid A. Shaari wrote:
> Thank you again, Amos,
>
> On Sat, 16 Feb 2019 at 17:09, Amos Jeffries wrote:
>>
>> On 16/02/19 9:18 pm, Walid A. Shaari wrote:
>>> Greetings,
>>>
>>> The end goal is enforcing an appliance(s) tls traffic to go through
>>> the corporate proxy, as I understand it (splice, not interested in
>>> decrypting)
> .... ... ...
> ------ partial squid.conf # is that order ok----
> never_direct allow all
> ssl_bump peek all # or should I just peek at step1
> ssl_bump splice all

To perform a peek at step 2 needs the destination server (or peer) connection to be using TLS/SSL. Since you are wanting traffic to go through a peer without TLS/SSL you will likely need to splice at step 2.

So, to the question on the peek line: yes, probably should.

> ssl_bump none all
>

"none" action is from an old deprecated SSL-Bump design. It only has meaning at step 1 and is equivalent to "splice" in that step. At best it will be ignored, at worst will cause unpredictable splice or bump operations on a per-transaction basis.

Given the environment you described earlier I suggest "terminate all" as the fallback action if splice turns out not to be possible.

> cache_peer upstream-proxy parent 8118 0 no-query no-digest only-proxy

Ah, apologies, I thought you had just typo'd the question earlier. The option name is actually "proxy-only".

> http_port 8080 intercept # transparent http

NP: the comment on the line above is slightly confusing. "intercept" is for NAT interception. "Transparent HTTP" is an entirely different thing, which Squid does regardless of what settings you use.

> https_port 8090 intercept ssl-bump generate-host-certificates=off
> cert=/etc/squid/ssl_certs/myCA.pem
> cafile=/etc/pki/ca-trust/source/anchors/ca.crt
> http_port 8100 #forward port
> ---- end of partial conf
>
> Question, What if I use 'ssl_bump none all' instead of ssl_bump
> splice all?, wouldn't I get rid of any client configuration at the
> same time https traffic will pass through to the parent proxy?

It will have no effect beyond possibly throwing up warnings in your cache.log when mixed with peek action.

Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
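The partial squid.conf from the thread with the corrections from the reply applied (peek only at step 1, splice at step 2, "terminate" as the fallback instead of the deprecated "none", and the "proxy-only" spelling). This is an added example, not part of the original exchange; the `at_step` ACL is the standard Squid way to restrict an ssl_bump rule to step 1, and the port lines are kept as the original poster wrote them.

```conf
# Added example: the poster's partial squid.conf with the reply's
# corrections applied. Not taken from the original thread.

# Never go direct; every request must be sent to the parent proxy.
never_direct allow all

# Upstream parent on 8118. The option is "proxy-only", not "only-proxy".
cache_peer upstream-proxy parent 8118 0 no-query no-digest proxy-only

# SSL-Bump: peek at step 1 only (reads the client TLS hello / SNI without
# opening a TLS connection to the server), then splice the raw tunnel
# through the parent at step 2. Peeking at step 2 would require a
# TLS/SSL connection towards the peer, which this setup does not have.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
# Fallback, reached only if the splice rule did not apply. Replaces the
# deprecated "none" action, which has no defined meaning after step 1.
ssl_bump terminate all

# NAT-intercepted plain HTTP ("intercept" means NAT interception here,
# not "transparent HTTP").
http_port 8080 intercept
# NAT-intercepted HTTPS; no host certificates are generated because the
# traffic is only peeked and spliced, never decrypted.
https_port 8090 intercept ssl-bump generate-host-certificates=off cert=/etc/squid/ssl_certs/myCA.pem cafile=/etc/pki/ca-trust/source/anchors/ca.crt
# Explicit forward-proxy port for clients configured to use the proxy.
http_port 8100
```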