On 2026-01-13 07:45, Ben Goz wrote:
> I'm using ssl-bump. Does it cooperate with https_port?
* https_port in an "intercept" or "tproxy" mode supports SslBump (and
requires an "ssl-bump" option).
* https_port in other modes, including the default forward proxy mode,
does not support SslBump (and prohibits an "ssl-bump" option).
Squid will correctly reject unsupported configurations, but the
corresponding documentation is missing. That is a known Squid bug:
https://bugs.squid-cache.org/show_bug.cgi?id=5092
We tried to fix that documentation bug, but failed:
https://github.com/squid-cache/squid/pull/1981
Alex.
On Mon, 12 Jan 2026 at 19:12, Amos Jeffries <[email protected]> wrote:
On 12/01/2026 21:44, Matus UHLAR - fantomas wrote:
> On 11.01.26 16:58, Ben Goz wrote:
>> My customer's Netskope cloud is configured to forward to my Squid proxy.
>> The forwarding works only if Netskope's SSL decryption is disabled. If SSL
>> decryption is enabled,
>> I can't see in the access log the traffic forwarded to Squid from
>> Netskope.
>>
>> I suspect that Netskope forwards encrypted data to Squid, but I'm not sure
>> that is the case because the CONNECT request is never encrypted and I
>> don't
>> see it in the access log.
>
>
>> Does anyone know how Netskope and Squid can work together without disabling
>> Netskope decryption (MITM)?
>
> This is completely an issue of the Netskope proxy.
>
> If the Netskope proxy decides to forward or not to forward a request to Squid,
> Squid can't do anything about it.
Nod. If there is no CONNECT tunnel request reaching Squid then it is not
being forwarded in the classical "over-HTTP" way.
I would check to see what is happening on port 443 when the traffic is
"forwarded". HTTPS may actually be routed rather than relayed/proxied.
Or perhaps it is being sent to some other port number, though how to
find that may require asking your customer or Netskope directly for more
details on how it is set up there.
FWIW, Squid can receive HTTPS/443 traffic fine. Just use "https_port"
(note the 's') to receive it instead of the regular HTTP port, and you will
need an SSL server certificate (can be self-signed) for your Squid which
the customer software trusts.
HTH
Amos
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
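
Added example (not part of the thread and not Squid's own code): a small pre-deployment lint that applies the https_port/SslBump rule stated in the reply above to a squid.conf, since the rule is not in the documentation. It assumes whitespace-separated options and "#" comments, does not follow include files or continued lines, and the ports and certificate paths in the sample are constructed placeholders.

```python
"""Lint squid.conf https_port lines against the SslBump rule stated in this thread."""

BUMP_MODES = {"intercept", "tproxy"}  # modes the thread says support SslBump


def check_https_ports(conf_text):
    """Return (line_number, port_spec, problem) tuples for https_port lines
    that break the rule; an empty list means every https_port line conforms."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments (assumed syntax)
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "https_port":
            continue  # only https_port is covered by the rule in the thread
        port_spec, options = tokens[1], set(tokens[2:])
        modes = options & BUMP_MODES
        has_bump = "ssl-bump" in options
        if modes and not has_bump:
            findings.append((lineno, port_spec,
                             f"{'/'.join(sorted(modes))} mode requires ssl-bump"))
        elif has_bump and not modes:
            findings.append((lineno, port_spec,
                             "ssl-bump is prohibited outside intercept/tproxy mode"))
    return findings


# Constructed sample configuration; ports and certificate paths are placeholders.
SAMPLE_CONF = """\
http_port 3128 ssl-bump tls-cert=/etc/squid/ca.pem
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ca.pem
https_port 3130 tls-cert=/etc/squid/server.pem
https_port 3131 ssl-bump tls-cert=/etc/squid/ca.pem   # forward mode + ssl-bump
https_port 3132 tproxy tls-cert=/etc/squid/ca.pem
# https_port 3133 ssl-bump
"""

if __name__ == "__main__":
    for lineno, port, problem in check_https_ports(SAMPLE_CONF):
        print(f"line {lineno}: https_port {port}: {problem}")
```

Squid's own configuration parser remains the authority; this check only flags the two mismatches described in the reply before a config reaches a running proxy.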