On 18/05/20 10:15 am, David Touzeau wrote:
>   
> 
> Hi, we want to use squid as * * * Secure Proxy * * * using https_port.
> We have tested major browsers and it seems to be working well.
> 
> To make it work, we need to deploy the proxy certificate on all browsers
> to make the secure connection running.
> 
> In this case, squid forwards requests without decrypting them, because
> ssl-bump is not added.
> 
> But adding ssl-bump to https_port is not permitted:
> 
> "ssl-bump on https_port requires tproxy/intercept which is missing"
> 
> Why is bumping not allowed?
> 

Because origin server and explicit proxy traffic are mutually exclusive
syntax at the HTTP level, and use different types of SSL certificate at
the TLS level.

A "Secure proxy" receives explicit-proxy HTTP traffic over TLS. That
traffic gets decrypted normally on receipt by the https_port, using a
proxy server certificate.

SSL-Bump auto-generates a server certificate to decrypt with, and
expects origin form HTTP syntax once decrypted.


HTTPS traffic as we know it (CONNECT tunnels to port 443) might still be
sent to a secure proxy. In which case there are two layers of encryption
nested inside each other. Decrypting the interior layer of that is not yet
supported by Squid.


Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
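
The port modes distinguished in the reply above, as a squid.conf sketch added here as an example (it is not from the thread or from the Squid project). Option names are the Squid 4+ spellings; the ports, file paths and cache size are placeholders, and the `http_port ... ssl-bump` line is included as the single-TLS-layer case for comparison, which the thread itself does not mention.

```conf
# Constructed example: ports, paths and sizes are placeholders.

# 1. Secure proxy: the browser sends explicit-proxy HTTP (absolute-form URLs
#    and CONNECT) inside TLS. Squid decrypts that outer layer on receipt with
#    an ordinary server certificate issued for the proxy's own hostname.
https_port 3129 tls-cert=/etc/squid/proxy.example.pem tls-key=/etc/squid/proxy.example.key

#    Adding ssl-bump to the line above is what Squid rejects at startup with
#    "ssl-bump on https_port requires tproxy/intercept which is missing":
# https_port 3129 ssl-bump tls-cert=/etc/squid/proxy.example.pem ...

# 2. Intercepted port-443 traffic: clients believe they are talking to the
#    origin server, so the decrypted requests are origin-form and the
#    certificate is generated per host from a signing CA. ssl-bump is
#    accepted here because intercept (or tproxy) is present.
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/bump-ca.pem tls-key=/etc/squid/bump-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# 3. Plain-text explicit proxy: a CONNECT tunnel arriving here carries only
#    one TLS layer (client to origin), which ssl-bump can decrypt.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem tls-key=/etc/squid/bump-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Bumping policy applied to the ssl-bump ports (2 and 3) only.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# A CONNECT sent to port 3129 is TLS nested inside TLS. Squid removes the
# outer layer and relays the inner one as an opaque tunnel; per the reply
# above, decrypting that interior layer is not yet supported.
```

The certificate on port 3129 is a normal server certificate that browsers validate against the proxy's hostname, while the file given to the ssl-bump ports is a signing CA that clients must trust for the generated host certificates to validate.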
