Squid configuration directive ssl_bump
Available in: 3.3 3.2 3.1 3.HEAD
History:
- Changes in 3.3 ssl_bump

  New action types none, client-first, server-first. The default is none.

  Use of allow/deny is now deprecated and they should be removed as soon as possible. To retain exactly the same behaviour between 3.3 and older releases, replace deny with none and allow with client-first. However, upgrading to server-first is recommended.

  NOTE: Mixing allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.

- Changes in 3.1 ssl_bump

  New access control for which CONNECT requests to an http_port marked with an ssl-bump flag are actually "bumped". Please see the ssl-bump flag of the http_port option for more details about decoding proxied SSL connections. DEFAULT: No requests are bumped.

  ```
  # Example: Bump all requests except those originating from localhost and
  # those going to webax.com or example.com sites.
  #
  # acl broken_sites dstdomain .webax.com
  # acl broken_sites dstdomain .example.com
  # ssl_bump deny localhost
  # ssl_bump deny broken_sites
  # ssl_bump allow all
  ```
Configuration Details:

| Option Name | ssl_bump |
|---|---|
| Replaces | |
| Requires | --enable-ssl |
| Default Value | none |

Suggested Config:

This option is consulted when a CONNECT request is received on an http_port (or a new connection is intercepted at an https_port), provided that port was configured with an ssl-bump flag. The subsequent data on the connection is either treated as HTTPS and decrypted OR tunneled at TCP level without decryption, depending on the bumping "mode" of the first ssl_bump line whose ACLs match.

```
ssl_bump <mode> [!]acl ...
```

The following bumping modes are supported:

- client-first: Allow bumping of the connection. Establish a secure connection with the client first, then connect to the server. This old mode does not allow Squid to mimic the server SSL certificate and does not work with intercepted SSL connections.
- server-first: Allow bumping of the connection. Establish a secure connection with the server first, then establish a secure connection with the client, using a mimicked server certificate. Works with both CONNECT requests and intercepted SSL connections.
- none: Become a TCP tunnel without decoding the connection. Works with both CONNECT requests and intercepted SSL connections. This is the default behavior when no ssl_bump option is given or no ssl_bump ACLs match.

By default, no connections are bumped. The first matching ssl_bump option wins. If no ACLs match, the connection is not bumped. Unlike most allow/deny ACL lists, ssl_bump does not have an implicit "negate the last given option" rule. You must make that rule explicit if you convert old ssl_bump allow/deny rules that rely on such an implicit rule.

This clause supports both fast and slow acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

See also: http_port ssl-bump, https_port ssl-bump

```
# Example: Bump all requests except those originating from
# localhost and those going to example.com.
acl broken_sites dstdomain .example.com
ssl_bump none localhost
ssl_bump none broken_sites
ssl_bump server-first all
```
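The allow/deny migration the 3.3 history entry asks for, and the first-match rule evaluation described above, as an added example that is not Squid's own code or documentation: a small Python tool that rewrites deny/allow to none/client-first (or server-first), refuses the mixed form Squid treats as FATAL, appends the explicit catch-all that replaces the old implicit rule, and reports which mode a request would receive. The configuration fragment and ACL names it uses are constructed placeholders.

```python
# Added example (not Squid's code): migrate pre-3.3 ssl_bump allow/deny rules
# to the 3.3 action syntax and evaluate which mode a request would receive.
# The sample configuration and ACL names used here are constructed placeholders.

OLD_ACTIONS = frozenset({"allow", "deny"})
NEW_ACTIONS = frozenset({"none", "client-first", "server-first"})

def parse_ssl_bump(conf):
    """Return [(action, [acl, ...]), ...] for every ssl_bump line in conf."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments
        if not parts or parts[0] != "ssl_bump":
            continue
        if len(parts) < 3:
            raise ValueError("ssl_bump needs an action and at least one ACL: " + line)
        rules.append((parts[1], parts[2:]))
    return rules

def migrate(conf, allow_action="client-first"):
    """Rewrite allow/deny lines in place; allow_action may be "server-first".
    Mixing old and new action types is rejected (FATAL in Squid 3.3). Because
    ssl_bump has no implicit "negate the last option" rule, an explicit
    catch-all is appended whenever the old list relied on that rule."""
    rules = parse_ssl_bump(conf)
    actions = {action for action, _ in rules}
    if actions & OLD_ACTIONS and actions & NEW_ACTIONS:
        raise ValueError("mixing allow/deny with 3.3 actions is a FATAL error")
    if not actions & OLD_ACTIONS:
        return conf  # already in 3.3 syntax, nothing to rewrite
    mapping = {"deny": "none", "allow": allow_action}
    out = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "ssl_bump" and parts[1] in mapping:
            line = " ".join([parts[0], mapping[parts[1]]] + parts[2:])
        out.append(line)
    last_action, last_acls = rules[-1]
    if last_acls != ["all"]:  # old lists ended with an implicit inverted rule
        implicit = "allow" if last_action == "deny" else "deny"
        out.append("ssl_bump %s all" % mapping[implicit])
    return "\n".join(out) + "\n"

def select_mode(rules, matched):
    """First matching line wins; every [!]acl on it must match. `matched` is the
    set of ACL names matching the request (include "all"). No match -> "none"."""
    for action, acls in rules:
        if all((a[1:] not in matched) if a.startswith("!") else (a in matched) for a in acls):
            return action
    return "none"
```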