On 2/12/19 7:21 AM, leomessi...@yahoo.com wrote:
> Do I have to use CA and Certificate configuration if I want to block
> only HTTPS requests with splice action?!
IIRC, you currently need a CA certificate if you want to use SslBump, regardless of the SslBump actions in use. In some ways, this is a limitation of the current SslBump implementation rather than a natural requirement, but the CA certificate is needed when Squid reports an error to the client because Squid has to bump the client connection to report errors.

If you do not care what happens when handling errors, then you probably do not need to configure dynamic certificate generation. I have not tested that, but I assume that, when reporting errors in that case, Squid will silently revert to using the old code that generates self-signed certificates (and the client will not trust them).

Please note that it is not clear what you mean by "to block with splice action" -- splice does not block anything. If you are blocking requests using http_access rules, then Squid is probably using an (implicit) bump action to report blocking to the client, as discussed above. Blocking is an example of errors that may happen even when you do not explicitly bump any requests.

Alex.

> https_port 3130 tproxy ssl-bump \
>     cert=/etc/squid/ssl_cert/myCA.pem \
>     generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
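The scenario the reply describes, written out as a constructed squid.conf fragment (an added illustration, not configuration posted in the thread): every TLS connection is peeked and then spliced, some sites are denied via http_access, and the CA certificate and certificate generator stay configured because an error page on such a connection can only be delivered by bumping it. The ACL names, the blocked host names and the client subnet are assumptions.

```conf
# Added example, not from the thread. Squid 4-style syntax is assumed.
# The port and certificate settings are the ones quoted in the thread.
https_port 3130 tproxy ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Kept even though nothing below bumps explicitly: when Squid has to show
# an error (such as an http_access denial) on a TLS connection it must
# generate a certificate for the requested server name.
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

# Constructed values: the client subnet and the names to deny.
acl localnet src 192.168.0.0/16
acl blocked_sites ssl::server_name .example.invalid .test.invalid

acl step1 at_step SslBump1

# Peek at the ClientHello so the SNI is known, then splice everything.
# No explicit "bump" action appears in the policy.
ssl_bump peek step1
ssl_bump splice all

# Denial comes from http_access, not from ssl_bump. When it fires on a
# peeked connection, Squid implicitly bumps to deliver the error page,
# which is why the CA certificate above is still required.
http_access deny blocked_sites
http_access allow localnet
http_access deny all
```

Clients that do not trust myCA.pem will see a certificate warning instead of Squid's error page on denied sites; allowed sites are spliced and never see the proxy CA.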