Squid configuration directive https_port

Available in: 4   3.5   3.4   3.3   3.2   3.1   3.0   2.7   2.6

History:

Changes to https_port in Squid-4:

New option tls-min-version=1.N to set minimum TLS version allowed.

All options= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead.

New options=SINGLE_ECDH_USE parameter to enable ephemeral ECDH key exchange.

Deprecated dhparams= option. Use tls-dh= instead. The new option also allows you to specify an elliptic curve for ephemeral ECDH by adding curve-name: in front of the parameter file name.

Manual squid.conf update may be required on upgrade.

Changes to https_port in Squid-3.5:

protocol= option altered to accept protocol version details. Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1

For versions older than 3.3 see the linked pages above.

Configuration Details:

Option Name: https_port
Replaces:
Requires: --with-openssl
Default Value: none
Suggested Config:

	Usage:  [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]

	The socket address where Squid will listen for client requests made
	over TLS or SSL connections. Commonly referred to as HTTPS.

	This is most useful for situations where you are running squid in
	accelerator mode and you want to do the SSL work at the accelerator level.

	You may specify multiple socket addresses on multiple lines,
	each with their own SSL certificate and/or options.

	Modes:

	   accel	Accelerator / reverse proxy mode

	   intercept	Support for IP-Layer interception of
			outgoing requests without browser settings.
			NP: disables authentication and IPv6 on the port.

	   tproxy	Support Linux TPROXY for spoofing outgoing
			connections using the client IP address.
			NP: disables authentication and maybe IPv6 on the port.

	   ssl-bump	For each intercepted connection allowed by ssl_bump
			ACLs, establish a secure connection with the client and with
			the server, decrypt HTTPS messages as they pass through
			Squid, and treat them as unencrypted HTTP messages,
			becoming the man-in-the-middle. Clients will only accept
			the certificates Squid generates for bumped hosts if they
			trust the CA given by the cert= and key= options of this port.

			An "ssl_bump server-first" match is required to
			fully enable bumping of intercepted SSL connections.
			(Squid-3.5 and later deprecate server-first in favour
			of the peek, stare, bump and splice actions of ssl_bump.)

			Requires tproxy or intercept.

	Omitting the mode flag causes default forward proxy mode to be used.
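As an added example (not part of the Squid documentation or of the Squid project's own code), the following POSIX shell script provisions the signing CA that an intercept ssl-bump port needs and writes the matching squid.conf fragment. Everything in it is an assumption chosen for illustration: the port numbers, the file paths, the CA name and the Squid-4 helper path /usr/lib/squid/security_file_certgen. It uses the generate-host-certificates= and dynamic_cert_mem_cache_size= options described under SSL Options together with the ssl_bump, acl at_step, sslcrtd_program and sslcrtd_children directives, which are Squid's own but documented on other pages.

```shell
#!/bin/sh
# Added example, not from the Squid documentation. All paths, names and port
# numbers below are assumptions chosen for illustration.
set -eu

# make_bump_ca DIR: private CA whose certificate and key go on the https_port
# cert=/key= options. Squid signs every generated host certificate with it, so
# each client must trust bump-ca.der and the key must never leave the proxy.
make_bump_ca() {
    dir=$1
    mkdir -p "$dir"
    # Own OpenSSL config so the result does not depend on the system openssl.cnf;
    # CA:TRUE is mandatory or browsers reject the leaf certificates Squid mints.
    cat > "$dir/bump-ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Squid SslBump CA (assumed name)
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/bump-ca.cnf" \
        -keyout "$dir/bump-ca.key" -out "$dir/bump-ca.crt" 2>/dev/null
    chmod 600 "$dir/bump-ca.key"
    # DER copy for importing into client trust stores.
    openssl x509 -in "$dir/bump-ca.crt" -outform DER -out "$dir/bump-ca.der"
}

# init_cert_db DBDIR: the store for generated certificates must be created
# once, before Squid starts, by the user Squid runs as (helper path assumed).
init_cert_db() {
    /usr/lib/squid/security_file_certgen -c -s "$1" -M 16MB
}

# write_bump_conf DIR OUT: squid.conf fragment for port-443 traffic that a
# NAT rule redirects to 3129 (the redirect itself is assumed to exist).
write_bump_conf() {
    dir=$1; out=$2
    cat > "$out" <<EOF
# Added example fragment; ports and paths are assumptions.
# Squid expects at least one plain forward-proxy port as well.
http_port 3128

# intercept + ssl-bump: decrypt, inspect and re-encrypt allowed HTTPS flows.
# Certificates for bumped hosts are generated on the fly, signed by bump-ca,
# and up to 16 MB of them are kept in RAM (dynamic_cert_mem_cache_size).
https_port 3129 intercept ssl-bump \\
    cert=$dir/bump-ca.crt key=$dir/bump-ca.key \\
    generate-host-certificates=on dynamic_cert_mem_cache_size=16MB \\
    tls-min-version=1.2

# Helper process that mints the certificates (Squid-4 name; path assumed).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 16MB
sslcrtd_children 5

# Peek at the TLS ClientHello first so the SNI is known, then bump.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
EOF
}

# Usage (assumed paths): sh sslbump-setup.sh /etc/squid/bump-ca /etc/squid/conf.d/sslbump.conf
if [ $# -eq 2 ]; then
    make_bump_ca "$1"
    write_bump_conf "$1" "$2"
fi
```

Before enabling the port, run init_cert_db against the -s directory given to sslcrtd_program, check the fragment with squid -k parse, and distribute bump-ca.der to the clients; without the trust-store import every bumped site will fail certificate validation on the client side. The interception itself needs a NAT redirect on the proxy host (on Linux, an iptables REDIRECT of TCP port 443 to 3129 is the usual form), which this script does not install.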


	See http_port for a list of generic options


	SSL Options:

	   cert=	Path to SSL certificate (PEM format).

	   key=		Path to SSL private key file (PEM format)
			if not specified, the certificate file is
			assumed to be a combined certificate and
			key file.

	   cipher=	Colon separated list of supported ciphers, in
			OpenSSL cipher-list syntax. With OpenSSL 1.1.1 and
			later this list does not govern TLS 1.3 cipher suites.

	   options=	Various SSL engine options. The most important
			being:

			    NO_SSLv3    Disallow the use of SSLv3

			    NO_TLSv1    Disallow the use of TLSv1.0

			    NO_TLSv1_1  Disallow the use of TLSv1.1

			    NO_TLSv1_2  Disallow the use of TLSv1.2

			    SINGLE_DH_USE
				      Always create a new key when using
				      temporary/ephemeral DH key exchanges

			    SINGLE_ECDH_USE
				      Enable ephemeral ECDH key exchange.
				      The adopted curve should be specified
				      using the tls-dh option.

			    SSL_OP_NO_TICKET
				      Disable use of RFC5077 session tickets.
				      Some servers may have problems
				      understanding the TLS extension due
				      to ambiguous specification in RFC4507.

			    ALL       Enable various bug workarounds
				      suggested as "harmless" by OpenSSL
				      Be warned that this reduces SSL/TLS
				      strength to some attacks.

			See the OpenSSL SSL_CTX_set_options documentation for a
			more complete list.

	   clientca=	File containing the list of CAs to use when
			requesting a client certificate.

	   cafile=	File containing additional CA certificates to
			use when verifying client certificates. If unset
			clientca will be used.

	   capath=	Directory containing additional CA certificates
			and CRL lists to use when verifying client certificates.

	   crlfile=	File of additional CRL lists to use when verifying
			the client certificate, in addition to CRLs stored in
			the capath. Implies VERIFY_CRL flag below.

	   tls-dh=[curve:]file
			File containing DH parameters for temporary/ephemeral DH key
			exchanges, optionally prefixed by a curve for ephemeral ECDH
			key exchanges.

	   sslflags=	Various flags modifying the use of SSL:
			    DELAYED_AUTH
				Don't request client certificates
				immediately, but wait until acl processing
				requires a certificate (not yet implemented).
			    NO_DEFAULT_CA
				Don't use the default CA lists built in
				to OpenSSL.
			    NO_SESSION_REUSE
				Don't allow for session reuse. Each connection
				will result in a new SSL session.
			    VERIFY_CRL
				Verify CRL lists when accepting client
				certificates.
			    VERIFY_CRL_ALL
				Verify CRL lists for all certificates in the
				client certificate chain.

	   sslcontext=	SSL session ID context identifier.

	   generate-host-certificates[=<on|off>]
			Dynamically create SSL server certificates for the
			destination hosts of bumped SSL requests. When
			enabled, the cert and key options are used to sign
			the generated certificates. Otherwise the generated
			certificate will be self-signed.
			If a CA certificate is present, the lifetime of a
			generated certificate equals the lifetime of the CA
			certificate. If the generated certificate is
			self-signed, its lifetime is three years.
			This option is enabled by default when SslBump is used.
			See the ssl-bump mode above for more information.

	   dynamic_cert_mem_cache_size=SIZE
			Approximate total RAM size spent on cached generated
			certificates. If set to zero, caching is disabled. The
			default value is 4MB.
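The accelerator case, as an added example that is not part of the Squid documentation or of the Squid project's code: a POSIX shell script that creates the server certificate as a combined cert+key PEM (so key= can be omitted) and writes an https_port definition with the weak form commented out beside the hardened one. The host name, the paths, the origin server address and the client CA files client-ca.crt and client-ca.crl (assumed to be issued and maintained elsewhere) are assumptions; defaultsite=, cache_peer and the access rules are Squid directives documented on other pages.

```shell
#!/bin/sh
# Added example, not from the Squid documentation. Host names, paths and the
# origin address are assumptions for illustration.
set -eu

# make_server_cert DIR NAME: self-signed certificate for NAME (test use; a
# production accelerator presents a CA-issued chain). Also writes NAME.pem
# holding the certificate and then the key, the layout Squid reads when key=
# is omitted on the port.
make_server_cert() {
    dir=$1; name=$2
    mkdir -p "$dir"
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = srv_ext
prompt = no
[dn]
CN = $name
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    cat "$dir/$name.crt" "$dir/$name.key" > "$dir/$name.pem"
    chmod 600 "$dir/$name.key" "$dir/$name.pem"
}

# make_dh_params DIR: group for tls-dh=. 2048-bit generation can take minutes,
# so run it once at install time and keep the file.
make_dh_params() {
    openssl dhparam -out "$1/dh2048.pem" 2048 2>/dev/null
}

# write_accel_conf DIR NAME OUT: the port definition, weak form beside hardened.
write_accel_conf() {
    dir=$1; name=$2; out=$3
    cat > "$out" <<EOF
# Added example fragment; names and paths are assumptions.

# BEFORE: whatever the OpenSSL build allows by default (old protocol versions,
# non-AEAD suites, no forward secrecy) and no check of who connects.
#https_port 443 accel defaultsite=$name cert=$dir/$name.pem

# AFTER (Squid-4 syntax): TLS 1.2 minimum; only ECDHE AEAD suites; a fresh
# (EC)DH key per handshake; clients must present a certificate from our own
# CA, checked against its CRL (crlfile= implies sslflags=VERIFY_CRL) and not
# against the OpenSSL default CA bundle.
https_port 443 accel defaultsite=$name \\
    cert=$dir/$name.pem \\
    tls-min-version=1.2 \\
    options=SINGLE_DH_USE,SINGLE_ECDH_USE \\
    tls-dh=prime256v1:$dir/dh2048.pem \\
    cipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 \\
    clientca=$dir/client-ca.crt \\
    cafile=$dir/client-ca.crt \\
    crlfile=$dir/client-ca.crl \\
    sslflags=NO_DEFAULT_CA

# Origin server behind the accelerator (address assumed).
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=origin
acl origin_site dstdomain $name
cache_peer_access origin allow origin_site
http_access allow origin_site
http_access deny all
EOF
}

# Usage (assumed paths): sh accel-tls.sh /etc/squid/tls proxy.example.test /etc/squid/conf.d/accel.conf
if [ $# -eq 3 ]; then
    make_server_cert "$1" "$2"
    [ -s "$1/dh2048.pem" ] || make_dh_params "$1"
    write_accel_conf "$1" "$2" "$3"
fi
```

Two checks are worth running after a reload: openssl s_client -connect proxy.example.test:443 -tls1 must fail while -tls1_2 succeeds, and a connection without a client certificate must not reach the origin. Note that with OpenSSL 1.1.1 or later the cipher= list only governs TLS 1.2 and earlier; TLS 1.3 negotiates its own (all AEAD) suites regardless of it.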

	See http_port for a list of available options.
