On Tue, 2007-11-06 at 16:22 +1300, Amos Jeffries wrote:

> My understanding is that https_port is for when squid is accelerating
> https and thus listening. IMHO it should remain an inbound-only config.

Agreed.

> Ah, I took your commit comment "but it relies on https_port being set (to
> get SSL certificates and related info)" to mean the settings were being
> taken from the https_port part of Config, not the sslproxy part (of which
> I was only vaguely aware until you pointed it out).

I think we are on the same page now.

Currently, SSL Bump is using http_port for incoming settings and
sslproxy_* for outgoing. The http_port option can now accept SSL-related
properties, just like https_port does.

> But Yes, looking up the sslproxy_*. My proposal would encompass the
> sslproxy_* options as optional arguments in a single ssl_outgoing_address
> which could be a per-outgoing-IP setting (due to SSL certs being
> per-address/port) or a wildcard if ALL use the same details in a generic
> cert. Instead of the many individual options at present.

Right. There are a lot of cleanup opportunities there. For example, it
may be a good idea to pack all SSL-related options in one port-unrelated
user-named setting and then just use that name in http_port, https_port,
and sslproxy_* options:

    ssl_profile <name> [certificate] [key] ...
    ...
    https_port <address> ssl_profile=<name>
    sslproxy [address] ssl_profile=<name>
    ...

But that is another project/discussion... :-)

Thank you,

Alex.
Received on Mon Nov 05 2007 - 21:26:28 MST