git.ipfire.org Git - thirdparty/squid.git/commitdiff
Docs: update https_port to reference http_port
author Amos Jeffries <squid3@treenet.co.nz>
Sat, 10 Oct 2015 07:11:39 +0000 (00:11 -0700)
committer Amos Jeffries <squid3@treenet.co.nz>
Sat, 10 Oct 2015 07:11:39 +0000 (00:11 -0700)
src/cf.data.pre

index 4b08675721c551fa8d12b889470af9c76b975781..1438fcb00445bff5c80b1467da4af3b38501c5ba 100644 (file)
@@ -1776,7 +1776,7 @@ DOC_START
          CONNECT tunnel on http_port: same as https_port
          CONNECT tunnel on https_port: same as https_port
 
-       Currently, this directive has effect on intercepted connections and
+       Currently, this directive has effect on intercepted connections and
        bumped tunnels only. Other cases are not supported because Squid
        cannot know the intended destination of other traffic.
 
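Review bot: the only change in this hunk, the removed and re-added line `Currently, this directive has effect on intercepted connections and`, is identical as rendered, so it is presumably a whitespace-only fix (tab versus spaces); the commit message only describes the https_port cross-reference, so either drop this unrelated hunk or mention the whitespace correction in the message so the change is not mistaken for a content edit.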
@@ -2062,150 +2062,20 @@ TYPE: PortCfg
 DEFAULT: none
 LOC: HttpsPortList
 DOC_START
-       Usage:  [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
+       Usage:  [ip:]port [mode] cert=certificate.pem [options]
 
        The socket address where Squid will listen for client requests made
        over TLS or SSL connections. Commonly referred to as HTTPS.
 
        This is most useful for situations where you are running squid in
-       accelerator mode and you want to do the SSL work at the accelerator level.
+       accelerator mode and you want to do the TLS work at the accelerator level.
 
        You may specify multiple socket addresses on multiple lines,
-       each with their own SSL certificate and/or options.
+       each with their own certificate and/or options.
 
-       Modes:
-
-          accel        Accelerator / reverse proxy mode
-
-          intercept    Support for IP-Layer interception of
-                       outgoing requests without browser settings.
-                       NP: disables authentication and IPv6 on the port.
-
-          tproxy       Support Linux TPROXY for spoofing outgoing
-                       connections using the client IP address.
-                       NP: disables authentication and maybe IPv6 on the port.
-
-          ssl-bump     For each intercepted connection allowed by ssl_bump
-                       ACLs, establish a secure connection with the client and with
-                       the server, decrypt HTTPS messages as they pass through
-                       Squid, and treat them as unencrypted HTTP messages,
-                       becoming the man-in-the-middle.
-
-                       An "ssl_bump server-first" match is required to
-                       fully enable bumping of intercepted SSL connections.
-
-                       Requires tproxy or intercept.
-
-       Omitting the mode flag causes default forward proxy mode to be used.
-
-
-       See http_port for a list of generic options
-
-
-       SSL Options:
-
-          cert=        Path to SSL certificate (PEM format).
-
-          key=         Path to SSL private key file (PEM format)
-                       if not specified, the certificate file is
-                       assumed to be a combined certificate and
-                       key file.
-
-          cipher=      Colon separated list of supported ciphers.
-
-          options=     Various SSL engine options. The most important
-                       being:
-
-                           NO_SSLv3    Disallow the use of SSLv3
-
-                           NO_TLSv1    Disallow the use of TLSv1.0
-
-                           NO_TLSv1_1  Disallow the use of TLSv1.1
-
-                           NO_TLSv1_2  Disallow the use of TLSv1.2
-
-                           SINGLE_DH_USE
-                                     Always create a new key when using
-                                     temporary/ephemeral DH key exchanges
-
-                           SINGLE_ECDH_USE
-                                     Enable ephemeral ECDH key exchange.
-                                     The adopted curve should be specified
-                                     using the tls-dh option.
-
-                           SSL_OP_NO_TICKET
-                                     Disable use of RFC5077 session tickets.
-                                     Some servers may have problems
-                                     understanding the TLS extension due
-                                     to ambiguous specification in RFC4507.
-
-                           ALL       Enable various bug workarounds
-                                     suggested as "harmless" by OpenSSL
-                                     Be warned that this reduces SSL/TLS
-                                     strength to some attacks.
-
-                       See the OpenSSL SSL_CTX_set_options documentation for a
-                       more complete list.
-
-          clientca=    File containing the list of CAs to use when
-                       requesting a client certificate.
-
-          tls-cafile=  PEM file containing CA certificates to use when verifying
-                       client certificates. If not configured clientca will be
-                       used. May be repeated to load multiple files.
-
-          capath=      Directory containing additional CA certificates
-                       and CRL lists to use when verifying client certificates.
-                       Requires OpenSSL or LibreSSL.
-
-          crlfile=     File of additional CRL lists to use when verifying
-                       the client certificate, in addition to CRLs stored in
-                       the capath. Implies VERIFY_CRL flag below.
-
-          tls-dh=[curve:]file
-                       File containing DH parameters for temporary/ephemeral DH key
-                       exchanges, optionally prefixed by a curve for ephemeral ECDH
-                       key exchanges.
-
-          sslflags=    Various flags modifying the use of SSL:
-                           DELAYED_AUTH
-                               Don't request client certificates
-                               immediately, but wait until acl processing
-                               requires a certificate (not yet implemented).
-                           NO_SESSION_REUSE
-                               Don't allow for session reuse. Each connection
-                               will result in a new SSL session.
-                           VERIFY_CRL
-                               Verify CRL lists when accepting client
-                               certificates.
-                           VERIFY_CRL_ALL
-                               Verify CRL lists for all certificates in the
-                               client certificate chain.
-
-          tls-no-default-ca
-                       Do not use the system default Trusted CA.
-
-          sslcontext=  SSL session ID context identifier.
-
-          generate-host-certificates[=<on|off>]
-                       Dynamically create SSL server certificates for the
-                       destination hosts of bumped SSL requests.When
-                       enabled, the cert and key options are used to sign
-                       generated certificates. Otherwise generated
-                       certificate will be selfsigned.
-                       If there is CA certificate life time of generated
-                       certificate equals lifetime of CA certificate. If
-                       generated certificate is selfsigned lifetime is three
-                       years.
-                       This option is enabled by default when SslBump is used.
-                       See the sslBump option above for more information.
-
-          dynamic_cert_mem_cache_size=SIZE
-                       Approximate total RAM size spent on cached generated
-                       certificates. If set to zero, caching is disabled. The
-                       default value is 4MB.
+       The TLS cert= option is mandatory on HTTPS ports.
 
-       See http_port for a list of available options.
+       See http_port for a list of modes and options.
 DOC_END
 
 NAME: ftp_port
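Review bot: removing the whole modes and SSL options list (from `Modes:` through `dynamic_cert_mem_cache_size=SIZE`) is only safe if the http_port DOC block already documents every deleted item, including the https_port-specific facts this text carried: that `key=` defaults to a combined certificate-and-key file when omitted, that `ssl-bump` on this port `Requires tproxy or intercept`, and the self-signed fallback and certificate lifetime behaviour of `generate-host-certificates`. Please confirm each of those survives in http_port before merging; otherwise operators lose security-relevant guidance such as the `options=` NO_SSLv3/NO_TLSv1 flags and the warning that `ALL` reduces SSL/TLS strength. The new usage line also drops `[key=key.pem]`; since cert= is now stated as mandatory here, it would help to keep one sentence noting that key= is optional and defaults to the certificate file, so the one https_port-specific detail stays next to the directive rather than being found only by cross-reference.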