-----Original Message-----
From: Chris Robertson [mailto:crobertson@xxxxxxx]
Sent: 01 February 2006 20:19
To: squid-users@xxxxxxxxxxxxxxx
Subject: RE: HTTPS traffic not being forwarded to upstream proxy.

> -----Original Message-----
> From: squid user [mailto:squid_user@xxxxxxxxxxxxx]
> Sent: Wednesday, February 01, 2006 7:27 AM
> To: mark.elsen@xxxxxxxxx
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: HTTPS traffic not being forwarded to upstream proxy.
>
> >On 2/1/06, squid user <squid_user@xxxxxxxxxxxxx> wrote:
> > > Hi,
> > >
> > > I have a Squid 2.5 stable 11 proxy forwarding traffic to an upstream proxy
> > > based on domain. This works fine for HTTP traffic, but HTTPS traffic is
> > > flowing directly from the downstream proxy to the internet.
> > >
> > > Would anyone give me any pointers as to an access list or other strategy I
> > > can use to ensure that HTTPS traffic flows to the upstream proxy? Here's
> > > what I have at the moment...
> > >
> > > acl forwardTraffic dstdomain .co.uk
> > > cache_peer 172.21.118.118 parent 3128 0 proxy-only no-query
> > > cache_peer_access 172.21.118.118 allow forwardTraffic
> >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> >Try changing the above line into :
> >
> > never_direct allow forwardTraffic
> >
> > > cache_peer_access 172.21.118.118 deny all
> > >

Not such a good idea. Now you are saying that .co.uk can't go direct (fine) but that no requests can use the cache_peer (whoops). Hence the problem seen below...

> >
> > M.
> >
> Hi Mark,
>
> Thanks for getting back to me, but unfortunately that didn't work.
>
> On the browser I see:
>
> "The following error was encountered:
>
> * Unable to forward this request at this time.
>
> This request could not be forwarded to the origin server or to any parent
> caches. The most likely cause for this error is that:
>
> * The cache administrator does not allow this cache to make direct
> connections to origin servers, and
> * All configured parent caches are currently unreachable."
>
> And in the squid log I see, using ebay.co.uk for example...
>
> Failed to select source for 'http://www.ebay.co.uk'
> always_direct = 0
> never_direct = 1
> timed_out = 0
>
> Cheers
>
> SU
>
>

>I'd say either add the never_direct line to what you have
>(cache_peer_access) or get rid of the cache_peer_access lines, and ONLY
>have the never_direct. Otherwise, if you want to direct ALL ssl traffic
>through your parent cache, "cache_peer_access 172.21.118.118 allow CONNECT"
>will do it.

>Chris

Hi all,

Sorry about starting this up again, but I wasn't around my computer for the latter part of last week.

Anyway, I tried adding the 'never_direct' line alongside my cache_peer_access configuration and it still failed to work. HTTPS traffic went direct from the first proxy to the outside world. I installed squid STABLE12 and it happened with that release also.

As directing all ssl traffic to the upstream proxy isn't an option, any other ideas would be greatly appreciated!

Cheers

SU
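
An added example, not written by anyone in this thread: a Python check that reads Squid access.log lines and reports CONNECT (HTTPS) tunnels to the forwarded domains that were logged as DIRECT instead of via the parent, which is the symptom described above. It assumes Squid's default native log format; the log lines are constructed samples and the function names are hypothetical.

```python
# Added example: audit Squid native-format access.log lines for CONNECT
# (HTTPS) tunnels that left DIRECT instead of going through the parent proxy.

# Mirrors "acl forwardTraffic dstdomain .co.uk" from the thread.
FORWARD_DOMAINS = (".co.uk",)

# Constructed sample lines (not real traffic). Native format fields:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1138824001.120    310 10.0.0.5 TCP_MISS/200 5120 GET http://www.ebay.co.uk/ - FIRST_UP_PARENT/172.21.118.118 text/html
1138824002.450   2210 10.0.0.5 TCP_MISS/200 3981 CONNECT signin.ebay.co.uk:443 - DIRECT/192.0.2.10 -
1138824003.800   1875 10.0.0.7 TCP_MISS/200 2764 CONNECT secure.example.co.uk:443 - FIRST_UP_PARENT/172.21.118.118 -
1138824004.010    990 10.0.0.7 TCP_MISS/200 1502 CONNECT www.example.com:443 - DIRECT/192.0.2.20 -
"""


def in_forward_domains(host, domains=FORWARD_DOMAINS):
    """dstdomain-style match: a leading dot matches the domain and its subdomains."""
    host = host.lower().rstrip(".")
    for d in domains:
        d = d.lower()
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            return True
    return False


def direct_connects(log_text, domains=FORWARD_DOMAINS):
    """Return (client, host, hierarchy) for CONNECTs that bypassed the parent."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10 or f[5] != "CONNECT":
            continue  # malformed line, or not an HTTPS tunnel
        host = f[6].rsplit(":", 1)[0]       # CONNECT is logged as "host:port"
        hierarchy = f[8].split("/", 1)[0]   # e.g. DIRECT, FIRST_UP_PARENT
        # endswith() also catches the TIMEOUT_DIRECT variant
        if hierarchy.endswith("DIRECT") and in_forward_domains(host, domains):
            hits.append((f[2], host, hierarchy))
    return hits


if __name__ == "__main__":
    for client, host, how in direct_connects(SAMPLE_LOG):
        print(f"{client} -> {host} went {how}, expected parent 172.21.118.118")
```

Running this against the downstream proxy's log after each configuration change shows whether CONNECT requests for the forwarded domains have started using the parent.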