Tomer Brand wrote:
Hi,
I am trying to configure squid to function as SSL cache proxy for an authenticated object (using login=PASS in the cache_peer directive)
To do that I’ve added the “cache-control=public, must-revalidate, max-age=0” directive to the back-end server whose files I would like to cache.
This works great for me when configuring a non-SSL(port 6666) SQUID-based proxy.
However when I access the proxy using SSL (port 4444 below) the cache file is deleted every time and the cache is not used.
Which is what max-age=0 means. "never use again". I think, leave that
off an it will do IMS on each request.
SQUID receives HTTPS requests, performs the SSL termination as expected, gets the data from the back end server and saves the file to the cache directory.
Then I pass the SQUID HTTP request, asking for the same file. SQUID serves the data from the cache.
Next step is to ask the same file with HTTPS. This time SQUID clears that file from the cache and download it from the back end server.
So I used Wireshark to identify the difference:
SQUID pass the HTTP request using the If-None-Match header while the HTTPS request doesn’t contain this directive in the header.
Anyone got any idea?
bellow is my squid.conf file:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhostdomain src 10.10.10.10
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 6666 # SQIOD port
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
https_port 4444 vhost vport cert=/home/tomer/Desktop/certificate.pem key=/home/tomer/Desktop/key.pem
http_port 6666 vhost vport
cache_peer 10.10.10.10 parent 8050 0 originserver default login=PASS
cache_dir ufs /usr/local/squid/var/cache 100 16 256
maximum_object_size 2097000 KB # A bit below 2 GB - SQUID maximum file size hierarchy_stoplist cgi-bin ?
access_log /usr/local/squid/var/logs/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /usr/local/squid/var/cache
visible_hostname ubuntu
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.