
Re: How to proxy a parent Squid SSL proxy?

fulan Peng wrote:
Hi, Everybody!

I have a Squid ssl proxy server(3.0.16Stable) running listening 8443.
Now I want to set up another Squid to proxy it again with SSL between
them.
The second Squid serves http requests to browsers.

Now I use my browser and try to connect the second Squid, it won't work.

I made self-signed certificates for the first Squid.

Could you please help me out with the squid.conf as follows:

You state a usage as a normal forward-proxy and yet are running a strange mix of reverse and forward-proxy configuration.

Is this in fact a normal forward-proxy?

This is hard to be fully true without full information about the config. But here is a try. Assuming that the 'unrelated' bits you cut out really are unrelated...


################################################################
cache_peer proxy.website.com parent 8443 0 no-query originserver name=b2


"cache_peer proxy.website.com parent 8443 0"
- Sets up a link to pass requests to a source operating on port 8443 at the location where DNS says proxy.website.com exists.

"... no-query" indicates that ICP cache tests are not to be sent (default IIRC on parent links).

"... originserver"
  - says that the source is a regular web server.


NOTE: there are no settings to say this is HTTPS, therefore Squid will be trying to use regular HTTP to talk to the web server.

To match your stated usage you will need to drop the 'originserver' and add 'ssl' option and maybe some other related ssl*= options.

see http://www.squid-cache.org/Doc/config/cache_peer/


sslproxy_flags DONT_VERIFY_PEER


I think you need to change this to the 'cache_peer ... sslflags=DONT_VERIFY_PEER' option. The option you have here is most useful for reverse-proxy setups, which are not what you are talking about in your request.



hierarchy_stoplist cgi-bin ?

- don't pass any requests that contain "?" or "cgi-bin" text in their URL to any peer.

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

- don't store in the cache anything that contains a "?" or "cgi-bin" in their URL.

cache_mem 128 MB

... use 128MB of storage for in-memory object caching.

cache_dir diskd /usr/local/squid/cache 20000 64 256

... use about 60 GB of storage for on-disk object caching, using the diskd helper.
NP: if you are using Linux change this to AUFS for a faster proxy.

debug_options ALL,1

... display all important notices to admin in cache.log


refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440

NP: add this new pattern here:

   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

... with that pattern you can drop the QUERY acl for better caching.

refresh_pattern .               0       20%     4320

acl proxy.website.com dstdomain proxy.website.com


acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl my_ports port   8080

acl Safe_ports port 3128                # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow  proxy.website.com

This looks again like a reverse-proxy setup. It is dangerous to do at the top in a forward-proxy situation... because anything the user wants to do to the domain "proxy.website.com" is permitted now.


http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !my_ports

... sets up a security net to prevent abuse of the proxy. They have no effect on requests which match the above "proxy.website.com" line.


http_access allow all

And the above creates a semi-open proxy. Ripe for abuse.

http_access deny all

... and a useless security net. The "allow all" permits everything this would otherwise protect you from.

http_reply_access allow all

cache_peer_access b2  allow proxy.website.com


... Squid will ask the web server at proxy.website.com:8443 (configured by "cache_peer ... name=b2") for any request with URL containing the domain "proxy.website.com".

All other requests must go directly back out to the Internet to be completed.

NP: Requests to "proxy.website.com" which fail at the peer will be attempted direct through the Internet.

visible_hostname second.website.com
.....


I deleted some options which are not the trouble.

I think given the strange mix you have so far, we'd better check the rest of the config is right for your network use too...

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9
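To make the two ordering points in Amos's reply concrete (the early "allow proxy.website.com" bypassing the Safe_ports check, and "allow all" ahead of "deny all" opening the proxy to any client), here is an added example that is not part of the original thread: a small Python model of Squid's first-match http_access evaluation, run over a trimmed copy of the posted rules and over one possible corrected ordering. The "localnet" acl, its 192.168.0.0/16 range, the "all" definition and the client addresses are assumptions made for the demonstration, not values from the thread.

```python
# Added example (not Squid's own code): a toy first-match evaluator for Squid http_access lines.
import ipaddress
ACLS = """
acl all src 0.0.0.0/0
acl proxy.website.com dstdomain proxy.website.com
acl Safe_ports port 3128 21 443 563 70 210 1025-65535 280 488 591 777
acl localnet src 192.168.0.0/16   # assumed LAN range, not from the thread
"""
POSTED = ACLS + """
http_access allow proxy.website.com
http_access deny !Safe_ports
http_access allow all
http_access deny all
"""
FIXED = ACLS + """
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""
def parse(conf):
    """Collect acls (name -> (type, values)) and the ordered http_access rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        w = line.split('#')[0].split()
        if w[:1] == ['acl']:
            acls.setdefault(w[1], (w[2], []))[1].extend(w[3:])
        elif w[:1] == ['http_access']:
            rules.append((w[1], w[2:]))
    return acls, rules

def matches(acl, req):
    typ, vals = acl   # request dict: src, method, host, port; dstdomain is exact-host only here
    if typ == 'port':
        return any(int(lo) <= req['port'] <= int(hi or lo)
                   for lo, _, hi in (v.partition('-') for v in vals))
    if typ == 'src':
        return any(ipaddress.ip_address(req['src']) in ipaddress.ip_network(v) for v in vals)
    return req['host' if typ == 'dstdomain' else 'method'] in vals

def decide(conf, req):
    """First http_access line whose terms all match wins; no match: opposite of the last line."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(matches(acls[t.lstrip('!')], req) != t.startswith('!') for t in terms):
            return action
    return 'deny' if rules[-1][0] == 'allow' else 'allow'
# Constructed requests; 203.0.113.5 is a documentation address standing in for an outside client.
OUTSIDE = dict(src='203.0.113.5', method='CONNECT', host='example.net', port=443)
PEER_ANY_PORT = dict(src='203.0.113.5', method='CONNECT', host='proxy.website.com', port=25)
LAN_GET = dict(src='192.168.1.10', method='GET', host='example.net', port=443)
```

With the posted ordering both outside requests are allowed, the second one even though port 25 is not in Safe_ports; with the corrected ordering both are denied while the LAN request still works.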
