Re: SSL interception: no hits


Amos, right on! It works with 3.1.18. Thank you very much!

On 1/10/12 6:36 PM, Amos Jeffries wrote:
On 11.01.2012 06:33, Damir Cosic wrote:
Hello,

I am trying to configure a Squid (v3.1.11) proxy for SSL connections
between hosts on the LAN and servers on the internet. The traffic is
routed through the host on which Squid runs and iptables are used to
redirect traffic to ports 80 and 443 to ports 3128 and 3130,
respectively. Simple HTTP caching works well. First attempt is a miss
and subsequent ones are hits. For HTTPS, however, there are no hits,
only misses, even though the requested page is in Squid's cache. I
would greatly appreciate any help.

The Squid configuration is based on the default file, with the following
modifications (I understand that some of these are security risks, but
currently it is in a testing environment and the only goal is to make it
work):

http_port 3128 intercept
https_port 3130 intercept ssl-bump cert=/etc/certs/beta-srv.crt key=/etc/certs/beta-srv.key
always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all

The log entry when a client attempts to retrieve a page from a server:

Jan  2 23:51:10 beta squid: 1325573470.788     25 192.168.10.2 TCP_MISS/200 388 GET https://192.168.11.2/ - DIRECT/192.168.11.2 text/html

The cache file (the garbled part at the beginning is left out):

https://192.168.11.2/^@HTTP/1.1 200 OK^M
Date: Sat, 07 Jan 2012 21:22:42 GMT^M
Server: Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0d^M
Last-Modified: Fri, 06 Jan 2012 16:25:09 GMT^M
ETag: "10d-31-4b5de7e0d2340"^M
Accept-Ranges: bytes^M
Content-Length: 49^M
Keep-Alive: timeout=5, max=100^M
Connection: Keep-Alive^M
Content-Type: text/html^M
^M
<html><body><h1>It is secure!</h1></body></html>

Please let me know if some other information would be useful.

Well, that is certainly cacheable, which explains why it is in the cache ;)

BUT,
* what are the client request headers? It is possible and in some agents likely that they are requesting re-validation and new content to be fetched.

* does a newer version work better? ssl-bump is only supported well in the 3.1.13 and later releases. Please try a newer release and see if the problem disappears.

Amos
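
An added example, not part of the original posts: a small Python helper for the two checks raised in the reply above. It tallies hits and misses per URL scheme from access.log lines in the format shown in the thread, and lists client request headers that force a cache to revalidate. Apart from the first sample line, which is the one from the post, the sample log lines and headers are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Squid native access.log fields; search() tolerates the syslog prefix
# ("Jan  2 23:51:10 beta squid: ") seen in the post.
LINE = re.compile(
    r"(?P<ts>\d+\.\d{3})\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

def tally(lines):
    """Count (scheme, HIT|MISS|OTHER) pairs so HTTP and bumped HTTPS can be compared."""
    counts = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an access.log record
        url, code = m.group("url"), m.group("code")
        scheme = url.split("://", 1)[0].lower() if "://" in url else "other"
        kind = "HIT" if "HIT" in code else "MISS" if "MISS" in code else "OTHER"
        counts[(scheme, kind)] += 1
    return counts

def revalidation_triggers(request_headers):
    """Return the client request headers that ask a cache to revalidate or refetch."""
    h = {k.lower(): v.lower() for k, v in request_headers.items()}
    found = []
    for d in (p.strip() for p in h.get("cache-control", "").split(",")):
        if d in ("no-cache", "max-age=0"):
            found.append("Cache-Control: " + d)
    if "no-cache" in h.get("pragma", ""):
        found.append("Pragma: no-cache")
    return found

# First line is the log entry from the post; the other three are constructed.
SAMPLE = [
    "Jan  2 23:51:10 beta squid: 1325573470.788     25 192.168.10.2 "
    "TCP_MISS/200 388 GET https://192.168.11.2/ - DIRECT/192.168.11.2 text/html",
    "1325573480.101     30 192.168.10.2 TCP_MISS/200 401 GET "
    "http://192.168.11.2/ - DIRECT/192.168.11.2 text/html",
    "1325573481.230      1 192.168.10.2 TCP_HIT/200 401 GET "
    "http://192.168.11.2/ - NONE/- text/html",
    "1325573490.512     24 192.168.10.2 TCP_MISS/200 388 GET "
    "https://192.168.11.2/ - DIRECT/192.168.11.2 text/html",
]

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLE).items()):
        print(key, n)
    print(revalidation_triggers({"Cache-Control": "max-age=0", "Pragma": "no-cache"}))
```
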


