https traffic via cache peer with SSL termination enabled on downstream proxy

Hi All,

I have a configuration as given below:

client <------> downstream-proxy <------> upstream-proxy <-------> cloud

The downstream proxy is always Squid, while the upstream proxy is
either Squid or Bluecoat.
When SSL termination is enabled on the downstream proxy, I noticed that
traffic between the downstream and upstream proxy is not encrypted. That
results in failures when the upstream proxy is Bluecoat. It returns a
"400 Bad request" error.
The root cause is that Bluecoat always wants "https" traffic to be
encrypted.
For example, if the data below (a plain-text request for
https://accounts.google.com) is sent to Bluecoat, Bluecoat will return
a "400 Bad request" error, but Squid will happily get the response and
send it back to the client program.

GET https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-IN
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.3; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: accounts.google.com
Via: 1.1 taarusg (squid/3.1.11)
X-Forwarded-For: 192.168.119.8
Cache-Control: max-age=259200
Connection: keep-alive



On the other hand, if I disable SSL termination on the downstream
proxy, everything works just fine.
My requirement is that HTTP traffic between the upstream and downstream
proxy should always be non-encrypted, while in the case of HTTPS,
traffic between the downstream and upstream proxy should never be
non-encrypted.
How can I configure the downstream Squid to always use "HTTP CONNECT"
in the case of HTTPS, even when SSL termination is enabled on the
downstream proxy?
Any help is greatly appreciated.

Regards,
Nipun Talukdar
Bangalore
India
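
The condition described in the message above, as an added example that is not part of the original post: a Python check that classifies request heads observed in cleartext on the downstream-to-upstream link and flags https:// targets sent without a CONNECT tunnel. The function names and the sample requests are constructed for illustration; the first sample is modelled on the request quoted in the post.

```python
# Added example (not from the original post): audit request heads seen in
# cleartext on the downstream -> upstream proxy link, e.g. from a capture.
from urllib.parse import urlsplit


def classify_request_head(head: bytes) -> str:
    """Return 'tunnel', 'plain-http', 'cleartext-https' or 'unknown'."""
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "unknown"  # not an HTTP request line (e.g. raw TLS bytes)
    method, target, _version = parts
    if method.upper() == "CONNECT":
        return "tunnel"  # HTTPS carried inside a CONNECT tunnel
    scheme = urlsplit(target).scheme.lower()
    if scheme == "https":
        return "cleartext-https"  # the case the post describes
    if scheme == "http":
        return "plain-http"
    return "unknown"


def cleartext_https_hosts(heads):
    """Hosts whose https:// requests crossed the link without a tunnel."""
    return sorted({
        urlsplit(h.split()[1].decode("latin-1")).hostname
        for h in heads
        if classify_request_head(h) == "cleartext-https"
    })


# Constructed sample request heads (shortened, not real capture data).
SAMPLE_HEADS = [
    b"GET https://accounts.google.com/ServiceLogin?service=mail HTTP/1.1\r\n"
    b"Host: accounts.google.com\r\nVia: 1.1 taarusg (squid/3.1.11)\r\n\r\n",
    b"CONNECT accounts.google.com:443 HTTP/1.1\r\n"
    b"Host: accounts.google.com:443\r\n\r\n",
    b"GET http://mail.google.com/mail/ HTTP/1.1\r\n"
    b"Host: mail.google.com\r\n\r\n",
]

if __name__ == "__main__":
    for head in SAMPLE_HEADS:
        print(classify_request_head(head), head.split(b"\r\n", 1)[0].decode())
    print("policy violations:", cleartext_https_hosts(SAMPLE_HEADS))
```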

