On Mon, 11 Jun 2012 18:30:14 +0530
nipun_mlist Assam <nipunmlist@xxxxxxxxx> wrote:

> Hi All,
>
> I have a configuration as given below:
>
> client <------> downstream-proxy <------> upstream-proxy <------->
> cloud

I'm not sure what a cloud is, I think it's called the internet.

>
> downstream proxy is always squid, while upstream proxy is either squid
> or bluecoat.
> When SSL termination is enabled on downstream proxy, I noticed traffic
> between down-stream and upstream-proxy is not encrypted. That results
> in failures when upstream proxy is bluecoat. It returns "400 Bad
> request" error.
> The root cause is bluecoat always wants "https" traffic to be
> encrypted. For example, if below data ( a plain text request
> https://accounts.google.com) is sent to bluecoat, bluecoat will return
> a "400 Bad request" error, but squid will happily get the response and
> send back to the client program.
>
> GET
> https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2
> HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif,
> application/xaml+xml, image/pjpeg, application/x-ms-xbap,
> application/vnd.ms-excel, application/vnd.ms-powerpoint,
> application/msword, */*
> Accept-Language: en-IN
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;
> Trident/4.0; GTB7.3; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729;
> .NET CLR 3.0.30729; Media Center PC 6.0)
> Accept-Encoding: gzip, deflate
> Host: accounts.google.com
> Via: 1.1 taarusg (squid/3.1.11)
> X-Forwarded-For: 192.168.119.8
> Cache-Control: max-age=259200
> Connection: keep-alive
>

Let SSL pass through your downstream proxy uncached, let your parent proxy handle the SSL. Also, SSL is already encrypted, whether it's being cached or not.

>
>
> On the other hand if I disable SSL termination on the downstream
> proxy, everything works just fine.
> My requirement is http traffic between upstream and downstream proxy
> should be always non-encrypted. While in case of HTTPS, traffic
> between downstream and upstream proxy should never be non-encrypted.
> How can I configure downstream squid to always use "HTTP CONNECT" in
> case of HTTPS even when SSL termination is enabled on the downstream
> proxy ?
> Any help is greatly appreciated.
>
> Regards,
> Nipun Talukdar
> Bangalore
> India
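
A check that could be run over request heads captured on the link between the two proxies, to verify the requirement stated in the quoted message (HTTPS crosses that link only as CONNECT, never as a cleartext `GET https://...`). This is an added example, not part of the original thread; the function names and the sample requests (modelled on the request quoted above) are constructed here.

```python
from urllib.parse import urlsplit


def classify_request(raw: bytes) -> str:
    """Classify one proxy-bound HTTP request head seen on the inter-proxy link.

    'tunnel'          CONNECT host:port (TLS stays end-to-end through the parent)
    'plain-http'      absolute http:// target (cleartext is expected here)
    'cleartext-https' absolute https:// target sent unencrypted to the parent
    'origin-form'     path-only target (not a forward-proxy request)
    'other'           anything else, including malformed request lines
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    parts = head.split("\r\n", 1)[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "other"
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        return "tunnel" if sep and host and port.isdigit() else "other"
    if target.startswith("/") or target == "*":
        return "origin-form"
    scheme = urlsplit(target).scheme.lower()
    return {"http": "plain-http", "https": "cleartext-https"}.get(scheme, "other")


def leaked_hosts(requests):
    """Sorted hostnames whose https:// URLs crossed the link in cleartext."""
    return sorted({
        urlsplit(r.split()[1].decode("iso-8859-1")).hostname
        for r in requests
        if classify_request(r) == "cleartext-https"
    })


# Constructed sample request heads (not captured traffic).
SAMPLES = [
    b"GET https://accounts.google.com/ServiceLogin?service=mail HTTP/1.1\r\n"
    b"Host: accounts.google.com\r\nVia: 1.1 taarusg (squid/3.1.11)\r\n\r\n",
    b"CONNECT accounts.google.com:443 HTTP/1.1\r\n"
    b"Host: accounts.google.com:443\r\n\r\n",
    b"GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(classify_request(req), req.split(b"\r\n", 1)[0].decode())
    print("HTTPS hosts sent in cleartext:", leaked_hosts(SAMPLES))
```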