
Re: https traffic via cache peer with SSL termination enabled on downstream proxy


You can use two cache_peers for the same host, then name them differently with a "name=" and use a CONNECT method acl to allow access to the SSL-encrypted upstream connection.

Eliezer

On 11/06/2012 16:00, nipun_mlist Assam wrote:
Hi All,

I have a configuration as given below:

client<------>  downstream-proxy<------>  upstream-proxy<------->  cloud

downstream proxy is always squid, while upstream proxy is either squid
or bluecoat.
When SSL termination is enabled on the downstream proxy, I noticed traffic
between the downstream and upstream proxy is not encrypted. That results
in failures when the upstream proxy is bluecoat. It returns a "400 Bad
request" error.
The root cause is that bluecoat always wants "https" traffic to be encrypted.
For example, if the data below (a plain text request for
https://accounts.google.com) is sent to bluecoat, bluecoat will return
a "400 Bad request" error, but squid will happily get the response and
send it back to the client program.

GET https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-IN
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.3; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: accounts.google.com
Via: 1.1 taarusg (squid/3.1.11)
X-Forwarded-For: 192.168.119.8
Cache-Control: max-age=259200
Connection: keep-alive



On the other hand, if I disable SSL termination on the downstream
proxy, everything works just fine.
My requirement is that http traffic between the upstream and downstream
proxy should always be non-encrypted, while in the case of HTTPS, traffic
between the downstream and upstream proxy should never be non-encrypted.
How can I configure the downstream squid to always use "HTTP CONNECT" in
the case of HTTPS even when SSL termination is enabled on the downstream
proxy?
Any help is greatly appreciated.

Regards,
Nipun Talukdar
Bangalore
India


--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
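
Added example (not part of the original thread and not Squid code): a small Python check for the condition described in the question, an https:// URL requested with a plain method on the cleartext hop between the two proxies instead of inside a CONNECT tunnel. The capture bytes are constructed for illustration (shortened from the request quoted above), and the function names are hypothetical.

```python
import re

# Constructed sample of cleartext bytes seen on the downstream -> upstream hop.
SAMPLE_CAPTURE = (
    b"GET https://accounts.google.com/ServiceLogin?service=mail HTTP/1.1\r\n"
    b"Host: accounts.google.com\r\n"
    b"Via: 1.1 taarusg (squid/3.1.11)\r\n\r\n"
    b"CONNECT accounts.google.com:443 HTTP/1.1\r\n"
    b"Host: accounts.google.com:443\r\n\r\n"
    b"GET http://example.com/index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n\r\n"
)

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_requests(capture):
    """Split a cleartext capture into (method, target, headers) tuples."""
    requests = []
    for block in capture.split(b"\r\n\r\n"):
        lines = block.split(b"\r\n")
        m = REQUEST_LINE.match(lines[0])
        if not m:
            continue  # not a request head (body bytes, TLS records, empty tail)
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if sep:
                key = name.strip().lower().decode("latin-1")
                headers[key] = value.strip().decode("latin-1")
        requests.append((m.group(1).decode(), m.group(2).decode("latin-1"), headers))
    return requests


def find_plaintext_https(capture):
    """Return requests whose target is an https:// URL sent outside a CONNECT tunnel."""
    findings = []
    for method, target, headers in parse_requests(capture):
        if method != "CONNECT" and target.lower().startswith("https://"):
            findings.append({"method": method, "target": target,
                             "via": headers.get("via", "")})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_https(SAMPLE_CAPTURE):
        print("cleartext HTTPS request:", f["method"], f["target"], "via", f["via"])
```

Only the first constructed request is reported; the CONNECT request and the plain http:// request are the two forms the question asks for on this hop.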

