On 12.06.2012 11:17, Eliezer Croitoru wrote:
you can use two cache_peers for the same host then name them
differently with a "name=" and using a CONNECT method acl to allow
access to the ssl encrypted upstream connection.
Not quite. The downstream has terminated the TLS and Squid does not
wrap things in CONNECT. Squid uses "native" upstream connectivity which
may be over TLS or TCP links.
The encrypted cache_peer link needs to be set up with the "ssl" flag and
possibly related settings.
Eliezer
On 11/06/2012 16:00, nipun_mlist Assam wrote:
Hi All,
I have a configuration as given below:
client<------> downstream-proxy<------> upstream-proxy<-------> cloud
Downstream proxy is always squid, while upstream proxy is either squid
or bluecoat.
When SSL termination is enabled on downstream proxy, I noticed traffic
between down-stream and upstream-proxy is not encrypted. That results
in failures when upstream proxy is bluecoat. It returns "400 Bad
request" error.
This is a mis-configuration and possibly a bug in BlueCoat.
* Bug in the BlueCoat in that it is not accepting https:// over
non-encrypted links. There are clients which need to send such and have
the proxy encrypt.
* Mis-configuration in that the HTTPS specification requires https:// URLs
to be sent over TLS encrypted links. You should have the "ssl" flag on the
downstream cache_peer configuration to ensure TLS on the link between
downstream and upstream.
Amos
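
An added example, not part of the thread and not Squid project code: a small check that reads a squid.conf and reports cache_peer entries lacking the "ssl" flag on a proxy that terminates TLS, shown against a weak and a corrected configuration. The hostnames, ports, certificate path and peer names are constructed placeholders, and treating `https_port` or an `http_port` with `ssl-bump` as the sign of TLS termination, as well as accepting `tls` as the newer spelling of the flag, are assumptions of this sketch.

```python
# Constructed sample configurations (placeholders, not taken from the thread).
WEAK = """\
# downstream proxy terminating TLS, upstream link in cleartext
https_port 443 cert=/etc/squid/proxy.pem
cache_peer upstream.example.net parent 8080 0 no-query default name=up_plain
never_direct allow all
"""

FIXED = """\
# same proxy, upstream link wrapped in TLS via the "ssl" flag
https_port 443 cert=/etc/squid/proxy.pem
cache_peer upstream.example.net parent 8443 0 no-query default ssl name=up_tls
never_direct allow all
"""


def directives(conf):
    """Yield (directive, args) pairs, skipping blank lines and # comments."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield name, args


def plaintext_peers(conf):
    """Return labels of cache_peer entries with no ssl/tls flag.

    Only reported when the proxy terminates TLS (assumption: it has an
    https_port, or an http_port carrying ssl-bump), because that is the
    case where https:// requests would leave over an unencrypted link.
    """
    terminates_tls, plain = False, []
    for name, args in directives(conf):
        if name == "https_port" or (name == "http_port" and "ssl-bump" in args):
            terminates_tls = True
        elif name == "cache_peer" and len(args) >= 4:
            # Syntax: cache_peer hostname type http-port icp-port [options]
            opts = args[4:]
            if "ssl" not in opts and "tls" not in opts:
                # Prefer the name= label, fall back to the hostname.
                label = next((o[5:] for o in opts if o.startswith("name=")), args[0])
                plain.append(label)
    return plain if terminates_tls else []


if __name__ == "__main__":
    for title, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(title, "->", plaintext_peers(conf) or "all peers encrypted")
```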