
Re: https traffic via cache peer with SSL termination enabled on downstream proxy

On 12.06.2012 11:17, Eliezer Croitoru wrote:
You can use two cache_peers for the same host, then name them
differently with "name=" and use a CONNECT method ACL to allow
access to the SSL-encrypted upstream connection.


Not quite. The downstream has terminated the TLS and Squid does not wrap things in CONNECT. Squid uses "native" upstream connectivity which may be over TLS or TCP links.

The encrypted cache_peer link needs to be set up with the "ssl" flag and possibly related settings.


Eliezer

On 11/06/2012 16:00, nipun_mlist Assam wrote:
Hi All,

I have a configuration as given below:

client<------> downstream-proxy<------> upstream-proxy<-------> cloud

downstream proxy is always squid, while upstream proxy is either squid
or bluecoat.
When SSL termination is enabled on the downstream proxy, I noticed that traffic
between the downstream and upstream proxy is not encrypted. That results
in failures when the upstream proxy is BlueCoat. It returns a "400 Bad
request" error.

This is a mis-configuration and possibly a bug in BlueCoat.

* Bug in the BlueCoat in that it is not accepting https:// over non-encrypted links. There are clients which need to send such and have the proxy encrypt.

* Mis-configuration in that the HTTPS specification requires https:// URLs to be sent over TLS-encrypted links. You should have the "ssl" flag on the downstream cache_peer configuration to ensure TLS on the link between downstream and upstream.


Amos
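
An added squid.conf fragment for the downstream proxy, illustrating the fix discussed in this thread (the "ssl" flag on the cache_peer line); it is not configuration posted by anyone in the thread. Hostnames, ports, certificate paths and the ACL names are assumptions, and the Squid 3.x option names are used.

```squid
# Added example, not from the thread. Downstream Squid that terminates
# client TLS and must reach the upstream proxy over an encrypted link.
# Hostnames, ports and file paths below are assumptions.

# Client side: terminate TLS from clients (certificate paths assumed).
https_port 3129 cert=/etc/squid/downstream.pem key=/etc/squid/downstream.key
http_port 3128

# Two cache_peers to the same upstream host, told apart by name=.
# Weak form: no "ssl" flag. An https:// URL decrypted on this proxy would be
# forwarded to the parent in clear text, which the HTTPS spec forbids and
# which a BlueCoat parent answers with "400 Bad request".
cache_peer upstream.example.com parent 3128 0 no-query name=upstream-plain

# Corrected form: "ssl" makes the peer link itself TLS. sslcafile= pins the CA
# used to verify the parent and ssldomain= checks the certificate name, so the
# link is both encrypted and authenticated (paths and port assumed).
cache_peer upstream.example.com parent 3443 0 no-query ssl sslcafile=/etc/squid/upstream-ca.pem ssldomain=upstream.example.com name=upstream-tls

# Route by URL scheme so https:// requests only ever use the encrypted peer.
acl https_urls proto HTTPS
cache_peer_access upstream-tls allow https_urls
cache_peer_access upstream-tls deny all
cache_peer_access upstream-plain deny https_urls
cache_peer_access upstream-plain allow all

# Send everything through the parents rather than going direct.
never_direct allow all
```

After reloading, a capture on the downstream-to-upstream link should show a TLS handshake to port 3443 for https:// requests and no clear-text absolute https:// URLs.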


