Re: Transparent HTTPS & Parent proxy

On 8/09/2012 11:48 p.m., Mike Mitchell wrote:
> I have several clients that cannot be reconfigured to use a PAC file or
> proxy, their traffic must be intercepted.  They are all behind a Cisco
> firewall.  I've set up WCCP and am intercepting both the HTTP and
> HTTPS traffic, using two different service groups and two different
> proxy ports.
>
> One problem I had with the Cisco firewall was that it insisted on having
> the Squid proxy on the same network as the other clients.  Since I do
> not want that network to have direct access to the Internet, I'm chaining
> the local squid to another squid process on a different network.  It looks
> like
>      client -> squid1 -> squid2 -> internet
> where the squid1 process is picking up the traffic via WCCP and squid2
> is a cache_peer (parent) of squid1.
>
> It all works well for HTTP traffic, but I have yet to get HTTPS traffic to
> work.  WCCP is intercepting the traffic and squid1 is seeing it, but an
> error page is returned to the client saying "Unsupported Request
> Method and Protocol"

Which proxy is generating it? I suspect the squid2 has no SSL support built in or configured.


> I've tried both
>     https_port 4433 cert=myCA.pem intercept
> and
>      https_port 4433 cert=myCA.pem intercept ssl-bump

This second one is correct. However for better results use the 3.HEAD packages and dynamic certificate generation.

> but I get the same behaviour with both.
> I do have
>      ssl_bump allow all
>      never_direct allow all
> in the configuration.
>
> Am I missing something simple?  Is it just not possible yet with a parent
> proxy?  I realize the request will have to be converted from a GET to a
> CONNECT.  It would not surprise me if the conversion hasn't been
> implemented yet.

The squid1 is meant to pass a regular request for https:// URL to squid2. Both squids require SSL support, squid1 to receive HTTPS traffic and squid2 to make the outbound HTTPS connections (also sslproxy_* options configured for squid2 to make those outbound with). It is a good idea to SSL-encrypt the channel between them explicitly to ensure end-to-end security, but not mandatory.


> This is with squid 3.2.1.
>
> Mike Mitchell
> Mike.Mitchell@xxxxxxx
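Putting the reply's points together (ssl-bump with dynamic certificate generation on squid1, a cache_peer parent with the hop encrypted, never_direct, and sslproxy_* verification on squid2), the following two squid.conf fragments are an added illustration and are not taken from either message in this thread. The addresses (clients on 192.168.10.0/24, squid1 at 10.0.0.1, squid2 at 10.0.0.2), the certificate and key file paths, and the ssl_crtd helper path are assumptions; the directive names are the ones documented for Squid 3.2/3.3 era builds with --enable-ssl and --enable-ssl-crtd.

```conf
# ---- squid1: interception box on the client network (assumed fragment) ----
acl localnet src 192.168.10.0/24        # assumed client subnet

# WCCP service groups redirect port 80 and port 443 to these two listeners
http_port  3128 intercept
https_port 4433 intercept ssl-bump cert=/etc/squid/myCA.pem key=/etc/squid/myCA.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints a per-site certificate signed by myCA (dynamic generation);
# the helper path and cert database location are assumptions
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# 3.2 syntax as used in the original post. Clients must have myCA.pem installed
# as a trusted root; any client that does not will get certificate warnings,
# which is the correct signal that something sits between it and the origin.
ssl_bump allow all

http_access allow localnet
http_access deny all

# Parent on the other network. 'ssl' encrypts the squid1 -> squid2 hop and
# sslcafile names the CA that issued squid2's listener certificate, so squid1
# will not talk to an impostor parent.
cache_peer 10.0.0.2 parent 3128 0 no-query default ssl sslcafile=/etc/squid/squid2-ca.pem

# This network has no route to the Internet: everything must go through squid2
never_direct allow all


# ---- squid2: parent with Internet access (assumed fragment) ----
acl squid1 src 10.0.0.1                 # assumed address of squid1

# TLS listener for the squid1 -> squid2 hop (pairs with 'cache_peer ... ssl' above)
https_port 3128 cert=/etc/squid/squid2.pem key=/etc/squid/squid2.key

# Outbound HTTPS: validate origin servers against the system CA bundle and
# refuse on certificate errors instead of passing a bad origin through to clients
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
sslproxy_cert_error deny all

# Only squid1 may use this parent
http_access allow squid1
http_access deny all
```

With this layout squid1 terminates the client's TLS, forwards a plain https:// URL request to squid2 over the TLS-protected peer link, and squid2 is the only process that opens connections to origin servers, so origin certificate validation lives in one place (the sslproxy_* lines). If the parent link were left unencrypted, the decrypted client traffic would cross the network between the two proxies in the clear, which is why the reply recommends encrypting that hop even though it is optional.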



