Here is my testing config from the test system. This is the original
configuration, which works well with HTTP but not with HTTPS.
I've tried to permit CONNECT access to cache_peer, config cache_peer as
ssl, splice forwarded URLs... without any result.
When I've turned the URL into cache_peer - access.log shows this:
1442336013.594 8060 127.0.0.1 TCP_TUNNEL/200 6833 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336013.924 10802 127.0.0.1 TCP_TUNNEL/200 31810 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.157 9315 127.0.0.1 TCP_TUNNEL/200 29088 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.157 8664 127.0.0.1 TCP_TUNNEL/200 22643 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.252 8677 127.0.0.1 TCP_TUNNEL/200 10701 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.256 8678 127.0.0.1 TCP_TUNNEL/200 42904 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
but nothing happens. IPs for this URL are banned by the ISP. So, CONNECT has
no answer. And - the site is strict HTTPS. Note: Bump can't start because the
server does not answer CONNECT.
In some variants - whenever HTTP goes into cache_peer with ssl enabled -
Squid dies:
2015/09/15 23:24:27 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"
In most cases Squid simply stops working.
always_direct state has no visible effect and does not matter.
Excluding/including the forwarded URL in the splice directive does not matter.
I can't see any other error.
So, it will be interesting: is it possible to forward HTTP/HTTPS for a
specified URL to cache_peer without decrypting?
And I do not understand how to make this correctly.
16.09.15 0:15, Matus UHLAR - fantomas writes:
> On 15.09.15 23:42, Yuri Voinov wrote:
>> I asked a specific question. How does Squid as a whole - I am well
>> aware. Before asking a question - I tried everything I seemed right. And
>> I asked, hoping to get a specific answer or intelligible explanation,
>> not the common words and sentences to read the manual. I outlined the
>> position quite clear?
>
> so, have you tried cache_peer with dst acl or have you not?
>
>> If you do not know the exact answer - it is better to remain silent.
>
> you did not provide enough information, you did not tell what you did, you
> did not mention basic information like using sslbump and now you are telling
> me not even to try to help you?
>
> with this attitude I will just ignore you next time no matter if I can
> help you or not.
# -------------------------------------
# ACL's
# -------------------------------------
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# No-cache ACLs
acl dont_cache dstdomain rulesofwargame.com imgur.com
# Privoxy+Tor acl
acl tor_url url_regex "C:/Squid/etc/squid/url.tor"
# -------------------------------------
# Access parameters
# -------------------------------------
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
# Rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# Cache directives
cache deny dont_cache
# Hide internal networks details outside
forwarded_for delete
via off
# Disable alternate protocols
reply_header_access Alternate-Protocol deny all
# Disable HSTS
reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
# Normalize Vary to reduce duplicates
reply_header_access Vary deny all
reply_header_replace Vary Accept-Encoding
# SSL bump rules
sslproxy_cert_error allow all
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
ssl_bump splice NoSSLIntercept
ssl_bump bump all
# Privoxy+Tor access rules
never_direct allow tor_url
always_direct deny tor_url
always_direct allow all
# And finally deny all other access to this proxy
http_access deny all
# -------------------------------------
# HTTP parameters
# -------------------------------------
# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all
# Don't cache 404 long time
negative_ttl 5 minutes
positive_dns_ttl 15 hours
negative_dns_ttl 15 minutes
# -------------------------------------
# Cache parameters
# -------------------------------------
# Squid normally listens to port 3128
# dhparams= File containing DH parameters for temporary/ephemeral
# DH key exchanges. See OpenSSL documentation for details
# on how to create this file.
# WARNING: EDH ciphers will be silently disabled if this
# option is not set.
http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/rootCA.crt key=/etc/squid/rootCA.key options=NO_SSLv3 dhparams=/etc/squid/dhparam.pem
sslproxy_cafile /etc/ssl/certs/ca-bundle.trust.crt
sslproxy_options NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /lib/squid/ssl_crtd -s /var/cache/squid_ssldb -M 4MB
# Turn off collect per-client statistics
client_db off
# Hide internal networks details outside
via off
forwarded_for delete
# Do not show Squid version
httpd_suppress_version_string on
# Specify local DNS cache
dns_nameservers 127.0.0.1
positive_dns_ttl 15 hours
visible_hostname cthulhu_jr
dns_v4_first on
# -------------------------------------
# Store parameters
# -------------------------------------
# Uncomment and adjust the following to add a disk cache directory
cache_dir aufs D:/squid/var/cache 8192 16 256
# -------------------------------------
# Memory parameters
# -------------------------------------
cache_mem 256 Mb
maximum_object_size_in_memory 5 Mb
maximum_object_size 4 Gb
memory_pools_limit 100 MB
# -------------------------------------
# Tuning parameters
# -------------------------------------
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
# Default is 20
store_objects_per_bucket 128
# Shutdown delay before terminate connections
shutdown_lifetime 1 second
# -------------------------------------
# Process/log parameters
# -------------------------------------
# Access log
access_log daemon:D:/squid/var/logs/access.log squid
logfile_rotate 5
# Cache log
cache_log D:/squid/var/logs/cache.log
# Store log
cache_store_log none
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
# Buffered logs. Default is off
buffered_logs on
strip_query_terms off
# -------------------------------------
# Content parameters
# -------------------------------------
quick_abort_min 100 KB
quick_abort_max 1 MB
quick_abort_pct 80
# Keep swf in cache
refresh_pattern -i \.swf$ 10080 100% 43200 override-expire reload-into-ims ignore-private
# .NET cache
refresh_pattern -i \.((a|m)s(h|p)x?)$ 10080 100% 43200 reload-into-ims ignore-private
# Other long-lived items
refresh_pattern -i \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|svg|webp|flv|f4f|mp4|ttf|eot|woff)(\?.*)?$ 14400 99% 518400 override-expire ignore-reload reload-into-ims ignore-private ignore-must-revalidate
refresh_pattern -i \.((cs|d?|m?|p?|r?|s?|w?|x?|z?)h?t?m?(l?)|(c|x|j)ss|js(t?|px)|php(3?|5?)|rss|atom|vr(t|ml))(\?.*)?$ 10080 90% 86400 override-expire override-lastmod reload-into-ims ignore-private ignore-must-revalidate
# Default patterns
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 10080 override-lastmod reload-into-ims ignore-private
##
^https?.*archive\.org.*
^https?.*livejournal\.com.*
#^https?.*wordpress\.com.*
#^https?.*youtube.*
#^https?.*ytimg.*
#^https?.*googlevideo.*
#^https?.*google.*
#^https?.*googleapis.*
#^https?.*googleusercontent.*
#^https?.*gstatic.*
#^https?.*gmodules.*
#^https?.*blogger.*
#^https?.*blogspot.*
#^https?.*facebook.*
#^https?.*fb.*
https?.*torproject.*
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
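As an added example (not code from the post and not Squid's own), this Python script emulates the url_regex matching of the tor_url ACL against the attached url.tor, assuming that Squid matches a CONNECT request by its "host:port" request URL exactly as the access.log lines in the post print it; the CONNECT_FORM pattern and the helper names are assumptions of mine, not part of the posted configuration.

```python
import re
from typing import Dict, List

# Constructed copy of the relevant url.tor lines from the post (the file read by
# "acl tor_url url_regex"; no -i on the acl, so matching is case-sensitive).
URL_TOR = r"""
##
^https?.*archive\.org.*
^https?.*livejournal\.com.*
#^https?.*youtube.*
https?.*torproject.*
"""

# Hypothetical extra pattern (not in the post) covering the CONNECT form
# "host:port" that the access.log lines show for the HTTPS requests.
CONNECT_FORM = r"^([^/]*\.)?torproject\.org:443$"


def load_url_regex_acl(text: str) -> List[re.Pattern]:
    """Compile one regex per line, skipping blank lines and '#' comment lines
    (the post's url.tor relies on '#' lines being ignored)."""
    lines = (ln.strip() for ln in text.splitlines())
    return [re.compile(ln) for ln in lines if ln and not ln.startswith("#")]


def extended_acl(text: str) -> List[re.Pattern]:
    """Same list plus the hypothetical CONNECT-form pattern."""
    return load_url_regex_acl(text) + [re.compile(CONNECT_FORM)]


def acl_matches(patterns: List[re.Pattern], request_url: str) -> bool:
    """url_regex is an unanchored regex search over the whole request URL."""
    return any(p.search(request_url) for p in patterns)


def evaluate(patterns: List[re.Pattern], requests: List[str]) -> Dict[str, bool]:
    """For each request URL: would tor_url match, i.e. would never_direct and
    cache_peer_access route it to the Privoxy parent instead of going direct?"""
    return {url: acl_matches(patterns, url) for url in requests}


# Constructed sample: a plain HTTP fetch and the CONNECT exactly as logged.
SAMPLE = ["http://www.torproject.org/", "www.torproject.org:443"]

if __name__ == "__main__":
    # With the original file the CONNECT is not matched, so "always_direct
    # allow all" sends the TLS tunnel straight to the filtered address.
    print("original url.tor :", evaluate(load_url_regex_acl(URL_TOR), SAMPLE))
    print("with CONNECT form:", evaluate(extended_acl(URL_TOR), SAMPLE))
```

A url_regex line that only matches the "http://..." form therefore leaves the HTTPS CONNECT outside the tor_url ACL, which is worth checking before concluding that the peer itself is at fault.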