Re: Is it possible to send the connection, starting with the CONNECT, to cache-peer?

[Yuri Voinov <yvoinov@xxxxxxxxx>]

17.09.15 16:18, Amos Jeffries пишет:
> On 17/09/2015 7:57 p.m., Yuri Voinov wrote:
> > 17.09.15 10:50, Amos Jeffries пишет:
> > > On 17/09/2015 4:36 a.m., Yuri Voinov wrote:
> > > > Hm.
> > > >
> > > > If I understand correctly, the right configuration must be:
> > > >
> > > > # Privoxy+Tor access rules
> > > > never_direct allow CONNECT
> > > > never_direct allow tor_url
> > > >
> > > > # Local Privoxy is cache parent
> > > > cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
> > > >
> > > > cache_peer_access 127.0.0.1 allow tor_url
> > > > cache_peer_access 127.0.0.1 deny all
> > > >
> > > > Right?
> > > >
> > > > But:
> > > >
> > > > http://i.imgur.com/UMxt2vh.png
> > > >
> > > > Is CONNECT always requires DIRECT?
> > > In the above yes. If you don't want that remove the never_direct for
> > > CONNECT as well.
> > >
> > > > I can't see FIRSTUP_PARENT for CONNECT in access log:
> > > >
> > > > 1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
> > > > torproject.org:443 - HIER_DIRECT/154.35.132.70 -
> > > > 1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
> > > > torproject.org:443 - HIER_DIRECT/38.229.72.16 -
> > > Those appear to be CONNECT requests which got ssl_bump'ed, not passed on
> > > upstream. The access controls about how to pass things upstream are
> > > irrelevant for them.
> > >
> > > > Because of IP's banned by ISP, direct CONNECT got timeout.
> > > >
> > > > Also, all rot_url ACL can't connect.
> > > >
> > > > Where I'm wrong?
> > > Where is the server IP coming from?
> > Server IP comes from local DNS cache, which is got right IP via dnscrypt.
> >
> > I was in this case confused by the fact that CONNECT and does not go
> > into the tunnel.
> >
> > I've correct configuration a bit, but still no effect:
> >
> > # SSL bump rules
> > sslproxy_cert_error allow all
> > ssl_bump none localhost
> > ssl_bump none url_nobump
> > ssl_bump none dst_nobump
> > ssl_bump server-first net_bump
> Ah. Right I forget this is 3.4 you are talking about.
>
> server-first bumping requires a SSL/TLS server to get the cert details
> from. Your cache_peer is not one of those servers, and ssl-bump through
> a peer is a 3.5 feature. What happens in 3.4 is a mandatory DIRECT
> connection.
This evening will try to test this on 3.5.7 WIn64 on my notebook. 
Yesterday I can't achieve this on 3.5.7. Will try.
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users