On Squid 3.5.7 the same result:

1442420915.874 207879 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - HIER_DIRECT/2001:41b8:202:deb:213:21ff:fe20:1426 -
1442493956.863 168528 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - HIER_DIRECT/38.229.72.16 -
1442493957.934 168289 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - HIER_DIRECT/38.229.72.16 -

Config snippet is:

# SSL bump rules
sslproxy_cert_error allow all
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
ssl_bump splice NoSSLIntercept
ssl_bump bump all

# Privoxy+Tor access rules
never_direct allow tor_url

# And finally deny all other access to this proxy
http_access deny all

# -------------------------------------
# HTTP parameters
# -------------------------------------

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

Squid configuration options:

http://i.imgur.com/1234E8q.png

17.09.15 16:18, Amos Jeffries wrote:
> On 17/09/2015 7:57 p.m., Yuri Voinov wrote:
>>
>>
>> 17.09.15 10:50, Amos Jeffries wrote:
>>> On 17/09/2015 4:36 a.m., Yuri Voinov wrote:
>>>> Hm.
>>>>
>>>> If I understand correctly, the right configuration must be:
>>>>
>>>> # Privoxy+Tor access rules
>>>> never_direct allow CONNECT
>>>> never_direct allow tor_url
>>>>
>>>> # Local Privoxy is cache parent
>>>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>>>
>>>> cache_peer_access 127.0.0.1 allow tor_url
>>>> cache_peer_access 127.0.0.1 deny all
>>>>
>>>> Right?
>>>>
>>>> But:
>>>>
>>>> http://i.imgur.com/UMxt2vh.png
>>>>
>>>> Does CONNECT always require DIRECT?
>>> In the above yes. If you don't want that remove the never_direct for
>>> CONNECT as well.
>>>
>>>> I can't see FIRSTUP_PARENT for CONNECT in access log:
>>>>
>>>> 1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
>>>> torproject.org:443 - HIER_DIRECT/154.35.132.70 -
>>>> 1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
>>>> torproject.org:443 - HIER_DIRECT/38.229.72.16 -
>>>>
>>> Those appear to be CONNECT requests which got ssl_bump'ed, not passed on
>>> upstream. The access controls about how to pass things upstream are
>>> irrelevant for them.
>>>
>>>> Because the IPs are banned by the ISP, the direct CONNECT gets a timeout.
>>>>
>>>> Also, all tor_url ACL can't connect.
>>>>
>>>> Where am I wrong?
>>> Where is the server IP coming from?
>> Server IP comes from the local DNS cache, which got the right IP via dnscrypt.
>>
>> I was in this case confused by the fact that CONNECT does not go
>> into the tunnel.
>>
>> I've corrected the configuration a bit, but still no effect:
>>
>> # SSL bump rules
>> sslproxy_cert_error allow all
>> ssl_bump none localhost
>> ssl_bump none url_nobump
>> ssl_bump none dst_nobump
>> ssl_bump server-first net_bump
>>
>
> Ah. Right I forget this is 3.4 you are talking about.
>
> server-first bumping requires an SSL/TLS server to get the cert details
> from. Your cache_peer is not one of those servers, and ssl-bump through
> a peer is a 3.5 feature. What happens in 3.4 is a mandatory DIRECT
> connection.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
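
Added example (not part of the original messages and not Squid project code): one way to confirm from access.log whether CONNECT requests for hosts meant for the parent peer left the proxy as HIER_DIRECT instead of via a *_PARENT hierarchy code such as FIRSTUP_PARENT. The log lines are constructed, and MUST_USE_PARENT is a hypothetical stand-in for the tor_url ACL, whose definition is not shown in the thread.

```python
import re

# Constructed sample in Squid's native access.log format (not taken from the thread).
SAMPLE_LOG = """\
1442420915.874 207879 127.0.0.1 TAG_NONE/200 0 CONNECT example.org:443 - HIER_DIRECT/2001:db8::10 -
1442493956.863 168528 127.0.0.1 TAG_NONE/200 0 CONNECT example.org:443 - HIER_DIRECT/192.0.2.16 -
1442493960.101    412 127.0.0.1 TCP_TUNNEL/200 5120 CONNECT example.net:443 - FIRSTUP_PARENT/127.0.0.1 -
1442493961.555     90 127.0.0.1 TCP_MISS/200 2048 GET http://example.org/ - FIRSTUP_PARENT/127.0.0.1 text/html
1442493962.000      3 127.0.0.1 TCP_DENIED/403 3900 CONNECT example.org:443 - HIER_NONE/- text/html
this line is truncated
"""

# Hypothetical stand-in for the tor_url ACL, whose definition is not on the page.
MUST_USE_PARENT = re.compile(r"(^|\.)example\.(org|net)$")

def parse_line(line):
    """Split one native-format line; return None if it is malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[8]:
        return None
    hier, _, peer = f[8].partition("/")  # peer may be IPv4, IPv6 or "-"
    return {"method": f[5], "target": f[6], "hier": hier, "peer": peer}

def summarize(log_text, acl=MUST_USE_PARENT):
    """Count, per matching CONNECT host, how requests left the proxy."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host = rec["target"].rsplit(":", 1)[0].lower()  # drop the :port suffix
        if not acl.search(host):
            continue
        row = stats.setdefault(host, {"direct": 0, "parent": 0})
        if rec["hier"] == "HIER_DIRECT":
            row["direct"] += 1
        elif rec["hier"].endswith("_PARENT"):
            row["parent"] += 1
        # HIER_NONE (denied or answered locally) counts as neither
    return stats

def leaking_hosts(stats):
    """Hosts that should use the parent but had at least one direct CONNECT."""
    return sorted(h for h, row in stats.items() if row["direct"])

if __name__ == "__main__":
    for host in leaking_hosts(summarize(SAMPLE_LOG)):
        print("direct CONNECT seen for", host)
```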