|
Hi list
We're using squid 3.5.23 and trying to achieve the following: client https request (not proxy aware) -> squid1 (https NAT intercept) -> upstream squid2 (configured as a cache_peer in squid1) -> origin server (e.g. www.google.com) Amos mentioned in this thread http://lists.squid-cache.org/pipermail/squid-users/2016-March/009468.html that: > Squid can: > > A) relay CONNECT message from client to any upstream proxy. > > B) generate CONNECT message on arriving intercepted HTTPS and relay > that to upstream proxy *IF* (and only if) ssl_bump selects the 'splice' > action. > > C) relay https:// URLs to an upstream TLS proxy. > > > That is all at present. > > Squid cannot (yet) generate CONNECT messages to try and fetch TLS > details via a non-TLS cache_peer. If you are able to sponsor that > enhancement work patches are welcome, or sponsorship $$ to help pay > persons working on these things (Christos / measurement-factory) are > also welcome. Option B seems to cover what we need i.e. squid1 wraps arriving intercepted HTTPS traffic in a CONNECT and sends it upstream to squid2 which in turn tunnels it to the origin server. Unfortunately, we can't get it to work: as soon as squid1 receives a client HTTPS request it exits with "assertion failed: PeerConnector.cc:116: "peer->use_ssl"" in cache.log Relevant config for squid1: ###################################### acl localnet src 10.100.0.0/24 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 443 # https acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl Blocked_domains dstdomain "/etc/squid3/blocked.domains.acl" acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl step3 at_step SslBump3 acl MITM_TRAFFIC myportname MITM_port http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny to_localhost http_access deny Blocked_domains http_access allow localhost http_access allow localnet http_access deny all http_reply_access allow all https_port 8443 ssl-bump intercept cert=/etc/squid3/root_ca.combined.pem generate-host-certificates=on dynamic_cert_mem_cache_size=8MB name=MITM_port sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/squid3/ssl_db -M 4MB ssl_bump peek all ssl_bump splice all nonhierarchical_direct off never_direct allow all prefer_direct off cache_peer 192.168.0.1 parent 3128 0 no-query no-digest no-netdb-exchange name=WWW_GATEWAY Relevant config for squid2: ###################################### acl localnet src 192.168.0.0/24 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 443 # https acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_port 3128 http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny to_localhost http_access allow localnet http_access deny all http_reply_access allow all Is what we want to do currently achievable with the latest 3.5 branch or have we misunderstood what Amos was stating (some of his posts about ssl interception and cache_peer support can be fairly cryptic)? If it is achievable, does the cache_peer link itself also need to be encrypted (via the ssl flag) to make it work? Thanks, Charlie |
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
