
How to tell HTTPS traffic is using cache from access.log in 3.5.x when using ssl_bump


 



Hi,

 

I am setting up a transparent proxy that is doing whitelist work, and at the same time, doing the cache work.


The whitelist works fine, and the HTTP cache is verified to work because I see TCP_MEM_HIT using this squid.conf, but I don't see any HTTPS MEM HIT related log; every time it seems to be a new connection.


For HTTPS traffic, I am getting TCP_TUNNEL/200 all the time. The question is: how can I tell that HTTPS traffic is actually using the cache, or, in this case, that it's not using the cache at all for HTTPS? I am using the forward-proxy port in cache_peer.


I understand that there is a logformat to make access.log show the hostname instead of the IP, but this should not affect the MEM HIT log, right?

 

Meanwhile, I am also trying to set up the sibling cache cluster. I am not sure if this is related to the HTTPS cache, but I am also getting TCP_DENIED/403 for squid-internal-dynamic/netdb - HIER_NONE/- text/html. I do see sibling hits for HTTP sites.




Here is my squid version:

Squid Cache: Version 3.5.25

Service Name: squid

configure options:  '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid3' '--srcdir=.' '--without-libcap' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io' '--enable-icmp' '--enable-useragent-log' '--enable-snmp' '--enable-cache-digests' '--enable-follow-x-forwarded-for' '--enable-storeio=aufs' '--enable-removal-policies=heap,lru' '--with-maxfd=16384' '--enable-poll' '--disable-ident-lookups' '--with-openssl' '--enable-ssl-crtd' '--with-default-user=proxy' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--enable-linux-netfilter'

 

And my squid.conf

# Squid normally listens to port 3128
http_port 3130

http_port 3128 intercept
acl allowed_http_sites dstdomain "/etc/squid3/whitelist.txt"
http_access allow allowed_http_sites

https_port 3129 cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name "/etc/squid3/ssl_sites.txt"

#sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all

acl container_net src 172.18.0.0/24
tcp_outgoing_address 10.0.8.41 container_net
udp_outgoing_address 10.0.8.41 container_net
http_access allow container_net

icp_port 3131
icp_access allow all
#never_direct allow all
cache_peer 10.0.8.48 sibling 3128 3131 proxy-only
#cache_peer_access 10.0.8.48 allow all

# Uncomment and adjust the following to add a disk cache directory.
hosts_file /etc/hosts
cache_replacement_policy heap LFUDA

cache_dir aufs /var/spool/squid3 4000 16 256
log_icp_queries off

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3

#refresh_pattern ^https://.*\.raw.githubusercontent\.com/ 120000 100% 43200
refresh_pattern .               12000       90%     43200

http_access deny all




Thanks,

Lei

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
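
An added example, not part of the original post: a Python script that tallies Squid result tags from native-format access.log lines, separating HTTPS entries (CONNECT or https:// URLs) from plain HTTP. Connections handled by `ssl_bump splice` are relayed undecrypted and logged as TCP_TUNNEL, so an HTTPS tally containing only tunnel entries means no cache lookups happened for that traffic. The sample lines, the host name `proxy1` and the function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample lines in Squid's native access.log format (not from the post).
SAMPLE_LOG = """\
1500000000.101    120 172.18.0.5 TCP_MISS/200 5120 GET http://example.com/a.js - ORIGINAL_DST/93.184.216.34 application/javascript
1500000001.202      1 172.18.0.5 TCP_MEM_HIT/200 5130 GET http://example.com/a.js - HIER_NONE/- application/javascript
1500000002.303   2050 172.18.0.5 TCP_TUNNEL/200 48211 CONNECT 93.184.216.34:443 - ORIGINAL_DST/93.184.216.34 -
1500000003.404   1800 172.18.0.5 TCP_TUNNEL/200 39020 CONNECT 93.184.216.34:443 - ORIGINAL_DST/93.184.216.34 -
1500000004.505      0 10.0.8.48 TCP_DENIED/403 3900 GET http://proxy1:3128/squid-internal-dynamic/netdb - HIER_NONE/- text/html
"""

def classify(tag):
    """Map a Squid result tag (e.g. TCP_MEM_HIT) to a coarse class."""
    if "DENIED" in tag:
        return "denied"
    if "TUNNEL" in tag:
        return "tunnel"   # opaque relay: nothing was decrypted, nothing cached
    if "HIT" in tag:
        return "hit"      # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
    if "MISS" in tag:
        return "miss"
    return "other"        # e.g. TCP_REFRESH_UNMODIFIED

def summarize(lines):
    """Return {scheme: Counter(class -> count)} for native-format log lines."""
    out = defaultdict(Counter)
    for line in lines:
        f = line.split()
        if len(f) < 7 or "/" not in f[3]:
            continue      # skip blank or non-native-format lines
        tag = f[3].split("/", 1)[0]
        method, url = f[5], f[6]
        is_tls = method == "CONNECT" or url.startswith("https://")
        out["https" if is_tls else "http"][classify(tag)] += 1
    return out

def https_verdict(summary):
    """Say whether any HTTPS request reached the cache lookup stage."""
    c = summary.get("https", Counter())
    if c["hit"] or c["miss"]:
        return "cache-lookups-seen"   # decrypted (bumped) requests were logged
    if c["tunnel"]:
        return "tunnel-only"          # every HTTPS entry was an opaque tunnel
    return "no-https-traffic"

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for scheme in sorted(s):
        print(scheme, dict(s[scheme]))
    print("HTTPS verdict:", https_verdict(s))
```

To run it against a live log, pass `open(path)` for the access.log location to `summarize()` in place of the sample.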
