Thank you!
I reverted back to:
ssl_bump peek step1
ssl_bump bump all
And then based on that first link you sent me I rebuilt my Squid instance from https://github.com/measurement-factory/squid/tree/SQUID-360-peering-for-SslBump
Then tested and I think it's working now?
From my access log:
# testing https
# first request
1537477895.645 797 172.27.0.3 TCP_MISS/200 32374 GET https://foo.com/js/bootstrap.min.js - FIRSTUP_PARENT/64.58.117.175 application/_javascript_
# second request
1537477899.009 336 172.27.0.3 NONE/200 0 CONNECT foo.com:443 - FIRSTUP_PARENT/64.58.117.175 -
1537477899.019 0 172.27.0.3 TCP_MEM_HIT/200 32384 GET https://foo.com/js/bootstrap.min.js - HIER_NONE/- application/_javascript_
# testing http
# first request
1537477956.088 1051 172.27.0.3 TCP_MISS/200 28203 GET http://websites.web.com/ - FIRSTUP_PARENT/64.58.117.175 text/html
# second request
1537477957.888 2 172.27.0.3 TCP_MEM_HIT/200 28198 GET http://websites.web.com/ - HIER_NONE/- text/html
Should I change anything else for more improvement? Should I build from the master or a more recent branch of https://github.com/measurement-factory?
Thanks again!
B.
On Thu, Sep 20, 2018 at 12:47 PM Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 09/20/2018 12:36 PM, Brett wrote:
> I currently have squid setup to use a self-signed certificate for MITM to
> cache HTTPS requests. This works. [...]
> Is there a way I can configure squid so I can specify
> it as a proxy for an https request and then have it act as a cache or
> forward to an HTTP proxy (that supports CONNECT)?
AFAICT, you are asking about the missing "SslBump with cache_peer"
feature, which was covered in several recent threads, including this email:
http://lists.squid-cache.org/pipermail/squid-users/2018-July/018653.html
> ssl_bump peek step1
> ssl_bump bump all
This configuration bumps everything at step2.
> If I change the ssl_bump directives above to the following:
> ssl_bump stare step2
> ssl_bump bump step3
This (misleading!) configuration should splice everything at step1. In
other words, it should be equivalent to this (clear) configuration:
ssl_bump splice all
or a disabled SslBump. According to your tests, that is exactly what
happens (and the lack of non-trivial SslBump involvement probably
explains why peering works in this corner case).
If you need more information about the equivalence of the last two
configurations, please consider studying the following wiki page and a
related recent email thread:
* https://wiki.squid-cache.org/Features/SslPeekAndSplice
* http://lists.squid-cache.org/pipermail/squid-users/2018-September/019162.html
HTH,
Alex.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
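
The step-by-step reasoning in the quoted reply above, as an added example that is not part of the original thread and is not Squid code: a simplified Python model of first-match ssl_bump evaluation, run on the two rule sets discussed. It assumes only the step1/step2/step3/all ACL names seen in this thread, and that when no rule matches Squid splices if splicing is still possible at that step.

```python
# Added illustration: a simplified model of how Squid walks ssl_bump rules
# step by step. It is not Squid code and only understands the ACL names
# used in this thread (step1, step2, step3, all).

def parse(config):
    """Turn 'ssl_bump <action> <acl>' lines into (action, acl) pairs."""
    rules = []
    for line in config.strip().splitlines():
        directive, action, acl = line.split()
        if directive != "ssl_bump":
            raise ValueError("not an ssl_bump rule: " + line)
        rules.append((action, acl))
    return rules

def possible_actions(step, previous):
    """Actions that can still be applied at this step (model assumption)."""
    if step < 3:
        return {"peek", "stare", "splice", "bump", "terminate"}
    # step3: too late to peek or stare; peeking at step2 usually rules out
    # bumping, and staring at step2 usually rules out splicing.
    return {"splice", "terminate"} if previous == "peek" else {"bump", "terminate"}

def decide(config):
    """Return (final_action, step) for a connection under this rule set."""
    rules = parse(config)
    previous = None
    for step in (1, 2, 3):
        allowed = possible_actions(step, previous)
        action = None
        for rule_action, acl in rules:          # first matching rule wins
            if rule_action in allowed and acl in ("all", "step%d" % step):
                action = rule_action
                break
        if action is None:                      # no rule matched at this step
            action = "splice" if "splice" in allowed else "bump"
        if action in ("splice", "bump", "terminate"):
            return action, step                 # final decision, stop stepping
        previous = action                       # peek or stare: go to next step

# The two rule sets from the thread.
BUMP_AT_STEP2 = "ssl_bump peek step1\nssl_bump bump all"
LOOKS_LIKE_BUMP = "ssl_bump stare step2\nssl_bump bump step3"

if __name__ == "__main__":
    for name, cfg in (("peek/bump", BUMP_AT_STEP2), ("stare/bump", LOOKS_LIKE_BUMP)):
        print(name, "->", decide(cfg))
```

In the second rule set neither rule's ACL is true at step1, so the model never reaches the stare or bump lines and falls through to splice.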