Hello all,

I'm pretty sure this has been asked and answered more than once, but I've been over the emails and the docs, and I still can't figure out how to make this work. Might one of you be able to guide me here?

We have the following setup in our network:

    Client ---- Squid1 ---- Squid2 ---- Internet

Squid1 is running Squid 3.5.28. Squid2 is running Squid 3.5.23.

We do not do transparent proxying. Each user sets their proxy server in their browser to use Squid1. The browser authenticates to Squid1. Squid1 passes the authenticated request to Squid2. Squid2 rewrites the request based on the authenticated user.

It all works except for peered https traffic. Both squid1 and squid2 work separately for https traffic. cache_peer works if I remove SSL from it. It's just the peered https that does not.

Here are the relevant lines in Squid1 squid.conf:

    # START SQUID1 CONF
    http_port 3128
    http_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl/myCA.pem name=bumped options=ALL

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    acl NoBump ssl::server_name "/etc/squid/nobump/domains"

    ssl_bump peek step1 all
    ssl_bump peek step2 NoBump
    ssl_bump splice step3 NoBump
    ssl_bump stare step2
    ssl_bump bump step3

    sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
    sslcrtd_children 5

    request_header_access Surrogate-Capability deny all
    sslproxy_cert_error allow all
    sslproxy_flags DONT_VERIFY_PEER

    cache_peer proxy2.ourserver.com parent 3130 0 no-query no-digest login=PASSTHRU default ssl sslcert=/etc/squid/ssl/myCA.pem
    never_direct allow all
    # END SQUID1 CONF

Here are the relevant lines in Squid2 squid.conf:

    # START SQUID2 CONF
    http_port 3128 name=non-bumped
    http_port 3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl/myCA.pem name=bumped options=ALL

    acl non-bumped myportname non-bumped
    acl bumped myportname bumped

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    acl NoBump ssl::server_name "/etc/squid/nobump/domains"

    ssl_bump peek step1 all
    ssl_bump peek step2 NoBump
    ssl_bump splice step3 NoBump
    ssl_bump stare step2
    ssl_bump bump step3

    sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
    sslcrtd_children 5

    sslproxy_cert_error allow all
    sslproxy_flags DONT_VERIFY_PEER
    # END SQUID2 CONF

Squid1 cache.log shows lots of this:

    2019/03/20 16:22:14 kid1| TCP connection to proxy2.ourserver.com/3130 failed
    2019/03/20 16:22:14 kid1| Error negotiating SSL on FD 14: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Here are my questions:

1. Does squid 3.5 even allow sending https between peers? I've read conflicting emails, but I'm pretty sure it does. (Do I have to comment out some source code?)

2. What file goes into the cache_peer directive sslcert? I'm using the same PEM file for cache_peer on Squid1 and http_port on Squid2. Is that a mistake?

3. What else am I doing wrong?

Thanks for your time and help!

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
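For reference, here is what the two ends of a TLS-encrypted cache_peer link look like in Squid 3.5. This is an added example, not configuration from the post above: the certificate file names, the internal CA and the port name are placeholders, and it assumes the listed files exist on each box.

```conf
# Added example for Squid 3.5 secure peering (not from the original post).
# File names, the internal CA and the port name are placeholders.

# ---- Squid2 (parent): accept a TLS connection from Squid1 on 3130 ----
# "cache_peer ... ssl" makes Squid1 open a TLS session to the peer port, so
# that port must be an https_port. An http_port, even one with ssl-bump,
# expects plaintext HTTP/CONNECT and replies to the TLS ClientHello in
# plaintext, which the connecting side logs as
# "SSL23_GET_SERVER_HELLO:unknown protocol".
https_port 3130 name=from-squid1 \
    cert=/etc/squid/ssl/squid2-server.crt \
    key=/etc/squid/ssl/squid2-server.key
# Optional: only accept peers that present a certificate from the internal CA.
#   cafile=/etc/squid/ssl/internalCA.pem clientca=/etc/squid/ssl/internalCA.pem

# ---- Squid1 (child): connect to Squid2 over TLS ----
# sslcert=/sslkey= on cache_peer are the *client* certificate Squid1 presents
# to the peer (only needed if the peer requests one); they are not the
# ssl-bump signing CA. sslcafile= is the CA Squid1 uses to verify the peer's
# server certificate, so the link stays verified instead of relying on
# DONT_VERIFY_PEER. ssldomain= pins the name checked in that certificate.
cache_peer proxy2.ourserver.com parent 3130 0 no-query no-digest \
    login=PASSTHRU default ssl \
    sslcafile=/etc/squid/ssl/internalCA.pem \
    ssldomain=proxy2.ourserver.com
never_direct allow all
```

The ssl-bump http_port and its ssl_bump rules stay as they are on both proxies; only the peer-facing listener on Squid2 and the cache_peer line on Squid1 change.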