
Re: squid 5.0.4 cache_peer bug on https outgoing


 



I located the bug and found another way to deal with it.

The bug is that cache_peer https CONNECT drops the port number

If you do the compatibility treatment on the back of the agent software, you can solve this problem

However, it would be best if it was resolved on squid.

### 0x01 Wireshark packet

1) squid cache_peer https CONNECT packet.

CONNECT d.qqq.win  HTTP/1.1 (bad format: without port)

0040   d1 d8 43 4f 4e 4e 45 43 54 20 64 2e 71 71 71 2e   ..CONNECT d.qqq.

0050   77 69 6e 20 48 54 54 50 2f 31 2e 31 0d 0a 55 73   win HTTP/1.1


2) glider verbose log

2020/09/28 17:19:58 forward.go:118: [forwarder] DIRECT recorded 1 failures, maxfailures: 0

2020/09/28 17:19:58 server.go:98: [http] *.*.*.*:53848 <-> d.qqq.win [c] via DIRECT, error in dial: dial tcp: address d.qqq.win: missing port in address


### 0x02 solution

Locate the cache_peer code in squid and add the missing port to the CONNECT function.

or, you can do the compatibility treatment on the background proxy soft (bad idea)



openwrt <openwrt.jp@xxxxxxxxx> wrote on Mon, 28 Sep 2020 at 1:41 PM:
Yes, I've tried all of these combinations.

### 0x00 cache_peer no ssl

> ssl_bump allow all
> cache_peer 127.0.0.1 parent 3129 0 【no ssl】


curl http://google.com -x http://admin:squid@localhost:3128 -v  -k   【it is ok】

curl https://google.com -x https://admin:squid@localhost:3128 -v  -k   【Get 502】
curl https://google.com -x http://admin:squid@localhost:3128 -v  -k     【Get 502】

< HTTP/1.1 502 Bad Gateway
< X-Cache: MISS from example.com
< Transfer-Encoding: chunked
< Connection: keep-alive

log json:

{ "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp": "2020-09-28T04:16:28+0000", "verb": "CONNECT", "request": "google.com:443", "httpversion": "HTTP/1.1", "response": 200, "bytes": 0, "referer": "-", "agent": "curl/7.47.0", "request_status": "HIER_NONE", "hierarchy_status": "HIER_NONE" }

{ "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp": "2020-09-28T04:16:28+0000", "verb": "GET", "request": "https://google.com/", "httpversion": "HTTP/1.1", "response": 502, "bytes": 117, "referer": "-", "agent": "curl/7.47.0", "request_status": "HIER_NONE", "hierarchy_status": "HIER_NONE" }


### 0x01 cache_peer with ssl

> ssl_bump allow all
> cache_peer 127.0.0.1 parent 3129 0  ssk


curl http://google.com -x http://admin:squid@localhost:3128 -v  -k   【Get 502】
curl https://google.com -x https://admin:squid@localhost:3128 -v  -k   【Get 502】

< HTTP/1.1 503 Service Unavailable

< Server: squid/5.0.4

< Mime-Version: 1.0

< Date: Mon, 28 Sep 2020 04:21:00 GMT

< Content-Type: text/html;charset=utf-8

< Content-Length: 1649

< X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71


<p>The system returned:</p>

<blockquote id="data">

<pre>(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)</pre>

<p>Handshake with SSL server failed: [No Error]</p>

</blockquote>




### 0x02 how to outgoing https request by cache_peer (on squid 5.0.4/Chains proxy)

Similar features to Charles OR Fiddler. (open http(s) proxy on 8080, then capture the request, outgoing on another http(s)/socks4/5 proxy.)


curl https://google.com -x http://squid:3128 --> outgoing(cache_peer: like Fiddler gateway) --> google.com:443

The cache_peer should ignore ssl VERIFY. !!! like other software.

On squid 5.0.4, http is ok, https will get ERR_SECURE_CONNECT_FAIL error.



Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote on Mon, 28 Sep 2020 at 6:48 AM:
On 9/27/20 12:07 PM, sec wrote:

> http_port 3128 ssl-bump ...

> curl http://google.com -x https://admin:squid@localhost:3128 -v  -k

The above two lines do not match AFAICT: You tell curl to use an HTTPS
proxy, but you tell Squid to expect plain HTTP proxy requests.

Also, please note that if you fix the above problem by moving "https"
from "-x" to the origin server URL, then you will probably face another
problem:

curl https://google.com -x http://admin:squid@localhost:3128 -v  -k

> ssl_bump allow all

> cache_peer 127.0.0.1 parent 3129 0 ssl

Squid does not (yet) support "TLS inside TLS": Talking TLS with the
origin server through a cache_peer that also expects a TLS connection.


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
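The request line from the capture in the first message, parsed the way a Go upstream proxy (glider, whose log appears above, is written in Go) sees it. This is an added example and not code from Squid, glider, or anyone in the thread; the helper names ParseConnectLine and ReadConnectTarget, the ConnectTarget type and the sample request bytes are constructed here. Strict mode reproduces the net.SplitHostPort error text quoted in the glider log, and the allowDefault switch is the "compatibility treatment on the backend proxy" the poster mentions, assuming port 443 when the CONNECT authority carries none.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"strconv"
	"strings"
)

// ConnectTarget is the authority (host and port) parsed from a CONNECT
// request line such as "CONNECT google.com:443 HTTP/1.1".
type ConnectTarget struct {
	Host      string
	Port      int
	Defaulted bool // true when the request carried no port and 443 was assumed
}

// ParseConnectLine parses one CONNECT request line (hypothetical helper).
// In strict mode (allowDefault == false) it behaves like a conforming
// upstream proxy: the CONNECT authority must carry a port, so the line Squid
// sent ("CONNECT d.qqq.win HTTP/1.1") fails inside net.SplitHostPort with
// "missing port in address", the text seen in the glider log. With
// allowDefault == true it applies the compatibility treatment discussed in
// the thread and assumes port 443, recording that it did so.
func ParseConnectLine(line string, allowDefault bool) (ConnectTarget, error) {
	fields := strings.Fields(strings.TrimRight(line, "\r\n"))
	if len(fields) != 3 || fields[0] != "CONNECT" {
		return ConnectTarget{}, errors.New("not a CONNECT request line")
	}
	authority := fields[1]
	host, portStr, err := net.SplitHostPort(authority)
	if err != nil {
		var addrErr *net.AddrError
		if allowDefault && errors.As(err, &addrErr) && addrErr.Err == "missing port in address" {
			// Compatibility treatment: accept the malformed line, but flag it
			// so the proxy can still log that the port was guessed.
			h := strings.TrimSuffix(strings.TrimPrefix(authority, "["), "]") // bare IPv6 literal
			return ConnectTarget{Host: h, Port: 443, Defaulted: true}, nil
		}
		return ConnectTarget{}, err
	}
	port, convErr := strconv.Atoi(portStr)
	if convErr != nil || port < 1 || port > 65535 {
		return ConnectTarget{}, fmt.Errorf("invalid port %q in CONNECT authority", portStr)
	}
	return ConnectTarget{Host: host, Port: port}, nil
}

// ReadConnectTarget reads the first line of an incoming proxy request, the
// way a proxy server would, and hands it to ParseConnectLine.
func ReadConnectTarget(r io.Reader, allowDefault bool) (ConnectTarget, error) {
	line, err := bufio.NewReader(r).ReadString('\n')
	if err != nil && line == "" {
		return ConnectTarget{}, err
	}
	return ParseConnectLine(line, allowDefault)
}

func main() {
	// Constructed sample request modelled on the capture in the thread; the
	// header after the request line is made up, the capture cut off there.
	squidRequest := "CONNECT d.qqq.win HTTP/1.1\r\nUser-Agent: curl/7.47.0\r\n\r\n"
	for _, lenient := range []bool{false, true} {
		tgt, err := ReadConnectTarget(strings.NewReader(squidRequest), lenient)
		if err != nil {
			fmt.Printf("lenient=%v: error in dial: %v\n", lenient, err)
			continue
		}
		fmt.Printf("lenient=%v: dial %s (port defaulted: %v)\n",
			lenient, net.JoinHostPort(tgt.Host, strconv.Itoa(tgt.Port)), tgt.Defaulted)
	}
}
```

In strict mode the error string is exactly the one glider logged, which is how the missing port can be confirmed from the upstream side without a packet capture. The Defaulted flag is there because silently guessing 443 hides the malformed request; if the lenient path is used as a stopgap, log that flag so the Squid-side fix the poster recommends remains the tracked remedy.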

