I am trying to have a setup where Squid is going to act as a transparent forward proxy, with caching enabled. I am leaning on a setup like here: https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/ (though I've tried a few similar ones as well).
The requirement is to have a transparent caching proxy on AWS, that will be used to reduce the traffic that is being pulled from a remote company (the data is being pulled on a schedule, while there are not many changes that often). This traffic causes additional cost, and caching that on our proxy on AWS could help us out a lot.
The issue I have is, when I configure everything, the test server
that is going through proxy is not actually caching anything, while if I
try a test from the proxy itself (using squidclient) it does.
So when the test server goes for a picture I have stored somewhere in
the cloud, the squid access log shows "TCP_TUNNEL/200".
But when I try from the proxy itself with squidclient tool, I get
"TCP_MEM_HIT/200" (the first time it was MISS, before it was cached), so
caching works properly - I even see the new folder being created or the cached content.
I have the rerouting rules added to IP tables, source and destination check
is disabled (AWS setup), and overall, traffic is going as it should. I
assume I need to make some changes in the configuration, as that part is
where I had to copy most of the stuff, and have least experience with.
I've generated the certificate as per the doc, and my config is mostly
the same as the one there:
(note, I have tried with multiple changes to this config, without success)
visible_hostname squid
cache_dir ufs /squid/cache 10000 16 256
# Handle HTTP requests
http_port 3128
http_port 3129 intercept
acl allowed_http_sites dstdomain .amazonaws.com
http_access allow allowed_http_sites
# Handle HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step3 all
http_access deny all
The cert and everything else is generated as per the guide (and a few guides are very similar here when it comes to this part).
The whitelisting works, mostly everything else works too, so the only
thing missing is squid not caching things that are requested by the test
server and is instead only passing it through.
Any idea what configuration changes I need in order to fix this? I guess I am doing something wrong with ssl bump.
Thanks!
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users