I have redeployed everything, with most basic configuration, and use the proposed config for ssl_bump.
The test server that goes through Squid now doesn't get tunneled, and instead checks the cache. I get something like this:
NONE/200
TCP_MISS/200
TCP_MISS/200
But I have noticed that the test server also doesn't cache anything, and instead only looks at the cache.
So if I try to go for a file in S3, it says MISS, and after that, MISS again, and I see no new objects in cache being created.
If I try the same thing from the proxy itself, I get the MISS, and the object gets cached, as it should.
When I go back to the test server, and try again, it sees the object in cache and returns TCP_MEM_HIT/200 instead.
Is there a specific configuration that I need to add/enable, in order to have the server cache the objects, or am I making a mistake elsewhere perhaps?
This is the entire config file:
visible_hostname squid
cache_dir ufs /test/cache/squid 10000 16 256
http_access allow localhost
http_access allow all
http_port 3128
http_port 3129 intercept
acl allowed_http_sites dstdomain .amazonaws.com
http_access allow allowed_http_sites
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com
ssl_bump stare all
ssl_bump bump allowed_https_sites
ssl_bump terminate all
Thanks!
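As an added illustration (not part of this thread, and not the Squid project's own documentation), here is the same rule set with comments on evaluation order. Squid evaluates http_access top to bottom and stops at the first matching rule, so an "http_access allow all" placed ahead of the allowed_http_sites and SSL_port rules matches every request first, leaves those rules unreachable, and turns the intercept ports into an open proxy for anything that can reach them. Paths, port numbers and ACL names are the ones from the posted config; the closing "deny all" is an assumption about the intended policy, not something the thread states, and nothing here claims to explain the caching difference being asked about.

```conf
visible_hostname squid

# One cache_dir per directory; declaring the same path twice is an error.
cache_dir ufs /test/cache/squid 10000 16 256

http_port 3128
http_port 3129 intercept
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept

acl SSL_port port 443
acl allowed_http_sites dstdomain .amazonaws.com
acl allowed_https_sites ssl::server_name .amazonaws.com

# http_access is first-match: specific allows go before any catch-all,
# and a catch-all "allow all" above them would make them dead rules.
http_access allow localhost
http_access allow allowed_http_sites
http_access allow SSL_port
# Closing rule (assumed intent): refuse whatever was not allowed above.
http_access deny all

# ssl_bump rules from Alex's suggestion: stare to learn the server name,
# bump only the allowed names, terminate everything else.
ssl_bump stare all
ssl_bump bump allowed_https_sites
ssl_bump terminate all
```

The practical check after a change like this is to confirm with a client that should be refused (any host that is neither localhost nor headed for .amazonaws.com) that it now gets a TCP_DENIED entry in access.log rather than a TCP_MISS.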
On Tue, Jan 26, 2021 at 9:14 PM Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 1/26/21 1:54 PM, Milos Dodic wrote:
> when the test server goes for a picture I have stored somewhere in
> the cloud, the squid access log shows "TCP_TUNNEL/200". But when I
> try from the proxy itself with squidclient tool, I get
> "TCP_MEM_HIT/200"
Given the very limited information you have provided, I am guessing that
* the primary test opens a CONNECT tunnel through Squid
* the squidclient test sends a plain text HTTP request to Squid
The final origin server destination may be the same in both tests, but
the two transactions are completely different from Squid's point of view.
> ssl_bump peek step1 all
> ssl_bump peek step2 allowed_https_sites
> ssl_bump splice step3 allowed_https_sites
> ssl_bump terminate step3 all
AFAICT, this configuration is splicing or terminating all TLS traffic.
No bumping at all. If you want your Squid to bump TLS tunnels, then you
have to have at least one "bump" rule!
I do not know what your overall SslBump needs are, but perhaps you meant
something like the following?
acl shouldBeBumped ssl::server_name .amazonaws.com
ssl_bump stare all
ssl_bump bump shouldBeBumped
ssl_bump terminate all
Please do not use the configuration above until you understand what it
does. Please see https://wiki.squid-cache.org/Features/SslPeekAndSplice
for details.
Depending on your environment, the http_access rules may need to be
adjusted to allow CONNECT requests (to TLS-safe ports) to IP addresses
that do not result in .amazonaws.com in reverse DNS lookups.
HTH,
Alex.
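To check what Alex describes (a CONNECT tunnel and a plain request are different transactions to Squid) against a real log, here is an added example script, not from this thread and not the Squid project's own code. It parses native-format access.log lines and reports, per client, how many entries were CONNECT/tunnel handshakes, cache hits and cache misses, plus the URLs that were fetched repeatedly without ever producing a HIT (the symptom in this thread). The sample log lines are constructed for illustration; the summarise and never_hit_urls names are mine, and the regex assumes the default logformat (a custom format needs it adjusted).

```python
"""Summarise Squid native access.log lines per client.

Added example; assumes the default Squid native log format:
  time elapsed client code/status bytes method url ident hier/peer type
"""
import re
from collections import defaultdict

# Native access.log line, e.g.:
# 1611691200.345 245 10.0.0.5 TCP_MISS/200 5123 GET https://h/p - HIER_DIRECT/1.2.3.4 image/jpeg
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample log: one intercepted client (10.0.0.5), the proxy host
# itself (127.0.0.1) and a third client that only opens a spliced tunnel.
SAMPLE_LOG = """\
1611691200.101     12 10.0.0.5 NONE/200 0 CONNECT 52.216.1.10:443 - HIER_NONE/- -
1611691200.345    245 10.0.0.5 TCP_MISS/200 5123 GET https://bucket.s3.amazonaws.com/pic.jpg - HIER_DIRECT/52.216.1.10 image/jpeg
1611691205.120    230 10.0.0.5 TCP_MISS/200 5123 GET https://bucket.s3.amazonaws.com/pic.jpg - HIER_DIRECT/52.216.1.10 image/jpeg
1611691210.002    198 127.0.0.1 TCP_MISS/200 5123 GET https://bucket.s3.amazonaws.com/pic.jpg - HIER_DIRECT/52.216.1.10 image/jpeg
1611691215.777      1 10.0.0.5 TCP_MEM_HIT/200 5123 GET https://bucket.s3.amazonaws.com/pic.jpg - HIER_NONE/- image/jpeg
1611691220.500     40 10.0.0.7 TCP_TUNNEL/200 8812 CONNECT example.org:443 - HIER_DIRECT/93.184.216.34 -
1611691230.000    300 10.0.0.5 TCP_MISS/200 77000 GET https://bucket.s3.amazonaws.com/big.bin - HIER_DIRECT/52.216.1.10 application/octet-stream
1611691240.000    290 10.0.0.5 TCP_MISS/200 77000 GET https://bucket.s3.amazonaws.com/big.bin - HIER_DIRECT/52.216.1.10 application/octet-stream
"""


def parse_line(line):
    """Return a dict of the log fields, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarise(lines):
    """Per-client counts: CONNECT handshakes/tunnels, cache hits, misses, other.

    A CONNECT entry (NONE/200 for a bumped handshake, TCP_TUNNEL for a splice)
    never touches the cache; only the inner GET/HEAD entries can HIT or MISS.
    """
    out = defaultdict(lambda: {"tunnel": 0, "hit": 0, "miss": 0, "other": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = out[rec["client"]]
        if rec["method"] == "CONNECT":
            bucket["tunnel"] += 1
        elif "HIT" in rec["code"]:
            bucket["hit"] += 1
        elif "MISS" in rec["code"]:
            bucket["miss"] += 1
        else:
            bucket["other"] += 1
    return dict(out)


def never_hit_urls(lines):
    """URLs requested at least twice (by any client) that never logged a HIT."""
    counts = defaultdict(int)
    hit = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] == "CONNECT":
            continue
        counts[rec["url"]] += 1
        if "HIT" in rec["code"]:
            hit.add(rec["url"])
    return sorted(u for u, n in counts.items() if n >= 2 and u not in hit)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, counts in sorted(summarise(lines).items()):
        print(client, counts)
    print("fetched repeatedly, never a HIT:", never_hit_urls(lines))
```

Run it against the real file with `summarise(open("/var/log/squid/access.log"))`; a client whose rows show only misses for a URL that another client later hits, as in this thread, points at the transactions from that client being different from the ones that populate the cache, which is where the tunnel-versus-plain-request distinction above comes in.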
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users