[squid-users] Transparent HTTPS Squid proxy with upstream parent
Amos Jeffries
squid3 at treenet.co.nz
Sat Nov 7 14:27:08 UTC 2015
On 8/11/2015 12:20 a.m., Michael Ludvig wrote:
> Hi again
>
> Does anyone have any idea how to fix the below described problem? Please :)
>
You are taking secured traffic. Removing the decryption. Then ...
>> i.e. auto-generates a fake SSL cert and makes a
>> direct connection to the target.
Except when the target is a peer receiving plain-text TCP connections
(not TLS encrypted connections) ...
>>
>> 1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443
>> - HIER_NONE/- -
>> 1446684476.970 3 proxy-client TCP_MISS/503 4309 GET
>> https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html
>>
... splat.
Clear enough? If not the assertion below should make it clearer.
>> Alternatively if I change the ssl_bumpsetup to this:
>>
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>>
>> I get a crash message in cache.log:
>>
>> 2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116:
>> "peer->use_ssl"
Attempting to connect and send encryption to a non-encryted peer.
Using a current version of Squid should fix that assertion and just not
let the peer be used. Your Squid is a whole 2 months old. In the arms
race that is SSL-Bump a few months is a long time.
Squid still will not generate new CONNECT to non-encrypted peers though.
So you will need to TLS enable the cache_peer link.
Amos
More information about the squid-users
mailing list