[squid-users] Transparent HTTPS Squid proxy with upstream parent

Michael Ludvig michael.ludvig at enterpriseit.co.nz
Sun Nov 8 22:55:44 UTC 2015


Hi Amos

thanks for your reply.

On 08/11/15 03:27, Amos Jeffries wrote:
> You are taking secured traffic. Removing the decryption. Then ...

Yes. Then ... I expected it would make a CONNECT to the upstream proxy 
that would in turn do HTTPS to the target.

I'm happy with the certificate mismatch.

>> I get a crash message in cache.log:
>>
>> 2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116:
>> "peer->use_ssl"
> Attempting to connect and send encryption to a non-encrypted peer.
>
> Using a current version of Squid should fix that assertion and just not
> let the peer be used. Your Squid is a whole 2 months old. In the arms
> race that is SSL-Bump a few months is a long time.
>
> Squid still will not generate new CONNECT to non-encrypted peers though.
> So you will need to TLS enable the cache_peer link.

If my proxy talks TLS with the upstream one - will that do the trick? I 
can upgrade to the latest Squid if that should fix the problem.

However I'm a bit confused with the protocols / certificates involved.

[client] -> HTTPS -> [my_proxy] -> SSL -> [upstream_proxy] -> HTTPS -> 
[target]

What protocol is used between [my_proxy] and [upstream_proxy]? It's not 
CONNECT, is it? Is it a TLS connection with something like "GET 
https://example.com/ HTTP/1.." passing through?

Does that also mean the upstream one will have to ssl_bump the 
connection again and re-encrypt with yet another certificate to be able 
to read the target URL? And also - can I pass non-SSL traffic between my 
proxy and the upstream as well?

Can you provide some config hints for both proxies please? The 
SSL-related bits only as that's the unclear part.

Thanks in advance!

Michael
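Added illustration (not from this thread or from the Squid project) of what Amos's "TLS enable the cache_peer link" looks like in Squid 3.5 syntax on the [my_proxy] side only; the hostnames, ports, and certificate paths are placeholders, and the upstream side is not shown.

```conf
# Added example, not from the thread: Squid 3.5-style config for [my_proxy].
# Hostnames, ports and file paths below are placeholders.

# Intercepted HTTPS from the client, bumped so Squid can see the request.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/my_proxy-ca.pem

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# The parent link itself carries TLS (the "ssl" option), so bumped requests
# are not sent in the clear to the peer; sslcafile/ssldomain make Squid
# verify the upstream proxy's certificate instead of accepting any cert.
cache_peer upstream_proxy.example.net parent 3128 0 no-query default ssl \
    sslcafile=/etc/squid/upstream-ca.pem \
    ssldomain=upstream_proxy.example.net

# Route everything via the parent rather than going direct.
never_direct allow all
```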
