[squid-users] cache peer only forward http , not https !!!
Ahmad Alzaeem
ahmed.zaeem at netstream.ps
Tue Nov 10 19:45:19 UTC 2015
Hi, I don't have SSL Bump.
All my users use ip:port to have internet.
I already have an ISA Windows server and it works with http and https.
I'm wondering why all the complexity is needed for peer https!!!
Anyway, here is squid.conf:
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 172.23.101.253:3128
icp_port 0
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
visible_hostname mne
cache_mgr azaeem at mne.ps
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable off
pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
logfile_rotate 2
debug_options rotate=2
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 172.23.101.0/24
forwarded_for off
via off
httpd_suppress_version_string on
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 100 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#Remote proxies
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
acl sslports port 443 563
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost
request_body_max_size 0 KB
delay_access 1 allow allsrc
# Reverse Proxy settings
# Custom options before auth
dns_nameservers 8.8.8.8 10.12.0.33
cache_peer 10.12.0.32 parent 80 0 no-query no-digest no-tproxy proxy-only
# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny allsrc
cheers
From: Yuri Voinov [mailto:yvoinov at gmail.com]
Sent: Tuesday, November 10, 2015 9:43 PM
To: Ahmad Alzaeem
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] cache peer only forward http , not https !!!
I think we need to take a look at your squid.conf first.
10.11.15 23:18, Ahmad Alzaeem wrote:
> Thank you,
>
> Can you just guide me for the https peer directive plz?
>
> I can take care of https intercept
>
> So with http, we have directive cache_peer 10.12.0.32 parent 8080 0 no-query no-digest
>
> As ok
>
> Now what about https directive?
>
> Can u help me
>
> Thanks a lot a lot a lot for your help
>
> cheers
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Yuri Voinov
> Sent: Tuesday, November 10, 2015 8:49 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] cache peer only forward http , not https !!!
>
> 1. You need to configure Squid with SSL Bump to capture HTTPS traffic.
> 2. You need to configure forwarded requests with splice/no bump. :)
>
> 10.11.15 22:42, Ahmad Alzaeem wrote:
> > Hi Guys, I want a proxy and I want it to forward http & https to a remote proxy
> >
> > Is the command below enough?
> >
> > cache_peer 10.12.0.32 parent 8080 0 no-query no-digest no-tproxy proxy-only
> No.
> >
> > or I need to add another line for https??
> No.
> >
> > BTW the command line above works only for http, not for https
> Sure.
> >
> > Any help?
>
> *** DISCLAIMER: THIS IS MY OWN CONFIG SNIPPET. DON'T BLIND COPY-N-PASTE IT IN YOUR ENVIRONMENT! ***
>
> # Privoxy+Tor acl
> acl tor_url dstdom_regex "C:/Squid/etc/squid/url.tor"
>
> # SSL bump rules
> sslproxy_cert_error allow all
> acl DiscoverSNIHost at_step SslBump1
> ssl_bump peek DiscoverSNIHost
> acl NoSSLIntercept ssl::server_name_regex -i "C:/Squid/etc/squid/url.nobump"
> acl NoSSLIntercept ssl::server_name_regex -i "C:/Squid/etc/squid/url.tor"
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
> # Privoxy+Tor access rules
> never_direct allow tor_url
>
> # Local Privoxy is cache parent
> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>
> cache_peer_access 127.0.0.1 allow tor_url
> cache_peer_access 127.0.0.1 deny all
>
> As you can see, this is just an example. The idea is described in the first two lines of my answer above.
> This snippet works for torified sites described in the tor_url acl.
> NB: I do not guarantee this will work on your environment!
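Added example (my own, not the poster's pfSense config and not Yuri's snippet): the never_direct/cache_peer pattern from Yuri's snippet applied to the explicit ip:port proxy in this thread, so that the CONNECT tunnels browsers send for https are relayed to the parent without any SSL Bump. It assumes the parent is 10.12.0.32 on port 8080 (from the earlier message), the client subnet 172.23.101.0/24 (from the config above), and that the parent accepts CONNECT to port 443.

```conf
# Added example, not the poster's config: forward both plain HTTP and
# CONNECT (https) tunnels from an explicit proxy to a parent proxy.
# Assumes clients are configured with ip:port (no interception), so the
# browser sends "CONNECT host:443" to Squid and Squid can relay it.
http_port 3128

acl localnet src 172.23.101.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Parent proxy (assumed 10.12.0.32:8080); "default" marks it the
# last-resort peer when no other peer is selected.
cache_peer 10.12.0.32 parent 8080 0 no-query no-digest default

# CONNECT is a non-hierarchical request: with the default
# "nonhierarchical_direct on", Squid sends it straight to the origin
# and bypasses the peer, which is why only http reached the parent.
# never_direct forces every request (CONNECT included) through the
# parent; if the parent is down the request fails instead of going direct.
never_direct allow all

# Only local clients may use the parent.
cache_peer_access 10.12.0.32 allow localnet
cache_peer_access 10.12.0.32 deny all
```

Check the result with `squid -k parse` and then watch access.log: forwarded requests show the peer address in the hierarchy column (FIRSTUP_PARENT/DEFAULT_PARENT) instead of HIER_DIRECT.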