[squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

Yuri Voinov yvoinov at gmail.com
Tue Sep 15 17:56:02 UTC 2015


Hi Antony,

thank you for the answer.

My problem is a bit specific.

I have some permanently ISP-banned sites. I need to pass them through from
the transparent interception Squid to cache_peer - both plain HTTP and HTTPS
tunnels without decryption. Sites are defined in an ACL.

HTTP-only sessions are forwarded correctly, but HTTPS ones are not. They go
directly.

I can't pass all connections via tunnel. Just some specific sites.

Example: torproject.org is permanently HTTPS now. Session starts with
CONNECT method.
If IP's banned by ISP, forwarding into parent (with Tor) does not work.

I've tried to solve this, but was unsuccessful.

Yes, I can use Tor browser itself. But via Squid+Privoxy+Tor - doesn't work.

15.09.15 23:49, Antony Stone wrote:
> On Tuesday 15 September 2015 at 19:45:05, Yuri Voinov wrote:
>
>> I want to get the answer the people who did it. And not those that
>> suggest that they could do it.
>
> I have a suggestion which I hope may help - show us a configuration you have
> tried, following the documentation, and tell us in what way it fails to work
> as expected - then we may be able to show you where the error is.
>
> It's quite significant that in your original question, you did not mention you
> were using Squid in transparent SSL Bump mode, therefore the answer you
> received did not take this into account.
>
> The more information you give us about what you want to achieve, what you've
> done so far, and what goes wrong, the more we are able to help you debug the
> problem.
>
>
> Regards,
>
>
> Antony.
>
>> 15.09.15 23:42, Matus UHLAR - fantomas wrote:
>>>>> On 15.09.15 22:45, Yuri Voinov wrote:
>>>>>> Does anyone know - is it possible to send the connection, starting
>>>>>> with the CONNECT, to cache-peer?
>>>>
>>>> 15.09.15 23:17, Matus UHLAR - fantomas wrote:
>>>>> cache_peer_access with proper ACLs should do that.
>>>>> note that always_direct can avoid it.
>>>
>>> On 15.09.15 23:33, Yuri Voinov wrote:
>>>> Squid is working in transparent SSL Bump mode.
>>>>
>>>> AFAIK, SSL is decrypted here. AFAIK, a decrypted tunnel is not allowed to be
>>>> forwarded to a parent.
>>>>
>>>> I need to forward some URLs without decryption to the peer. The whole session,
>>>> starting with CONNECT.
>>>>
>>>> Problem: Peer must accept both HTTP and HTTPS connections. Yes, there
>>>> is Privoxy, which can tunnel CONNECT. How to tell Squid - "Forward this
>>>> URL and this URL into peer, whenever HTTP or HTTPS"?
>>>
>>> disable sslbump (enable "splice") with proper ACLs:
>>> http://www.squid-cache.org/Doc/config/ssl_bump/
>



