[squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

Yuri Voinov yvoinov at gmail.com
Tue Sep 15 19:24:21 UTC 2015


Here is my testing config from the test system. This is the original
configuration, which works well with HTTP but not with HTTPS.

I've tried permitting CONNECT access to the cache_peer, configuring the cache_peer as
ssl, splicing the forwarded URLs... without any result.

When I've turned the URL to the cache_peer,
access.log shows this:

1442336013.594   8060 127.0.0.1 TCP_TUNNEL/200 6833 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336013.924  10802 127.0.0.1 TCP_TUNNEL/200 31810 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.157   9315 127.0.0.1 TCP_TUNNEL/200 29088 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.157   8664 127.0.0.1 TCP_TUNNEL/200 22643 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.252   8677 127.0.0.1 TCP_TUNNEL/200 10701 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.256   8678 127.0.0.1 TCP_TUNNEL/200 42904 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -

but nothing happens. The IPs for this URL are banned by the ISP. So, the CONNECT gets
no answer. And the site is strict HTTPS. Note: Bump can't start because the
server does not answer the CONNECT.

In some variants, whenever HTTP goes into the cache_peer with ssl enabled,
Squid dies:

2015/09/15 23:24:27 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"

In most cases Squid simply stops working.

The always_direct state has no visible effect and doesn't matter.
Excluding/including the forwarded URL in the splice directive doesn't matter either.

I can't see any other error.

So, it will be interesting: is it possible to forward HTTP/HTTPS for a
specified URL to the cache_peer without decrypting?

And I do not understand how to make this correctly.

16.09.15 0:15, Matus UHLAR - fantomas writes:
> On 15.09.15 23:42, Yuri Voinov wrote:
>> I asked a specific question. How Squid works as a whole, I am well
>> aware of. Before asking a question, I tried everything that seemed right. And
>> I asked, hoping to get a specific answer or an intelligible explanation,
>> not common words and sentences telling me to read the manual. Did I outline the
>> position clearly enough?
>
> so, have you tried cache_peer with dst acl or have you not?
>
>> If you do not know the exact answer - it is better to remain silent.
>
> you did not provide enough information, you did not tell what you did, you
> did not mention basic information like using sslbump, and now you are
> telling me not to even try to help you?
>
> with this attitude I will just ignore you next time, no matter if I can
> help you or not.

-------------- next part --------------
# -------------------------------------
# ACL's
# -------------------------------------
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

# No-cache ACLs
acl dont_cache dstdomain rulesofwargame.com imgur.com

# Privoxy+Tor acl
acl tor_url url_regex "C:/Squid/etc/squid/url.tor"

# -------------------------------------
# Access parameters
# -------------------------------------
# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

# Rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# Cache directives
cache deny dont_cache

# Hide internal networks details outside
forwarded_for delete
via off

# Disable alternate protocols
reply_header_access Alternate-Protocol deny all
# Disable HSTS
reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
# Normalize Vary to reduce duplicates
reply_header_access Vary deny all
reply_header_replace Vary Accept-Encoding

# SSL bump rules
# NOTE: "allow all" here makes Squid accept any server certificate error,
# i.e. upstream certificate validation is effectively disabled
sslproxy_cert_error allow all
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
ssl_bump splice NoSSLIntercept
ssl_bump bump all

# Privoxy+Tor access rules
never_direct allow tor_url
always_direct deny tor_url
always_direct allow all

# And finally deny all other access to this proxy
http_access deny all

# -------------------------------------
# HTTP parameters
# -------------------------------------

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

# Don't cache 404 long time
negative_ttl 5 minutes
positive_dns_ttl 15 hours
negative_dns_ttl 15 minutes

# -------------------------------------
# Cache parameters
# -------------------------------------
# Squid normally listens to port 3128
# dhparams= file containing DH parameters for temporary/ephemeral DH key
# exchanges (see the OpenSSL documentation on how to create it).
# WARNING: EDH ciphers will be silently disabled if this option is not set.
http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/rootCA.crt key=/etc/squid/rootCA.key options=NO_SSLv3 dhparams=/etc/squid/dhparam.pem
sslproxy_cafile /etc/ssl/certs/ca-bundle.trust.crt
sslproxy_options NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /lib/squid/ssl_crtd -s /var/cache/squid_ssldb -M 4MB

# Turn off collect per-client statistics
client_db off

# Do not show Squid version
httpd_suppress_version_string on

# Specify local DNS cache
dns_nameservers 127.0.0.1

visible_hostname cthulhu_jr

dns_v4_first on

# -------------------------------------
# Store parameters
# -------------------------------------
# Uncomment and adjust the following to add a disk cache directory
cache_dir aufs D:/squid/var/cache 8192 16 256

# -------------------------------------
# Memory parameters
# -------------------------------------
cache_mem 256 MB
maximum_object_size_in_memory 5 MB
maximum_object_size 4 GB
memory_pools_limit 100 MB

# -------------------------------------
# Tuning parameters
# -------------------------------------
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA

# Default is 20
store_objects_per_bucket 128

# Shutdown delay before terminate connections
shutdown_lifetime 1 second

# -------------------------------------
# Process/log parameters
# -------------------------------------
# Access log
access_log daemon:D:/squid/var/logs/access.log squid

logfile_rotate 5

# Cache log
cache_log D:/squid/var/logs/cache.log

# Store log
cache_store_log none

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Buffered logs. Default is off
buffered_logs on

strip_query_terms off

# -------------------------------------
# Content parameters
# -------------------------------------
quick_abort_min 100 KB
quick_abort_max 1 MB
quick_abort_pct 80

# Keep swf in cache
refresh_pattern -i \.swf$	10080	100%	43200	override-expire reload-into-ims ignore-private
# .NET cache
refresh_pattern -i \.((a|m)s(h|p)x?)$		10080	100%	43200	reload-into-ims ignore-private
# Other long-lived items
refresh_pattern -i \.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|svg|webp|flv|f4f|mp4|ttf|eot|woff)(\?.*)?$	14400	99%	518400	 override-expire ignore-reload reload-into-ims ignore-private ignore-must-revalidate
refresh_pattern -i \.((cs|d?|m?|p?|r?|s?|w?|x?|z?)h?t?m?(l?)|(c|x|j)ss|js(t?|px)|php(3?|5?)|rss|atom|vr(t|ml))(\?.*)?$	10080	90%	86400	override-expire override-lastmod reload-into-ims ignore-private ignore-must-revalidate
# Default patterns
refresh_pattern -i (/cgi-bin/|\?)	0	0%	0
refresh_pattern	.	0	20%	10080	override-lastmod reload-into-ims ignore-private
##
-------------- next part --------------
^https?.*archive\.org.*
^https?.*livejournal\.com.*
#^https?.*wordpress\.com.*
#^https?.*youtube.*
#^https?.*ytimg.*
#^https?.*googlevideo.*
#^https?.*google.*
#^https?.*googleapis.*
#^https?.*googleusercontent.*
#^https?.*gstatic.*
#^https?.*gmodules.*
#^https?.*blogger.*
#^https?.*blogspot.*
#^https?.*facebook.*
#^https?.*fb.*
https?.*torproject.*
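As an added example (not from the original post or from the Squid project), a small Python parser for the native-format access.log lines quoted above; it groups CONNECT tunnels by the hierarchy code and peer Squid chose, which is the quickest way to confirm from the log whether a CONNECT was handed to the cache_peer (FIRSTUP_PARENT) or went direct. The HIER_DIRECT and TCP_DENIED sample lines are constructed.

```python
"""Parse Squid native access.log lines and summarise how CONNECT tunnels were routed."""
import re
from collections import defaultdict

# Squid native format (access_log ... squid):
#   time elapsed client code/status bytes method url ident hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Two lines copied from the post plus two constructed ones (a direct tunnel and
# a denied CONNECT) so the summary shows more than one routing outcome.
SAMPLE_LOG = """\
1442336013.594   8060 127.0.0.1 TCP_TUNNEL/200 6833 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336013.924  10802 127.0.0.1 TCP_TUNNEL/200 31810 CONNECT www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336020.001    120 127.0.0.1 TCP_TUNNEL/200 5120 CONNECT example.net:443 - HIER_DIRECT/198.51.100.7 -
1442336021.500      0 127.0.0.1 TCP_DENIED/403 3903 CONNECT example.net:8080 - HIER_NONE/- text/html
"""


def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def connect_routing(log_text):
    """Group CONNECT requests by (hierarchy code, peer) -> {"count", "bytes"}.

    FIRSTUP_PARENT/<peer> means the tunnel was handed to a cache_peer (never_direct
    or cache_peer_access matched); HIER_DIRECT means Squid contacted the origin itself.
    """
    summary = defaultdict(lambda: {"count": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        key = (rec["hier"], rec["peer"])
        summary[key]["count"] += 1
        summary[key]["bytes"] += rec["bytes"]
    return dict(summary)


if __name__ == "__main__":
    for (hier, peer), stats in sorted(connect_routing(SAMPLE_LOG).items()):
        print(f"{hier}/{peer}: {stats['count']} CONNECT(s), {stats['bytes']} bytes")
```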

