[squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

Yuri Voinov yvoinov at gmail.com
Thu Sep 17 07:57:59 UTC 2015



17.09.15 10:50, Amos Jeffries wrote:
> On 17/09/2015 4:36 a.m., Yuri Voinov wrote:
>> Hm.
>>
>> If I understand correctly, the right configuration must be:
>>
>> # Privoxy+Tor access rules
>> never_direct allow CONNECT
>> never_direct allow tor_url
>>
>> # Local Privoxy is cache parent
>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>
>> cache_peer_access 127.0.0.1 allow tor_url
>> cache_peer_access 127.0.0.1 deny all
>>
>> Right?
>>
>> But:
>>
>> http://i.imgur.com/UMxt2vh.png
>>
>> Does CONNECT always require DIRECT?
> In the above yes. If you don't want that remove the never_direct for
> CONNECT as well.
>
>> I can't see FIRSTUP_PARENT for CONNECT in access log:
>>
>> 1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
>> torproject.org:443 - HIER_DIRECT/154.35.132.70 -
>> 1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
>> torproject.org:443 - HIER_DIRECT/38.229.72.16 -
>>
> Those appear to be CONNECT requests which got ssl_bump'ed, not passed on
> upstream. The access controls about how to pass things upstream are
> irrelevant for them.
>
>> Because of IPs banned by the ISP, direct CONNECT got a timeout.
>>
>> Also, all of the tor_url ACL can't connect.
>>
>> Where am I wrong?
> Where is the server IP coming from?
The server IP comes from the local DNS cache, which gets the right IP via dnscrypt.

In this case I was confused by the fact that CONNECT does not go
into the tunnel.

I've corrected the configuration a bit, but still no effect:

# SSL bump rules
sslproxy_cert_error allow all
ssl_bump none localhost
ssl_bump none url_nobump
ssl_bump none dst_nobump
ssl_bump server-first net_bump

# Privoxy+Tor access rules
never_direct allow tor_url

# And finally deny all other access to this proxy
http_access deny all

# -------------------------------------
# HTTP parameters
# -------------------------------------
# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

>
> Amos



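Added example, not part of the original thread or of Squid itself: a small audit of a native-format access.log that lists requests to domains meant for the Privoxy parent but logged with a direct hierarchy code, as in the two CONNECT lines quoted above. The contents of `TOR_DOMAINS` (standing in for the `tor_url` ACL, which the thread does not show), the function names and the last three sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Squid native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Assumption: domains the tor_url ACL is meant to cover (not listed in the thread).
TOR_DOMAINS = ("torproject.org",)
# Hierarchy codes meaning Squid contacted the origin itself, not a peer.
DIRECT_CODES = {"HIER_DIRECT", "ORIGINAL_DST"}

# First two lines are the ones quoted in the thread; the last three are constructed.
SAMPLE_LOG = """\
1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - HIER_DIRECT/154.35.132.70 -
1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - HIER_DIRECT/38.229.72.16 -
1442421000.100 850 127.0.0.1 TCP_MISS/200 5120 GET http://www.torproject.org/ - FIRSTUP_PARENT/127.0.0.1 text/html
1442421001.200 120 127.0.0.1 TCP_MISS/200 2048 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
1442421002.300 95 127.0.0.1 TCP_TUNNEL/200 4096 CONNECT blog.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
"""


def request_host(method, url):
    """CONNECT is logged as host:port; other methods are logged as a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def covered(host, domains=TOR_DOMAINS):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def bypassed_parent(log_text, domains=TOR_DOMAINS):
    """Return (ts, method, host, hierarchy, peer) for covered requests sent direct."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the native log format
        host = request_host(m["method"], m["url"])
        if covered(host, domains) and m["hier"] in DIRECT_CODES:
            hits.append((m["ts"], m["method"], host, m["hier"], m["peer"]))
    return hits
```

Calling `bypassed_parent(SAMPLE_LOG)` returns the two CONNECT entries from the thread and none of the constructed lines that went through the parent.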