[squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

Yuri Voinov yvoinov at gmail.com
Thu Sep 17 11:13:33 UTC 2015



17.09.15 16:18, Amos Jeffries пишет:
> On 17/09/2015 7:57 p.m., Yuri Voinov wrote:
>>
>> 17.09.15 10:50, Amos Jeffries пишет:
>>> On 17/09/2015 4:36 a.m., Yuri Voinov wrote:
>>>> Hm.
>>>>
>>>> If I understand correctly, the right configuration must be:
>>>>
>>>> # Privoxy+Tor access rules
>>>> never_direct allow CONNECT
>>>> never_direct allow tor_url
>>>>
>>>> # Local Privoxy is cache parent
>>>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>>>
>>>> cache_peer_access 127.0.0.1 allow tor_url
>>>> cache_peer_access 127.0.0.1 deny all
>>>>
>>>> Right?
>>>>
>>>> But:
>>>>
>>>> http://i.imgur.com/UMxt2vh.png
>>>>
>>>> Is CONNECT always requires DIRECT?
>>> In the above yes. If you don't want that remove the never_direct for
>>> CONNECT as well.
>>>
>>>> I can't see FIRSTUP_PARENT for CONNECT in access log:
>>>>
>>>> 1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
>>>> torproject.org:443 - HIER_DIRECT/154.35.132.70 -
>>>> 1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
>>>> torproject.org:443 - HIER_DIRECT/38.229.72.16 -
>>>>
>>> Those appear to be CONNECT requests which got ssl_bump'ed, not passed on
>>> upstream. The access controls about how to pass things upstream are
>>> irrelevant for them.
>>>
>>>> Because of IP's banned by ISP, direct CONNECT got timeout.
>>>>
>>>> Also, all rot_url ACL can't connect.
>>>>
>>>> Where I'm wrong?
>>> Where is the server IP coming from?
>> Server IP comes from local DNS cache, which is got right IP via dnscrypt.
>>
>> I was in this case confused by the fact that CONNECT and does not go
>> into the tunnel.
>>
>> I've correct configuration a bit, but still no effect:
>>
>> # SSL bump rules
>> sslproxy_cert_error allow all
>> ssl_bump none localhost
>> ssl_bump none url_nobump
>> ssl_bump none dst_nobump
>> ssl_bump server-first net_bump
>>
> Ah. Right I forget this is 3.4 you are talking about.
>
> server-first bumping requires a SSL/TLS server to get the cert details
> from. Your cache_peer is not one of those servers, and ssl-bump through
> a peer is a 3.5 feature. What happens in 3.4 is a mandatory DIRECT
> connection.
This evening will try to test this on 3.5.7 WIn64 on my notebook. 
Yesterday I can't achieve this on 3.5.7. Will try.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users



More information about the squid-users mailing list