[squid-users] Squid 4.x: Intermediate certificates downloader

Yuri Voinov yvoinov at gmail.com
Tue Jan 24 18:22:24 UTC 2017


Maybe this feature is mutually exclusive with the
sslproxy_foreign_intermediate_certs option?


25.01.2017 0:19, Yuri Voinov wrote:
> Mmmmmm, hardly.
>
> It downloads directly via the proxy from localhost:
>
> root @ khorne /patch # http_proxy=localhost:3128 curl http://repository.certum.pl/ca.cer
>
> root @ khorne /patch #
>
> root @ khorne /patch # wget -S http://repository.certum.pl/ca.cer
> --2017-01-24 23:59:54--  http://repository.certum.pl/ca.cer
> Connecting to 127.0.0.1:3128... connected.
> Proxy request sent, awaiting response...
>   HTTP/1.1 200 OK
>   Content-Type: text/plain; charset=UTF-8
>   Content-Length: 784
>   Last-Modified: Fri, 07 Mar 2014 10:05:14 GMT
>   ETag: "34231-310-63d6aa80"
>   X-Cached: MISS
>   Server: NetDNA-cache/2.2
>   X-Cache: HIT
>   Accept-Ranges: bytes
>   X-Origin-Date: Mon, 23 Jan 2017 06:12:38 GMT
>   Date: Tue, 24 Jan 2017 17:59:54 GMT
>   X-Cache-Age: 128836
>   X-Cache: HIT from khorne
>   X-Cache-Lookup: HIT from khorne:3128
>   Connection: keep-alive
> Length: 784 [text/plain]
> Saving to: 'ca.cer'
>
> ca.cer              100%[==================>]     784  --.-KB/s    in 0s
>
> 2017-01-24 23:59:54 (86.2 MB/s) - 'ca.cer' saved [784/784]
>
> As I understand, the downloader also accesses via localhost, right? So it
> should work.
>
> The download occurs either from localnet or from localhost.
>
>
> 25.01.2017 0:16, Alex Rousskov wrote:
>> On 01/24/2017 10:48 AM, Yuri Voinov wrote:
>>
>>> It seems 4.0.17 tries to download certs but gets a deny somewhere.
>>> However, the same URL with wget via the same proxy works.
>>> Why?
>> Most likely, your http_access or similar rules deny internal download
>> transactions but allow external ones. This is possible, for example, if
>> your access rules use client information. Internal transactions (ESI,
>> missing certificate fetching, Cache Digests, etc.) do not have an
>> associated client.
>>
>> The standard denial troubleshooting procedure applies here: Start with
>> finding out which directive/ACL denies access. I am _not_ implying that
>> this is easy to do.
>>
>>
>> HTH,
>>
>> Alex.
>>
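
Added example, not Squid's code and not from this thread: a Python model of Squid's first-match http_access evaluation, showing why a ruleset whose allow lines all depend on client (src) information denies a client-less internal fetch of the very URL that wget retrieves through the same proxy, and which line does the denying. The ACL names, the cert_repo dstdomain ACL (destination-based, so it matches without a client) and the addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Request:
    dst_host: str
    client_ip: Optional[str]  # None models an internal fetch, which has no client

# acl name -> (type, values); names and addresses are assumptions for this example
ACLS = {
    "localnet": ("src", ["192.168.0.0/16"]),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
    "cert_repo": ("dstdomain", ["repository.certum.pl"]),
    "all": ("all", []),
}

def acl_matches(name: str, req: Request) -> bool:
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        # No client address on an internal transaction: a src ACL can never match.
        if req.client_ip is None:
            return False
        return any(ip_address(req.client_ip) in ip_network(v) for v in values)
    if kind == "dstdomain":
        return any(req.dst_host == v or (v.startswith(".") and req.dst_host.endswith(v)) for v in values)
    raise ValueError(f"unsupported acl type {kind}")

def http_access(rules, req: Request):
    """First matching line wins and every ACL on the line must match.
    Returns (action, line_number) so the denying line can be identified;
    with no match, Squid applies the opposite of the last line's action."""
    for lineno, (action, names) in enumerate(rules, start=1):
        if all(acl_matches(n, req) for n in names):
            return action, lineno
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# Typical client-centred ruleset, then the same ruleset with a client-independent allow first.
DEFAULT_RULES = [("allow", ["localnet"]), ("allow", ["localhost"]), ("deny", ["all"])]
WITH_CERT_REPO = [("allow", ["cert_repo"])] + DEFAULT_RULES

if __name__ == "__main__":
    wget = Request("repository.certum.pl", "127.0.0.1")  # constructed: wget via localhost
    fetch = Request("repository.certum.pl", None)        # constructed: internal cert fetch
    print(http_access(DEFAULT_RULES, wget))    # ('allow', 2)
    print(http_access(DEFAULT_RULES, fetch))   # ('deny', 3)
    print(http_access(WITH_CERT_REPO, fetch))  # ('allow', 1)
```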


