[squid-users] Clarity on sending intercepted HTTPS traffic upstream to a cache_peer

Alex Rousskov rousskov at measurement-factory.com
Sat Jan 28 17:47:00 UTC 2017


On 01/27/2017 05:32 PM, Charlie Orford wrote:
> Obviously it makes no sense
> intercepting ssl traffic if we're going to splice everything.

It actually does make a lot of sense in many environments, but not
necessarily yours.


> Our design goal is: intercept and bump local client https traffic on
> squid1 (so we can filter certain urls, cache content etc.) and then
> forward the request on to the origin server via an upstream squid2
> (which has internet access).

Understood. Squid can be enhanced to do what you want. There is nothing
fundamentally impossible in what you are describing AFAICT. We need to
add an insecure peer connector, and then use that connector code on
the regular request forwarding path. The low-level code to do that
already exists in tunnel.cc, but needs to be refactored/moved. This is
architecturally challenging work, but it is certainly doable.

After those Squid modifications, in the simplest case (ignoring that you
cannot bump some sites and that you may not want to bump some of the
clients either), your squid1 configuration would be something like this:

  ssl_bump stare all
  ssl_bump bump all

Your squid2 will not do SslBump. In fact, to achieve the stated goal,
squid2 does not need to support SSL at all -- it can blindly forward
[encrypted] traffic from squid1 to the internet.

Your next steps to make the above happen are outlined at
http://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


> http://lists.squid-cache.org/pipermail/squid-users/2015-November/007955.html
> seems to have successfully done this but I can't replicate it.

The configuration posted at the above URL is broken because it does not
tell Squid what to do after step1. If it did work, it was a bug like,
for example, bug 3209. Most likely, Squid just spliced everything (as
you suspect). Ignore that email. To learn why that configuration makes
no sense, study http://wiki.squid-cache.org/Features/SslPeekAndSplice


HTH,

Alex.