[squid-users] Clarity on sending intercepted HTTPS traffic upstream to a cache_peer

Charlie Orford charlie at charlie.is
Sun Jan 29 11:34:25 UTC 2017


On 28/01/2017 17:47, Alex Rousskov wrote:
>
>> Our design goal is: intercept and bump local client https traffic on
>> squid1 (so we can filter certain urls, cache content etc.) and then
>> forward the request on to the origin server via an upstream squid2
>> (which has internet access).
> Understood. Squid can be enhanced to do what you want. There is nothing
> fundamentally impossible in what you are describing AFAICT. We need to
> add an insecure peer connector, and then using that connector code on
> the regular request forwarding path. The low-level code to do that
> already exists in tunnel.cc, but needs to be refactored/moved. This is
> an architecturally challenging work, but it is certainly doable.
>
> After those Squid modifications, in the simplest case (ignoring that you
> cannot bump some sites and that you may not want to bump some of the
> clients either), your squid1 configuration would be something like this:
>
>    ssl_bump stare all
>    ssl_bump bump all
>
> Your squid2 will not do SslBump. In fact, to achieve the stated goal,
> squid2 does not need to support SSL at all -- it can blindly forward
> [encrypted] traffic from squid1 to the internet.
>
> Your next steps to make the above happen are outlined at
> http://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F
>
>
>> http://lists.squid-cache.org/pipermail/squid-users/2015-November/007955.html
>> seems to have successfully done this but I can't replicate it.
> The configuration posted at the above URL is broken because it does not
> tell Squid what to do after step1. If it did work, it was a bug like,
> for example, bug 3209. Most likely, Squid just spliced everything (as
> you suspect). Ignore that email. To learn why that configuration makes
> no sense, study http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
>
> HTH,
>
> Alex.
>

Thanks Alex and Amos for your thoughtful replies; they've given me the
clarity I was seeking.

In terms of next steps, patching this functionality into Squid is
certainly well beyond my skill level. Sponsorship of the work may be
possible but not something I could arrange quickly. I'll see how viable
this is and get in contact with Measurement Factory directly if I'm able
to secure the budget.

Kind regards,
Charlie