[squid-users] FW: squid proxy 3.5 redhat 7.3

Madonna, A. (spir-it) A.Madonna at rechtspraak.nl
Fri Jun 2 07:37:54 UTC 2017


Hello Alex,

Our setup is as follows:

Clients -> squid proxy -> internet.
This works with the config as previously mentioned.

Clients -> squid proxy (with cache_peer) -> Parent Proxy (not Squid) -> internet

Does not work.

However, I've also set up the following:

Clients -> Squid Proxy (with cache_peer) -> Parent Proxy (Squid Proxy) -> internet

This seems at least to work for HTTP traffic, however, I don't see any HTTPS traffic coming into the Parent Proxy (Squid).

Now this morning I will do some more tcpdumping to see where that traffic is going, but maybe you can already shed some light on this?


Kind regards,

-----Original message-----
From: Alex Rousskov [mailto:rousskov at measurement-factory.com]
Sent: Thursday, 1 June 2017 18:49
To: Madonna, A. (spir-it) <A.Madonna at rechtspraak.nl>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] squid proxy 3.5 redhat 7.3

On 06/01/2017 10:09 AM, Madonna, A. (spir-it) wrote:
> can we use ssl_bump to intercept https traffic with a parent proxy (cache_peer).

IIRC, you may be able to use limited SslBump features, but not the full SslBump functionality: Peeking or staring at the origin server through a cache_peer is not supported (yet).


> ssl_bump peek step1
> cache_peer ... parent 8080 0 no-query no-netdb-exchange no-digest

Bugs notwithstanding, the above combination should work because peeking at step1 does not require communication with a cache_peer and splicing at step2 should follow the regular (non-SslBump) tunneling path for CONNECTs, where modern Squids do support cache peers.


I recommend that you make everything work without a cache_peer and then add a cache_peer.

Alex.


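The question raised in this thread, whether CONNECT (HTTPS) requests actually leave the child Squid through the cache_peer, can also be checked from the child's access.log, which records a hierarchy code for every request. The following is an added example, not part of the original messages: it assumes the default native "squid" logformat, the sample log lines are constructed, and the function name `connect_paths` is hypothetical.

```python
from collections import Counter

# Constructed sample lines in Squid's default "squid" access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1496389074.101    212 10.1.1.5 TCP_MISS/200 3120 GET http://www.example.com/ - FIRSTUP_PARENT/192.0.2.10 text/html
1496389075.412   5043 10.1.1.5 TCP_TUNNEL/200 8211 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1496389080.007   1220 10.1.1.6 TCP_TUNNEL/200 4410 CONNECT mail.example.org:443 - FIRSTUP_PARENT/192.0.2.10 -
1496389081.550     30 10.1.1.6 TCP_TUNNEL/503 0 CONNECT down.example.net:443 - HIER_NONE/- -
this line is truncated
"""


def connect_paths(lines):
    """Classify each logged CONNECT by the path Squid chose for it.

    Returns (counts, direct_targets): counts maps "parent", "direct" and
    "other" to the number of CONNECT requests; direct_targets lists the
    host:port values that bypassed the cache_peer.
    """
    counts = Counter()
    direct_targets = []
    for line in lines:
        fields = line.split()
        # The native format has 10 whitespace-separated fields; skip
        # malformed lines and every method other than CONNECT.
        if len(fields) < 10 or fields[5] != "CONNECT":
            continue
        target = fields[6]
        hier_code = fields[8].split("/", 1)[0]
        if "PARENT" in hier_code:        # e.g. FIRSTUP_PARENT
            path = "parent"
        elif hier_code.endswith("DIRECT"):  # e.g. HIER_DIRECT
            path = "direct"
            direct_targets.append(target)
        else:                            # e.g. HIER_NONE (no server contacted)
            path = "other"
        counts[path] += 1
    return dict(counts), direct_targets


if __name__ == "__main__":
    counts, direct = connect_paths(SAMPLE_LOG.splitlines())
    print("CONNECT requests by path:", counts)
    print("Tunnels that bypassed the parent:", direct)
```

A non-empty list of direct targets on the child proxy means those tunnels never reached the parent, which matches the symptom of seeing no HTTPS traffic there.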