[squid-users] Problems with peek and slice through parent proxy

Kedar K mailbox.kedar at gmail.com
Wed Jul 11 13:43:55 UTC 2018


On Wed, Jul 11, 2018 at 7:03 PM Hess, Niklas <Niklas.Hess at webit-wetterau.de>
wrote:

> Hello list,
>
>
>
> I'm setting up a Squid proxy specifically to scan the incoming traffic
> from a cloud platform.
>
> ClamAV should scan the incoming traffic.
>
>
>
> So far so good.
>
>
>
> The cloud uses WebDAV over HTTPS, so I have to SSL-Bump the incoming
> traffic via Peek and Splice Feature.
>
> That works indeed with the CA signed internal Certificate.
>
>
>
> But as soon as I add a cache_peer as a “parent proxy” it does not work.
> (This request could not be forwarded to the origin server or to any parent
> caches.)
>
> I just get “FwdState.cc(813) connectStart: fwdConnectStart: Ssl bumped
> connections through parent proxy are not allowed” in the cache.log
>
>
>
> And yes, I know ssl-bump through a parent proxy is a security issue and
> might be insecure, but the connection to the parent is internal, safe and
> secure.
>
> I don't know how, but could there be a way to "comment out" the section in
> the fwdConnectStart source file?
>
>
>
> Squid Cache: Version 3.5.27
>
> Service Name: squid
>
> configure options:  '--with-openssl' '--enable-ssl-crtd'
>
>
>
>
>
> Here's my "minimal" SSL-Bump config:
>
>
>
> ### Start config
>
>
>
> debug_options ALL,6
>
> shutdown_lifetime 1 seconds
>
>
>
> http_port 8080 ssl-bump cert=/usr/local/squid/etc/ssl_cert/Squidtest.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
>
>
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>
> sslcrtd_children 25 startup=5 idle=10
>
>
>
> cache_peer 10.106.3.66 parent 8080 0 no-query no-digest name=parent
>
>
>
> never_direct allow all
>
>
>
> sslproxy_cert_error allow all
>
> sslproxy_flags DONT_VERIFY_PEER
>
>
>
> ssl_bump bump all
>
Did you forget to copy the at_step acls?

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3



>
>
> http_access allow all
>
>
>
>
>
> ### End config
>
>
>
> Thanks for any help!
>
> Niklas
>
>
>
> Trainee Niklas Hess
> *Application Management Team*
>
> *Eigenbetrieb Informationstechnologie des Wetteraukreises*
> 61169 Friedberg
> Europaplatz
> Gebäude B
> Tel.: 06031 83-6526
> Mobile:
> Fax: 06031 83-916526
> www.wetteraukreis.de
>
> Information on data protection is available on our data protection page
> www.datenschutz.wetterau.de
> This e-mail contains confidential and/or legally protected information. If
> you are not the intended recipient, please inform the sender immediately
> and destroy this e-mail. Unauthorized copying or forwarding of this e-mail
> is not permitted.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


-- 

- Kedar
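
As an added illustration that is not part of the thread above (and not the Squid project's own documentation), here is the peek-and-splice ladder that the at_step ACLs make possible, built on the paths, port and cache_peer from the posted config. The scan_targets host list (.example.com), the localnet range (10.0.0.0/8) and the always_direct line are assumptions made for the example. Two points from the thread shape it: the quoted cache.log line shows that this 3.5.27 build refuses to send a bumped request to a cache_peer, so any host that is bumped has to be reachable without the parent (always_direct overrides never_direct for those hosts), while spliced connections are ordinary CONNECT tunnels and can still be forwarded to the parent; and the posted "sslproxy_cert_error allow all" plus "sslproxy_flags DONT_VERIFY_PEER" lines switch off validation of the origin server's certificate, so they are left out here.

```squid
# Added example, not from the thread: peek-and-splice ladder for Squid 3.5
# with the at_step ACLs. Paths, port and cache_peer are taken from the
# posted config; scan_targets, localnet and always_direct are assumptions.

http_port 8080 ssl-bump cert=/usr/local/squid/etc/ssl_cert/Squidtest.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 25 startup=5 idle=10

# Without these ACLs there is no way to say which ssl_bump rule applies
# at which step of the TLS handshake.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Hypothetical: the cloud platform hosts whose traffic must be decrypted
# for ClamAV. ssl::server_name matches the SNI seen during step 1.
acl scan_targets ssl::server_name .example.com

# Hypothetical client network; the posted config used "http_access allow all".
acl localnet src 10.0.0.0/8

# Step 1: peek at the ClientHello so the SNI is known, commit to nothing.
ssl_bump peek step1
# Step 2: decrypt only the scan targets (the generated certificate is based
# on the SNI, not on the origin's certificate); splice everything else as an
# opaque tunnel that Squid does not decrypt.
ssl_bump bump scan_targets
ssl_bump splice all

cache_peer 10.106.3.66 parent 8080 0 no-query no-digest name=parent

# Assumption: the scan targets are reachable without the parent. Bumped
# requests cannot be sent to a cache_peer in this build (see the quoted
# cache.log line), and always_direct overrides never_direct for these hosts;
# spliced CONNECT tunnels still go through the parent.
always_direct allow scan_targets
never_direct allow all

http_access allow localnet
http_access deny all
```

Run "squid -k parse" against the file before reloading; it reports unknown ACL types and ssl_bump rules that reference undefined ACLs, which is the class of mistake the reply above points at.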

