[squid-users] HTTPS cache for Java application - only getting TCP_MISS

Amos Jeffries squid3 at treenet.co.nz
Thu Jun 14 11:33:36 UTC 2018

On 14/06/18 07:44, Antony Stone wrote:
> On Wednesday 13 June 2018 at 21:28:27, baretomas wrote:
>> The calls from the application is done using ssl / https by telling java to
>> use Squid as a proxy (-Dhttps.proxyHost and -Dhttp.proxyHost).
> Okay, but...
>> http_port 3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB
>> cert=/cygdrive/c/squid/etc/squid/proxyCAx.pem
>> key=/cygdrive/c/squid/etc/squid/proxyCA.pem
>> # certificate generation program
>> sslcrtd_program /cygdrive/c/squid/lib/squid/ssl_crtd -s
>> /cygdrive/c/squid/var/cache/squid_ssldb -M 4MB
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
> Surely all this peeking and bumping is only needed if you're running Squid in 
> interception mode,

Not quite. SSL-Bump is interception of the TLS layer. Regular / forward
/ explicit proxies use it to decrypt the CONNECT messages transporting
HTTPS traffic through tunnels.

> whereas you've said that you've configured your Java 
> application to explicitly use Squid as a proxy?

The proxy port and SSL-Bump config is consistent with a SSL-Bumping
forward proxy.

I suspect the -Dhttp.proxyHost is probably the Java apps equivalent to
the Linux http_proxy environment variables we are more familiar with
seeing applications use to connect to that type of proxy.

> Have you tried your Squid configuration with a plain browser, configured to use 
> the proxy, with (a) a few random websites, and (b) the specific resource you're 
> trying to access from your Java application, to see whether it is actually 
> working as a caching proxy?

Good idea.


More information about the squid-users mailing list