[squid-users] Is there any way to cache or forward https requests to an http proxy using Squid?
Brett Anderson
brett.anderson.ftw at gmail.com
Thu Sep 20 21:26:09 UTC 2018
Thank you!
I reverted back to:
ssl_bump peek step1
ssl_bump bump all
And then based on that first link you sent me I rebuilt my Squid instance from
https://github.com/measurement-factory/squid/tree/SQUID-360-peering-for-SslBump
Then tested and I think it's working now?
From my access log:
# testing https
# first request
1537477894.828 310 172.27.0.3 NONE/200 0 CONNECT foo.com:443 - FIRSTUP_PARENT/64.58.117.175 -
1537477895.645 797 172.27.0.3 TCP_MISS/200 32374 GET https://foo.com/js/bootstrap.min.js - FIRSTUP_PARENT/64.58.117.175 application/javascript
# second request
1537477899.009 336 172.27.0.3 NONE/200 0 CONNECT foo.com:443 - FIRSTUP_PARENT/64.58.117.175 -
1537477899.019 0 172.27.0.3 TCP_MEM_HIT/200 32384 GET https://foo.com/js/bootstrap.min.js - HIER_NONE/- application/javascript
# testing http
# first request
1537477956.088 1051 172.27.0.3 TCP_MISS/200 28203 GET http://websites.web.com/ - FIRSTUP_PARENT/64.58.117.175 text/html
# second request
1537477957.888 2 172.27.0.3 TCP_MEM_HIT/200 28198 GET http://websites.web.com/ - HIER_NONE/- text/html
Should I change anything else for more improvement? Should I build from the
master or a more recent branch of https://github.com/measurement-factory
<https://github.com/measurement-factory/squid/tree/SQUID-360-peering-for-SslBump>
?
Thanks again!
B.
On Thu, Sep 20, 2018 at 12:47 PM Alex Rousskov <
rousskov at measurement-factory.com> wrote:
> On 09/20/2018 12:36 PM, Brett wrote:
> > I currently have squid setup to use a self-signed certificate for MITM to
> > cache HTTPS requests. This works. [...]
>
> > Is there a way I can configure squid so I can specify
> > it as a proxy for an https request and then have it act as a cache or
> > forward to an HTTP proxy (that supports CONNECT)?
>
> AFAICT, you are asking about the missing "SslBump with cache_peer"
> feature, which was covered in several recent threads, including this email:
>
> http://lists.squid-cache.org/pipermail/squid-users/2018-July/018653.html
>
>
> > ssl_bump peek step1
> > ssl_bump bump all
>
> This configuration bumps everything at step2.
>
>
> > If I change the ssl_bump directives above to the following:
>
> > ssl_bump stare step2
> > ssl_bump bump step3
>
> This (misleading!) configuration should splice everything at step1. In
> other words, it should be equivalent to this (clear) configuration:
>
> ssl_bump splice all
>
> or a disabled SslBump. According to your tests, that is exactly what
> happens (and the lack of non-trivial SslBump involvement probably
> explains why peering works in this corner case).
>
>
> If you need more information about the equivalence of the last two
> configurations, please consider studying the following wiki page and a
> related recent email thread:
>
> * https://wiki.squid-cache.org/Features/SslPeekAndSplice
> * http://lists.squid-cache.org/pipermail/squid-users/2018-September/019162.html
>
>
> HTH,
>
> Alex.
>
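Added example, not part of the original thread: one way to check an access log like the one in the message above for whether bumped HTTPS requests are forwarded through the parent peer and later served from cache. The function names are hypothetical, and the sample is the log excerpt from the message with the mail line wraps undone.

```python
import re

# Squid native access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Log lines from the message above, with the mail client's line wraps undone.
SAMPLE = """\
1537477894.828 310 172.27.0.3 NONE/200 0 CONNECT foo.com:443 - FIRSTUP_PARENT/64.58.117.175 -
1537477895.645 797 172.27.0.3 TCP_MISS/200 32374 GET https://foo.com/js/bootstrap.min.js - FIRSTUP_PARENT/64.58.117.175 application/javascript
1537477899.009 336 172.27.0.3 NONE/200 0 CONNECT foo.com:443 - FIRSTUP_PARENT/64.58.117.175 -
1537477899.019 0 172.27.0.3 TCP_MEM_HIT/200 32384 GET https://foo.com/js/bootstrap.min.js - HIER_NONE/- application/javascript
1537477956.088 1051 172.27.0.3 TCP_MISS/200 28203 GET http://websites.web.com/ - FIRSTUP_PARENT/64.58.117.175 text/html
1537477957.888 2 172.27.0.3 TCP_MEM_HIT/200 28198 GET http://websites.web.com/ - HIER_NONE/- text/html
"""

def source(rec):
    """Where the response came from, judged by result and hierarchy codes."""
    if "HIT" in rec["result"] and rec["hier"] == "HIER_NONE":
        return "cache"    # answered locally, nothing forwarded
    if "PARENT" in rec["hier"]:
        return "parent"   # forwarded to a cache_peer parent
    if rec["hier"] == "HIER_DIRECT":
        return "direct"   # forwarded straight to the origin server
    return "other"

def summarize(log_text):
    """Return (method, url, bumped, source) for every parseable line."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip annotations and malformed lines
        rec = m.groupdict()
        # A non-CONNECT request with an https:// URL is only logged when
        # Squid decrypted (bumped) the connection.
        bumped = rec["method"] != "CONNECT" and rec["url"].startswith("https://")
        rows.append((rec["method"], rec["url"], bumped, source(rec)))
    return rows

def bumped_not_via_parent(rows):
    """Bumped requests that went straight to the origin instead of the peer."""
    return [r for r in rows if r[2] and r[3] == "direct"]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
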