[squid-users] Fixing Squid configuration for caching proxy?

Milos Dodic 2bearqloza at gmail.com
Tue Jan 26 18:54:50 UTC 2021


I am trying to have a setup where Squid is going to act as a transparent
forward proxy, with caching enabled. I am leaning on a setup like the one here:
https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/
(though I've tried a few similar ones as well).

The requirement is to have a transparent caching proxy on AWS, that will be
used to reduce the traffic that is being pulled from a remote company (the
data is being pulled on a schedule, while there are not many changes that
often). This traffic causes additional cost, and caching that on our proxy
on AWS could help us out a lot.


The issue I have is, when I configure everything, the test server that is
going through the proxy is not actually caching anything, while if I try a test
from the proxy itself (using squidclient) it does. So when the test server
goes for a picture I have stored somewhere in the cloud, the squid access
log shows "TCP_TUNNEL/200". But when I try from the proxy itself with the
squidclient tool, I get "TCP_MEM_HIT/200" (the first time it was MISS,
before it was cached), so caching works properly - I even see the new
folder being created for the cached content.

I have the rerouting rules added to iptables, source and destination check
is disabled (AWS setup), and overall, traffic is going as it should. I
assume I need to make some changes in the configuration, as that part is
where I had to copy most of the stuff, and have the least experience with. I've
generated the certificate as per the doc, and my config is mostly the same
as the one there:

(note, I have tried with multiple changes to this config, without success)

visible_hostname squid
cache_dir ufs /squid/cache 10000 16 256

# Handle HTTP requests
http_port 3128
http_port 3129 intercept
acl allowed_http_sites dstdomain .amazonaws.com
http_access allow allowed_http_sites

# Handle HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step3 all

http_access deny all


The cert and everything else is generated as per the guide (and a few
guides are very similar here when it comes to this part).
The whitelisting works, mostly everything else works too, so the only thing
missing is that squid is not caching things that are requested by the test server
and instead only passes them through. Any idea what configuration changes
I need in order to fix this? I guess I am doing something wrong with ssl
bump.

Thanks!
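As an added illustration, not part of the original post or the AWS guide: the "TCP_TUNNEL/200" entries come from the "ssl_bump splice" rule, because a spliced connection is passed through as opaque TLS bytes and Squid never sees an HTTP response it could store; squidclient run on the proxy itself uses the plain http_port, which is why those requests are cached. The fragment below is a hypothetical squid.conf that bumps the whitelisted HTTPS sites instead; it assumes Squid 4 or later, that /etc/squid/ssl/squid.pem is a CA certificate which the test server has installed in its trust store, and the helper path of a RHEL-style package.

```conf
# Hypothetical squid.conf fragment (added example, not the poster's config).
# Assumes Squid 4+ and that /etc/squid/ssl/squid.pem is a CA cert+key that the
# test server trusts; without that trust, clients will reject the bumped sites.
visible_hostname squid
cache_dir ufs /squid/cache 10000 16 256

# Plain HTTP (explicit on 3128, intercepted on 3129) is unchanged.
http_port 3128
http_port 3129 intercept
acl allowed_http_sites dstdomain .amazonaws.com
http_access allow allowed_http_sites

# generate-host-certificates lets Squid mint a per-site leaf cert signed by the
# CA in squid.pem; sslcrtd_program is the helper that signs them. Its path
# varies by distro, and the ssl_db directory must be created once with:
#   security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# peek at step1 reads the client hello (SNI) without committing either way.
# stare at step2 reads the server certificate while keeping bumping possible;
# peek at step2 (as in the original config) keeps splicing possible but rules
# out bumping, so step3 can only splice -> TCP_TUNNEL and nothing cached.
ssl_bump peek step1 all
ssl_bump stare step2 allowed_https_sites
ssl_bump bump step3 allowed_https_sites
ssl_bump terminate step3 all

http_access deny all
```

Even when bumped, Squid stores only responses the origin marks cacheable (Cache-Control, Expires or validators), so confirm the change by watching access.log move from TCP_TUNNEL to TCP_MISS followed by TCP_HIT or TCP_MEM_HIT for the same object.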