[squid-users] Fixing Squid configuration for caching proxy?

Milos Dodic 2bearqloza at gmail.com
Thu Jan 28 18:34:34 UTC 2021 

I have redeployed everything, with most basic configuration, and use the
proposed config for ssl_bump.
The test server that goes through Squid now doesn't get tunneled, and
instead checks the cache. I get something like this
NONE/200
TCP_MISS/200

But I have noticed that the test server also doesn't cache anything, and
instead only looks at the cache.
So if I try to go for a file in S3, it says MISS, and after that, MISS
again, and I see no new objects in cache being created.
If I try the same thing from the proxy itself, I get the MISS, and the
object gets cached, as it should.
When I go back to the test server, and try again, it sees the object in
cache and returns TCP_MEM_HIT/200 instead.

Is there a specific configuration that I need to add/enable, in order to
have the server cache the objects, or am I making a mistake elsewhere
perhaps?
This is the entire config file:


visible_hostname squid
cache_dir ufs /test/cache/squid 10000 16 256

http_access allow localhost
http_access alow all

http_port 3128
http_port 3129 intercept
acl allowed_http_sites dstdomain .amazonaws.com
http_access allow allowed_http_sites

https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com

ssl_bump stare all
ssl_bump bump allowed_https_sites
ssl_bump terminate all




Thanks!

On Tue, Jan 26, 2021 at 9:14 PM Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> On 1/26/21 1:54 PM, Milos Dodic wrote:
>
> > when the test server goes for a picture I have stored somewhere in
> > the cloud, the squid access log shows "TCP_TUNNEL/200". But when I
> > try from the proxy itself with squidclient tool, I get
> > "TCP_MEM_HIT/200"
>
>
> Given the very limited information you have provided, I am guessing that
>
> * the primary tests opens a CONNECT tunnel through Squid
> * the squidclient test sends a plain text HTTP request to Squid
>
> The final origin server destination may be the same in both tests, but
> the two transactions are completely different from Squid point of view.
>
>
> > ssl_bump peek step1 all
> > ssl_bump peek step2 allowed_https_sites
> > ssl_bump splice step3 allowed_https_sites
> > ssl_bump terminate step3 all
>
>
> AFAICT, this configuration is splicing or terminating all TLS traffic.
> No bumping at all. If you want your Squid to bump TLS tunnels, then you
> have to have at least one "bump" rule!
>
> I do not know what your overall SslBump needs are, but perhaps you meant
> something like the following?
>
>     acl shouldBeBumped ssl::server_name .amazonaws.com
>
>     ssl_bump stare all
>     ssl_bump bump shouldBeBumped
>     ssl_bump terminate all
>
> Please do not use the configuration above until you understand what it
> does. Please see https://wiki.squid-cache.org/Features/SslPeekAndSplice
> for details.
>
> Depending on your environment, the http_access rules may need to be
> adjusted to allow CONNECT requests (to TLS-safe ports) to IP addresses
> that do not result in .amazonaws.com in reverse DNS lookups.
>
>
> HTH,
>
> Alex.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210128/b9ac4629/attachment.htm>

More information about the squid-users mailing list