[squid-users] Trying to set up SSL cache - solved!

Dave Blanchard dave at killthe.net
Thu Feb 24 18:24:35 UTC 2022


On Thu, 24 Feb 2022 11:08:48 -0500
Alex Rousskov <rousskov at measurement-factory.com> wrote:

> On 2/23/22 22:09, Dave Blanchard wrote:
> > OK--I solved the problem by removing the "ssl_bump bump all" line.
> > Works fine now.
> 
> > Damn, this proxy is a TOTAL PAIN IN THE ASS!! to configure. It seems
> > like 90% of the tutorials out there are junk, largely because things
> > keep changing from version to version, obsoleting them.
> 
> This email thread is a good example. The original ssl_bump config shared 
> in the beginning of the thread did not make sense at all. Squid bugs 
> notwithstanding, the implied second config (the one with "ssl_bump bump 
> all" line removed) should not cache any HTTPS transactions either. 
> However, folks will read this thread, copy the original config, maybe 
> remove the "bump" line, and expect things to "work" because the 
> "problem" was "solved" for somebody else.
> 

Sorry, it was irresponsible of me to forget to mention that I changed the 'peek' line to 'stare', and added in another line. The final config, not counting the other default config items which were left unchanged, is as follows:

# ssl-bump port; generate-host-certificates=on relies on the sslcrtd_program helper below.
# cert= and key= point at the same PEM file, so that file must hold both the CA
# certificate and its private key.
http_port 3128 ssl-bump \
               generate-host-certificates=on \
               dynamic_cert_mem_cache_size=32MB \
               cert=/path/to/cert.pem \
               key=/path/to/cert.pem

# Helper that mints the per-host certificates; -s is its on-disk database,
# -M the size cap for that database.
sslcrtd_program /usr/libexec/security_file_certgen -s /path/to/ssl_database -M 32MB

ssl_bump client-first all
ssl_bump stare all
ssl_bump splice localhost

(Note for any other confused noobs reading this: this configuration apparently requires Squid to be compiled with the --with-openssl and --with-ssl-crtd options on the 'configure' command line; or at least it did in older versions, and presumably still does.)

This final config works perfectly to cache SSL items, and has greatly increased the utility of my slow connection.

> 
> > Please add more concrete examples to the Wiki reference pages!
> 
> IMHO, SslBump is too nuanced/complex to be able to reuse simple 
> configurations without understanding their meaning. We should improve 
> documentation a lot, but it takes a village to do that, and "more 
> examples" is hardly the answer.
> 
> Alex.

Although I am sure the reference material is extremely valuable, as a non-expert I found it frustrating, as there are almost NO concrete examples on each reference page which SHOW the given config option being used in real-world configurations. This is a common problem with a lot of 'man' pages in the Linux world, for example, which have page after page of information that is essentially useless unless one is already an expert, or extremely tedious to parse through, because it does not give concrete examples.

On other sections of the wiki there are more explanatory texts showing various how-to scenarios, but again, I couldn't find a single one that showed this exact configuration here and briefly explained why/how it works, step by step according to what Squid is doing at each step. I ended up finding the key parts of the above config on a third-party tutorial page ("How I saved countless gigabytes of data with Squid caching" or something like that), while deleting several lines from that config which were apparently unneeded/outdated. Actually I thought I had read somewhere that the 'client-first' line is itself outdated, but Squid doesn't complain about it, so maybe not. Anyhow, it works.

I don't understand exactly *how* it works, because I don't have time to study all the internal workings of Squid at this time; just needed to quickly get a proxy up and running to solve this problem and move on to other work. As it was, I had like two dozen browser tabs open reading different things, only to slowly and painfully piece together what turns out to be a very simple config.

-- 
Dave Blanchard <dave at killthe.net>
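The disagreement above (a config that "works" versus one whose ssl_bump rules "do not make sense") comes down to two facts about how Squid evaluates ssl_bump: rules are tried in file order at every SslBump step, and the first rule whose ACLs match is the one selected, so any rule placed after `ssl_bump <action> all` can never be selected. The small linter below is an added example written for this page, not Squid project code. It takes a squid.conf fragment, joins backslash continuations, and reports legacy client-first/server-first actions, rules shadowed by an earlier `all` rule, and an ssl-bump port or certificate helper that is missing. It also checks `squid -v` output for the `--with-openssl` and `--enable-ssl-crtd` configure options the poster's note alludes to. The embedded inputs are the configuration posted in this thread plus a constructed `squid -v` line; the peek-then-bump contrast config follows the shape of the Squid wiki's SslPeekAndSplice examples and is not a recommendation for any particular deployment.

```python
"""Lint a squid.conf SslBump fragment for rule-ordering mistakes (added example)."""
import re

LEGACY_ACTIONS = {"client-first", "server-first"}   # pre-3.5 bumping modes
REQUIRED_BUILD_OPTIONS = ("--with-openssl", "--enable-ssl-crtd")

# Constructed sample: the fragment posted in the thread above.
POSTED_CONF = """\
http_port 3128 ssl-bump \\
               generate-host-certificates=on \\
               dynamic_cert_mem_cache_size=32MB \\
               cert=/path/to/cert.pem \\
               key=/path/to/cert.pem

sslcrtd_program /usr/libexec/security_file_certgen -s /path/to/ssl_database -M 32MB

ssl_bump client-first all
ssl_bump stare all
ssl_bump splice localhost
"""

# Constructed contrast: peek at step 1, then bump; localhost is spliced first.
PEEK_THEN_BUMP_CONF = """\
http_port 3128 ssl-bump generate-host-certificates=on cert=/path/to/cert.pem key=/path/to/cert.pem
sslcrtd_program /usr/libexec/security_file_certgen -s /path/to/ssl_database -M 32MB
acl step1 at_step SslBump1
ssl_bump splice localhost
ssl_bump peek step1
ssl_bump bump all
"""

# Constructed stand-in for `squid -v` output; version and option list are assumed.
SQUID_V_OUTPUT = """\
Squid Cache: Version 5.4
configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'
"""


def directives(conf):
    """Yield (name, args) per logical line: joins '\\' continuations, drops '#' comments."""
    joined = re.sub(r"\\\s*\n\s*", " ", conf)
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args


def lint_ssl_bump(conf):
    """Return (code, rule_number, message) findings; rule_number 0 = file-level."""
    findings, rules = [], []
    has_bump_port = has_certgen = wants_certgen = False
    for name, args in directives(conf):
        if name in ("http_port", "https_port"):
            has_bump_port |= "ssl-bump" in args
            wants_certgen |= "generate-host-certificates=on" in args
        elif name == "sslcrtd_program":
            has_certgen = True
        elif name == "ssl_bump":
            rules.append((args[0], args[1:]))

    if rules and not has_bump_port:
        findings.append(("no-bump-port", 0, "ssl_bump rules but no port carries the ssl-bump flag"))
    if wants_certgen and not has_certgen:
        findings.append(("no-certgen", 0, "generate-host-certificates=on needs sslcrtd_program"))

    shadowed_by = None   # number of the first rule whose ACL list is exactly `all`
    for n, (action, acls) in enumerate(rules, 1):
        if shadowed_by is not None:
            findings.append(("unreachable", n,
                             f"rule {n} ('{action} {' '.join(acls)}') is never selected: "
                             f"rule {shadowed_by} matches every transaction at every step"))
        if action in LEGACY_ACTIONS:
            findings.append(("legacy-action", n,
                             f"rule {n}: '{action}' is a pre-3.5 mode; use peek/stare, then bump/splice"))
        if acls == ["all"] and shadowed_by is None:
            shadowed_by = n
    return findings


def missing_build_options(squid_v_output, required=REQUIRED_BUILD_OPTIONS):
    """Return the required configure options absent from `squid -v` output."""
    present = set(re.findall(r"--[\w-]+", squid_v_output))
    return [opt for opt in required if opt not in present]


if __name__ == "__main__":
    for code, n, msg in lint_ssl_bump(POSTED_CONF):
        print(f"{code:14} {msg}")
    print("peek-then-bump findings:", lint_ssl_bump(PEEK_THEN_BUMP_CONF))
    print("missing build options:", missing_build_options(SQUID_V_OUTPUT))
```

Run against the posted fragment it reports one legacy action (rule 1) and two unreachable rules (rules 2 and 3), which is the concrete content of the "does not make sense" remark: the `stare` and `splice localhost` lines contribute nothing because `client-first all` is always selected first. The build-option check only reads text, so it works on `squid -v` output pasted from a remote box; it does not verify that the running binary is the one that was queried.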

