<div dir="ltr"><p class="MsoNormal">Hi,<span></span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal">I am setting up a transparent proxy that is doing whitelist
work, and at the same time, doing the cache work.<span></span></p><p class="MsoNormal"><br></p><p class="MsoNormal">The whitelist works fine, HTTP cache verifed work cause I see TCP_MEM_HIT using this squid.conf, but don't see any HTTPS MEM HIT related log, every time seems a new connection.</p><p class="MsoNormal"><br></p>
<p class="MsoNormal">For HTTPS traffic, I am getting TCP_TUNNEL/200 all the time,
the question is, how can I tell that a HTTPS traffic is actually using cache, or in this case, it's not using cache at all for HTTPS. I am using forward-proxy port in cache_peer.<span></span></p><p class="MsoNormal"><br></p><p class="MsoNormal">I understand that there is logformat to make access.log show hostname instead of ip, but this should not effect the MEM HIT log, right?</p>
<p class="MsoNormal"><span> </span></p><p class="MsoNormal"><span>Meanwhile, I am also trying to setup the sibling cache cluster, not sure if this related to HTTPS cache, I am also getting </span>TCP_DENIED/403 for squid-internal-dynamic/netdb - HIER_NONE/- text/html. I do see sibling hit for HTTP site.</p><p class="MsoNormal"><br></p><p class="MsoNormal"><br></p><p class="MsoNormal"><span><br></span></p>
<p class="MsoNormal">Here is my squid version:<span></span></p>
<p class="MsoNormal">Squid Cache: Version 3.5.25<span></span></p>
<p class="MsoNormal">Service Name: squid<span></span></p>
<p class="MsoNormal">configure options: '--prefix=/usr'
'--includedir=/include' '--mandir=/share/man' '--infodir=/share/info'
'--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid3'
'--srcdir=.' '--without-libcap' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man'
'--enable-inline' '--enable-async-io' '--enable-icmp' '--enable-useragent-log'
'--enable-snmp' '--enable-cache-digests' '--enable-follow-x-forwarded-for'
'--enable-storeio=aufs' '--enable-removal-policies=heap,lru'
'--with-maxfd=16384' '--enable-poll' '--disable-ident-lookups' '--with-openssl'
'--enable-ssl-crtd' '--with-default-user=proxy'
'--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3'
'--with-pidfile=/var/run/squid3.pid' '--enable-linux-netfilter'<span></span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal">And my squid.conf<span></span></p>
<p class="MsoNormal"># Squid normally listens to port 3128</p><p class="MsoNormal">http_port 3130</p><p class="MsoNormal"><br></p><p class="MsoNormal">http_port 3128 intercept</p><p class="MsoNormal">acl allowed_http_sites dstdomain "/etc/squid3/whitelist.txt"</p><p class="MsoNormal">http_access allow allowed_http_sites</p><p class="MsoNormal"><br></p><p class="MsoNormal">https_port 3129 cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB</p><p class="MsoNormal">acl SSL_port port 443</p><p class="MsoNormal">http_access allow SSL_port</p><p class="MsoNormal">acl allowed_https_sites ssl::server_name "/etc/squid3/ssl_sites.txt"</p>
<p class="MsoNormal"><span> </span></p><p class="MsoNormal">#sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB</p><p class="MsoNormal">sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB</p><p class="MsoNormal"><br></p><p class="MsoNormal"><br></p><p class="MsoNormal">acl step1 at_step SslBump1</p><p class="MsoNormal">acl step2 at_step SslBump2</p><p class="MsoNormal">acl step3 at_step SslBump3</p><p class="MsoNormal">ssl_bump peek step1 all</p><p class="MsoNormal">ssl_bump peek step2 allowed_https_sites</p><p class="MsoNormal">ssl_bump splice step3 allowed_https_sites</p><p class="MsoNormal">ssl_bump terminate step2 all</p><p class="MsoNormal"><br></p><p class="MsoNormal">acl container_net src <a href="http://172.18.0.0/24">172.18.0.0/24</a></p><p class="MsoNormal">tcp_outgoing_address 10.0.8.41 container_net</p><p class="MsoNormal">udp_outgoing_address 10.0.8.41 container_net</p><p class="MsoNormal"></p><p class="MsoNormal">http_access allow container_net</p><p class="MsoNormal"><span><br></span></p><p class="MsoNormal">icp_port 3131</p><p class="MsoNormal">icp_access allow all</p><p class="MsoNormal">#never_direct allow all</p><p class="MsoNormal">cache_peer 10.0.8.48 sibling 3128 3131 proxy-only</p><p class="MsoNormal">#cache_peer_access 10.0.8.48 allow all</p><p class="MsoNormal"><br></p><p class="MsoNormal"><br></p><p class="MsoNormal"># Uncomment and adjust the following to add a disk cache directory.</p><p class="MsoNormal">hosts_file /etc/hosts</p><p class="MsoNormal">cache_replacement_policy heap LFUDA</p><p class="MsoNormal"><br></p><p class="MsoNormal">cache_dir aufs /var/spool/squid3 4000 16 256</p><p class="MsoNormal"></p><p class="MsoNormal">log_icp_queries off</p><p class="MsoNormal"><br></p><p class="MsoNormal"># Leave coredumps in the first cache dir</p><p class="MsoNormal">coredump_dir /var/spool/squid3</p><p class="MsoNormal"><br></p><p class="MsoNormal">#refresh_pattern ^https://.*\.raw.githubusercontent\.com/ 120000 100% 43200</p><p class="MsoNormal">refresh_pattern . 12000 90% 43200</p><p class="MsoNormal"><br></p><p class="MsoNormal">http_access deny all<br></p><p class="MsoNormal"><br></p><p class="MsoNormal"><br></p><p class="MsoNormal"><span><br></span></p>
<p class="MsoNormal">Thanks,<span></span></p>
<p class="MsoNormal">Lei<span></span></p></div>