<div dir="ltr"><div dir="ltr">Thank you!<br><br>I reverted back to:<br><br><span style="color:rgb(80,0,80)">ssl_bump peek step1<br></span><span style="color:rgb(80,0,80)">ssl_bump bump all<br></span><br>And then based on that first link you sent me I rebuilt my Squid instance from <a href="https://github.com/measurement-factory/squid/tree/SQUID-360-peering-for-SslBump" style="white-space:pre-wrap">https://github.com/measurement-factory/squid/tree/SQUID-360-peering-for-SslBump</a><br><br>Then tested and I think it's working now?<br><br>From my access log:<br># testing https<br># first request<br><div>1537477894.828 310 172.27.0.3 NONE/200 0 CONNECT <a href="http://foo.com:443">foo.com:443</a> - FIRSTUP_PARENT/<a href="http://64.58.117.175">64.58.117.175</a> -<br></div><div>1537477895.645 797 172.27.0.3 TCP_MISS/200 32374 GET <a href="https://foo.com/js/bootstrap.min.js">https://foo.com/js/bootstrap.min.js</a> - FIRSTUP_PARENT/<a href="http://64.58.117.175">64.58.117.175</a> application/javascript<br># second request</div><div>1537477899.009 336 172.27.0.3 NONE/200 0 CONNECT <a href="http://foo.com:443">foo.com:443</a> - FIRSTUP_PARENT/<a href="http://64.58.117.175">64.58.117.175</a> -</div><div>1537477899.019 0 172.27.0.3 TCP_MEM_HIT/200 32384 GET <a href="https://foo.com/js/bootstrap.min.js">https://foo.com/js/bootstrap.min.js</a> - HIER_NONE/- application/javascript<br><br># testing http<br># first request<br></div><div>1537477956.088 1051 172.27.0.3 TCP_MISS/200 28203 GET <a href="http://websites.web.com/">http://websites.web.com/</a> - FIRSTUP_PARENT/<a href="http://64.58.117.175">64.58.117.175</a> text/html<br># second request<br></div><div>1537477957.888 2 172.27.0.3 TCP_MEM_HIT/200 28198 GET <a href="http://websites.web.com/">http://websites.web.com/</a> - HIER_NONE/- text/html<br><br>Should I change anything else for more improvement? 
Should I build from the master or a more recent branch of <a href="https://github.com/measurement-factory/squid/tree/SQUID-360-peering-for-SslBump" style="white-space:pre-wrap">https://github.com/measurement-factory</a>?<br><br>Thanks again!<br>B.</div></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Sep 20, 2018 at 12:47 PM Alex Rousskov &lt;<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 09/20/2018 12:36 PM, Brett wrote:<br>
> I currently have squid setup to use a self-signed certificate for MITM to<br>
> cache HTTPS requests. This works. [...]<br>
<br>
> Is there a way I can configure squid so I can specify<br>
> it as a proxy for an https request and then have it act as a cache or<br>
> forward to an HTTP proxy (that supports CONNECT)?<br>
<br>
AFAICT, you are asking about the missing "SslBump with cache_peer"<br>
feature, which was covered in several recent threads, including this email:<br>
<br>
<a href="http://lists.squid-cache.org/pipermail/squid-users/2018-July/018653.html" rel="noreferrer" target="_blank">http://lists.squid-cache.org/pipermail/squid-users/2018-July/018653.html</a><br>
<br>
<br>
> ssl_bump peek step1<br>
> ssl_bump bump all<br>
<br>
This configuration bumps everything at step2.<br>
<br>
<br>
> If I change the ssl_bump directives above to the following:<br>
<br>
> ssl_bump stare step2<br>
> ssl_bump bump step3<br>
<br>
This (misleading!) configuration should splice everything at step1. In<br>
other words, it should be equivalent to this (clear) configuration:<br>
<br>
ssl_bump splice all<br>
<br>
or a disabled SslBump. According to your tests, that is exactly what<br>
happens (and the lack of non-trivial SslBump involvement probably<br>
explains why peering works in this corner case).<br>
<br>
<br>
If you need more information about the equivalence of the last two<br>
configurations, please consider studying the following wiki page and a<br>
related recent email thread:<br>
<br>
* <a href="https://wiki.squid-cache.org/Features/SslPeekAndSplice" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/Features/SslPeekAndSplice</a><br>
* <a href="http://lists.squid-cache.org/pipermail/squid-users/2018-September/019162.html" rel="noreferrer" target="_blank">http://lists.squid-cache.org/pipermail/squid-users/2018-September/019162.html</a><br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
</blockquote></div>
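The step-by-step evaluation described in the quoted reply, as an added example that is not part of the original thread and is not Squid code. It is a simplified model: it assumes only the step1/step2/step3 and all ACLs, first-match-wins at each step, and splice when no rule matches; the names parse, evaluate and decision are hypothetical, and action feasibility rules at later steps are not modelled.

```python
# Simplified model of ssl_bump rule evaluation (illustration only, not Squid code).
# Assumptions: ACLs are limited to step1/step2/step3/all; the first matching
# rule wins at each step; if no rule matches, the connection is spliced.

FINAL = {"splice", "bump", "terminate"}  # actions that end SslBump processing
STEPS = ("step1", "step2", "step3")


def parse(conf):
    """Return [(action, acl)] from 'ssl_bump <action> <acl>' lines."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) == 3 and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2]))
    return rules


def evaluate(conf):
    """Return the [(step, action)] trace for one TLS connection."""
    rules = parse(conf)
    trace = []
    for step in STEPS:
        # Every rule is re-checked at every step; the first match wins.
        action = next((a for a, acl in rules if acl in ("all", step)), "splice")
        trace.append((step, action))
        if action in FINAL:
            break  # peek and stare continue to the next step, others stop here
    return trace


def decision(conf):
    """Return the (step, action) pair that ends processing."""
    return evaluate(conf)[-1]


# The three configurations discussed in the thread.
BUMP_AT_STEP2 = "ssl_bump peek step1\nssl_bump bump all"
MISLEADING = "ssl_bump stare step2\nssl_bump bump step3"
SPLICE_ALL = "ssl_bump splice all"

if __name__ == "__main__":
    for name, conf in [("peek step1 / bump all", BUMP_AT_STEP2),
                       ("stare step2 / bump step3", MISLEADING),
                       ("splice all", SPLICE_ALL)]:
        print(name, "->", evaluate(conf))
```

In this model the second configuration never reaches its stare or bump rules, because nothing matches at step1 and the connection is spliced there.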