<div dir="ltr">Hi Alex,<div><br></div><div>We have just started to integrate squid proxy in our project, thanks for your reply and support.
</div><div><br></div><div>Previously we were seeing TCP_TUNNEL for <a href="https://www.google.com">https://www.google.com</a>.<br></div><div>Now, we are able to see the TCP_MISS transactions for <a href="https://www.google.com">https://www.google.com</a>. </div><div>As <a href="https://www.google.com">https://www.google.com</a> does not contain a cache-control header in its response, the response cannot be cached, which we are aware of.</div><div><br></div><div><br></div><div>1616580079.857 73 ::1 NONE/200 0 CONNECT www.google.com:443 - HIER_DIRECT/172.217.163.68 -<br>1616580079.945 44 ::1 TCP_MISS/200 967 HEAD https://www.google.com/ - HIER_DIRECT/172.217.163.68 text/html<br></div><div><br></div><div>I generated key.pem and cert.pem files using openssl, and when I tried to connect to a local Python HTTPS web server which has cache-control headers in its HTTPS response, I got the error below:</div><div><br></div><div>root@raspberrypi-rdk-hybrid:~# curl -I https://192.168.1.41:443 --proxy-cacert cert.pem --proxy http://localhost:3128<br>HTTP/1.1 200 Connection established<br><br>curl: (60) SSL certificate problem: unable to get local issuer certificate<br>More details here: <a href="https://curl.haxx.se/docs/sslcerts.html">https://curl.haxx.se/docs/sslcerts.html</a><br><br>curl failed to verify the legitimacy of the server and therefore could not<br>establish a secure connection to it. To learn more about this situation and<br>how to fix it, please visit the web page mentioned above.<br></div><div><br></div><div>I have attached the squid.conf file for your reference. 
Can you please check and let me know if I am missing something?</div><div><br></div><div>Regards,</div><div>Vignesh </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 23, 2021 at 7:44 PM Alex Rousskov &lt;<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 3/23/21 2:10 AM, Vignesh Ramessh wrote:<br>
<br>
> Currently I am running squid version 4.14 on RPi3.<br>
> Trying to cache https responses with cache-control:max-age headers<br>
> available,<br>
> using ssl bump - peek n splice feature with examples available in this<br>
> link :- <a href="https://elatov.github.io/2019/01/using-squid-to-proxy-ssl-sites/" rel="noreferrer" target="_blank">https://elatov.github.io/2019/01/using-squid-to-proxy-ssl-sites/</a><br>
<br>
<br>
ssl_bump peek step1<br>
ssl_bump bump all<br>
ssl_bump splice all<br>
<br>
AFAICT, the above "bump all during step2" configuration (the last line<br>
does not do anything and should be removed) should bump all traffic. Is<br>
that your configuration?<br>
<br>
<br>
> But the https caching doesn't seem to work, https connections are getting<br>
> established as TCP_TUNNEL/200 in squid access logs.<br>
<br>
Do you see non-CONNECT HTTP traffic (e.g. GET, POST, etc.) in access<br>
log? If not, then Squid is not bumping traffic OR the client does not<br>
like what Squid is doing. Please post your http*_port and ssl_bump<br>
configuration with access.log lines corresponding to a single test<br>
transaction that you think should be bumped.<br>
<br>
Also, does the client (e.g. curl, wget, or browser) get an error from<br>
Squid? Does the client display any kind of warning or error at all? What<br>
certificate does the client show for the test connection?<br>
<br>
<br>
> I wasn't able to find any proper documentation on https caching using squid.<br>
<br>
What you call "HTTPS caching" consists of two virtually independent<br>
actions: Bumping HTTPS connections and caching. Documentation exists for<br>
each action. Currently, it sounds like the first action (bumping) is not<br>
working in your setup. Until that is addressed, you can ignore the<br>
caching part.<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
</blockquote></div>
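The access.log check discussed in this thread (whether non-CONNECT requests appear for an HTTPS destination) can be scripted. The following is an added example, not code from either poster or from the Squid project; it assumes the native access.log format shown in the message, and the labels "bumped", "tunneled" and "connect-only" as well as the third sample line are constructed for illustration.

```python
from urllib.parse import urlsplit

# The first two lines are the access.log entries quoted in the message above;
# the third is constructed for contrast (documentation-range address).
SAMPLE_LOG = """\
1616580079.857 73 ::1 NONE/200 0 CONNECT www.google.com:443 - HIER_DIRECT/172.217.163.68 -
1616580079.945 44 ::1 TCP_MISS/200 967 HEAD https://www.google.com/ - HIER_DIRECT/172.217.163.68 text/html
1616580101.120 310 ::1 TCP_TUNNEL/200 5120 CONNECT example.org:443 - HIER_DIRECT/192.0.2.10 -
"""


def parse_line(line):
    """Pick the fields used here out of one native-format access.log line."""
    fields = line.split()
    if len(fields) < 10:
        return None  # blank, truncated, or a different logformat
    code, _, status = fields[3].partition("/")
    return {"code": code, "status": status,
            "method": fields[5], "url": fields[6]}


def host_of(entry):
    """Destination host: 'host:port' for CONNECT, URL hostname otherwise."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0].lower()
    return urlsplit(entry["url"]).hostname


def bump_status(log_text):
    """Map each HTTPS destination to 'bumped', 'tunneled' or 'connect-only'.

    bumped       : a non-CONNECT request with an https:// URL was logged,
                   so Squid saw the decrypted request.
    tunneled     : only CONNECT lines, logged as TCP_TUNNEL.
    connect-only : only CONNECT lines, not TCP_TUNNEL (for example, the
                   client gave up after the CONNECT, as in the curl error 60
                   case above).
    """
    result = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        host = host_of(entry)
        if host is None:
            continue
        if entry["method"] == "CONNECT":
            label = "tunneled" if entry["code"] == "TCP_TUNNEL" else "connect-only"
            result.setdefault(host, label)  # never downgrade "bumped"
        elif entry["url"].lower().startswith("https://"):
            result[host] = "bumped"
    return result


if __name__ == "__main__":
    for host, label in bump_status(SAMPLE_LOG).items():
        print(f"{host}: {label}")
```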