<div dir="ltr">Hi, thanks so much for the detailed response. I chose to test option 2 from your recommendations as I am new to squid and I do not understand how to set it up as a reverse proxy anyway. I made the change to my squid.conf:<div><span id="gmail-docs-internal-guid-f15790a3-7fff-1caa-077b-f79846f5189a">
<pre>
#ssl_bump peek step1
ssl_bump bump step1
ssl_bump bump all
</pre>
<p>This made it work, which is great news. My curl requests are now satisfied by the cache when the PC is offline!</p>
<p>I do have one follow-up question which I think is unrelated; let me know if etiquette demands I create a new post for this. When I test using the Chromium browser, Chromium sends OPTIONS requests, which I think is something to do with CORS. These always cause a cache MISS from squid... I think because the return code is 204...?</p>
<pre>
1705669236.776 113 ::1 TCP_MISS/204 680 OPTIONS <a href="https://stuff.amazonaws.com/api/v1/stuff/stuff.json">https://stuff.amazonaws.com/api/v1/stuff/stuff.json</a> - HIER_DIRECT/<a href="http://3.135.146.17">3.135.146.17</a> application/json
</pre>
<p>I can prevent my Chromium instance from making these (pointless?) OPTIONS calls using the following args, but I would rather not have to do this.</p>
<pre>
--disable-web-security --disable-features=IsolateOrigins,site-per-process
</pre>
<p>Any way I can get squid to cache these calls?</p>
<p>Thanks again and all the best,</p>
<p>Robin</p>
</span></div></div><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 18 Jan 2024 at 16:03, Alex Rousskov &lt;<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2024-01-18 09:53, Robin Carlisle wrote:<br>
<br>
> My expectation/hope is that squid would return the cached object on<br>
> any network failure in between ubuntu-pc and the AWS endpoint - and<br>
> continue to return this cached object forever. Is this something<br>
> squid can do? It would seem that offline_mode should do this?<br>
<br>
Yes and yes. The reason you are getting errors is not related to cache <br>
hits or misses. Those errors happen _before_ Squid gets the requested <br>
resource URL and looks up that resource in Squid cache.<br>
<br>
> ssl_bump peek step1<br>
> ssl_bump bump all <br>
<br>
To get that URL (in your configuration), Squid must bump the connection. <br>
To bump the connection at step2, Squid must contact the origin server. <br>
When the cable is unplugged, Squid obviously cannot do that: The attempt <br>
to open a Squid-AWS connection fails.<br>
<br>
> .../200 0 CONNECT <a href="http://stuff.amazonaws.com:443" rel="noreferrer" target="_blank">stuff.amazonaws.com:443</a> - HIER_DIRECT<br>
> .../503 4087 GET <a href="https://stuff.amazonaws.com/api/" rel="noreferrer" target="_blank">https://stuff.amazonaws.com/api/</a>... - HIER_NONE<br>
<br>
Squid reports bumping errors to the client using HTTP responses. To do <br>
that, Squid remembers the error response, bumps the client connection, <br>
receives GET from the client on that bumped connection, and sends that <br>
error response to the client. This is why you see both CONNECT/200 and <br>
GET/503 access.log records. Note that Squid does not check whether the <br>
received GET request would have been a cache hit in this case -- the <br>
response to that request has been preordained by the earlier bumping <br>
failure.<br>
<br>
<br>
Solution candidates to consider include:<br>
<br>
* Stop bumping: https_port 443 cert=/etc/squid/stuff.pem<br>
<br>
Configure Squid as (a reverse HTTPS proxy for) the AWS service. Use <br>
https_port. No SslBump rules/options! The client would think that it is <br>
sending HTTPS requests directly to the service. Squid will forward <br>
client requests to the service. If this works (and I do not have enough <br>
information to know that this will work in your specific environment), <br>
then you will get a much simpler setup.<br>
<br>
<br>
* Bump at step1, before Squid contacts AWS: ssl_bump bump all<br>
<br>
Bugs notwithstanding, there will be no Squid-AWS connection for cache <br>
hits. The resulting certificate will not be based on AWS service info, <br>
but it looks like your client is ignorant enough to ignore related <br>
certificate problems.<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
<br>
<br>
> Hi, Hoping someone can help me with this issue that I have been <br>
> struggling with for days now. I am setting up squid on an ubuntu PC to <br>
> forward HTTPS requests to an API and an s3 bucket under my control on <br>
> amazon AWS. The reason I am setting up the proxy is two-fold...<br>
> <br>
> 1) To reduce costs from AWS.<br>
> 2) To provide content to the client on the ubuntu PC if there is a <br>
> networking issue somewhere in between the ubuntu PC and AWS.<br>
> <br>
> Item 1 is going well so far. Item 2 is not going well. Setup details ...<br>
> <br>
> *# squid - setup cache folder*<br>
> mkdir -p /var/cache/squid<br>
> chown -R proxy:proxy /var/cache/squid<br>
> <br>
> *# ssl - generate key*<br>
> apt --yes install squid-openssl libnss3-tools<br>
> openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \<br>
> -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=<a href="http://www.example.com" rel="noreferrer" target="_blank">www.example.com</a>" \<br>
> -keyout /etc/squid/stuff.pem -out /etc/squid/stuff.pem<br>
> chown root:proxy /etc/squid/stuff.pem<br>
> chmod 644 /etc/squid/stuff.pem<br>
> <br>
> *# ssl - ssl DB*<br>
> mkdir -p /var/lib/squid<br>
> rm -rf /var/lib/squid/ssl_db<br>
> /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB<br>
> chown -R proxy:proxy /var/lib/squid/ssl_db<br>
> <br>
> *# /etc/squid/squid.conf :*<br>
> acl to_aws dstdomain .<a href="http://amazonaws.com" rel="noreferrer" target="_blank">amazonaws.com</a><br>
> acl from_local src localhost<br>
> http_access allow to_aws<br>
> http_access allow from_local<br>
> cache allow all<br>
> cache_dir ufs /var/cache/squid 1024 16 256<br>
> offline_mode on<br>
> http_port 3129 ssl-bump cert=/etc/squid/stuff.pem <br>
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>
> sslcrtd_program /usr/lib/squid/security_file_certgen -s <br>
> /var/lib/squid/ssl_db -M 4MB<br>
> acl step1 at_step SslBump1<br>
> ssl_bump peek step1<br>
> ssl_bump bump all<br>
> sslproxy_cert_error deny all<br>
> cache_store_log stdio:/var/log/squid/store.log<br>
> logfile_rotate 0<br>
> <br>
> *# /usr/bin/proxy-test :*<br>
> #!/bin/bash<br>
> curl --proxy <a href="http://localhost:3129" rel="noreferrer" target="_blank">http://localhost:3129</a> \<br>
> --cacert /etc/squid/stuff.pem \<br>
> -v "<a href="https://stuff.amazonaws.com/api/v1/stuff/stuff.json" rel="noreferrer" target="_blank">https://stuff.amazonaws.com/api/v1/stuff/stuff.json</a>" \<br>
> -H "Authorization: token MYTOKEN" \<br>
> -H "Content-Type: application/json" \<br>
> --output "/tmp/stuff.json"<br>
> <br>
> <br>
> <br>
> When network connectivity is GOOD, everything works well and I get cache <br>
> HITS ...<br>
> <br>
> *# /var/log/squid/access.log*<br>
> 1705587538.837 238 127.0.0.1 NONE_NONE/200 0 CONNECT <a href="http://stuff.amazonaws.com:443" rel="noreferrer" target="_blank">stuff.amazonaws.com:443</a> - HIER_DIRECT/<a href="http://3.136.246.238" rel="noreferrer" target="_blank">3.136.246.238</a> -<br>
> 1705587538.838 0 127.0.0.1 TCP_MEM_HIT/200 32818 GET <a href="https://stuff.amazonaws.com/api/v1/stuff/stuff.json" rel="noreferrer" target="_blank">https://stuff.amazonaws.com/api/v1/stuff/stuff.json</a> - HIER_NONE/- application/json<br>
> <br>
> *# extract from /usr/bin/proxy-test output*<br>
> < HTTP/1.1 200 OK<br>
> < Date: Thu, 18 Jan 2024 13:38:01 GMT<br>
> < Content-Type: application/json<br>
> < Content-Length: 32187<br>
> < x-amzn-RequestId: 8afba80e-6df7-4d5b-a34b-a70bd9b54380<br>
> < Last-Modified: 2024-01-03T11:23:19.000Z<br>
> < Access-Control-Allow-Origin: *<br>
> < x-amz-apigw-id: RvN1CF2_iYcEokA=<br>
> < Cache-Control: max-age=2147483648,public,stale-if-error<br>
> < ETag: "53896156c4e8e26933188a092c4e40f1"<br>
> < X-Amzn-Trace-Id: Root=1-65a929b9-3bd3285934151c1a2495481a<br>
> < Age: 2578<br>
> < Warning: 110 squid/5.7 "Response is stale"<br>
> < X-Cache: HIT from ubuntu-pc<br>
> < X-Cache-Lookup: HIT from ubuntu-pc:3129<br>
> < Via: 1.1 ubuntu-pc (squid/5.7)<br>
> < Connection: keep-alive<br>
> <br>
> <br>
> When network connectivity is BAD, I get errors and a cache MISS. In <br>
> this test case I unplugged the ethernet cable from the back on the <br>
> ubuntu-pc ...<br>
> <br>
> *# /var/log/squid/access.log*<br>
> 1705588717.420 11 127.0.0.1 NONE_NONE/200 0 CONNECT <a href="http://stuff.amazonaws.com:443" rel="noreferrer" target="_blank">stuff.amazonaws.com:443</a> - HIER_DIRECT/<a href="http://3.135.162.228" rel="noreferrer" target="_blank">3.135.162.228</a> -<br>
> 1705588717.420 0 127.0.0.1 NONE_NONE/503 4087 GET <a href="https://stuff.amazonaws.com/api/v1/stuff/stuff.json" rel="noreferrer" target="_blank">https://stuff.amazonaws.com/api/v1/stuff/stuff.json</a> - HIER_NONE/- text/html<br>
> <br>
> *# extract from /usr/bin/proxy-test output*<br>
> < HTTP/1.1 503 Service Unavailable<br>
> < Server: squid/5.7<br>
> < Mime-Version: 1.0<br>
> < Date: Thu, 18 Jan 2024 14:38:37 GMT<br>
> < Content-Type: text/html;charset=utf-8<br>
> < Content-Length: 3692<br>
> < X-Squid-Error: ERR_CONNECT_FAIL 101<br>
> < Vary: Accept-Language<br>
> < Content-Language: en<br>
> < X-Cache: MISS from ubuntu-pc<br>
> < X-Cache-Lookup: NONE from ubuntu-pc:3129<br>
> < Via: 1.1 ubuntu-pc (squid/5.7)<br>
> < Connection: close<br>
> <br>
> I have also seen it error in a different way with a 502 but with the <br>
> same ultimate result.<br>
> <br>
> My expectation/hope is that squid would return the cached object on any <br>
> network failure in between ubuntu-pc and the AWS endpoint - and continue <br>
> to return this cached object forever. Is this something squid can do? <br>
> It would seem that offline_mode should do this?<br>
> <br>
> Hope you can help,<br>
> <br>
> Robin<br>
> <br>
> <br>
> <br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
</blockquote></div></div>
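<p>The thread turns on reading access.log correctly: the CONNECT/200 plus GET/503 pair is a bump failure that never reached the cache lookup, a GET with a HIT code is served from cache, and the Chromium OPTIONS preflight shows up as a plain miss. The script below is an added example, written for this page and not code from the thread or from the Squid project. It parses Squid's default access.log format and buckets each record by those rules. The "error_before_cache_lookup" rule is derived from Alex's explanation (a GET answered with NONE_NONE/5xx and HIER_NONE right after the CONNECT); the "preflight_miss" bucket only counts OPTIONS misses and does not decide why they miss, since the thread leaves that open. The sample records are the ones quoted in the thread, with the mail client's duplicated URL annotations removed.</p>

```python
"""Bucket Squid access.log records by what they say about the cache path.

Added example for the squid-users thread above; not Squid project code.
SAMPLE_LOG holds the access.log records quoted in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Squid's default "squid" log format, one record per line:
#   time elapsed client code/status bytes method URL user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Records quoted in the thread (online run, offline run, Chromium preflight).
SAMPLE_LOG = [
    "1705587538.837 238 127.0.0.1 NONE_NONE/200 0 CONNECT stuff.amazonaws.com:443 - HIER_DIRECT/3.136.246.238 -",
    "1705587538.838 0 127.0.0.1 TCP_MEM_HIT/200 32818 GET https://stuff.amazonaws.com/api/v1/stuff/stuff.json - HIER_NONE/- application/json",
    "1705588717.420 11 127.0.0.1 NONE_NONE/200 0 CONNECT stuff.amazonaws.com:443 - HIER_DIRECT/3.135.162.228 -",
    "1705588717.420 0 127.0.0.1 NONE_NONE/503 4087 GET https://stuff.amazonaws.com/api/v1/stuff/stuff.json - HIER_NONE/- text/html",
    "1705669236.776 113 ::1 TCP_MISS/204 680 OPTIONS https://stuff.amazonaws.com/api/v1/stuff/stuff.json - HIER_DIRECT/3.135.146.17 application/json",
]


@dataclass
class Record:
    ts: float
    client: str
    code: str      # Squid result code: TCP_MEM_HIT, TCP_MISS, NONE_NONE, ...
    status: int    # HTTP status Squid sent to the client
    method: str
    url: str
    hier: str      # hierarchy code: HIER_DIRECT, HIER_NONE, ...


def parse_line(line: str) -> Optional[Record]:
    """Parse one access.log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Record(
        ts=float(m["ts"]), client=m["client"], code=m["code"],
        status=int(m["status"]), method=m["method"],
        url=m["url"], hier=m["hier"],
    )


def classify(rec: Record) -> str:
    """Name the cache path a record took.

    error_before_cache_lookup follows the explanation in the thread: the
    GET was answered from a remembered bump error (NONE_NONE, 5xx, no
    hierarchy peer), so Squid never checked whether it would have been a hit.
    """
    if rec.method == "CONNECT":
        return "tunnel"                    # the tunnel itself is never a cache object
    if "HIT" in rec.code:
        return "cache_hit"
    if rec.code == "NONE_NONE" and rec.status >= 500 and rec.hier == "HIER_NONE":
        return "error_before_cache_lookup"
    if rec.method == "OPTIONS":
        return "preflight_miss"            # CORS preflight forwarded to the origin
    if "MISS" in rec.code:
        return "cache_miss"
    return "other"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count records per bucket; unparseable lines are counted separately."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        counts["unparsed" if rec is None else classify(rec)] += 1
    return dict(counts)


if __name__ == "__main__":
    for sample in SAMPLE_LOG:
        record = parse_line(sample)
        print(f"{classify(record):28} {record.method:8} {record.code}/{record.status} {record.url}")
    print(summarize(SAMPLE_LOG))
```

Run it against a real /var/log/squid/access.log by reading the file into a list and passing it to summarize(); a growing error_before_cache_lookup count while the link is down is the signature of the peek-at-step1 configuration discussed above, and it disappears once bumping happens at step1.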