[squid-users] Transparent HTTPS Squid proxy with upstream parent
Michael Ludvig
michael.ludvig at enterpriseit.co.nz
Thu Nov 5 03:01:39 UTC 2015
Hi
I've got a network without direct internet access where I have Squid
3.5.9as a transparent proxylistening on tcp/8080for HTTP and on
tcp/8443for HTTPS (redirected via iptablesfrom tcp/80 and tcp/443
respectively).
This Squid (proxy-test) doesn't have a direct Internet access either but
can talk to a parent Squid (proxy-upstream) in other part of the network
that does have Internet access.
With HTTP it works well - client makes a request to
http://www.example.com(port 80), router and iptables redirect the
connection to Squid's port 8080, that intercepts the request and makes a
request to the upstream proxy that serves it as usual. Here are the
config options used:
http_port 8080 intercept cache_peer proxy-upstream parent 3128 0 no-query
never_direct allow all
Now I wanted to do a similar thing for HTTPS:
https_port 8443 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump bump all
Without cache_peerit works as expected (when I enable temporary internet
access), i.e. auto-generates a fake SSL cert and makes a direct
connection to the target.
However with cache_peerit doesn't work. I get HTTP/503 error from the proxy:
1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443 -
HIER_NONE/- -
1446684476.970 3 proxy-client TCP_MISS/503 4309 GET
https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html
Alternatively if I change the ssl_bumpsetup to this:
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
I get a crash message in cache.log:
2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116:
"peer->use_ssl"
When I use this proxy in non-transparent mode, i.e. configuring the
proxy on client to proxy-test:3128, it works:
1446684724.879 141 proxy-client TCP_TUNNEL/200 1886 CONNECT
secure.example.com:443 - FIRSTUP_PARENT/proxy-upstream -
So I need to somehow turn the HTTPSrequest that lands on proxy-testinto
CONNECTrequest that's forwarded to proxy-upstream.
If Squid can't do that is there any other transparent-to-nontransparent
proxy software that can do that?
Thanks!
Michael
More information about the squid-users
mailing list