[squid-users] Transparent HTTPS Squid proxy with upstream parent
Michael Ludvig
michael.ludvig at enterpriseit.co.nz
Sat Nov 7 11:20:00 UTC 2015
Hi again
Does anyone have any idea how to fix the below described problem? Please :)
Thanks!
Michael
On 05/11/15 16:01, Michael Ludvig wrote:
> Hi
>
> I've got a network without direct internet access where I have Squid
> 3.5.9 as a transparent proxy listening on tcp/8080 for HTTP and on
> tcp/8443 for HTTPS (redirected via iptables from tcp/80 and tcp/443
> respectively).
>
> This Squid (proxy-test) doesn't have direct Internet access either
> but can talk to a parent Squid (proxy-upstream) in another part of the
> network that does have Internet access.
>
> With HTTP it works well - client makes a request to
> http://www.example.com (port 80), router and iptables redirect the
> connection to Squid's port 8080, that intercepts the request and makes
> a request to the upstream proxy that serves it as usual. Here are the
> config options used:
>
> http_port 8080 intercept
> cache_peer proxy-upstream parent 3128 0 no-query
> never_direct allow all
>
> Now I wanted to do a similar thing for HTTPS:
>
> https_port 8443 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 5
> ssl_bump bump all
>
> Without cache_peer it works as expected (when I enable temporary
> internet access), i.e. auto-generates a fake SSL cert and makes a
> direct connection to the target.
>
> However with cache_peer it doesn't work. I get HTTP/503 error from the
> proxy:
>
> 1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443 - HIER_NONE/- -
> 1446684476.970 3 proxy-client TCP_MISS/503 4309 GET https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html
>
> Alternatively if I change the ssl_bump setup to this:
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
>
> I get a crash message in cache.log:
>
> 2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"
>
> When I use this proxy in non-transparent mode, i.e. configuring the
> proxy on client to proxy-test:3128, it works:
>
> 1446684724.879 141 proxy-client TCP_TUNNEL/200 1886 CONNECT secure.example.com:443 - FIRSTUP_PARENT/proxy-upstream -
>
> So I need to somehow turn the HTTPS request that lands on
> proxy-test into a CONNECT request that's forwarded to proxy-upstream.
> If Squid can't do that, is there any other
> transparent-to-nontransparent proxy software that can do that?
>
> Thanks!
>
> Michael
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
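The access.log lines quoted in the post follow Squid's native log format, and the failure they show (a locally bumped CONNECT followed by the decrypted GET coming back 5xx from the parent) can be picked out mechanically. The parser and check below are an added example, not code from the post or from Squid; the sample entries are the post's own lines re-joined onto one line each, and the field layout assumed is the default native access.log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Squid native access.log layout, one entry per line:
# time elapsed client tag/status bytes method URL ident hier/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

@dataclass
class Entry:
    ts: float
    tag: str
    status: int
    method: str
    url: str
    hier: str
    peer: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), m["tag"], int(m["status"]), m["method"],
                 m["url"], m["hier"], m["peer"])

def peer_failures(lines) -> List[Tuple[str, int, str]]:
    """(url, status, peer) for decrypted https:// requests a parent answered with 5xx.

    The bumped session itself is logged as a CONNECT with HIER_NONE (handled
    locally); the inner request is what gets routed to the cache_peer."""
    out = []
    for e in map(parse_line, lines):
        if e and e.method != "CONNECT" and e.url.startswith("https://") \
                and e.hier.endswith("_PARENT") and 500 <= e.status < 600:
            out.append((e.url, e.status, e.peer))
    return out

def tunnels_via_parent(lines) -> List[Tuple[str, str]]:
    """(host:port, peer) for CONNECT tunnels forwarded to a parent: the explicit-proxy path."""
    return [(e.url, e.peer) for e in map(parse_line, lines)
            if e and e.method == "CONNECT" and e.hier == "FIRSTUP_PARENT" and e.status == 200]

# Constructed sample: the three entries quoted in the post, each re-joined onto one line.
SAMPLE_LOG = [
    "1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443 - HIER_NONE/- -",
    "1446684476.970 3 proxy-client TCP_MISS/503 4309 GET https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html",
    "1446684724.879 141 proxy-client TCP_TUNNEL/200 1886 CONNECT secure.example.com:443 - FIRSTUP_PARENT/proxy-upstream -",
]

if __name__ == "__main__":
    for url, status, peer in peer_failures(SAMPLE_LOG):
        print(f"bumped request {url} failed with {status} via parent {peer}")
```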