[squid-users] Transparent HTTPS Squid proxy with upstream parent

Amos Jeffries squid3 at treenet.co.nz
Sat Nov 7 14:27:08 UTC 2015


On 8/11/2015 12:20 a.m., Michael Ludvig wrote:
> Hi again
> 
> Does anyone have any idea how to fix the below described problem? Please :)
> 

You are taking secured traffic. Removing the decryption. Then ...


>> i.e. auto-generates a fake SSL cert and makes a
>> direct connection to the target.

Except when the target is a peer receiving plain-text TCP connections
(not TLS encrypted connections) ...

>>
>> 1446684476.877 0 proxy-client TAG_NONE/200 0 CONNECT 198.51.100.10:443
>> - HIER_NONE/- -
>> 1446684476.970 3 proxy-client TCP_MISS/503 4309 GET
>> https://secure.example.com/ - FIRSTUP_PARENT/proxy-upstream text/html
>>

... splat.


Clear enough? If not the assertion below should make it clearer.


>> Alternatively if I change the ssl_bump setup to this:
>>
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump bump all
>>
>> I get a crash message in cache.log:
>>
>> 2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116:
>> "peer->use_ssl"

Attempting to connect and send encryption to a non-encrypted peer.

Using a current version of Squid should fix that assertion and just not
let the peer be used. Your Squid is a whole 2 months old. In the arms
race that is SSL-Bump a few months is a long time.

Squid still will not generate new CONNECT to non-encrypted peers though.
So you will need to TLS enable the cache_peer link.

Amos
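For readers hitting the same 503 / PeerConnector assertion, the squid.conf fragment below shows the failing setup Amos is describing next to the TLS-enabled cache_peer link he recommends. This is an added example, not configuration from the original thread; the host names (proxy-upstream), ports and certificate paths are placeholders. The option names (ssl, sslcafile=, ssldomain=) are the Squid 3.5 spelling; Squid 4 and later renamed them to tls, tls-cafile= and so on, and the upstream side must itself listen with an https_port for the TLS link to work.

```conf
# --- Child (intercepting) Squid: transparent HTTPS interception ---
# Plain-text intercept of HTTP and TLS-wrapped intercept of HTTPS.
http_port  3128 intercept
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem      # placeholder CA used to mint fake certs

# Peek at the TLS ClientHello first, then bump (decrypt) everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Force all traffic through the parent instead of going direct.
never_direct allow all

# BROKEN: a plain-text parent. Bumped (decrypted) requests cannot be
# re-encrypted toward a non-TLS peer, so the GET fails with TCP_MISS/503
# (or, on the affected release, the "peer->use_ssl" assertion).
#cache_peer proxy-upstream parent 3128 0 no-query default

# FIXED: a TLS-enabled parent link. The child re-encrypts the bumped
# request to the peer; the peer's certificate is verified against the
# given CA and must match the name in ssldomain=.
cache_peer proxy-upstream parent 3130 0 no-query default \
    ssl \
    sslcafile=/etc/squid/ssl_cert/upstream-ca.pem \
    ssldomain=proxy-upstream
# Squid 4+ spelling of the same line:
#cache_peer proxy-upstream parent 3130 0 no-query default \
#    tls tls-cafile=/etc/squid/ssl_cert/upstream-ca.pem

# --- Parent Squid (proxy-upstream): accept forward-proxy traffic over TLS ---
# A plain https_port (no intercept/ssl-bump) terminates the child's TLS
# link; the certificate must be issued by upstream-ca.pem above.
#https_port 3130 cert=/etc/squid/ssl_cert/upstream.pem \
#    key=/etc/squid/ssl_cert/upstream.key
```

Verification on the child: after a reload, the access.log line for the bumped GET should show FIRSTUP_PARENT/proxy-upstream with a 200-class status rather than TCP_MISS/503, and cache.log should no longer report the PeerConnector.cc assertion. If the peer's certificate does not chain to sslcafile= or its name does not match ssldomain=, Squid refuses the peer connection, so check cache.log for the TLS handshake error before suspecting the ssl_bump rules.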


