[squid-users] Transparent HTTPS Squid proxy with upstream parent
Michael Ludvig
michael.ludvig at enterpriseit.co.nz
Sun Nov 8 22:55:44 UTC 2015
Hi Amos
thanks for your reply.
On 08/11/15 03:27, Amos Jeffries wrote:
> You are taking secured traffic. Removing the decryption. Then ...
Yes. Then ... I expected it would make a CONNECT to the upstream proxy
that would in turn do HTTPS to the target.
I'm happy with the certificate mismatch.
>> I get a crash message in cache.log:
>>
>> 2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116:
>> "peer->use_ssl"
> Attempting to connect and send encryption to a non-encrypted peer.
>
> Using a current version of Squid should fix that assertion and just not
> let the peer be used. Your Squid is a whole 2 months old. In the arms
> race that is SSL-Bump a few months is a long time.
>
> Squid still will not generate new CONNECT to non-encrypted peers though.
> So you will need to TLS enable the cache_peer link.
If my proxy talks TLS with the upstream one - will that do the trick? I
can upgrade to the latest Squid if that should fix the problem.
However I'm a bit confused with the protocols / certificates involved:
[client] -> HTTPS -> [my_proxy] -> SSL -> [upstream_proxy] -> HTTPS -> [target]
What protocol is used between [my_proxy] and [upstream_proxy]? It's not
CONNECT, is it? Is it TLS connection with something like "GET
https://example.com/ HTTP/1.." passing through?
Does that also mean the upstream one will have to ssl_bump the
connection again and re-encrypt with yet another certificate to be able
to read the target URL? And also - can I pass non-SSL traffic between my
proxy and the upstream as well?
Can you provide some config hints for both proxies please? The
SSL-related bits only as that's the unclear part.
Thanks in advance!
Michael
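For readers following the thread: the configuration below is an added illustration of the "TLS enable the cache_peer link" step Amos refers to above, written in Squid 3.5-era syntax; it is not Michael's or Amos's configuration and it is not a reply from the list. Hostnames, ports and certificate paths are placeholders, and whether the upstream proxy additionally needs to ssl_bump the forwarded requests is not settled by this snippet (the message above asks exactly that).

```conf
# ---- my_proxy: intercepting SSL-Bump proxy that forwards only via a parent ----
# Intercepted HTTPS from clients. The CA file is a placeholder path; Squid
# mints per-host certificates signed by it.
https_port 3129 intercept ssl-bump cert=/etc/squid/my_ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Peek at the TLS ClientHello first, then bump (decrypt) everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# The proxy-to-proxy hop itself is wrapped in TLS: the "ssl" keyword on
# cache_peer (renamed "tls" in Squid 4) makes my_proxy speak TLS to the
# parent. sslcafile pins the CA that issued the upstream proxy's own
# certificate (placeholder path); ssldomain is the name that certificate
# must carry.
cache_peer upstream-proxy.example.internal parent 3128 0 no-query default ssl sslcafile=/etc/squid/upstream_ca.pem ssldomain=upstream-proxy.example.internal

# Never bypass the parent, so every decrypted request goes over the TLS link.
never_direct allow all

# ---- upstream_proxy: accept the TLS-wrapped proxy connection ----
# A plain (non-intercept) https_port terminates the TLS from my_proxy; the
# certificate must match the ssldomain value configured on my_proxy.
https_port 3128 cert=/etc/squid/upstream_proxy.pem key=/etc/squid/upstream_proxy.key
```

The security-relevant point is the second hop: without the `ssl` (or `tls`) keyword on `cache_peer`, the requests that my_proxy has just decrypted would leave it in cleartext towards the parent, which is the "send encryption to a non-encrypted peer" mismatch the assertion above complains about. Pinning the upstream CA with `sslcafile` and naming the peer with `ssldomain` is what stops my_proxy from accepting an arbitrary certificate on that link.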