[squid-users] Transparent HTTPS Squid proxy with upstream parent

Amos Jeffries squid3 at treenet.co.nz
Sun Nov 8 23:55:29 UTC 2015


On 9/11/2015 11:55 a.m., Michael Ludvig wrote:
> Hi Amos
> 
> thanks for your reply.
> 
> On 08/11/15 03:27, Amos Jeffries wrote:
>> You are taking secured traffic. Removing the decryption. Then ...
> 
> Yes. Then ... I expected it would make a CONNECT to the upstream proxy
> that would in turn do HTTPS to the target.
> 
> I'm happy with the certificate mismatch.
> 
>>> I get a crash message in cache.log:
>>>
>>> 2015/11/05 01:07:11 kid1| assertion failed: PeerConnector.cc:116:
>>> "peer->use_ssl"
>> Attempting to connect and send encryption to a non-encrypted peer.
>>
>> Using a current version of Squid should fix that assertion and just not
>> let the peer be used. Your Squid is a whole 2 months old. In the arms
>> race that is SSL-Bump a few months is a long time.
>>
>> Squid still will not generate new CONNECT to non-encrypted peers though.
>> So you will need to TLS enable the cache_peer link.
> 
> If my proxy talks TLS with the upstream one - will that do the trick? I
> can upgrade to the latest Squid if that should fix the problem.
> 
> However I'm a bit confused with the protocols / certificates involved..
> 
> [client] -> HTTPS -> [my_proxy] -> SSL -> [upstream_proxy] -> HTTPS ->
> [target]
> 
> What protocol is used between [my_proxy] and [upstream_proxy]? It's not
> CONNECT, is it?

Correct, it is not.

> Is it TLS connection with something like "GET
> https://example.com/ HTTP/1.." passing through?
> 

Yes.

> Does that also mean the upstream one will have to ssl_bump the
> connection again and re-encrypt with yet another certificate to be able
> to read the target URL?

No and yes.

No - the upstream proxy is an explicit-/forward- proxy, just receiving
messages over TLS.

Yes - the outbound connection from the peer to the server will use a
different TLS connection, thus different certificates.

This type of multiple-hop proxying is one where server-first style of
bumping and certificate mimicking is difficult at best and not possible
in current Squid versions. So whoever is managing the upstream proxy
needs to make sure that it only connects to servers that are properly
secured and verified.


> And also - can I pass non-SSL traffic between my
> proxy and the upstream as well?

You can. Either over the same TLS link between the proxies, or over a
second cache_peer link.

> 
> Can you provide some config hints for both proxies please? The
> SSL-related bits only as that's the unclear part.

my_proxy:
 cache_peer example.com parent 3129 0 ssl

upstream_proxy:
 https_port 3129 cert=/path/to/cert


Amos
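As an added configuration example (not part of Amos's reply, and not the Squid project's own sample config), here is one way to write both sides of that setup with certificate verification kept on at each hop. It uses Squid 3.5-era directive names; the hostnames, ports and file paths are assumed.

```squid
# --- my_proxy: intercepts HTTPS, bumps it, forwards over TLS to the parent ---
# Intercepting port; cert/key are the ones clients will see (the expected mismatch).
https_port 3130 intercept ssl-bump cert=/etc/squid/myproxy.pem key=/etc/squid/myproxy.key

# Peek at the ClientHello first, then decrypt so requests can be relayed as
# "GET https://..." over the TLS link to the upstream proxy.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# TLS-enabled cache_peer link. Verify the parent's certificate against our own
# CA bundle and pin the expected name instead of disabling verification.
cache_peer upstream.example.com parent 3129 0 ssl sslcafile=/etc/squid/upstream-ca.pem ssldomain=upstream.example.com
# Weak alternative, not recommended: accepts any certificate on the peer link.
# cache_peer upstream.example.com parent 3129 0 ssl sslflags=DONT_VERIFY_PEER

# Force traffic through the parent rather than going direct.
never_direct allow all

# --- upstream_proxy: explicit forward proxy, listening over TLS ---
https_port 3129 cert=/etc/squid/upstream.pem key=/etc/squid/upstream.key

# This hop opens the real connection to the origin server, so origin
# certificates must be validated here: trust the system CA bundle and
# refuse to proceed on any certificate error.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
sslproxy_cert_error deny all
# Weak alternative, not recommended: skips origin certificate validation.
# sslproxy_flags DONT_VERIFY_PEER
```

Plain HTTP from clients can be sent down the same cache_peer line; it is simply carried inside the TLS session to the parent.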
