[squid-users] cache peer only forward http , not https !!!

Yuri Voinov yvoinov at gmail.com
Tue Nov 10 18:24:18 UTC 2015


You just need to remember the first two lines from my previous mail.

You need to configure Squid with SSL Bump to capture HTTPS traffic. Or,
of course, you can configure your Squid as a non-transparent forwarding
proxy. All you need:

Your Squid must see the HTTPS traffic one way or another. Either with SSL Bump, or
just tunneling (forwarding proxy).

and, finally:

3. You don't need any special directives for cache_peer with https.

10.11.15 23:18, Ahmad Alzaeem wrote:
> Thank you,
>
> Can you just guide me for the https peer directive plz?
>
> I can take care of https intercept
>
> So with http, we have directive cache_peer 10.12.0.32 parent 8080 0 no-query no-digest
>
> As ok
>
> Now what about https directive?
>
> Can u help me
>
> Thanks a lot a lot a lot for your help
>
> cheers
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Yuri Voinov
> Sent: Tuesday, November 10, 2015 8:49 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] cache peer only forward http , not https !!!
>
> 1. You need to configure Squid with SSL Bump to capture HTTPS traffic.
> 2. You need to configure forwarded requests with splice/no bump. :)
>
> 10.11.15 22:42, Ahmad Alzaeem wrote:
> > Hi Guys I want proxy and I want it to forward http & https to remote proxy
> >
> > Does the command below enough ?
> >
> > cache_peer 10.12.0.32 parent 8080 0 no-query no-digest no-tproxy proxy-only
> No.
>
> > or I need to add other line for https ??
> No.
>
> > BTW the command line above work only for http not for https
> Sure.
>
> > Any help ?
>
> *** DISCLAIMER: THIS IS MY OWN CONFIG SNIPPET. DON'T BLINDLY COPY-N-PASTE IT IN YOUR ENVIRONMENT! ***
>
> # Privoxy+Tor acl
> acl tor_url dstdom_regex "C:/Squid/etc/squid/url.tor"
>
> # SSL bump rules
> sslproxy_cert_error allow all
> acl DiscoverSNIHost at_step SslBump1
> ssl_bump peek DiscoverSNIHost
> acl NoSSLIntercept ssl::server_name_regex -i "C:/Squid/etc/squid/url.nobump"
> acl NoSSLIntercept ssl::server_name_regex -i "C:/Squid/etc/squid/url.tor"
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
> # Privoxy+Tor access rules
> never_direct allow tor_url
>
> # Local Privoxy is cache parent
> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>
> cache_peer_access 127.0.0.1 allow tor_url
> cache_peer_access 127.0.0.1 deny all
>
> As you can see, this is just an example. The idea is described in the first two lines of my answer above.
> This snippet works for torified sites described in tor_url acl.
> NB: I do not guarantee this will work on your environment!

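Added example, not part of the original message and not the poster's configuration: the second option named in the reply (a non-transparent forwarding proxy that just tunnels HTTPS), written out as a minimal squid.conf. The parent address and port are the ones from the question; the listening port 3128, the client range and the ACL names are assumptions.

```conf
# Added example. Assumptions: listening port, client range, ACL names.
# Explicit forward proxy: clients are configured to use this Squid, so
# HTTPS arrives as "CONNECT host:443". Nothing is intercepted or bumped.
http_port 3128

# Constructed client range; replace with the real internal network.
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 443
acl tunnel_req method CONNECT

# Refuse odd ports, and allow CONNECT tunnels to port 443 only.
http_access deny !Safe_ports
http_access deny tunnel_req !SSL_ports
http_access allow localnet
http_access deny all

# One parent serves both schemes; cache_peer has no HTTPS-specific option
# for this case. Same peer line as in the question, plus "default".
cache_peer 10.12.0.32 parent 8080 0 no-query no-digest default

# CONNECT is a non-hierarchical request, which Squid prefers to send
# direct to the origin. never_direct forces it, and plain HTTP,
# through the parent instead.
never_direct allow all
```

Because the TLS session is tunnelled and never decrypted, clients validate the origin certificate themselves, so this variant needs no `ssl_bump` rules and no `sslproxy_cert_error` override.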
