[squid-users] cache peer only forward http , not https !!!
Yuri Voinov
yvoinov at gmail.com
Tue Nov 10 21:49:06 UTC 2015
Do you see ip:443 CONNECT records in access.log?
I.e., is your HTTPS traffic coming in to Squid at all?
11.11.15 1:45, Ahmad Alzaeem writes:
> Hi, I don't have SSL Bump.
>
> All my users use ip:port to have internet.
>
> I already have ISA windows server and it works with http and https.
>
> I'm wondering why all this complexity is needed for peer https !!!
>
> Anyway here is squid.conf
>
> # This file is automatically generated by pfSense
> # Do not edit manually !
>
> http_port 172.23.101.253:3128
> icp_port 0
> dns_v4_first on
> pid_filename /var/run/squid/squid.pid
> cache_effective_user proxy
> cache_effective_group proxy
> error_default_language en
> icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
> visible_hostname mne
> cache_mgr azaeem at mne.ps
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none
> netdb_filename /var/squid/logs/netdb.state
> pinger_enable off
> pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
>
> logfile_rotate 2
> debug_options rotate=2
> shutdown_lifetime 3 seconds
> # Allow local network(s) on interface(s)
> acl localnet src 172.23.101.0/24
> forwarded_for off
> via off
> httpd_suppress_version_string on
> uri_whitespace strip
>
> acl dynamic urlpath_regex cgi-bin ?
> cache deny dynamic
>
> cache_mem 64 MB
> maximum_object_size_in_memory 256 KB
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> minimum_object_size 0 KB
> maximum_object_size 4 MB
> cache_dir ufs /var/squid/cache 100 16 256
> offline_mode off
> cache_swap_low 90
> cache_swap_high 95
> cache allow all
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> #Remote proxies
>
> # Setup some default acls
> # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
> # acl localhost src 127.0.0.1/32
> acl allsrc src all
> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
> acl sslports port 443 563
>
> # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
> #acl manager proto cache_object
>
> acl purge method PURGE
> acl connect method CONNECT
>
> # Define protocols used for redirects
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
> http_access allow manager localhost
>
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !safeports
> http_access deny CONNECT !sslports
>
> # Always allow localhost connections
> # From 3.2 further configuration cleanups have been done to make things easier and safer.
> # The manager, localhost, and to_localhost ACL definitions are now built-in.
> # http_access allow localhost
>
> request_body_max_size 0 KB
>
> delay_access 1 allow allsrc
>
> # Reverse Proxy settings
>
> # Custom options before auth
> dns_nameservers 8.8.8.8 10.12.0.33
> cache_peer 10.12.0.32 parent 80 0 no-query no-digest no-tproxy proxy-only
>
> # Setup allowed acls
> # Allow local network(s) on interface(s)
> http_access allow localnet
> # Default block all to be sure
> http_access deny allsrc
>
> cheers
>
> From: Yuri Voinov [mailto:yvoinov at gmail.com]
> Sent: Tuesday, November 10, 2015 9:43 PM
> To: Ahmad Alzaeem
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] cache peer only forward http , not https !!!
>
> I think we need to take a look at your squid.conf first.
>
> 10.11.15 23:18, Ahmad Alzaeem writes:
> > Thank you,
> >
> > Can you just guide me for the https peer directive plz ?
> >
> > I can take care of https intercept
> >
> > So with http , we have directive cache_peer 10.12.0.32 parent 8080 0 no-query no-digest
> >
> > As ok
> >
> > Now what about https directive ?
> >
> > Can u help me
> >
> > Thanks a lot a lot a lot for your help
> >
> > cheers
> >
> > From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Yuri Voinov
> > Sent: Tuesday, November 10, 2015 8:49 PM
> > To: squid-users at lists.squid-cache.org
> > Subject: Re: [squid-users] cache peer only forward http , not https !!!
> >
> > 1. You need to configure Squid with SSL Bump to capture HTTPS traffic.
> >
> > 2. You need to configure forwarded requests with splice/no bump. :)
> >
> > 10.11.15 22:42, Ahmad Alzaeem writes:
> >
> > > Hi Guys I want proxy and I want it to forward http & https to remote proxy
> > >
> > > Is the command below enough ?
> > >
> > > cache_peer 10.12.0.32 parent 8080 0 no-query no-digest no-tproxy proxy-only
> >
> > No.
> >
> > > or I need to add other line for https ??
> >
> > No.
> >
> > > BTW the command line above works only for http not for https
> >
> > Sure.
> >
> > > Any help ?
> >
> > *** DISCLAIMER: THIS IS MY OWN CONFIG SNIPPET. DON'T BLIND COPY-N-PASTE IT IN YOUR ENVIRONMENT! ***
> >
> > # Privoxy+Tor acl
> > acl tor_url dstdom_regex "C:/Squid/etc/squid/url.tor"
> >
> > # SSL bump rules
> > sslproxy_cert_error allow all
> > acl DiscoverSNIHost at_step SslBump1
> > ssl_bump peek DiscoverSNIHost
> > acl NoSSLIntercept ssl::server_name_regex -i "C:/Squid/etc/squid/url.nobump"
> > acl NoSSLIntercept ssl::server_name_regex -i "C:/Squid/etc/squid/url.tor"
> > ssl_bump splice NoSSLIntercept
> > ssl_bump bump all
> >
> > # Privoxy+Tor access rules
> > never_direct allow tor_url
> >
> > # Local Privoxy is cache parent
> > cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
> >
> > cache_peer_access 127.0.0.1 allow tor_url
> > cache_peer_access 127.0.0.1 deny all
> >
> > As you can see, this is just an example. The idea is described in the first two lines of my answer above.
> >
> > This snippet works for torified sites described in the tor_url acl.
> >
> > NB: I do not guarantee this will work on your environment!
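The check Yuri asks for at the top of this message (are there ip:443 CONNECT records in access.log, and did Squid hand them to the parent or open them direct?) can be scripted. This is an added example, not code from the thread or from the Squid project: it parses Squid's native access.log format, and the sample lines are constructed to mirror the symptom described in the thread, with GET requests reaching the parent 10.12.0.32 while CONNECT tunnels are logged as HIER_DIRECT.

```python
import re
from collections import Counter

# Squid native access.log format, whitespace separated:
# time elapsed client status/code bytes method url ident hierarchy/peer mime
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>[A-Z_]+)/(?P<code>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Constructed sample lines (not from the thread). The parent 10.12.0.32 and the
# client subnet 172.23.101.0/24 are the values from the posted squid.conf.
SAMPLE_LOG = """\
1447192800.101    412 172.23.101.10 TCP_MISS/200 15320 GET http://example.com/ - FIRSTUP_PARENT/10.12.0.32 text/html
1447192801.250   3011 172.23.101.10 TCP_TUNNEL/200 48211 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
1447192802.003    120 172.23.101.11 TCP_MISS/200 2210 GET http://example.org/ - FIRSTUP_PARENT/10.12.0.32 text/html
1447192803.777   2550 172.23.101.11 TCP_TUNNEL/200 9901 CONNECT example.org:443 - HIER_DIRECT/93.184.216.34 -
1447192804.010      5 172.23.101.12 TCP_DENIED/403 3540 CONNECT example.net:8443 - HIER_NONE/- text/html
"""

def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def connect_summary(log_text, peer):
    """Count CONNECT records by destination port and by routing: to_peer (hierarchy
    code *_PARENT naming the given parent), direct (HIER_DIRECT), denied (TCP_DENIED)."""
    by_port, routing = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        by_port[rec["url"].rpartition(":")[2]] += 1   # CONNECT url is host:port
        if rec["status"] == "TCP_DENIED":
            routing["denied"] += 1
        elif rec["hier"].endswith("_PARENT") and rec["peer"] == peer:
            routing["to_peer"] += 1
        else:
            routing["direct"] += 1
    return by_port, routing

if __name__ == "__main__":
    ports, routes = connect_summary(SAMPLE_LOG, "10.12.0.32")
    print("CONNECT by port:", dict(ports))
    print("CONNECT routing:", dict(routes))
```

Run it against a real log with `connect_summary(open("/var/squid/logs/access.log").read(), "10.12.0.32")`; a `to_peer` count of zero alongside `direct` tunnels is the condition this thread is about.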