[squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

Amos Jeffries squid3 at treenet.co.nz
Thu Sep 17 10:18:27 UTC 2015


On 17/09/2015 7:57 p.m., Yuri Voinov wrote:
> 
> 
> 17.09.15 10:50, Amos Jeffries writes:
>> On 17/09/2015 4:36 a.m., Yuri Voinov wrote:
>>> Hm.
>>>
>>> If I understand correctly, the right configuration must be:
>>>
>>> # Privoxy+Tor access rules
>>> never_direct allow CONNECT
>>> never_direct allow tor_url
>>>
>>> # Local Privoxy is cache parent
>>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>>
>>> cache_peer_access 127.0.0.1 allow tor_url
>>> cache_peer_access 127.0.0.1 deny all
>>>
>>> Right?
>>>
>>> But:
>>>
>>> http://i.imgur.com/UMxt2vh.png
>>>
>>> Does CONNECT always require DIRECT?
>> In the above yes. If you don't want that remove the never_direct for
>> CONNECT as well.
>>
>>> I can't see FIRSTUP_PARENT for CONNECT in access log:
>>>
>>> 1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
>>> torproject.org:443 - HIER_DIRECT/154.35.132.70 -
>>> 1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
>>> torproject.org:443 - HIER_DIRECT/38.229.72.16 -
>>>
>> Those appear to be CONNECT requests which got ssl_bump'ed, not passed on
>> upstream. The access controls about how to pass things upstream are
>> irrelevant for them.
>>
>>> Because of IPs banned by the ISP, direct CONNECT got a timeout.
>>>
>>> Also, all tor_url ACL can't connect.
>>>
>>> Where am I wrong?
>> Where is the server IP coming from?
> Server IP comes from the local DNS cache, which got the right IP via dnscrypt.
> 
> I was in this case confused by the fact that CONNECT does not go
> into the tunnel.
> 
> I've corrected the configuration a bit, but still no effect:
> 
> # SSL bump rules
> sslproxy_cert_error allow all
> ssl_bump none localhost
> ssl_bump none url_nobump
> ssl_bump none dst_nobump
> ssl_bump server-first net_bump
> 

Ah. Right, I forgot this is 3.4 you are talking about.

server-first bumping requires an SSL/TLS server to get the cert details
from. Your cache_peer is not one of those servers, and ssl-bump through
a peer is a 3.5 feature. What happens in 3.4 is a mandatory DIRECT
connection.

Amos
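The thread hinges on reading the hierarchy field of the native access.log: a CONNECT that went `HIER_DIRECT/<ip>` was bumped and connected directly, while one relayed to the Privoxy parent would show a `*_PARENT/127.0.0.1` code. The script below is an added example, not code from the thread or from the Squid project; it parses native-format log lines and reports CONNECT requests that bypassed an assumed parent peer (`127.0.0.1` by default). The two sample lines are the ones quoted in the thread, unwrapped onto one line each; the other two are constructed to show what a relayed CONNECT and an unrelated GET look like.

```python
"""Find CONNECT requests in a Squid native access.log that did not go
through the configured cache_peer (added example, not Squid project code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Native-format access.log: ten space-separated fields per line
#   time elapsed client tag/status bytes method url user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample input: first two lines are the ones quoted in the thread
# (unwrapped), the last two are made up to show the contrasting cases.
SAMPLE_LINES = [
    "1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - HIER_DIRECT/154.35.132.70 -",
    "1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT torproject.org:443 - HIER_DIRECT/38.229.72.16 -",
    # constructed: a CONNECT relayed to the local Privoxy parent
    "1442421000.000 1200 127.0.0.1 TCP_TUNNEL/200 4096 CONNECT torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -",
    # constructed: an ordinary GET, ignored by the CONNECT check
    "1442421005.000 35 127.0.0.1 TCP_MISS/200 512 GET http://example.com/ - FIRSTUP_PARENT/127.0.0.1 text/html",
]


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    tag: str
    status: int
    method: str
    url: str
    hier: str      # hierarchy code, e.g. HIER_DIRECT or FIRSTUP_PARENT
    peer: str      # IP/host the request was sent to


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native access.log line; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(
        ts=float(m["ts"]),
        elapsed_ms=int(m["elapsed"]),
        client=m["client"],
        tag=m["tag"],
        status=int(m["status"]),
        method=m["method"],
        url=m["url"],
        hier=m["hier"],
        peer=m["peer"],
    )


def find_direct_connects(lines: Iterable[str], parent: str = "127.0.0.1") -> List[Entry]:
    """Return CONNECT entries that were not relayed to `parent`.

    A relayed CONNECT carries a *_PARENT hierarchy code (FIRSTUP_PARENT,
    DEFAULT_PARENT, ...) with the peer's address; anything else, in
    particular HIER_DIRECT/<origin ip>, means Squid connected itself.
    """
    offenders: List[Entry] = []
    for line in lines:
        e = parse_line(line)
        if e is None or e.method != "CONNECT":
            continue
        relayed = e.hier.endswith("_PARENT") and e.peer == parent
        if not relayed:
            offenders.append(e)
    return offenders


if __name__ == "__main__":
    for e in find_direct_connects(SAMPLE_LINES):
        # elapsed_ms of ~168 s on a direct CONNECT is the timeout the thread describes
        print(f"{e.url} went {e.hier}/{e.peer} ({e.elapsed_ms} ms), not via the parent")
```

Run it against a real log with `find_direct_connects(open("/var/log/squid/access.log"))`; a non-empty result for destinations that should use the peer means the request never reached the cache_peer selection stage, which in the 3.4 case above is exactly what server-first bumping forces.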