[squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?
Yuri Voinov
yvoinov at gmail.com
Thu Sep 17 12:47:49 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Squid 3.5.7 the same result:
1442420915.874 207879 127.0.0.1 TAG_NONE/200 0 CONNECT
torproject.org:443 - HIER_DIRECT/2001:41b8:202:deb:213:21ff:fe20:1426 -
1442493956.863 168528 127.0.0.1 TAG_NONE/200 0 CONNECT
torproject.org:443 - HIER_DIRECT/38.229.72.16 -
1442493957.934 168289 127.0.0.1 TAG_NONE/200 0 CONNECT
torproject.org:443 - HIER_DIRECT/38.229.72.16 -
Config snippet is:
# SSL bump rules
sslproxy_cert_error allow all
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
ssl_bump splice NoSSLIntercept
ssl_bump bump all
# Privoxy+Tor access rules
never_direct allow tor_url
# And finally deny all other access to this proxy
http_access deny all
# -------------------------------------
# HTTP parameters
# -------------------------------------
# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all
Squid configuration options:
http://i.imgur.com/1234E8q.png
17.09.15 16:18, Amos Jeffries пишет:
> On 17/09/2015 7:57 p.m., Yuri Voinov wrote:
>>
>>
>> 17.09.15 10:50, Amos Jeffries пишет:
>>> On 17/09/2015 4:36 a.m., Yuri Voinov wrote:
>>>> Hm.
>>>>
>>>> If I understand correctly, the right configuration must be:
>>>>
>>>> # Privoxy+Tor access rules
>>>> never_direct allow CONNECT
>>>> never_direct allow tor_url
>>>>
>>>> # Local Privoxy is cache parent
>>>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>>>
>>>> cache_peer_access 127.0.0.1 allow tor_url
>>>> cache_peer_access 127.0.0.1 deny all
>>>>
>>>> Right?
>>>>
>>>> But:
>>>>
>>>> http://i.imgur.com/UMxt2vh.png
>>>>
>>>> Is CONNECT always requires DIRECT?
>>> In the above yes. If you don't want that remove the never_direct for
>>> CONNECT as well.
>>>
>>>> I can't see FIRSTUP_PARENT for CONNECT in access log:
>>>>
>>>> 1442419630.962 168084 127.0.0.1 TAG_NONE/200 0 CONNECT
>>>> torproject.org:443 - HIER_DIRECT/154.35.132.70 -
>>>> 1442420935.127 168180 127.0.0.1 TAG_NONE/200 0 CONNECT
>>>> torproject.org:443 - HIER_DIRECT/38.229.72.16 -
>>>>
>>> Those appear to be CONNECT requests which got ssl_bump'ed, not passed on
>>> upstream. The access controls about how to pass things upstream are
>>> irrelevant for them.
>>>
>>>> Because of IP's banned by ISP, direct CONNECT got timeout.
>>>>
>>>> Also, all rot_url ACL can't connect.
>>>>
>>>> Where I'm wrong?
>>> Where is the server IP coming from?
>> Server IP comes from local DNS cache, which is got right IP via dnscrypt.
>>
>> I was in this case confused by the fact that CONNECT and does not go
>> into the tunnel.
>>
>> I've correct configuration a bit, but still no effect:
>>
>> # SSL bump rules
>> sslproxy_cert_error allow all
>> ssl_bump none localhost
>> ssl_bump none url_nobump
>> ssl_bump none dst_nobump
>> ssl_bump server-first net_bump
>>
>
> Ah. Right I forget this is 3.4 you are talking about.
>
> server-first bumping requires a SSL/TLS server to get the cert details
> from. Your cache_peer is not one of those servers, and ssl-bump through
> a peer is a 3.5 feature. What happens in 3.4 is a mandatory DIRECT
> connection.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJV+rZ1AAoJENNXIZxhPexGQiAH/RLc8a0mWAV6Xi75QFM+TBnD
0FgRqYqeZCbYEgGl+pTJFMQyEo1e1eXSudRTAQGNcO3gTqhlz9n/2tee6U60a/tC
jmxVtFxpqThcZjcvLP1/ODz1dclDkSJ4QBKlKlr2Z4Qya3Sd/jF8g1hm+tr7jZ31
fLp6MVxcO3fGNg1dfb7AQjRaMiOz+/nVsQD6dt3ciqLxjjTqyCMd/YceSsg9//l/
N/sfoR/Jj6lQrQBb59ssUHOGE04y1Igksx24kqF+NhQllHn2Tgc48G1R+13Zyj9s
f21kzakaSqHcrATHg7VK9iNkOguqrkJx9bTRZrTr9GM0mD/1VTAmV22qjAcqxp0=
=Luej
-----END PGP SIGNATURE-----
More information about the squid-users
mailing list