[squid-users] ssl-bump / https traffic not caching

Amos Jeffries squid3 at treenet.co.nz
Sat Aug 20 10:31:02 UTC 2016


On 20/08/2016 2:56 p.m., JR Dalrymple wrote:
> I'm sure I'm missing something stupid, but https traffic just isn't
> caching. I really want to cache https alongside http as this project is for
> a customer who lives in the sticks and pays dearly for every byte.
> 
> 1471660884.894  11402 172.22.19.48 TCP_MISS/200 746898 GET
> https://www.jrssite.com/newfi/fullsizes/081916214031.jpg - ORIGINAL_DST/
> 23.30.254.3 image/jpeg
> 1471660967.389  14392 172.22.22.68 TCP_MISS/200 746898 GET
> https://www.jrssite.com/newfi/fullsizes/081916214031.jpg - ORIGINAL_DST/
> 23.30.254.3 image/jpeg
> 1471661329.884  33506 172.22.22.68 TCP_MISS/200 746898 GET
> http://www.jrssite.com/newfi/fullsizes/081916214031.jpg - ORIGINAL_DST/
> 23.30.254.3 image/jpeg
> 1471661385.282    402 172.22.19.48 TCP_HIT/200 746906 GET
> http://www.jrssite.com/newfi/fullsizes/081916214031.jpg - HIER_NONE/-
> image/jpeg
> 
> # grep -i ssl /usr/local/squid/etc/squid.conf
> acl SSL_ports port 443
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> ssl_bump stare all
> ssl_bump bump all
> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/CACert.pem
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
> sslcrtd_children 10
> 
> Happy to provide any other information someone else might find useful. I'm
> sure that there is just some point of ignorance on my part. This is indeed
> all very new to me.


ORIGINAL_DST is a hint that these requests may have failed to pass
Squid's Host verification tests. If Squid is unable to verify that the
server providing the data is actually the correct origin/authority for
that data then we relay to the client explicitly requesting that server
be used - but do not cache to avoid corrupting/infecting other clients.

Alternatively, there could be some cache controls or Vary header
involved that cause the particular responses.
 (I went to check that myself, but it says login is required. You can
use the redbot.org tool to see the caching status if you have a working
login).

Amos
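To make the diagnosis above measurable across a whole access.log, here is an added example (not from the thread or from Squid itself) that parses lines in Squid's default "squid" logformat and, per URL scheme, counts hits, misses and the misses that were relayed to ORIGINAL_DST, which is the case Amos describes as deliberately not cached. The sample lines are constructed copies of the entries quoted in the question, and the field layout assumed is the default logformat.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample, modelled on the log lines quoted in the question (default
# "squid" logformat: ts elapsed client code/status bytes method url user hier/peer type).
SAMPLE_LOG = """\
1471660884.894  11402 172.22.19.48 TCP_MISS/200 746898 GET https://www.jrssite.com/newfi/fullsizes/081916214031.jpg - ORIGINAL_DST/23.30.254.3 image/jpeg
1471660967.389  14392 172.22.22.68 TCP_MISS/200 746898 GET https://www.jrssite.com/newfi/fullsizes/081916214031.jpg - ORIGINAL_DST/23.30.254.3 image/jpeg
1471661329.884  33506 172.22.22.68 TCP_MISS/200 746898 GET http://www.jrssite.com/newfi/fullsizes/081916214031.jpg - ORIGINAL_DST/23.30.254.3 image/jpeg
1471661385.282    402 172.22.19.48 TCP_HIT/200 746906 GET http://www.jrssite.com/newfi/fullsizes/081916214031.jpg - HIER_NONE/- image/jpeg
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
    r"\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


class Entry(NamedTuple):
    client: str
    code: str      # Squid result code, e.g. TCP_MISS, TCP_HIT
    size: int      # bytes sent to the client
    url: str
    hier: str      # hierarchy code, e.g. ORIGINAL_DST, HIER_NONE
    peer: str


def parse_log(text: str) -> List[Entry]:
    """Parse access.log text; lines in another logformat are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["client"], m["code"], int(m["bytes"]),
                                 m["url"], m["hier"], m["peer"]))
    return entries


def summarize(entries: List[Entry]) -> Dict[str, Counter]:
    """Per scheme (http/https): hit and miss counts, bytes served, and how many
    entries were relayed to ORIGINAL_DST (served but not stored, per the reply)."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        bucket = summary[e.url.split("://", 1)[0]]
        bucket["bytes"] += e.size
        bucket["hit" if "HIT" in e.code else "miss"] += 1
        if e.hier == "ORIGINAL_DST":
            bucket["original_dst"] += 1
    return summary
```

Run against a real access.log, a high `original_dst` share on the https bucket points at Host verification failures rather than at cache-control headers, which the per-URL check with redbot.org would then confirm.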