[squid-users] FW: squid proxy 3.5 redhat 7.3
Madonna, A. (spir-it)
A.Madonna at rechtspraak.nl
Fri Jun 2 07:37:54 UTC 2017
Hello Alex,
Our setup is as follows:
Clients -> squid proxy -> internet.
This works with the config as previously mentioned.
Clients -> squid proxy (with cache_peer) -> Parent Proxy (not Squid) -> internet
Does not work.
However, I've also set up the following:
Clients -> Squid Proxy (with cache_peer) -> Parent Proxy (Squid Proxy) -> internet
This seems at least to work for http traffic, however, I don't see any HTTPS traffic coming into the Parent Proxy (Squid).
Now this morning I will do some more tcpdumping to see where that traffic is going, but maybe you can already shed some light on this?
Kind regards,
-----Original message-----
From: Alex Rousskov [mailto:rousskov at measurement-factory.com]
Sent: Thursday 1 June 2017 18:49
To: Madonna, A. (spir-it) <A.Madonna at rechtspraak.nl>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] squid proxy 3.5 redhat 7.3
On 06/01/2017 10:09 AM, Madonna, A. (spir-it) wrote:
> can we use ssl_bump to intercept https traffic with a parent proxy (cache_peer).
IIRC, you may be able to use limited SslBump features, but not the full SslBump functionality: Peeking or staring at the origin server through a cache_peer is not supported (yet).
> ssl_bump peek step1
> cache_peer ... parent 8080 0 no-query no-netdb-exchange no-digest
Bugs notwithstanding, the above combination should work because peeking at step1 does not require communication with a cache_peer and splicing at step2 should follow the regular (non-SslBump) tunneling path for CONNECTs, where modern Squids do support cache peers.
I recommend that you make everything work without a cache_peer and then add a cache_peer.
Alex.
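
To check whether the child Squid hands CONNECT requests to the cache_peer or sends them direct (the open question in the message above), the hierarchy field of its access.log can be tallied per route. This is an added example, not part of the original thread; it assumes the default native access.log format, and the log lines and addresses are constructed.

```python
from collections import Counter

# Constructed sample in Squid's native access.log format (not taken from the thread).
# 192.0.2.10 stands in for the parent proxy; all addresses are documentation ranges.
SAMPLE_LOG = """\
1496389074.101    212 198.51.100.5 TCP_MISS/200 5120 GET http://example.com/ - FIRST_UP_PARENT/192.0.2.10 text/html
1496389075.340   1530 198.51.100.5 TCP_TUNNEL/200 4312 CONNECT example.com:443 - HIER_DIRECT/203.0.113.20 -
1496389076.002    980 198.51.100.6 TCP_TUNNEL/200 2210 CONNECT example.org:443 - FIRST_UP_PARENT/192.0.2.10 -
1496389077.450      0 198.51.100.7 TAG_NONE/503 0 CONNECT example.net:443 - HIER_NONE/- -
"""

DIRECT_CODES = {"HIER_DIRECT", "ORIGINAL_DST"}

def route_of(hier_field):
    """Classify the hierarchy/peer field as 'direct', 'none' or 'peer'."""
    code, _, host = hier_field.partition("/")
    if code.startswith("TIMEOUT_"):      # prefix Squid adds when waiting for peer replies timed out
        code = code[len("TIMEOUT_"):]
    if code in DIRECT_CODES:
        return "direct", host
    if code == "HIER_NONE":
        return "none", host
    return "peer", host                   # assumption: every other code selected a cache_peer

def summarize(log_text):
    """Return (Counter of (kind, route), list of CONNECT targets that bypassed the peer)."""
    counts, bypassed = Counter(), []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:              # skip blank or truncated lines
            continue
        method, url, hier = fields[5], fields[6], fields[8]
        route, host = route_of(hier)
        kind = "CONNECT" if method == "CONNECT" else "other"
        counts[(kind, route)] += 1
        if kind == "CONNECT" and route == "direct":
            bypassed.append((url, host))
    return counts, bypassed

if __name__ == "__main__":
    counts, bypassed = summarize(SAMPLE_LOG)
    for (kind, route), n in sorted(counts.items()):
        print(f"{kind:8s} {route:7s} {n}")
    for url, host in bypassed:
        print(f"CONNECT {url} went direct to {host}, not via the parent")
```

CONNECT entries counted under "direct" never reach the parent, which would match a parent proxy that sees HTTP but no HTTPS traffic.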