[squid-users] SNI-based forwarding to parent proxy

C. Kroeger commx at commx.ws
Thu Oct 5 21:12:35 UTC 2017


Hi there,

i've been new to squid and trying to get a certain problem solved. I
have a setup with an VPN server, redirecting any traffic to its port
80/443 to a squid server. The users within that VPN can browse the web
(both http and https) without any problems.

However, I need to redirect http(s) traffic for a list of domains to
another proxy. While this works fine for http, it doesn't work for
https, even with the peek-n-slice functionality available in 3.5+.

Below is my current configuration:

```
http_port 3128
https_port 3130 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid.pem
options=NO_SSLv2:NO_SSLv3
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M
4MB sslcrtd_children 8 startup=1 idle=1

# peek SNI and splice all https connections for tunneling
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# ACL for SNIs that need to be forwarded to another proxy
acl sni_fwd ssl::server_name .google.com

# redirect matching traffic to another proxy
cache_peer 10.0.2.115 parent 3128 0 no-query default name=px2
cache_peer_access px2 allow sni_fwd
cache_peer_access px2 deny all
```

Surprisingly, http requests are sent to px2, but https ones are not.
What I'm doing wrong here?

Note: Requests not matching the SNI ACL shall not be forwarded and
processed directly.

Best regards,
Christian


More information about the squid-users mailing list