[squid-users] SNI-based forwarding to parent proxy
C. Kroeger
commx at commx.ws
Thu Oct 5 21:12:35 UTC 2017
Hi there,
I'm new to squid and trying to get a certain problem solved. I
have a setup with a VPN server, redirecting any traffic to its port
80/443 to a squid server. The users within that VPN can browse the web
(both http and https) without any problems.
However, I need to redirect http(s) traffic for a list of domains to
another proxy. While this works fine for http, it doesn't work for
https, even with the peek-n-slice functionality available in 3.5+.
Below is my current configuration:
```
http_port 3128
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid.pem options=NO_SSLv2:NO_SSLv3
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
# peek SNI and splice all https connections for tunneling
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
# ACL for SNIs that need to be forwarded to another proxy
acl sni_fwd ssl::server_name .google.com
# redirect matching traffic to another proxy
cache_peer 10.0.2.115 parent 3128 0 no-query default name=px2
cache_peer_access px2 allow sni_fwd
cache_peer_access px2 deny all
```
Surprisingly, http requests are sent to px2, but https ones are not.
What am I doing wrong here?
Note: Requests not matching the SNI ACL shall not be forwarded and
processed directly.
Best regards,
Christian
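A quick way to confirm whether the routing policy in the post is actually being applied is to read Squid's own access.log rather than guessing from browser behaviour: the hierarchy field (`FIRSTUP_PARENT/10.0.2.115` vs. `HIER_DIRECT/...` or `ORIGINAL_DST/...`) records where each request went, including spliced CONNECT tunnels. The script below is an added example, not code from the original post or from the Squid project. It parses lines in Squid's default `squid` log format, derives the destination host (from the URL for plain HTTP, from `host:port` for CONNECT), applies the same `.google.com` suffix rule as a `ssl::server_name`/`dstdomain` ACL, and reports requests whose recorded peer disagrees with the intended policy (matching domains to the parent, everything else direct). The log lines, the parent address taken from the post, and the `FORWARDED_DOMAINS` tuple are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default "squid" access_log format
# (they are not taken from the original post).  The second line shows the
# symptom described in the post: a spliced HTTPS tunnel to a matching SNI
# that went to the original destination instead of the parent proxy.
SAMPLE_LOG = """\
1507237955.123    245 10.8.0.2 TCP_MISS/200 5120 GET http://www.google.com/ - FIRSTUP_PARENT/10.0.2.115 text/html
1507237956.456    310 10.8.0.2 TCP_TUNNEL/200 3512 CONNECT www.google.com:443 - ORIGINAL_DST/172.217.16.100 -
1507237957.789    120 10.8.0.3 TCP_MISS/200 2048 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
1507237958.012    400 10.8.0.3 TCP_TUNNEL/200 9000 CONNECT example.org:443 - ORIGINAL_DST/93.184.216.34 -
"""

PARENT = "10.0.2.115"                 # cache_peer address from the post
FORWARDED_DOMAINS = (".google.com",)  # same pattern as the sni_fwd ACL (assumed policy)

# Fields of the default log format:
# time elapsed client result/status bytes method url user hierarchy/peer mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)


@dataclass
class Entry:
    client: str
    method: str
    url: str
    hier: str
    peer: str


def matches(host: str, patterns) -> bool:
    """Squid-style domain matching: '.example.com' matches the domain and
    all of its subdomains; a pattern without a leading dot matches exactly."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def host_of(method: str, url: str) -> str:
    """CONNECT requests log 'host:port'; other methods log a full URL.
    (IPv6 literals in brackets are not handled in this example.)"""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def parse(log_text: str):
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than failing
        d = m.groupdict()
        entries.append(Entry(d["client"], d["method"], d["url"], d["hier"], d["peer"]))
    return entries


def find_mismatches(log_text: str):
    """Return (method, host, hierarchy) for every request whose recorded
    next hop disagrees with the intended policy."""
    out = []
    for e in parse(log_text):
        host = host_of(e.method, e.url)
        want_parent = matches(host, FORWARDED_DOMAINS)
        went_parent = e.peer == PARENT
        if want_parent != went_parent:
            out.append((e.method, host, f"{e.hier}/{e.peer}"))
    return out


if __name__ == "__main__":
    for method, host, hier in find_mismatches(SAMPLE_LOG):
        print(f"policy mismatch: {method} {host} went via {hier}")
```

Run it against a real log with `find_mismatches(open("/var/log/squid/access.log").read())`; on the constructed sample it flags only the `CONNECT www.google.com` tunnel, which is exactly the case the post says is not reaching px2. Seeing `ORIGINAL_DST` on those lines tells you Squid chose the intercepted destination before the peer selection ever applied, which is a more useful starting point for debugging than the browser's view.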