[squid-users] SSL Bump with HTTP Cache Peer Parent

sam.handley sam at myriadworks.org
Wed Dec 12 23:15:16 UTC 2018


I am not 100% confident that what I am asking is possible, but I'd love it to be
confirmed.

Here is what our setup would look like, I’ve explained a bit below:

DEVICE ---> PRX3 (HTTPS CACHE) ---> PRX2 ---> PRX1 ---> INTERNET

Our current environment is a bit behind the times and inflexible. We have a
local squid proxy/cache (PRX2) that we do not fully control that only caches
HTTP content. This proxy is downstream from another proxy which is also HTTP
(PRX1). Both just TUNNEL HTTPS. PRX1 is the only way out of our WAN to the
internet.

We would like to start caching HTTPS (PRX3) because these other proxies are
not, and it is costing us bandwidth. With the config below and a direct
internet connection I can successfully connect and cache HTTP/S content.
However, this won't work in our environment. We must go through a cache peer,
either PRX1 or PRX2, and adding either upstream proxy as a cache peer parent
results in either SSL errors or the request not being forwarded to the peer.

I think what I need to do is TUNNEL the bumped request to PRX2 over HTTP. I
thought squid 4 could do this but can’t find any docs for it so it may have
been wishful thinking.

*--- SSL Error ---*
(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:1408F10B:SSL
routines:ssl3_get_record:wrong version number
*--- SSL Error ---*

*--- squid.conf ---*
## Proxy

# Only allow addresses in our subnet
acl LAN src 10.141.28.0/22
http_access allow LAN
http_access deny all

cache_mem 500 MB
maximum_object_size 5000 MB
range_offset_limit 5000 MB

# Set proxy port, enable SSL bump, set root cert (one logical line in squid.conf)
http_port 3128 ssl-bump tls-cert=/etc/squid/CA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE
ssl_bump bump all

# Set cache directory and settings:
# [type] [dir] [MB] [L1 = number of first-level subdirs] [L2 = number of second-level subdirs] [[options]]
cache_dir diskd /srv/cache 10000 64 72

# Never go direct: every request must be forwarded to a parent
never_direct allow all
# Upstream proxy as parent on HTTP port 800, no ICP port, no ICP queries or cache digests
cache_peer 10.141.28.19 parent 800 0 no-query no-digest

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
*--- squid.conf ---*

*--- squid version info --- *
Squid Cache: Version 4.4
Service Name: squid

This binary uses OpenSSL 1.1.1a  20 Nov 2018. For legal restrictions on
distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/usr' '--sbindir=/usr/bin'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--localstatedir=/var'
'--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid'
'--enable-auth' '--enable-auth-basic' '--enable-auth-ntlm'
'--enable-auth-digest' '--enable-auth-negotiate'
'--enable-removal-policies=lru,heap' '--enable-storeio=aufs,ufs,diskd,rock'
'--enable-delay-pools' '--with-openssl' '--enable-snmp'
'--enable-linux-netfilter' '--enable-ident-lookups' '--enable-useragent-log'
'--enable-cache-digests' '--enable-referer-log' '--enable-htcp'
'--enable-carp' '--enable-epoll' '--with-large-files' '--enable-arp-acl'
'--with-default-user=proxy' '--enable-async-io' '--enable-truncate'
'--enable-icap-client' '--enable-ssl-crtd' '--disable-arch-native'
'--disable-strict-error-checking' '--enable-wccpv2' 'CFLAGS=-march=x86-64
-mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt'
'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now'
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-march=x86-64 -mtune=generic -O2
-pipe -fstack-protector-strong -fno-plt'
*--- squid version info --- *
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
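As an added example, not from the post above and not Squid's own code or diagnostics, here is a small Python lint for the configuration pattern this question is about: `ssl_bump bump` combined with `never_direct allow all` and a `cache_peer` declared without a `tls` option (Squid 4 spelling; `ssl*` is the older form), i.e. a parent that the proxy can only talk to in plaintext. Whatever Squid itself does with such a request, the security point is that a bumped (decrypted) HTTPS request can only leave this proxy unencrypted towards a parent one does not control. The copy of the config embedded in the script is constructed from the post with comments dropped, using squid.conf trailing-backslash continuation for the long `http_port` line; the finding strings are the example's own wording.

```python
"""Lint a squid.conf for ssl_bump bump combined with plaintext-only parents.

Added example: the config below is a constructed copy of the directives in the
post above (comments removed). The checks and messages are this script's own,
not Squid's.
"""

SQUID_CONF = """\
acl LAN src 10.141.28.0/22
http_access allow LAN
http_access deny all
http_port 3128 ssl-bump tls-cert=/etc/squid/CA.pem \\
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \\
    options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE
ssl_bump bump all
cache_dir diskd /srv/cache 10000 64 72
never_direct allow all
cache_peer 10.141.28.19 parent 800 0 no-query no-digest
"""

# cache_peer options that turn on TLS to the parent: 'tls' / 'tls-*' in Squid 4,
# 'ssl' / 'ssl*' in older releases.
ENCRYPTED_PEER_OPTS = ("tls", "ssl")


def parse_squid_conf(text):
    """Return a list of (directive, [args]) tuples.

    Blank lines and '#' comment lines are skipped; a trailing backslash joins
    the next line into the same logical directive.
    """
    directives = []
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        parts = logical.split()
        logical = ""
        directives.append((parts[0], parts[1:]))
    return directives


def peer_is_encrypted(opts):
    """True if any cache_peer option enables TLS towards that parent."""
    return any(o in ENCRYPTED_PEER_OPTS or o.startswith(("tls-", "ssl"))
               for o in opts)


def audit_bump_peering(text):
    """Return a list of finding strings (empty when nothing is flagged)."""
    directives = parse_squid_conf(text)
    findings = []

    bumping = any(n == "ssl_bump" and a[:1] == ["bump"] for n, a in directives)
    never_direct_all = any(n == "never_direct" and a[:2] == ["allow", "all"]
                           for n, a in directives)
    # cache_peer <host> <type> <http-port> <icp-port> [options...]
    peers = [a for n, a in directives if n == "cache_peer" and len(a) >= 4]

    if not bumping:
        return findings  # splice/peek-only configs never decrypt, nothing to flag

    plaintext = 0
    for args in peers:
        host, port, opts = args[0], args[2], args[4:]
        if not peer_is_encrypted(opts):
            plaintext += 1
            findings.append(
                f"cache_peer {host}:{port} has no tls option: a bumped (decrypted) "
                f"HTTPS request could only reach this parent in plaintext")

    if never_direct_all and peers and plaintext == len(peers):
        findings.append(
            "never_direct allow all with ssl_bump bump and only plaintext parents: "
            "every bumped request must leave this proxy unencrypted or fail")
    return findings


if __name__ == "__main__":
    for finding in audit_bump_peering(SQUID_CONF) or ["no findings"]:
        print(finding)
```

Run as-is it reports two findings for the posted config; with `ssl_bump splice all` (no decryption) or with a `tls` option on the parent it reports none. That last variant is only what the lint accepts, not a fix for the setup in the post, where the parents are plain-HTTP proxies that merely tunnel HTTPS.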