[squid-users] Problems with peek and slice through parent proxy
Hess, Niklas
Niklas.Hess at webit-wetterau.de
Wed Jul 11 13:33:02 UTC 2018
Hello list,
I´m setting up a Squid proxy specifically to scan the incoming traffic from a cloud platform.
ClamAV should scan the incoming traffic.
So far so good.
The cloud uses WebDAV over HTTPS, so I have to SSL-Bump the incoming traffic via Peek and Splice Feature.
That works indeed with the CA signed internal Certificate.
But as soon as I add a cache_peer as a "parent proxy" it does not work. (This request could not be forwarded to the origin server or to any parent caches.)
I just get "FwdState.cc(813) connectStart: fwdConnectStart: Ssl bumped connections through parent proxy are not allowed" in the cache.log
And yes I know ssl-bump through a parent proxy is an security issue and might be unsecure, but the connection to the parent is internal, save and secure.
I don't know how, but could there be a way to "comment out" the section in fwdConnectStart source file?
Squid Cache: Version 3.5.27
Service Name: squid
configure options: '--with-openssl' '--enable-ssl-crtd'
Here´s my "minimal" SSL-Bump config:
### Start config
debug_options ALL,6
shutdown_lifetime 1 seconds
http_port 8080 ssl-bump cert=/usr/local/squid/etc/ssl_cert/Squidtest.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 25 startup=5 idle=10
cache_peer 10.106.3.66 parent 8080 0 no-query no-digest name=parent
never_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump bump all
http_access allow all
### End config
Thanks for any help!
Niklas
Azubi Niklas Hess
Team Applikation-Management
Eigenbetrieb Informationstechnologie des Wetteraukreises
61169 Friedberg
Europaplatz
Gebäude B
Tel.: 06031 83-6526
Mobil:
Fax.: 06031 83-916526
www.wetteraukreis.de<http://www.wetteraukreis.de>
Informationen zum Datenschutz erhalten sie über unsere Datenschutzseite www.datenschutz.wetterau.de<http://www.datenschutz.wetterau.de/>
Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind, informieren Sie bitte sofort den Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180711/785ce589/attachment-0001.html>
More information about the squid-users
mailing list