[squid-users] HTTPS cache for Java application - only getting TCP_MISS
Amos Jeffries
squid3 at treenet.co.nz
Thu Jun 14 11:33:36 UTC 2018
On 14/06/18 07:44, Antony Stone wrote:
> On Wednesday 13 June 2018 at 21:28:27, baretomas wrote:
>
>> The calls from the application are done using SSL / HTTPS by telling Java to
>> use Squid as a proxy (-Dhttps.proxyHost and -Dhttp.proxyHost).
>
> Okay, but...
>
>> http_port 3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB
>> cert=/cygdrive/c/squid/etc/squid/proxyCAx.pem
>> key=/cygdrive/c/squid/etc/squid/proxyCA.pem
>
>> # certificate generation program
>> sslcrtd_program /cygdrive/c/squid/lib/squid/ssl_crtd -s
>> /cygdrive/c/squid/var/cache/squid_ssldb -M 4MB
>
>> acl step1 at_step SslBump1
>>
>> ssl_bump peek step1
>> ssl_bump bump all
>
> Surely all this peeking and bumping is only needed if you're running Squid in
> interception mode,

Not quite. SSL-Bump is interception of the TLS layer. Regular / forward
/ explicit proxies use it to decrypt the CONNECT messages transporting
HTTPS traffic through tunnels.

> whereas you've said that you've configured your Java
> application to explicitly use Squid as a proxy?
>

The proxy port and SSL-Bump config are consistent with an SSL-Bumping
forward proxy.

I suspect the -Dhttp.proxyHost is probably the Java app's equivalent to
the Linux http_proxy environment variables we are more familiar with
seeing applications use to connect to that type of proxy.

>
> Have you tried your Squid configuration with a plain browser, configured to use
> the proxy, with (a) a few random websites, and (b) the specific resource you're
> trying to access from your Java application, to see whether it is actually
> working as a caching proxy?
>

Good idea.

Amos
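
For the check suggested above (whether Squid is actually working as a caching proxy for the bumped HTTPS traffic), this added example, which is not part of the original message or of Squid itself, classifies lines in Squid's native access.log format. The sample log lines, host names and category names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Squid's native access.log format (not from the thread).
SAMPLE_LOG = """\
1528975000.101    210 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT api.example.test:443 - HIER_DIRECT/198.51.100.7 -
1528975010.250     95 192.0.2.10 NONE/200 0 CONNECT api.example.test:443 - HIER_NONE/- -
1528975010.400    180 192.0.2.10 TCP_MISS/200 2048 GET https://api.example.test/data.json - HIER_DIRECT/198.51.100.7 application/json
1528975020.400      2 192.0.2.10 TCP_MEM_HIT/200 2048 GET https://api.example.test/data.json - HIER_NONE/- application/json
1528975030.000     40 192.0.2.10 TCP_MISS/200 900 GET http://example.test/ - HIER_DIRECT/198.51.100.8 text/html
"""

# time elapsed client code/status bytes method URL ...
LINE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<code>[A-Z_]+)/\d{3}\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def classify(line):
    """Return a category for one access.log line, or None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    code, method, url = m["code"], m["method"], m["url"]
    if method == "CONNECT":
        # TCP_TUNNEL: bytes were relayed blind, nothing decrypted or cacheable.
        return "tunnel" if code == "TCP_TUNNEL" else "connect"
    if not url.startswith("https://"):
        return "plain_http"
    # An https:// URL on a non-CONNECT request means the tunnel was bumped.
    served_from_cache = "HIT" in code or code == "TCP_REFRESH_UNMODIFIED"
    return "bumped_hit" if served_from_cache else "bumped_miss"

def summarize(log_text):
    """Count categories over a whole log."""
    return Counter(c for c in map(classify, log_text.splitlines()) if c)

def diagnose(counts):
    """Coarse verdict on the HTTPS traffic seen in the log."""
    if counts["bumped_hit"]:
        return "caching"
    if counts["bumped_miss"]:
        return "bumped_but_only_misses"
    if counts["tunnel"]:
        return "not_bumped"
    return "no_https_seen"

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    print(dict(counts), diagnose(counts))
```

A verdict of `bumped_but_only_misses` points at cacheability of the responses (or the client's request headers) rather than at the SSL-Bump setup, while `not_bumped` means the requests never reached the HTTP cache at all.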