[squid-users] Is there any way to cache or forward https requests to an http proxy using Squid?

Brett Anderson brett.anderson.ftw at gmail.com
Thu Sep 20 21:26:09 UTC 2018


Thank you!

I reverted back to:

ssl_bump peek step1
ssl_bump bump all

And then based on that first link you sent me I rebuilt my Squid instance from
https://github.com/measurement-factory/squid/tree/SQUID-360-peering-for-SslBump

Then tested and I think it's working now?

From my access log:
# testing https
# first request
1537477894.828    310 172.27.0.3 NONE/200 0 CONNECT foo.com:443 - FIRSTUP_PARENT/64.58.117.175 -
1537477895.645    797 172.27.0.3 TCP_MISS/200 32374 GET https://foo.com/js/bootstrap.min.js - FIRSTUP_PARENT/64.58.117.175 application/javascript
# second request
1537477899.009    336 172.27.0.3 NONE/200 0 CONNECT foo.com:443 - FIRSTUP_PARENT/64.58.117.175 -
1537477899.019      0 172.27.0.3 TCP_MEM_HIT/200 32384 GET https://foo.com/js/bootstrap.min.js - HIER_NONE/- application/javascript

# testing http
# first request
1537477956.088   1051 172.27.0.3 TCP_MISS/200 28203 GET http://websites.web.com/ - FIRSTUP_PARENT/64.58.117.175 text/html
# second request
1537477957.888      2 172.27.0.3 TCP_MEM_HIT/200 28198 GET http://websites.web.com/ - HIER_NONE/- text/html

Should I change anything else for more improvement? Should I build from the
master or a more recent branch of https://github.com/measurement-factory
<https://github.com/measurement-factory/squid/tree/SQUID-360-peering-for-SslBump>?

Thanks again!
B.

On Thu, Sep 20, 2018 at 12:47 PM Alex Rousskov <rousskov at measurement-factory.com> wrote:

> On 09/20/2018 12:36 PM, Brett wrote:
> > I currently have squid setup to use a self-signed certificate for MITM to
> > cache HTTPS requests. This works. [...]
>
> > Is there a way I can configure squid so I can specify
> > it as a proxy for an https request and then have it act as a cache or
> > forward to an HTTP proxy (that supports CONNECT)?
>
> AFAICT, you are asking about the missing "SslBump with cache_peer"
> feature, which was covered in several recent threads, including this email:
>
> http://lists.squid-cache.org/pipermail/squid-users/2018-July/018653.html
>
>
> > ssl_bump peek step1
> > ssl_bump bump all
>
> This configuration bumps everything at step2.
>
>
> > If I change the ssl_bump directives above to the following:
>
> > ssl_bump stare step2
> > ssl_bump bump step3
>
> This (misleading!) configuration should splice everything at step1. In
> other words, it should be equivalent to this (clear) configuration:
>
>   ssl_bump splice all
>
> or a disabled SslBump. According to your tests, that is exactly what
> happens (and the lack of non-trivial SslBump involvement probably
> explains why peering works in this corner case).
>
>
> If you need more information about the equivalence of the last two
> configurations, please consider studying the following wiki page and a
> related recent email thread:
>
> * https://wiki.squid-cache.org/Features/SslPeekAndSplice
> * http://lists.squid-cache.org/pipermail/squid-users/2018-September/019162.html
>
>
> HTH,
>
> Alex.
>
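
An added example, not part of the original message or of Squid: a small Python check that reads access.log entries like the ones posted above and reports whether each request was answered from Squid's cache, forwarded to the cache_peer parent, or fetched directly from the origin. It assumes the default native log format; the names `classify` and `leaked_direct` are hypothetical.

```python
import re

# Squid native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_0-9]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# The four HTTPS entries from the message above, with wrapped lines joined.
SAMPLE = [
    "1537477894.828    310 172.27.0.3 NONE/200 0 CONNECT foo.com:443 - "
    "FIRSTUP_PARENT/64.58.117.175 -",
    "1537477895.645    797 172.27.0.3 TCP_MISS/200 32374 GET "
    "https://foo.com/js/bootstrap.min.js - FIRSTUP_PARENT/64.58.117.175 "
    "application/javascript",
    "1537477899.009    336 172.27.0.3 NONE/200 0 CONNECT foo.com:443 - "
    "FIRSTUP_PARENT/64.58.117.175 -",
    "1537477899.019      0 172.27.0.3 TCP_MEM_HIT/200 32384 GET "
    "https://foo.com/js/bootstrap.min.js - HIER_NONE/- application/javascript",
]

def classify(line):
    """Return (method, url, source), or None if the line does not parse."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    result, hier = m["result"], m["hier"]
    if "HIT" in result and hier == "HIER_NONE":
        source = "cache"    # answered locally, nothing left Squid
    elif "PARENT" in hier:
        source = "parent"   # forwarded through a cache_peer parent
    elif hier in ("HIER_DIRECT", "ORIGINAL_DST"):
        source = "origin"   # Squid went to the origin, bypassing the peer
    else:
        source = "other"
    return m["method"], m["url"], source

def leaked_direct(lines):
    """URLs fetched straight from the origin instead of through the parent."""
    parsed = [classify(entry) for entry in lines]
    return [p[1] for p in parsed if p and p[2] == "origin"]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
    print("direct fetches:", leaked_direct(SAMPLE))
```

An empty result from `leaked_direct` over a longer log means no request in it was logged as going straight to the origin rather than through the parent.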