[squid-users] Non-transparent proxy with cache_peer and ssl_bump

Yosi Greenfield ygreenfield at kewsystems.com
Wed Mar 20 21:23:06 UTC 2019


Hello all,

I'm pretty sure this has been asked and answered more than once, but I've
been over the emails and the docs, and I still can't figure out how to make
this work. Might one of you be able to guide me here?

We have the following setup in our network:
Client ---- Squid1 ---- Squid2 ---- Internet

Squid1 is running Squid 3.5.28.
Squid2 is running Squid 3.5.23.

We do not do transparent proxying. Each user sets their proxy server in
their browser to use Squid1.

The browser authenticates to Squid1. Squid1 passes the authenticated request
to Squid2. Squid2 rewrites the request based on the authenticated user. 

It all works except for peered https traffic. Both squid1 and squid2 work
separately for https traffic. Cache_peer works if I remove SSL from it. It's
just the peered https that does not.

Here are the relevant lines in Squid1 squid.conf:

# START SQUID1 CONF
http_port 3128
http_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl/myCA.pem name=bumped options=ALL

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl NoBump ssl::server_name  "/etc/squid/nobump/domains"

ssl_bump peek step1 all
ssl_bump peek step2 NoBump
ssl_bump splice step3 NoBump
ssl_bump stare step2
ssl_bump bump step3

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

request_header_access Surrogate-Capability deny all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

cache_peer proxy2.ourserver.com parent 3130 0 no-query no-digest login=PASSTHRU default ssl sslcert=/etc/squid/ssl/myCA.pem
never_direct allow all

# END SQUID1 CONF


Here are the relevant lines in Squid2 squid.conf:

# START SQUID2 CONF
http_port 3128 name=non-bumped
http_port 3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl/myCA.pem name=bumped options=ALL

acl non-bumped myportname non-bumped
acl bumped myportname bumped

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl NoBump ssl::server_name  "/etc/squid/nobump/domains"

ssl_bump peek step1 all
ssl_bump peek step2 NoBump
ssl_bump splice step3 NoBump
ssl_bump stare step2
ssl_bump bump step3

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# END SQUID2 CONF


Squid1 cache.log shows lots of this:

2019/03/20 16:22:14 kid1| TCP connection to proxy2.ourserver.com/3130 failed
2019/03/20 16:22:14 kid1| Error negotiating SSL on FD 14: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol


Here are my questions:

1. Does squid 3.5 even allow sending https between peers? I've read
conflicting emails, but I'm pretty sure it does. (Do I have to comment out
some source code?)

2. What file goes into the cache_peer directive sslcert? I'm using the same
PEM file for cache_peer on Squid1 and http_port on Squid2. Is that a mistake?

3. What else am I doing wrong?


Thanks for your time and help!
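An added diagnostic, not from the original post or from the Squid project: it sends a TLS ClientHello to a peer port over a raw socket and classifies the first bytes that come back. OpenSSL reports "unknown protocol" when the reply does not begin with a TLS record, which is what a plaintext listener (a Squid http_port, even one carrying ssl-bump) returns, whereas cache_peer with the ssl option expects a TLS listener such as https_port. The host and port are placeholders and the sample replies are constructed.

```python
import socket
import ssl

# Constructed sample replies; not captured from the poster's proxies.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nServer: squid/3.5.23\r\n\r\n"
TLS_REPLY = bytes.fromhex("160303004a020000460303")  # handshake record + ServerHello start
ALERT_REPLY = bytes.fromhex("15030300020228")        # alert record, handshake_failure


def classify_reply(data: bytes) -> str:
    """Classify what a server sent back right after our ClientHello.

    A TLS listener answers with a handshake record (0x16) or an alert (0x15).
    A plaintext HTTP listener answers with a status line, which OpenSSL then
    reports as SSL23_GET_SERVER_HELLO:unknown protocol.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Produce a real ClientHello offline via the ssl module's memory BIOs."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello has been written, server reply is pending
    return outgoing.read()


def probe_peer(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify the first reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(16)
        except socket.timeout:
            return "no-reply"
    return classify_reply(reply)


if __name__ == "__main__":
    # Placeholder peer; replace with the cache_peer host and port under test.
    print(probe_peer("proxy2.example.invalid", 3130))
```

A result of "plaintext-http" on the peer port reproduces the cache.log error above without involving Squid1 at all, which separates a listener-type mismatch from certificate problems.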
