[squid-users] Non-transparent proxy with cache_peer and ssl_bump

Alex Rousskov rousskov at measurement-factory.com
Wed Mar 20 21:58:17 UTC 2019


On 3/20/19 3:23 PM, Yosi Greenfield wrote:

> ssl_bump splice step3 NoBump
> ssl_bump bump step3

> cache_peer proxy2.ourserver.com ... ssl

Forwarding most SslBump-related connections to cache_peers is still
unsupported by official Squids, including Squid v3 and v4. Measurement
Factory code that implements this feature is being officially reviewed
at https://github.com/squid-cache/squid/pull/380/

If you can test the above-referenced code, please do.

However, even if the above-referenced changes are officially accepted
(into v5), they will not allow you to do "TLS inside TLS" -- you will
not be able to forward most SslBump-related connections to HTTPS proxies
(i.e. your "cache_peer ssl").

Fortunately, forwarding to HTTPS proxies is not critical in most use
cases -- one layer of TLS encryption is often enough. Unfortunately, you
will expose CONNECT requests between Squid1 and Squid2 until we add that
support or perhaps [controversially] allow bumped traffic to be sent to
HTTPS proxies without additional encryption. I am not aware of anybody
working on either right now.


> 1. Does squid 3.5 even allow sending https between peers?

Squid allows sending plain HTTP traffic to an HTTPS peer. That is not
what you are configuring your squid1 to do though: You are telling
squid1 to send bumped HTTPS traffic to an HTTPS peer. The latter is not
supported.


> 2. What file goes into the cache_peer directive sslcert?

Let's assume that the TCP connection between squid1 and squid2 is
encrypted with TLS (i.e., your configuration with "cache_peer ssl"). TLS
supports certificate-based client authentication: A TLS client (i.e.,
squid1 in your case) sends its SSL certificate to the TLS server (i.e.,
squid2 in your case). The TLS server (i.e. squid2) validates that
certificate against some mutually trusted CA and allows (or denies) the
connection.

"cache_peer sslcert" names the file containing the (client) SSL
certificate that squid1 sends and squid2 expects/validates.


> I'm using the same
> PEM file for cache_peer on Squid1 and http_port on Squid2. Is that a mistake?

It is a mistake in most (possibly all) use cases. The former is a
(client) SSL certificate that squid1 sends and squid2 validates. The
latter is an SSL CA certificate to generate fake (server) SSL
certificates. Squid2 sends those generated certificates. A bumping
Squid1 validates them.


HTH,

Alex.
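To make the two-certificate distinction concrete, here is an added squid.conf excerpt for both proxies (an illustration written for this page, not configuration from the thread or from the Squid project; Squid 3.5 option names are used, and every file path, port, and hostname other than proxy2.ourserver.com is an assumption). It separates the bumping CA on squid1's http_port, the client certificate that squid1 presents via cache_peer sslcert, and the CA that squid2's https_port uses to validate that client certificate.

```conf
# ---------------- squid1 (client-facing, bumping) ----------------
# bump-ca.pem/key: the CA that mints forged server certificates for
# bumped clients. Clients trust it; it is NEVER sent to squid2.
# (Assumed paths.)
http_port 3128 ssl-bump \
    cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# TLS to the parent. sslcert/sslkey is a *client* certificate for
# squid1 itself, issued by a CA that squid2 trusts (peer-ca.pem), not
# the bumping CA above. sslcafile is what squid1 uses to validate the
# server certificate squid2 presents. As the reply explains, only
# plain HTTP (non-bumped) traffic can be forwarded to an ssl peer.
cache_peer proxy2.ourserver.com parent 3129 0 no-query ssl \
    sslcert=/etc/squid/squid1-client.pem \
    sslkey=/etc/squid/squid1-client.key \
    sslcafile=/etc/squid/peer-ca.pem \
    ssldomain=proxy2.ourserver.com

# ---------------- squid2 (parent, HTTPS proxy) -------------------
# cert/key: squid2's own server certificate, validated by squid1.
# clientca: the CA(s) squid2 uses to request and verify the client
# certificate squid1 sends. This is the file the original question's
# "same PEM file" must NOT be: it is a CA for client authentication,
# not a CA for generating fake server certificates.
https_port 3129 \
    cert=/etc/squid/squid2-server.pem key=/etc/squid/squid2-server.key \
    clientca=/etc/squid/peer-ca.pem
```

Three distinct PEM files therefore play three distinct roles: the bumping CA (trusted by browsers), squid1's client certificate (validated by squid2), and the peer CA (used by squid2 to validate that client certificate and by squid1 to validate squid2's server certificate).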

