[squid-users] Fixing Squid configuration for caching proxy?
Alex Rousskov
rousskov at measurement-factory.com
Tue Jan 26 20:14:43 UTC 2021
On 1/26/21 1:54 PM, Milos Dodic wrote:
> when the test server goes for a picture I have stored somewhere in
> the cloud, the squid access log shows "TCP_TUNNEL/200". But when I
> try from the proxy itself with squidclient tool, I get
> "TCP_MEM_HIT/200"
Given the very limited information you have provided, I am guessing that
* the primary tests opens a CONNECT tunnel through Squid
* the squidclient test sends a plain text HTTP request to Squid
The final origin server destination may be the same in both tests, but
the two transactions are completely different from Squid point of view.
> ssl_bump peek step1 all
> ssl_bump peek step2 allowed_https_sites
> ssl_bump splice step3 allowed_https_sites
> ssl_bump terminate step3 all
AFAICT, this configuration is splicing or terminating all TLS traffic.
No bumping at all. If you want your Squid to bump TLS tunnels, then you
have to have at least one "bump" rule!
I do not know what your overall SslBump needs are, but perhaps you meant
something like the following?
acl shouldBeBumped ssl::server_name .amazonaws.com
ssl_bump stare all
ssl_bump bump shouldBeBumped
ssl_bump terminate all
Please do not use the configuration above until you understand what it
does. Please see https://wiki.squid-cache.org/Features/SslPeekAndSplice
for details.
Depending on your environment, the http_access rules may need to be
adjusted to allow CONNECT requests (to TLS-safe ports) to IP addresses
that do not result in .amazonaws.com in reverse DNS lookups.
HTH,
Alex.
More information about the squid-users
mailing list