[squid-users] Squid 6.10 SSL-Bump Woes
Bryan Seitz
seitzbg at gmail.com
Wed Oct 9 19:40:02 UTC 2024
I have the following configuration:
http_port 3128 ssl-bump generate-host-certificates=on tls-cert=/etc/squid/ssl/myCA.pem
ssl_bump bump all
# BMCs return Cache-Control: private
reply_header_access Cache-Control deny all
reply_header_add Cache-Control "public, max-age=1800"
follow_x_forwarded_for allow all
http_access allow all
include /etc/squid/conf.d/*.conf
host_verify_strict off
tls_outgoing_options min-version=1.0 flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
sslproxy_cert_error allow all
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 5
cache_mem 8192 MB
cache_dir rock /cm/squid/squid 8192
buffered_logs on
access_log daemon:/var/log/squid/access.log logformat=squid
logfile_daemon /usr/lib/squid/log_file_daemon
cache_store_log daemon:/var/log/squid/store.log
log_mime_hdrs on
coredump_dir /var/spool/squid
shutdown_lifetime 2 seconds
max_filedesc 4096
workers 4
A curl will note the resource is stale (with new host), but I never get a
cache hit on subsequent retries:
Store log:
1728502393.992 RELEASE -1 FFFFFFFF 02000000000000003A632F0003000000 200 1728502382 -1 -1 application/json 1182/1182 GET https://10.170.31.77/redfish/v1/Oem/Supermicro/HGX_H100/Systems/HGX_Baseboard_0/Processors/GPU_SXM_4/ProcessorMetrics
1728502395.674 RELEASE -1 FFFFFFFF 02000000000000003B632F0002000000 200 1728502384 -1 -1 application/json 1182/1182 GET https://10.170.31.77/redfish/v1/Oem/Supermicro/HGX_H100/Systems/HGX_Baseboard_0/Processors/GPU_SXM_4/ProcessorMetrics
1728502408.317 RELEASE 00 00056924 04000000000000003C632F0001000000 200 1728420588 -1 1728422388 application/json 1189/1189 GET https://10.170.31.81/redfish/v1/Oem/Supermicro/HGX_H100/Systems/HGX_Baseboard_0/Processors/GPU_SXM_4/ProcessorMetrics
1728502408.318 RELEASE -1 FFFFFFFF 03000000000000003C632F0001000000 200 1728502404 -1 -1 application/json 1179/1179 GET https://10.170.31.81/redfish/v1/Oem/Supermicro/HGX_H100/Systems/HGX_Baseboard_0/Processors/GPU_SXM_4/ProcessorMetrics
1728502417.161 RELEASE -1 FFFFFFFF 05000000000000003C632F0001000000 200 1728502413 -1 -1 application/json 1179/1179 GET https://10.170.31.81/redfish/v1/Oem/Supermicro/HGX_H100/Systems/HGX_Baseboard_0/Processors/GPU_SXM_4/ProcessorMetrics
Response headers:
HTTP/1.1 200 Connection established
HTTP/1.1 200 OK
Link: <http://redfish.dmtf.org/schemas/v1/Z.v1_5_2.json>; rel=describedby
Allow: GET
Content-Length: 1179
Content-Type: application/json; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self';connect-src 'self' ws: wss:;frame-src 'self';img-src 'self' data:;object-src 'self';font-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';worker-src 'self' blob:;
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
OData-Version: 4.0
Date: Wed, 09 Oct 2024 19:35:50 GMT
Cache-Status: squid;detail=mismatch
Via: 1.1 squid (squid/6.10)
Connection: keep-alive
Cache-Control: public, max-age=1800
If I use a cache peer with MITMPROXY, squid will cache the results; however,
this is inefficient and slow.
--
Bryan Seitz
seitzbg at gmail.com
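
Added example, not part of the original post: a small decoder for the store.log lines quoted above, showing which RELEASE entries were memory-only (file number FFFFFFFF) and what freshness lifetime the one on-disk entry carried. The field order follows Squid's documented store.log layout; the names StoreEntry, parse_line and describe are hypothetical.

```python
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

class StoreEntry(NamedTuple):
    time: float      # when Squid logged the action
    action: str      # e.g. RELEASE, SWAPOUT
    dirno: str       # cache_dir index, -1 if none
    fileno: str      # swap file number, FFFFFFFF if never written to disk
    status: int      # HTTP status of the stored reply
    date: int        # Date header as epoch seconds
    expires: int     # expiry as epoch seconds, negative if none recorded
    url: str

    @property
    def memory_only(self) -> bool:
        return self.fileno.upper() == "FFFFFFFF"

    @property
    def lifetime(self) -> Optional[int]:
        # Freshness lifetime in seconds, when both timestamps are usable
        if self.date < 0 or self.expires < 0:
            return None
        return self.expires - self.date

def parse_line(line: str) -> StoreEntry:
    # time action dirno fileno hash status date lastmod expires type sizes method key
    f = line.split()
    if len(f) != 13:
        raise ValueError(f"expected 13 fields, got {len(f)}: {line!r}")
    return StoreEntry(float(f[0]), f[1], f[2], f[3], int(f[5]),
                      int(f[6]), int(f[8]), f[12])

def describe(e: StoreEntry) -> str:
    where = "memory-only" if e.memory_only else f"cache_dir {e.dirno}"
    if e.lifetime is None:
        fresh = "no expiry recorded"
    else:
        state = "stale" if e.time > e.expires else "fresh"
        fresh = f"lifetime {e.lifetime}s, {state} at {e.action}"
    return f"{urlsplit(e.url).hostname} {e.action} {where}: {fresh}"

# Two entries from the post above, wrapped lines rejoined
PATH = "/redfish/v1/Oem/Supermicro/HGX_H100/Systems/HGX_Baseboard_0/Processors/GPU_SXM_4/ProcessorMetrics"
SAMPLE = [
    "1728502408.317 RELEASE 00 00056924 04000000000000003C632F0001000000 200 "
    "1728420588 -1 1728422388 application/json 1189/1189 GET https://10.170.31.81" + PATH,
    "1728502408.318 RELEASE -1 FFFFFFFF 03000000000000003C632F0001000000 200 "
    "1728502404 -1 -1 application/json 1179/1179 GET https://10.170.31.81" + PATH,
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(describe(parse_line(line)))
```

On the quoted log, the only entry that reached cache_dir 00 carries a lifetime of 1800 seconds and was already stale when released; the entries released around it are memory-only with no expiry recorded.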