Re: [squid-users] https traffic via cache peer with SSL termination enabled on downstream proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 12 Jun 2012 11:58:53 +1200

On 12.06.2012 11:17, Eliezer Croitoru wrote:
> You can use two cache_peers for the same host, then name them
> differently with a "name=" and use a CONNECT method ACL to allow
> access to the SSL-encrypted upstream connection.
>

Not quite. The downstream has terminated the TLS and Squid does not
wrap things in CONNECT. Squid uses "native" upstream connectivity which
may be over TLS or TCP links.

The encrypted cache_peer link needs to be set up with the "ssl" flag and
possibly related settings.

> Eliezer
>
> On 11/06/2012 16:00, nipun_mlist Assam wrote:
>> Hi All,
>>
>> I have a configuration as given below:
>>
>> client <------> downstream-proxy <------> upstream-proxy <------> cloud
>>
>> The downstream proxy is always Squid, while the upstream proxy is
>> either Squid or BlueCoat.
>> When SSL termination is enabled on the downstream proxy, I noticed
>> that traffic between the downstream and upstream proxy is not
>> encrypted. That results in failures when the upstream proxy is
>> BlueCoat. It returns a "400 Bad Request" error.

This is a mis-configuration and possibly a bug in BlueCoat.

* Bug in the BlueCoat in that it is not accepting https:// over
non-encrypted links. There are clients which need to send such and have
the proxy encrypt.

* Mis-configuration in that the HTTPS specification requires https:// URLs
to be sent over TLS-encrypted links. You should have the "ssl" flag on the
downstream cache_peer configuration to ensure TLS on the link between
downstream and upstream.

Amos
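A squid.conf fragment added here to illustrate the change Amos describes; it is not from the thread or from Squid's own documentation, and upstream.example.com, port 3128 and the CA bundle path are assumed placeholders:

```conf
# Added example (not from the thread): downstream Squid configuration.
# Hostnames, port and CA file path are assumed placeholders.

# Weak: plain-text link to the upstream proxy. The downstream has already
# terminated the client's TLS, so the https:// request line, headers and
# any credentials cross this hop in the clear, and a strict upstream
# (BlueCoat here) may reject the https:// URL with 400 Bad Request.
#cache_peer upstream.example.com parent 3128 0 no-query default

# Corrected: "ssl" wraps the peer connection in TLS. sslcafile= and
# ssldomain= make the downstream verify the upstream's certificate, so
# the link is authenticated as well as encrypted. Do not add
# sslflags=DONT_VERIFY_PEER, which would accept any certificate.
cache_peer upstream.example.com parent 3128 0 no-query default ssl sslcafile=/etc/squid/upstream-ca.pem ssldomain=upstream.example.com

# Force every request through the peer so nothing silently falls back to
# a direct connection when the encrypted peer link is unavailable.
never_direct allow all
```

After reloading, a packet capture on port 3128 between the two proxies should show a TLS handshake rather than a readable HTTP request line.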
Received on Mon Jun 11 2012 - 23:58:58 MDT
