Re: [squid-users] transparent SSL and cache_peer

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 08 Mar 2014 18:20:54 +1300

On 8/03/2014 9:03 a.m., cyber_at_irc.pp.ru wrote:
> I have Squid Cache: Version 3.4.3 with --enable-ssl --enable-ssl-crtd
>
>
> In squid.conf:
>
> http_port 3128 transparent
> https_port 3129 transparent ssl-bump key=/etc/squid3/ssl/privkey.pem cert=/etc/squid3/ssl/newcert.pem
> ssl_bump client-first all
> sslproxy_flags DONT_VERIFY_PEER
> acl to_sniff dstdom_regex .com$
> cache_peer 192.168.56.100 parent 8888 0 no-query no-digest name=peer1
> cache_peer_access peer1 allow to_sniff
> cache_peer_access peer1 deny all
>
> Iptables rules:
> iptables -t nat -A PREROUTING -s 192.168.56.42 -p tcp --dport 80 -j REDIRECT --to-port 3128
> iptables -t nat -A PREROUTING -s 192.168.56.42 -p tcp --dport 443 -j REDIRECT --to-port 3129
>
> HTTP traffic successfully goes to the cache_peer, but HTTPS doesn't send
> any request to the cache_peer.
> If we disable "acl to_sniff dstdom_regex .com$", ssl_bump works fine. No
> errors in the log file.
>
> Why doesn't HTTPS send any request to the cache_peer?

Several reasons why Squid would not send HTTPS to that peer:

1) the cache_peer is insecure. Sending decrypted traffic to it
invalidates the use of TLS from the client.

2) Squid does not properly support generating new CONNECT messages to
re-encrypt the HTTPS traffic. This prevents sending secure traffic over
an insecure cache_peer like yours.

What errors are you seeing?

Amos
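A small configuration check for the risk Amos describes in point 1, added here as an example and not part of the thread or of Squid itself: it parses a squid.conf fragment (the one quoted above, embedded as constructed sample input) and reports any cache_peer that could receive bumped, decrypted HTTPS over a plaintext link, plus whether origin-server certificate verification has been disabled. The `ssl` cache_peer option and the `sslproxy_flags` comma syntax are standard Squid 3.x directives; the helper names are this example's own.

```python
from typing import Dict, List

# Constructed sample input: the squid.conf fragment quoted in the thread.
SQUID_CONF = """
http_port 3128 transparent
https_port 3129 transparent ssl-bump key=/etc/squid3/ssl/privkey.pem cert=/etc/squid3/ssl/newcert.pem
ssl_bump client-first all
sslproxy_flags DONT_VERIFY_PEER
acl to_sniff dstdom_regex .com$
cache_peer 192.168.56.100 parent 8888 0 no-query no-digest name=peer1
cache_peer_access peer1 allow to_sniff
cache_peer_access peer1 deny all
"""

def parse(conf: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument-token lists it was given."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if line:
            tokens = line.split()
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives

def is_bumping(d: Dict[str, List[List[str]]]) -> bool:
    """True if an ssl-bump listener exists and ssl_bump is not set to 'none'."""
    return any("ssl-bump" in args for args in d.get("https_port", [])) and \
        any(args and args[0] != "none" for args in d.get("ssl_bump", []))

def plaintext_bump_peers(conf: str) -> List[str]:
    """Peers that could receive decrypted HTTPS over an unencrypted link:
    bumping is on, the peer lacks the `ssl` option, and it is reachable
    (an explicit allow rule, or no cache_peer_access rules for it at all)."""
    d = parse(conf)
    if not is_bumping(d):
        return []
    access = d.get("cache_peer_access", [])
    restricted = {a[0] for a in access if a}
    allowed = {a[0] for a in access if len(a) > 1 and a[1] == "allow"}
    findings = []
    for args in d.get("cache_peer", []):       # host type http-port icp-port [options]
        host, opts = args[0], args[4:]
        name = next((o[len("name="):] for o in opts if o.startswith("name=")), host)
        if "ssl" not in opts and (name in allowed or name not in restricted):
            findings.append(name)
    return findings

def weak_peer_verification(conf: str) -> bool:
    """True if Squid is told to skip origin-server certificate checks."""
    flags = parse(conf).get("sslproxy_flags", [])
    return any("DONT_VERIFY_PEER" in a.split(",") for args in flags for a in args)
```

Run against the quoted config it reports `peer1`, the parent on port 8888, as a peer that would see decrypted client traffic in the clear.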
Received on Sat Mar 08 2014 - 05:21:05 MST

This archive was generated by hypermail 2.2.0 : Sat Mar 08 2014 - 12:00:05 MST