[squid-users] Re: https traffic via cache peer with SSL termination enabled on downstream proxy

From: nipun_mlist Assam <nipunmlist_at_gmail.com>
Date: Mon, 11 Jun 2012 19:30:16 +0530

To summarize, for the configuration below:
client <------> downstream-proxy <------> upstream-proxy <-------> cloud

Squid should do an HTTP CONNECT (for HTTPS traffic) to the upstream proxy
whenever "SSL termination" is enabled on the downstream proxy. Instead,
SSL termination results in a non-encrypted traffic flow
between the downstream proxy and the upstream proxy.

-Nipun

On Mon, Jun 11, 2012 at 6:30 PM, nipun_mlist Assam <nipunmlist_at_gmail.com> wrote:
> Hi All,
>
> I have a configuration as given below:
>
> client <------> downstream-proxy <------> upstream-proxy <-------> cloud
>
> The downstream proxy is always squid, while the upstream proxy is either squid
> or bluecoat.
> When SSL termination is enabled on the downstream proxy, I noticed that the traffic
> between the downstream and upstream proxy is not encrypted. That results
> in failures when the upstream proxy is bluecoat: it returns a "400 Bad
> Request" error.
> The root cause is that bluecoat always wants "https" traffic to be encrypted.
> For example, if the data below (a plain-text request for
> https://accounts.google.com) is sent to bluecoat, bluecoat will return
> a "400 Bad Request" error, but squid will happily get the response and
> send it back to the client program.
>
> GET https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2 HTTP/1.1
> Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: en-IN
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.3; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
> Accept-Encoding: gzip, deflate
> Host: accounts.google.com
> Via: 1.1 taarusg (squid/3.1.11)
> X-Forwarded-For: 192.168.119.8
> Cache-Control: max-age=259200
> Connection: keep-alive
>
>
>
> On the other hand, if I disable SSL termination on the downstream
> proxy, everything works just fine.
> My requirement is that HTTP traffic between the upstream and downstream proxy
> should always be non-encrypted, while in the case of HTTPS, traffic
> between the downstream and upstream proxy should never be non-encrypted.
> How can I configure the downstream squid to always use "HTTP CONNECT"
> for HTTPS even when SSL termination is enabled on the downstream
> proxy?
> Any help is greatly appreciated.
>
> Regards,
> Nipun Talukdar
> Bangalore
> India

-- 
Regards,
Nipun
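The failure mode in this thread is visible on the wire: once the downstream proxy has terminated TLS, the request reaching the upstream is an absolute-form `GET https://...` sent over plain HTTP, whereas a non-terminating proxy would have relayed a `CONNECT host:443` tunnel. The script below is an added example for this thread (it is not Squid code and not from the poster): it parses request heads captured on the downstream-to-upstream hop, classifies each as a CONNECT tunnel, a plain `http://` request, or an `https://` request leaked as cleartext, and for the leaked case builds the CONNECT request that should have been sent. The sample captures are constructed; the first request line is the one quoted in the post, and the function and constant names are this example's own.

```python
"""Audit requests seen on the downstream-proxy -> upstream-proxy hop.

Added example for this thread, not Squid code. It classifies each captured
request head as a CONNECT tunnel, a plain http:// request, or an https://
request relayed as cleartext HTTP (the failure mode the post describes), and
builds the CONNECT request that should have been sent instead. The sample
captures below are constructed; the GET line is the one quoted in the post.
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

CONNECT = "connect"
PLAIN_HTTP = "plain-http"
LEAKED_HTTPS = "leaked-https"
OTHER = "other"


@dataclass
class ProxyRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request(raw: bytes) -> ProxyRequest:
    """Parse an HTTP/1.x request head (request line plus CRLF-separated headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return ProxyRequest(method.upper(), target, version, headers)


def classify(req: ProxyRequest) -> str:
    """Say what a request on the inter-proxy link means for confidentiality.

    CONNECT keeps TLS end-to-end between client and origin; an absolute-form
    http:// URL is cleartext by design; an absolute-form https:// URL means the
    downstream has already terminated TLS and is forwarding the decrypted
    request over plain HTTP (what the upstream in the post rejects with 400).
    """
    if req.method == "CONNECT":
        return CONNECT
    scheme = urlsplit(req.target).scheme.lower()
    if scheme == "https":
        return LEAKED_HTTPS
    if scheme == "http":
        return PLAIN_HTTP
    return OTHER


def connect_request_for(https_url: str) -> bytes:
    """Build the CONNECT request a non-terminating proxy would send for this URL."""
    parts = urlsplit(https_url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError("expected an absolute https:// URL")
    authority = f"{parts.hostname}:{parts.port or 443}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")


def audit(captures: List[bytes]) -> List[dict]:
    """Classify every capture; leaked findings also carry the CONNECT that was due."""
    findings = []
    for raw in captures:
        req = parse_request(raw)
        kind = classify(req)
        finding = {"kind": kind, "method": req.method, "target": req.target,
                   "via": req.headers.get("via")}
        if kind == LEAKED_HTTPS:
            finding["should_have_sent"] = connect_request_for(req.target)
        findings.append(finding)
    return findings


def leaked_targets(captures: List[bytes]) -> List[str]:
    """Targets that were HTTPS for the client but cleartext on this hop."""
    return [f["target"] for f in audit(captures) if f["kind"] == LEAKED_HTTPS]


# Constructed captures (headers trimmed); the first request line is the post's.
SAMPLE_CAPTURES = [
    (b"GET https://accounts.google.com/ServiceLogin?service=mail&passive=true"
     b"&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default"
     b"&ltmplcache=2 HTTP/1.1\r\n"
     b"Host: accounts.google.com\r\n"
     b"Via: 1.1 taarusg (squid/3.1.11)\r\n"
     b"X-Forwarded-For: 192.168.119.8\r\n\r\n"),
    (b"CONNECT accounts.google.com:443 HTTP/1.1\r\n"
     b"Host: accounts.google.com:443\r\n"
     b"Via: 1.1 taarusg (squid/3.1.11)\r\n\r\n"),
    (b"GET http://mail.google.com/mail/ HTTP/1.1\r\n"
     b"Host: mail.google.com\r\n\r\n"),
]


if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURES):
        print(f["kind"], f["method"], f["target"])
        if "should_have_sent" in f:
            print("  fix:", f["should_have_sent"].decode("ascii").strip())
```

Run this over request heads captured between the two proxies (for example from a packet capture on the upstream's listening port): any `leaked-https` finding is exactly the traffic the poster wants to never see in the clear on that hop, and the accompanying CONNECT line is the form the upstream would have accepted.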
Received on Mon Jun 11 2012 - 14:00:25 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 11 2012 - 12:00:03 MDT