Re: [squid-users] https traffic via cache peer with SSL termination enabled on downstream proxy

From: bnichols <mrnicholsb_at_gmail.com>
Date: Mon, 11 Jun 2012 08:42:46 -0700

On Mon, 11 Jun 2012 18:30:14 +0530
nipun_mlist Assam <nipunmlist_at_gmail.com> wrote:

> Hi All,
>
> I have a configuration as given below:
>
> client <------> downstream-proxy <------> upstream-proxy <------->
> cloud

I'm not sure what a cloud is, I think it's called the internet.

>
> downstream proxy is always squid, while upstream proxy is either squid
> or bluecoat.
> When SSL termination is enabled on the downstream proxy, I noticed traffic
> between the downstream and upstream proxy is not encrypted. That results
> in failures when the upstream proxy is bluecoat. It returns a "400 Bad
> request" error.
> The root cause is that bluecoat always wants "https" traffic to be
> encrypted. For example, if the data below (a plain-text request for
> https://accounts.google.com) is sent to bluecoat, bluecoat will return
> a "400 Bad request" error, but squid will happily get the response and
> send it back to the client program.
>
> GET https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2 HTTP/1.1
> Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: en-IN
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.3; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
> Accept-Encoding: gzip, deflate
> Host: accounts.google.com
> Via: 1.1 taarusg (squid/3.1.11)
> X-Forwarded-For: 192.168.119.8
> Cache-Control: max-age=259200
> Connection: keep-alive
>

Let ssl pass through your downstream proxy uncached, let your parent
proxy handle the ssl. Also, SSL is already encrypted, whether it's
being cached or not.

>
>
> On the other hand, if I disable SSL termination on the downstream
> proxy, everything works just fine.
> My requirement is that http traffic between the upstream and downstream
> proxy should always be non-encrypted, while in the case of HTTPS, traffic
> between the downstream and upstream proxy should never be non-encrypted.
> How can I configure the downstream squid to always use "HTTP CONNECT"
> for HTTPS even when SSL termination is enabled on the downstream
> proxy?
> Any help is greatly appreciated.
>
> Regards,
> Nipun Talukdar
> Bangalore
> India
Received on Mon Jun 11 2012 - 15:42:57 MDT
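As an added illustration of the two settings discussed in this thread (not configuration from either poster or from the Squid project), the squid.conf fragment below shows the downstream proxy's cache_peer line with and without TLS on the hop to the parent. It assumes Squid 3.1 built with --enable-ssl; the host name upstream.example.net, port 3128 and every certificate path are placeholders, and whether the parent accepts a TLS-wrapped proxy connection on that port is something to verify against that product's own documentation.

```conf
# Added example, not from the thread. Downstream Squid 3.1 squid.conf fragment.
# Host names, ports and certificate paths are placeholders.

# Terminate client TLS on this proxy (the "SSL termination" the thread describes).
# Bumped https:// requests are then forwarded to the parent as ordinary
# absolute-URI requests, e.g. "GET https://accounts.google.com/... HTTP/1.1".
http_port 3128 ssl-bump cert=/etc/squid/downstream-cert.pem key=/etc/squid/downstream-key.pem
ssl_bump allow all

# Weak: a plain cache_peer sends those bumped https:// requests to the parent
# in clear text on the inter-proxy link. Shown commented out.
# cache_peer upstream.example.net parent 3128 0 no-query default

# Corrected: the "ssl" peer option wraps every connection to the parent in TLS,
# so bumped https:// requests never cross the inter-proxy link unencrypted.
# sslcafile= pins the CA that signed the parent's certificate and ssldomain=
# names the identity expected in it, so the upstream hop is verified, not just encrypted.
cache_peer upstream.example.net parent 3128 0 no-query default ssl sslcafile=/etc/squid/upstream-ca.pem ssldomain=upstream.example.net

# Route everything through the parent; this box never connects out directly.
never_direct allow all

# The poster's working case ("disable SSL termination") corresponds to
# "ssl_bump deny all": CONNECT tunnels are then relayed to the parent intact
# and the parent sees end-to-end TLS rather than plain-text https:// requests.
# ssl_bump deny all
```

Note that with bumping enabled there is no setting that makes the downstream Squid re-emit a CONNECT for a request it has already decrypted; the choice is between not bumping (CONNECT reaches the parent untouched) and encrypting the proxy-to-proxy hop itself with the ssl peer option.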

This archive was generated by hypermail 2.2.0 : Mon Jun 11 2012 - 12:00:03 MDT