Re: [squid-users] https traffic via cache peer with SSL termination enabled on downstream proxy

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 12 Jun 2012 02:17:38 +0300

You can use two cache_peers for the same host, then name them differently
with "name=" and use a CONNECT method ACL to allow access to the
SSL-encrypted upstream connection.

Eliezer

On 11/06/2012 16:00, nipun_mlist Assam wrote:
> Hi All,
>
> I have a configuration as given below:
>
> client<------> downstream-proxy<------> upstream-proxy<-------> cloud
>
> downstream proxy is always squid, while upstream proxy is either squid
> or bluecoat.
> When SSL termination is enabled on the downstream proxy, I noticed traffic
> between the downstream and upstream proxy is not encrypted. That results
> in failures when the upstream proxy is Bluecoat. It returns a "400 Bad
> request" error.
> The root cause is bluecoat always wants "https" traffic to be encrypted.
> For example, if the data below (a plain-text request for
> https://accounts.google.com) is sent to Bluecoat, Bluecoat will return
> a "400 Bad request" error, but squid will happily get the response and
> send it back to the client program.
>
> GET https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2
> HTTP/1.1
> Accept: image/jpeg, application/x-ms-application, image/gif,
> application/xaml+xml, image/pjpeg, application/x-ms-xbap,
> application/vnd.ms-excel, application/vnd.ms-powerpoint,
> application/msword, */*
> Accept-Language: en-IN
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;
> Trident/4.0; GTB7.3; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729;
> .NET CLR 3.0.30729; Media Center PC 6.0)
> Accept-Encoding: gzip, deflate
> Host: accounts.google.com
> Via: 1.1 taarusg (squid/3.1.11)
> X-Forwarded-For: 192.168.119.8
> Cache-Control: max-age=259200
> Connection: keep-alive
>
>
>
> On the other hand, if I disable SSL termination on the downstream
> proxy, everything works just fine.
> My requirement is that HTTP traffic between the upstream and downstream proxy
> should always be unencrypted, while in the case of HTTPS, traffic
> between the downstream and upstream proxy should never be unencrypted.
> How can I configure the downstream squid to always use "HTTP CONNECT" in
> the case of HTTPS, even when SSL termination is enabled on the downstream
> proxy?
> Any help is greatly appreciated.
>
> Regards,
> Nipun Talukdar
> Bangalore
> India

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
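The two-peer layout Eliezer describes, written out as a downstream squid.conf fragment. This is an added example, not configuration posted in the thread; the upstream address 192.0.2.10, its plain port 3128, its TLS-wrapped proxy port 3129 and the CA file path are assumptions for illustration.

```conf
# Downstream squid.conf fragment (added example, not from the thread).
# Assumed: the upstream proxy is reachable at 192.0.2.10, accepts plain
# HTTP on 3128 and a TLS-wrapped proxy connection on 3129 (hypothetical),
# and its listener certificate chains to /etc/squid/upstream-ca.pem.

# Same upstream host twice, told apart by name=.
# The "ssl" option makes Squid wrap its connection to that peer in TLS.
cache_peer 192.0.2.10 parent 3128 0 no-query name=upstream-plain
cache_peer 192.0.2.10 parent 3129 0 no-query ssl sslcafile=/etc/squid/upstream-ca.pem name=upstream-tls

# CONNECT tunnels, plus https:// URLs that SSL termination has turned
# into ordinary requests.
acl CONNECT method CONNECT
acl HTTPS_URL proto HTTPS

# Anything that was HTTPS on the client side may only use the TLS peer ...
cache_peer_access upstream-tls allow CONNECT
cache_peer_access upstream-tls allow HTTPS_URL
cache_peer_access upstream-tls deny all

# ... and everything else stays on the plain-HTTP peer.
cache_peer_access upstream-plain deny CONNECT
cache_peer_access upstream-plain deny HTTPS_URL
cache_peer_access upstream-plain allow all

# Never go direct; both paths must pass through the upstream proxy.
never_direct allow all
```

Two caveats. The "ssl" peer option encrypts the whole downstream-to-upstream hop, so the upstream has to expose a TLS-wrapped proxy listener on that port (on Squid that is an https_port); a plain http_port will not do. And what travels inside that encrypted hop is still the terminated "GET https://..." request, not a CONNECT, so whether the Bluecoat accepts it in that form is not settled by this thread and needs to be checked against the upstream.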
Received on Mon Jun 11 2012 - 23:17:45 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 12 2012 - 12:00:03 MDT