Re: [squid-users] SSL interception: no hits

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 11 Jan 2012 12:36:34 +1300

On 11.01.2012 06:33, Damir Cosic wrote:
> Hello,
>
> I am trying to configure a Squid (v3.1.11) proxy for SSL connections
> between hosts on the LAN and servers on the internet. The traffic is
> routed through the host on which Squid runs and iptables are used to
> redirect traffic to ports 80 and 443 to ports 3128 and 3130,
> respectively. Simple HTTP caching works well: the first attempt is a miss
> and subsequent ones are hits. For HTTPS, however, there are no hits,
> only misses, even though the requested page is in Squid's cache. I
> would greatly appreciate any help.
>
> The Squid configuration is based on the default file, with the following
> modifications (I understand that some of these are security risks, but
> currently it is in a testing environment and the only goal is to make it
> work):
>
> http_port 3128 intercept
> https_port 3130 intercept ssl-bump cert=/etc/certs/beta-srv.crt key=/etc/certs/beta-srv.key
> always_direct allow all
> ssl_bump allow all
> sslproxy_cert_error allow all
>
> The log entry when a client attempts to retrieve a page from a
> server:
>
> Jan 2 23:51:10 beta squid: 1325573470.788 25 192.168.10.2 TCP_MISS/200 388 GET https://192.168.11.2/ - DIRECT/192.168.11.2 text/html
>
> The cache file (the garbled part at the beginning is left out):
>
> https://192.168.11.2/^@HTTP/1.1 200 OK^M
> Date: Sat, 07 Jan 2012 21:22:42 GMT^M
> Server: Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0d^M
> Last-Modified: Fri, 06 Jan 2012 16:25:09 GMT^M
> ETag: "10d-31-4b5de7e0d2340"^M
> Accept-Ranges: bytes^M
> Content-Length: 49^M
> Keep-Alive: timeout=5, max=100^M
> Connection: Keep-Alive^M
> Content-Type: text/html^M
> ^M
> <html><body><h1>It is secure!</h1></body></html>
>
> Please let me know if some other information would be useful.

Well, that is certainly cacheable, which explains why it is in the
cache ;)

BUT,
  * what are the client request headers? It is possible and in some
agents likely that they are requesting re-validation and new content to
be fetched.

  * does a newer version work better? ssl-bump is only supported well in
the 3.1.13 and later releases. Please try a newer release and see if the
problem disappears.

Amos
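Amos's first point, as an added example that is not part of the thread: a small Python model of how a proxy decides between serving the stored object and revalidating it, using the response headers quoted above and Squid's default `refresh_pattern . 0 20% 4320`. The request-header handling is a simplified assumption for illustration, not Squid's actual refresh code.

```python
"""Classify one client request against the stored response quoted in the thread,
using Squid's default refresh_pattern . 0 20% 4320 (simplified model, an assumption)."""
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed from the cache object quoted above (body omitted).
STORED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 07 Jan 2012 21:22:42 GMT\r\n"
    "Last-Modified: Fri, 06 Jan 2012 16:25:09 GMT\r\n"
    'ETag: "10d-31-4b5de7e0d2340"\r\n'
    "Content-Type: text/html\r\n\r\n"
)

def parse_headers(raw):
    """CRLF header block -> dict with lower-cased names (status line skipped)."""
    hdrs = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs

def heuristic_lifetime(resp, min_s=0, pct=0.20, max_s=4320 * 60):
    """No Cache-Control/Expires in the response, so freshness is
    pct * (Date - Last-Modified), clamped to [min_s, max_s] (refresh_pattern)."""
    date = parsedate_to_datetime(resp["date"])
    last_mod = parsedate_to_datetime(resp["last-modified"])
    return min(max(min_s, pct * (date - last_mod).total_seconds()), max_s)

def classify(resp, req, now):
    """'HIT' (serve from cache), 'REVALIDATE' (client demands it) or 'STALE'."""
    cc = req.get("cache-control", "").lower()
    if "no-cache" in cc or "max-age=0" in cc or "no-cache" in req.get("pragma", "").lower():
        return "REVALIDATE"      # client headers alone explain a logged MISS
    age = (now - parsedate_to_datetime(resp["date"])).total_seconds()
    return "HIT" if age <= heuristic_lifetime(resp) else "STALE"

def demo():
    """Same object, three requests: plain, forced reload, and a day later."""
    resp = parse_headers(STORED_RESPONSE)
    t0 = parsedate_to_datetime(resp["date"])
    return [classify(resp, {}, t0 + timedelta(hours=1)),
            classify(resp, {"cache-control": "max-age=0"}, t0 + timedelta(hours=1)),
            classify(resp, {}, t0 + timedelta(days=1))]

if __name__ == "__main__":
    print(demo())   # ['HIT', 'REVALIDATE', 'STALE']
```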
Received on Tue Jan 10 2012 - 23:36:37 MST

This archive was generated by hypermail 2.2.0 : Wed Jan 11 2012 - 12:00:02 MST