Re: [squid-users] SSL interception: no hits

From: Damir Cosic <damir_at_fatpipeinc.com>
Date: Tue, 10 Jan 2012 23:36:27 -0500

Amos, right on! It works with 3.1.18. Thank you very much!

On 1/10/12 6:36 PM, Amos Jeffries wrote:
> On 11.01.2012 06:33, Damir Cosic wrote:
>> Hello,
>>
>> I am trying to configure a Squid (v3.1.11) proxy for SSL connections
>> between hosts on the LAN and servers on the internet. The traffic is
>> routed through the host on which Squid runs and iptables are used to
>> redirect traffic to ports 80 and 443 to ports 3128 and 3130,
>> respectively. Simple HTTP caching works well. First attempt is a miss
>> and subsequent ones are hits. For HTTPS, however, there are no hits,
>> only misses, even though the requested page is in Squid's cache. I
>> would greatly appreciate any help.
>>
>> The Squid configuration is based on the default file, with the following
>> modifications (I understand that some of these are security risks, but
>> currently it is in testing environment and the only goal is to make it
>> work):
>>
>> http_port 3128 intercept
>> https_port 3130 intercept ssl-bump cert=/etc/certs/beta-srv.crt
>> key=/etc/certs/beta-srv.key
>> always_direct allow all
>> ssl_bump allow all
>> sslproxy_cert_error allow all
>>
>> The log entry when a client attempts to retrieve a page from a server:
>>
>> Jan 2 23:51:10 beta squid: 1325573470.788 25 192.168.10.2
>> TCP_MISS/200 388 GET https://192.168.11.2/ - DIRECT/192.168.11.2
>> text/html
>>
>> The cache file (the garbled part at the beginning is left out):
>>
>> https://192.168.11.2/^@HTTP/1.1 200 OK^M
>> Date: Sat, 07 Jan 2012 21:22:42 GMT^M
>> Server: Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0d^M
>> Last-Modified: Fri, 06 Jan 2012 16:25:09 GMT^M
>> ETag: "10d-31-4b5de7e0d2340"^M
>> Accept-Ranges: bytes^M
>> Content-Length: 49^M
>> Keep-Alive: timeout=5, max=100^M
>> Connection: Keep-Alive^M
>> Content-Type: text/html^M
>> ^M
>> <html><body><h1>It is secure!</h1></body></html>
>>
>> Please let me know if some other information would be useful.
>
> Well, that is certainly cacheable, which explains why it is in the
> cache ;)
>
> BUT,
> * what are the client request headers? It is possible and in some
> agents likely that they are requesting re-validation and new content
> to be fetched.
>
> * does a newer version work better? ssl-bump is only supported well
> in the 3.1.13 and later releases. Please try a newer release and see
> if the problem disappears.
>
> Amos
>
Received on Wed Jan 11 2012 - 04:36:35 MST
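As an added example that is not part of the thread above (it is neither the poster's nor the Squid project's code): a small Python parser for the native access.log layout shown in the post, used to check whether repeated HTTPS requests ever produce a hit and how many of the misses were forced by the client's own request headers, which is the first thing Amos asks about. The syslog prefix handling, the grouping of Squid result codes and the sample log lines are assumptions; the sample lines are constructed here, modelled on the one in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample, modelled on the line in the post: one HTTP URL that is a miss
# then a hit, and one HTTPS URL that only ever misses (the symptom in the thread).
SAMPLE_LOG = """\
Jan  2 23:50:01 beta squid: 1325573401.101 120 192.168.10.2 TCP_MISS/200 2201 GET http://192.168.11.2/index.html - DIRECT/192.168.11.2 text/html
Jan  2 23:50:05 beta squid: 1325573405.220 2 192.168.10.2 TCP_HIT/200 2209 GET http://192.168.11.2/index.html - NONE/- text/html
Jan  2 23:51:10 beta squid: 1325573470.788 25 192.168.10.2 TCP_MISS/200 388 GET https://192.168.11.2/ - DIRECT/192.168.11.2 text/html
Jan  2 23:51:15 beta squid: 1325573475.312 24 192.168.10.2 TCP_MISS/200 388 GET https://192.168.11.2/ - DIRECT/192.168.11.2 text/html
Jan  2 23:51:20 beta squid: 1325573480.900 30 192.168.10.3 TCP_CLIENT_REFRESH_MISS/200 388 GET https://192.168.11.2/ - DIRECT/192.168.11.2 text/html
"""

# Squid "native" access.log fields, as shown in the post:
#   timestamp elapsed client result/status bytes method url ident hierarchy/peer type
# re.search (not match) is used so that an optional syslog prefix
# ("Jan  2 23:51:10 beta squid: ") in front of the record is skipped.
NATIVE_RE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)


def parse_line(line):
    """Return a dict of fields for one native-format line, or None if it does not parse."""
    m = NATIVE_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["scheme"] = urlsplit(rec["url"]).scheme  # "http" or "https" for bumped traffic
    return rec


def classify(result):
    """Group Squid result codes into what matters for a hit-ratio check (assumed grouping)."""
    if "HIT" in result or result == "TCP_REFRESH_UNMODIFIED":
        return "hit"                      # served from cache (possibly after a 304)
    if result == "TCP_CLIENT_REFRESH_MISS":
        return "client_forced_miss"       # client sent no-cache / max-age=0: refetch on request
    if result.startswith("TCP_REFRESH"):
        return "revalidated"              # Squid's own revalidation fetched new content
    return "miss"


def summarize(lines):
    """Count hit/miss classes per URL scheme, e.g. {"https": {"miss": 2, ...}}."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats[rec["scheme"]][classify(rec["result"])] += 1
    return {scheme: dict(counts) for scheme, counts in stats.items()}


def never_hit_urls(lines, min_requests=2):
    """URLs requested at least min_requests times that never produced a hit."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            seen[rec["url"]].append(classify(rec["result"]))
    return sorted(url for url, classes in seen.items()
                  if len(classes) >= min_requests and "hit" not in classes)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for scheme, counts in sorted(summarize(lines).items()):
        print(scheme, counts)
    print("repeatedly requested, never hit:", never_hit_urls(lines))
```

Run it against a real access.log by replacing `SAMPLE_LOG` with the file contents; a large `client_forced_miss` count on the HTTPS side means the clients themselves are asking for revalidation, while plain misses on every repeat are the behaviour the thread attributes to the 3.1.11 ssl-bump code. Unrelated to the hit problem but worth remembering when copying the posted config: `sslproxy_cert_error allow all` makes Squid accept any upstream server certificate, so the bumped proxy will not notice a forged or expired certificate, which is why the poster flags it as acceptable only in a test environment.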

This archive was generated by hypermail 2.2.0 : Wed Jan 11 2012 - 12:00:02 MST