[squid-users] https traffic via cache peer with SSL termination enabled on downstream proxy

From: nipun_mlist Assam <nipunmlist_at_gmail.com>
Date: Mon, 11 Jun 2012 18:30:14 +0530

Hi All,

I have a configuration as given below:

client <------> downstream-proxy <------> upstream-proxy <-------> cloud

downstream proxy is always squid, while upstream proxy is either squid
or bluecoat.
When SSL termination is enabled on the downstream proxy, I noticed the traffic
between the downstream and upstream proxy is not encrypted. That results
in failures when the upstream proxy is Bluecoat: it returns a "400 Bad
Request" error.
The root cause is that Bluecoat always wants "https" traffic to be encrypted.
For example, if the data below (a plain-text request for
https://accounts.google.com) is sent to Bluecoat, Bluecoat will return
a "400 Bad Request" error, but Squid will happily get the response and
send it back to the client program.

GET https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif,
application/xaml+xml, image/pjpeg, application/x-ms-xbap,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Accept-Language: en-IN
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;
Trident/4.0; GTB7.3; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729;
.NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: accounts.google.com
Via: 1.1 taarusg (squid/3.1.11)
X-Forwarded-For: 192.168.119.8
Cache-Control: max-age=259200
Connection: keep-alive

On the other hand, if I disable SSL termination on the downstream
proxy, everything works just fine.
My requirement is that HTTP traffic between the upstream and downstream proxy
should always be unencrypted, while in the case of HTTPS, traffic
between the downstream and upstream proxy should never be unencrypted.
How can I configure the downstream Squid to always use "HTTP CONNECT"
for HTTPS, even when SSL termination is enabled on the downstream
proxy?
Any help is greatly appreciated.

Regards,
Nipun Talukdar
Bangalore
India
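The post describes two on-wire shapes for the same HTTPS URL: a bumping downstream proxy forwards a plain-text `GET https://host/path` (absolute-form) to its cache peer, while a non-bumping downstream proxy forwards `CONNECT host:443`. The probe below is an added example, not code from the poster or from the Squid project, that sends both shapes to an upstream proxy and reports the status code each one gets back, so you can confirm whether your peer behaves like the Bluecoat described above. It also embeds a constructed stand-in peer (hypothetical, runs on loopback) that rejects absolute-form https:// requests with 400 and accepts CONNECT, so the script runs offline; point `classify()` at a real proxy host and port to test the actual peer.

```python
"""Probe an upstream proxy with the two request forms a downstream proxy can emit for an HTTPS URL."""
import socket
import threading


def absolute_form_request(url_host, path="/"):
    """Request shape emitted by a downstream proxy that has terminated (bumped) the TLS session."""
    return (f"GET https://{url_host}{path} HTTP/1.1\r\n"
            f"Host: {url_host}\r\n"
            "Connection: close\r\n\r\n").encode()


def connect_request(url_host, port=443):
    """Request shape emitted by a downstream proxy that relays HTTPS as a tunnel."""
    return (f"CONNECT {url_host}:{port} HTTP/1.1\r\n"
            f"Host: {url_host}:{port}\r\n"
            "Connection: close\r\n\r\n").encode()


def probe(proxy_host, proxy_port, request, timeout=5.0):
    """Send one raw request to proxy_host:proxy_port and return the status code of its first response line."""
    data = b""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request)
        while b"\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def classify(proxy_host, proxy_port, url_host="accounts.google.com"):
    """Return the status code the proxy gives each request form, e.g. {'absolute_form': 400, 'connect': 200}."""
    return {
        "absolute_form": probe(proxy_host, proxy_port, absolute_form_request(url_host)),
        "connect": probe(proxy_host, proxy_port, connect_request(url_host)),
    }


# ---- constructed stand-in for a strict peer (hypothetical; not a real Bluecoat) ----

def _strict_peer_handler(conn):
    """Accept CONNECT, reject plain-text https:// absolute-form requests with 400, allow plain http."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
    elif parts[0] == b"CONNECT":
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    elif parts[1].lower().startswith(b"https://"):
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
    else:
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    conn.close()


def start_strict_peer():
    """Start the stand-in peer on a loopback port; returns the listening socket (close it to stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed
                return
            threading.Thread(target=_strict_peer_handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


if __name__ == "__main__":
    peer = start_strict_peer()
    host, port = peer.getsockname()
    print(classify(host, port))  # stand-in peer: {'absolute_form': 400, 'connect': 200}
    peer.close()
```

A peer that answers 400 to the absolute-form probe but 200 to the CONNECT probe is exactly the case the post describes: whatever the downstream proxy does with its bumped traffic has to reach that peer as a CONNECT (or not be bumped before the peer at all), because the peer will not accept a plain-text `GET https://...`.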
Received on Mon Jun 11 2012 - 13:00:23 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 12 2012 - 12:00:03 MDT