Re: [squid-users] Transparent HTTPS & Parent proxy from Amos Jeffries on 2012-09-08 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 09 Sep 2012 00:09:30 +1200

On 8/09/2012 11:48 p.m., Mike Mitchell wrote:
> I have several clients that cannot be reconfigured to use a PAC file or
> proxy, their traffic must be intercepted. They are all behind a Cisco
> firewall. I've set up WCCP and am intercepting both the HTTP and
> HTTPS traffic, using two different service groups and two different
> proxy ports.
>
> One problem I had with the Cisco firewall was that it insisted on having
> the Squid proxy on the same network as the other clients. Since I do
> not want that network to have direct access to the Internet, I'm chaining
> the local squid to another squid process on a different network. It looks
> like
> client -> squid1 -> squid2 -> internet
> where the squid1 process is picking up the traffic via WCCP and squid2
> is a cache_peer (parent) of squid1.
>
> It all works well for HTTP traffic, but I have yet to get HTTPS traffic to
> work. WCCP is intercepting the traffic and squid1 is seeing it, but an
> error page is returned to the client saying "Unsupported Request
> Method and Protocol"

Which proxy is generating it? I suspect the squid2 has no SSL support
built in or configured.

>
> I've tried both
> https_port 4433 cert=myCA.pem intercept
> and
> https_port 4433 cert=myCA.pem intercept ssl-bump

This second one is correct. However for better results use the 3.HEAD
packages and dynamic certificate generation.

> but I get the same behaviour with both.
> I do have
> ssl_bump allow all
> never_direct allow all
> in the configuration.
>
> Am I missing something simple? Is it just not possible yet with a parent
> proxy? I realize the request will have to be converted from a GET to a
> CONNECT. It would not surprise me if the conversion hasn't been
> implemented yet.

The squid1 is meant to pass a regular request for https:// URL to
squid2. Both squid require SSL support, squid1 to recieve HTTPS traffic
and squid2 to make the outbound HTTPS connections (also sslproxy_*
options configured for squid2 to make those outbound with). It is a good
idea to SSL-encrypt the channel between them explicitly to ensure
end-to-end security, but not mandatory.

>
> This is with squid 3.2.1.
>
> Mike Mitchell
> Mike.Mitchell_at_sas.com
>
Received on Sat Sep 08 2012 - 12:09:43 MDT

This archive was generated by hypermail 2.2.0 : Sun Sep 09 2012 - 12:00:02 MDT