Re: [squid-users] Squid to Cache Peer SSL

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 06 Feb 2013 14:29:15 +1300

On 6/02/2013 1:58 p.m., Brooks Lyrette wrote:
> Hey All,
>
> I've been racking my brain trying to figure out how to get this
> configured. I'm looking to get the following working:
>
> Client <-- Over SSL --> Squid <-- Over SSL --> Accel Server
>
> I'm using Squid Cache (Version 3.1.10)
>
> I have the connection from the client to the server over SSL working
> with the following configuration:
>
> ----
> https_port 443 accel cert=site.crt key=site.key
> defaultsite=dev.foo.com accel vhost
> ignore_expect_100 on
>
> cache_peer <server_ip> parent 80 0 no-query originserver name=foo
>
> acl sites_server_3 dstdomain dev.foo.com
> cache_peer_access foo allow sites_server_3
> http_access allow sites_server_3
>
> http_access deny all
> ----
>
> From the documentation and examples I tried changing this configuration
> to make the Squid to Accel Server happen over SSL.
>
> ---
> https_port 443 accel cert=site.crt key=site.key
> defaultsite=dev.foo.com accel vhost
> ignore_expect_100 on
>
> cache_peer <server_ip> parent 443 0 no-query originserver ssl
> sslflags=DONT_VERIFY_PEER name=foo
>
> acl sites_server_3 dstdomain dev.foo.com
> cache_peer_access foo allow sites_server_3
> http_access allow sites_server_3
>
> http_access deny all
> ---
>
> When using this configuration Squid hangs on the connection. It also
> takes 100% CPU. It never replies to the HTTP request, nor does it add
> any entries to cache.log or access.log.
>
> Am I missing something obvious?

The above config seems correct for https://dev.foo.com/, apart from the
"vhost" setting, which is not supported well on https_port with a single
static certificate.

  * It is possible you are having firewall or PMTU, ECN, Windows scaling
issues - all the normal causes of hanging connections.

  * It is possible your client software is using the Expect:
100-continue feature, which you have configured to be ignored - the side
effect of ignoring is that when Expect: is not available (it is not
available in squid-3.1) the client will hang until it times out and
re-tries using suitable HTTP/1.0 features.

Please try upgrading your Squid; the current supported version is 3.2.7.

Amos
Received on Wed Feb 06 2013 - 01:29:21 MST
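
As an added example (not part of the thread above), here is the cache_peer line from the quoted configuration with its weak `sslflags=DONT_VERIFY_PEER` setting beside a verifying form. `DONT_VERIFY_PEER` makes Squid accept whatever certificate the origin presents, so the Squid-to-origin hop is encrypted but not authenticated and a man-in-the-middle on that hop would go unnoticed. Squid 3.1's `sslcafile=` and `ssldomain=` cache_peer options let Squid verify the origin's certificate chain and the name it was issued to instead. The CA file path `/etc/squid/origin-ca.pem` is an assumed placeholder; `<server_ip>`, `dev.foo.com` and `name=foo` are taken from the configuration quoted above.

```conf
# Weak (commented out): TLS to the origin, but certificate verification is
# switched off, so a self-signed, expired or wrong-host certificate is accepted.
#cache_peer <server_ip> parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=foo

# Hardened: verify the origin certificate against a CA bundle you trust.
# Because the peer is addressed by IP, Squid would otherwise compare the
# certificate name against <server_ip>; ssldomain= names the hostname the
# origin's certificate was actually issued to.
# /etc/squid/origin-ca.pem is an assumed path; put the CA that signed the
# origin's certificate there (PEM format).
cache_peer <server_ip> parent 443 0 no-query originserver ssl sslcafile=/etc/squid/origin-ca.pem ssldomain=dev.foo.com name=foo

acl sites_server_3 dstdomain dev.foo.com
cache_peer_access foo allow sites_server_3
http_access allow sites_server_3
http_access deny all
```

Only one of the two cache_peer lines may be active at a time, since both use `name=foo`. With verification enabled, a certificate problem on the origin shows up as a TLS handshake failure logged in cache.log rather than a silently accepted connection, which is also a useful first check when the peer link misbehaves.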