[squid-users] Squid with ssl-bumping and parent-proxy

From: Dura Zell <dura-zell_at_dynamik.ddns.net>
Date: Mon, 03 Feb 2014 10:32:53 +0100

Hi

I'm trying to set up a configuration like this:

Internet -> squid1 <--> Clients
              |
            squid2

Squid1 runs on my firewall as an interception proxy and should forward all
requests to squid2, which should be the "real" proxy, doing
content-inspection, virus-scanning and so on.

The Clients have no direct access to squid2, which sits separated from
the rest of my network and is the only machine allowed to access the
internet.

This works fine with http requests. I configured squid2 as parent and
disabled caching on squid1. All requests are now forwarded to squid2.

This doesn't work with https-requests. When I configure squid1 to
forward https to squid2, I get an error message where it complains about
being unable to forward my request to any parent.

So, I have two questions now:

1. Is it possible to bump ssl request in a configuration like mine?

2. If not, what is the correct way to implement the above-mentioned
configuration?

Here are my configfiles:
###############
#squid1 (running on firewall, forwarding requests to squid2)
# Flat squid.conf.  http_access and ssl_bump are each evaluated top-down,
# first match wins, so line order inside each ruleset matters.
# Level 1 for all debug sections, section 33 (client-side) at level 2.
debug_options ALL,1 33,2
# The whole 192.168.0.0/16 range counts as local clients.
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
# Request-scheme ACLs; used below to pick the parent peer per scheme.
acl httptraffic proto http
acl httpstraffic proto https

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost
# ssl_bump is a separate ruleset from http_access, so placing these two
# lines between http_access rules changes neither ruleset's order -- it is
# just easy to misread.  server-first: Squid fetches the origin server's
# certificate before generating the one presented to the client.
ssl_bump server-first localnet
ssl_bump server-first localhost
http_access deny all

# 3128: explicit forward proxy; 3129: intercepted plain HTTP;
# 3130: intercepted HTTPS, bumped with the CA named below.  The https_port
# directive appears wrapped over three lines here (mail wrapping) --
# presumably a single directive line in the real squid.conf; verify.
# ca.key signs every generated host certificate; every client that trusts
# ca.crt trusts whatever this key signs, so its file permissions on the
# firewall deserve the same care as the firewall's own credentials.
http_port 192.168.200.1:3128
http_port 192.168.200.1:3129 intercept
https_port 192.168.200.1:3130 intercept ssl-bump
generate-host-certificates=on cert=/usr/local/etc/ssl/ca.crt
key=/usr/local/etc/ssl/ca.key dynamic_cert_mem_cache_size=4MB

# Certificate-generation helper.  NOTE(review): "-s var/lib/ssl_db" is a
# relative path, resolved against the helper's working directory -- confirm
# this is intended (the usual form is an absolute path such as /var/lib/ssl_db).
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s var/lib/ssl_db -M 4MB
sslcrtd_children 5
# squid1 is a pure forwarder: nothing is cached here (see the mail body).
cache deny all

coredump_dir /var/squid/cache/squid

# Two peers on the same host: plain requests go to 3128, https requests to
# 3130 (squid2's ssl-bump port).  Neither cache_peer line carries the
# "ssl" option, so the squid1 -> squid2 hop is plain HTTP; any bumped
# (already decrypted) request relayed this way crosses that link in the
# clear.  If that hop leaves the firewall host, consider "ssl" on the peer.
cache_peer proxy.mynetwork.test parent 3128 0 no-query name=proxyhttp
cache_peer proxy.mynetwork.test parent 3130 0 no-query name=proxyhttps
cache_peer_access proxyhttp allow httptraffic
cache_peer_access proxyhttps allow httpstraffic
# "never_direct allow all" forces every request through a peer, so the
# "unable to forward to any parent" error means no peer was usable for
# that request.  NOTE(review): whether the "proto https" ACL matches a
# bumped request at peer-selection time, and whether server-first bumping
# needs a direct origin connection in this Squid version, cannot be
# determined from this file -- confirm against the Squid release in use.
# never_direct allow httptraffic
never_direct allow all

# Stock refresh rules; with "cache deny all" above nothing is stored for
# them to govern.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
###############
#squid2 (processes all requests from squid1)
# The mail body says only squid1 can reach squid2, yet this ACL admits the
# whole /16.  Consider narrowing it to squid1's own address
# (192.168.200.1 in the squid1 config) so nothing else on the LAN can use
# this proxy directly should the network separation ever fail.
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

# Default Safe_ports list from the stock squid.conf.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Same standard access ruleset as squid1; evaluated top-down, first match wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost
# ssl_bump applies to CONNECT requests arriving on the ssl-bump port (3130).
# NOTE(review): a request squid1 already bumped would arrive as a plain
# request rather than a CONNECT; whether squid1 relays CONNECTs here at all
# is the open question in the mail, so it is unclear these rules ever fire.
ssl_bump server-first localnet
ssl_bump server-first localhost
http_access deny all

# 3128: plain HTTP from squid1; 3130: CONNECT bumping using the same CA
# cert/key paths as squid1 (wrapped over three lines here; presumably one
# directive line in the file).  If this is the same key file, the CA
# private key now exists on two hosts and both copies need equal protection.
# No sslcrtd_program is set here, so presumably the compiled-in default
# helper and certificate database are used -- verify.
http_port 3128
http_port 3130 ssl-bump generate-host-certificates=on
cert=/usr/local/etc/ssl/ca.crt key=/usr/local/etc/ssl/ca.key
dynamic_cert_mem_cache_size=4MB

# Only squid2 caches: 100 MB ufs store, 16 first-level / 256 second-level dirs.
cache_dir ufs /var/cache/squid 100 16 256

# Core dumps go to a different tree than the cache_dir above.
coredump_dir /var/squid/cache/squid
# Stock refresh rules.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320