Re: [squid-users] Is it possible to send the connection, starting with the CONNECT, to cache-peer?

[Yuri Voinov]

Here is my testing config from test system. This is original
configuration, which is works well with HTTP but not with HTTPS.

I've tried to permit CONNECT access to cache_peer, config cache_peer as
ssl, splice forwarded URL's... without any result.

When I've turned URL into cache_peer -
access.log shows this:

1442336013.594   8060 127.0.0.1 TCP_TUNNEL/200 6833 CONNECT
www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336013.924  10802 127.0.0.1 TCP_TUNNEL/200 31810 CONNECT
www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.157   9315 127.0.0.1 TCP_TUNNEL/200 29088 CONNECT
www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.157   8664 127.0.0.1 TCP_TUNNEL/200 22643 CONNECT
www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.252   8677 127.0.0.1 TCP_TUNNEL/200 10701 CONNECT
www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -
1442336014.256   8678 127.0.0.1 TCP_TUNNEL/200 42904 CONNECT
www.torproject.org:443 - FIRSTUP_PARENT/127.0.0.1 -

bit nothing happens. IP's for this URL is banned by ISP. So, CONNECT has
no answer. And - site is strict HTTPS. Note: Bump can't start because
server no answers to CONNECT.

In some variants - whenever HTTP goes into cache_peer with ssl enabled -
Squid dies:

2015/09/15 23:24:27 kid1| assertion failed: PeerConnector.cc:116:
"peer->use_ssl"

In most cases Squid simple stops working.

always_direct state has no visible effect and no matter.
Excludind/including forwarded URL to splice directive is no matter.

I can't see any other error.

So, will be interesting - is it possible to forward HTTP/HTTPS for
specified URL to cache_peer without decrypting.

And I do not understand how to make this correctly.

16.09.15 0:15, Matus UHLAR - fantomas пишет:
> On 15.09.15 23:42, Yuri Voinov wrote:
>> I asked a specific question. How does Squid as a whole - I am well
>> aware. Before asking a question - I tried everything I seemed right. And
>> I asked, hoping to get a specific answer or intelligible explanation,
>> not the common words and sentences to read the manual. I outlined the
>> position quite clear?
>
> so, have you tried cache_peer with dst acl or have you not?
>
>> If you do not know the exact answer - it is better to remain silent.
>
> you did not provide enough informations, you did not tell what you
> did, you
> did not mention basic information like using sslbump and now you are
> telling
> me not even try to help you?
>
> with this attitude I will just ignore you for next time no matter if I
> can
> help you or not.


# -------------------------------------
# ACL's
# -------------------------------------
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) 
machines

acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# No-cache ACLs
acl dont_cache dstdomain rulesofwargame.com imgur.com

# Privoxy+Tor acl
acl tor_url url_regex "C:/Squid/etc/squid/url.tor"

# -------------------------------------
# Access parameters
# -------------------------------------
# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

# Rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# Cache directives
cache deny dont_cache

# Hide internal networks details outside
forwarded_for delete
via off

# Disable alternate protocols
reply_header_access Alternate-Protocol deny all
# Disable HSTS
reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
# Normalize Vary to reduce duplicates
reply_header_access Vary deny all
reply_header_replace Vary Accept-Encoding

# SSL bump rules
sslproxy_cert_error allow all
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
acl NoSSLIntercept ssl::server_name_regex -i localhost \.icq\.* kaspi\.kz
ssl_bump splice NoSSLIntercept
ssl_bump bump all

# Privoxy+Tor access rules
never_direct allow tor_url
always_direct deny tor_url
always_direct allow all

# And finally deny all other access to this proxy
http_access deny all

# -------------------------------------
# HTTP parameters
# -------------------------------------

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

# Don't cache 404 long time
negative_ttl 5 minutes
positive_dns_ttl 15 hours
negative_dns_ttl 15 minutes

# -------------------------------------
# Cache parameters
# -------------------------------------
# Squid normally listens to port 3128
#          dhparams=    File containing DH parameters for temporary/ephemeral
#                       DH key exchanges. See OpenSSL documentation for details
#                       on how to create this file.
#                       WARNING: EDH ciphers will be silently disabled if this
#                                option is not set.
http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/rootCA.crt 
key=/etc/squid/rootCA.key options=NO_SSLv3 dhparams=/etc/squid/dhparam.pem
sslproxy_cafile /etc/ssl/certs/ca-bundle.trust.crt
sslproxy_options NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher 
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /lib/squid/ssl_crtd -s /var/cache/squid_ssldb -M 4MB

# Turn off collect per-client statistics
client_db off

# Hide internal networks details outside
via off
forwarded_for delete

# Do not show Squid version
httpd_suppress_version_string on

# Specify local DNS cache
dns_nameservers 127.0.0.1
positive_dns_ttl 15 hours

visible_hostname cthulhu_jr

dns_v4_first on

# -------------------------------------
# Store parameters
# -------------------------------------
# Uncomment and adjust the following to add a disk cache directory
cache_dir aufs D:/squid/var/cache 8192 16 256

# -------------------------------------
# Memory parameters
# -------------------------------------
cache_mem 256 Mb
maximum_object_size_in_memory 5 Mb
maximum_object_size 4 Gb
memory_pools_limit 100 MB

# -------------------------------------
# Tuning parameters
# -------------------------------------
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA

# Default is 20
store_objects_per_bucket 128

# Shutdown delay before terminate connections
shutdown_lifetime 1 second

# -------------------------------------
# Process/log parameters
# -------------------------------------
# Access log
access_log daemon:D:/squid/var/logs/access.log squid

logfile_rotate 5

# Cache log
cache_log D:/squid/var/logs/cache.log

# Store log
cache_store_log none

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Buffered logs. Default is off
buffered_logs on

strip_query_terms off

# -------------------------------------
# Content parameters
# -------------------------------------
quick_abort_min 100 KB
quick_abort_max 1 MB
quick_abort_pct 80

# Keep swf in cache
refresh_pattern -i \.swf$       10080   100%    43200   override-expire 
reload-into-ims ignore-private
# .NET cache
refresh_pattern -i \.((a|m)s(h|p)x?)$           10080   100%    43200   
reload-into-ims ignore-private
# Other long-lived items
refresh_pattern -i 
\.(jp(e?g|e|2)|gif|png|tiff?|bmp|ico|svg|webp|flv|f4f|mp4|ttf|eot|woff)(\?.*)?$ 
     14400   99%     518400   override-expire ignore-reload reload-into-ims 
ignore-private ignore-must-revalidate
refresh_pattern -i 
\.((cs|d?|m?|p?|r?|s?|w?|x?|z?)h?t?m?(l?)|(c|x|j)ss|js(t?|px)|php(3?|5?)|rss|atom|vr(t|ml))(\?.*)?$
  10080   90%     86400   override-expire override-lastmod reload-into-ims 
ignore-private ignore-must-revalidate
# Default patterns
refresh_pattern -i (/cgi-bin/|\?)       0       0%      0
refresh_pattern .       0       20%     10080   override-lastmod 
reload-into-ims ignore-private
##
^https?.*archive\.org.*
^https?.*livejournal\.com.*
#^https?.*wordpress\.com.*
#^https?.*youtube.*
#^https?.*ytimg.*
#^https?.*googlevideo.*
#^https?.*google.*
#^https?.*googleapis.*
#^https?.*googleusercontent.*
#^https?.*gstatic.*
#^https?.*gmodules.*
#^https?.*blogger.*
#^https?.*blogspot.*
#^https?.*facebook.*
#^https?.*fb.*
https?.*torproject.*
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users