On 8/03/2014 9:03 a.m., cy...@irc.pp.ru wrote: > I have a Squid Cache: Version 3.4.3 this --enable-ssl --enable-ssl-crtd > > > In squid.conf: > > http_port 3128 transparent > https_port 3129 transparent ssl-bump key=/etc/squid3/ssl/privkey.pem > cert=/etc/squid3/ssl/newcert.pem > ssl_bump client-first all > sslproxy_flags DONT_VERIFY_PEER > acl to_sniff dstdom_regex .com$ > cache_peer 192.168.56.100 parent 8888 0 no-query no-digest name=peer1 > cache_peer_access peer1 allow to_sniff > cache_peer_access peer1 deny all > > Iptables rules: > iptables -t nat -A PREROUTING -s 192.168.56.42 -p tcp --dport 80 -j > REDIRECT --to-port 3128 > iptables -t nat -A PREROUTING -s 192.168.56.42 -p tcp --dport 443 -j > REDIRECT --to-port 3129 > > HTTP traffic is successfuly go to the cache_peer, but HTTPS don't send > any request to the cache_peer. > If we disable "acl to_sniff dstdom_regex .com$" ssl_bump work fine. No > errors in the log file. > > Why HTTPS don't send any request to the cache_peer?
Several reasons why Squid would not send HTTPS to that peer: 1) the cache_peer is insecure. Sending decrypted traffic to it invalidates the use of TLS from the client. 2) Squid does not properly support generating new CONNECT messages to re-encrypt the HTTPS traffic. This prevents sending secure traffic over insecure cache_peer like yours. What errors are you seeing? Amos
