RE: [squid-users] SQUID cache proxy with SSL (Version 3.0 STABLE-1)

From: Tomer Brand <tomer@dont-contact.us>
Date: Wed, 13 Feb 2008 12:38:22 +0200

Amos, I removed the max-age from the HTTP headers and SQUID kept the file
in the cache directory.
The problem is that only the first request needs to authenticate.
Is there any way I can configure SQUID / the back-end server to force
authentication on each request but still serve the data from the cache
dir?

Thank you.

-----Original Message-----
From: Amos Jeffries [mailto:squid3@treenet.co.nz]
Sent: Tuesday, February 12, 2008 13:43 PM
To: Tomer Brand
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] SQUID cache proxy with SSL (Version 3.0 STABLE-1)

Tomer Brand wrote:
> Hi,
>
> I am trying to configure squid to function as an SSL cache proxy for an
> authenticated object (using login=PASS in the cache_peer directive).
> To do that I've added the "cache-control=public, must-revalidate,
> max-age=0" directive to the back-end server whose files I would like to
> cache.
> This works great for me when configuring a non-SSL (port 6666)
> SQUID-based proxy.
> However, when I access the proxy using SSL (port 4444 below) the cache
> file is deleted every time and the cache is not used.

Which is what max-age=0 means: "never use again". I think, leave that
off and it will do IMS on each request.

>
> SQUID receives HTTPS requests, performs the SSL termination as
> expected, gets the data from the back-end server and saves the file to
> the cache directory.
>
> Then I pass SQUID an HTTP request, asking for the same file. SQUID
> serves the data from the cache.
> The next step is to ask for the same file with HTTPS. This time SQUID clears
> that file from the cache and downloads it from the back-end server.
>
> So I used Wireshark to identify the difference:
> SQUID passes the HTTP request using the If-None-Match header, while the
> HTTPS request doesn't contain this header.
>
> Anyone got any idea?
>
> Below is my squid.conf file:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl localhostdomain src 10.10.10.10
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 6666 # SQUID port
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow all
> icp_access allow localnet
> icp_access deny all
> htcp_access allow localnet
> htcp_access deny all
> https_port 4444 vhost vport cert=/home/tomer/Desktop/certificate.pem key=/home/tomer/Desktop/key.pem
> http_port 6666 vhost vport
> cache_peer 10.10.10.10 parent 8050 0 originserver default login=PASS
> cache_dir ufs /usr/local/squid/var/cache 100 16 256
> maximum_object_size 2097000 KB # A bit below 2 GB - SQUID maximum file size
> hierarchy_stoplist cgi-bin ?
> access_log /usr/local/squid/var/logs/access.log squid
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> icp_port 3130
> coredump_dir /usr/local/squid/var/cache
> visible_hostname ubuntu
>

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
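The behaviour the thread is circling around is the difference between a fresh cache hit (served without ever contacting the origin, so no credentials are checked) and a revalidation (a conditional request with If-None-Match that is forwarded to the origin together with the client's Authorization header, as cache_peer ... login=PASS does). The following is an added example, not Squid code and not from any poster in this thread: it simulates a constructed origin that demands credentials and a tiny shared cache, and runs the same three requests under the two Cache-Control policies discussed. The credential, the ETag, and the `heuristic_fresh` window (a stand-in for what refresh_pattern decides when no max-age is present) are all constructed assumptions.

```python
import time

# Constructed credential and object for the simulated origin (not real secrets).
VALID_AUTH = "Basic dG9tZXI6c2VjcmV0"  # "tomer:secret", constructed
BODY = b"confidential report"
ETAG = '"v1"'


def origin(headers, cache_control):
    """Constructed origin: 401 without credentials, 304 on a matching ETag, else 200."""
    if headers.get("Authorization") != VALID_AUTH:
        return 401, {}, b""
    resp = {"ETag": ETAG, "Cache-Control": cache_control}
    if headers.get("If-None-Match") == ETAG:
        return 304, resp, b""
    return 200, resp, BODY


def parse_cache_control(value):
    """Turn 'public, must-revalidate, max-age=0' into a directive dict."""
    directives = {}
    for token in value.split(","):
        token = token.strip().lower()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name] = int(arg) if arg.isdigit() else None
    return directives


class SharedCache:
    """Minimal shared cache: one stored entry, freshness by max-age or a heuristic."""

    def __init__(self, cache_control, heuristic_fresh=3600, clock=time.monotonic):
        self.cache_control = cache_control      # what the constructed origin will send back
        self.heuristic_fresh = heuristic_fresh  # assumed stand-in for refresh_pattern (seconds)
        self.clock = clock
        self.entry = None                       # {'body', 'etag', 'stored', 'cc'}

    def _is_fresh(self):
        cc = self.entry["cc"]
        age = self.clock() - self.entry["stored"]
        limit = cc["max-age"] if cc.get("max-age") is not None else self.heuristic_fresh
        return age < limit

    def get(self, client_headers):
        """Return (status, source); source is 'origin', 'cache' or 'cache-revalidated'."""
        # Forward the client's credentials to the origin, as login=PASS does.
        forwarded = {k: v for k, v in client_headers.items() if k == "Authorization"}
        if self.entry is not None and self._is_fresh():
            # Fresh hit: answered from the cache without contacting the origin,
            # so a client with no credentials still gets the object.
            return 200, "cache"
        if self.entry is not None:
            # Stale entry: revalidate with a conditional request.
            forwarded["If-None-Match"] = self.entry["etag"]
        status, headers, body = origin(forwarded, self.cache_control)
        if status == 304:
            # Origin accepted the credentials and the copy is unchanged.
            self.entry["stored"] = self.clock()
            return 200, "cache-revalidated"
        if status == 200:
            cc = parse_cache_control(headers["Cache-Control"])
            if "public" in cc:
                self.entry = {"body": body, "etag": headers["ETag"],
                              "stored": self.clock(), "cc": cc}
            return 200, "origin"
        # 401 or other failure: must-revalidate forbids serving the stale copy.
        return status, "origin"


def simulate(cache_control):
    """Three requests: authenticated, unauthenticated, authenticated again."""
    cache = SharedCache(cache_control)
    authed = {"Authorization": VALID_AUTH}
    return [cache.get(authed), cache.get({}), cache.get(authed)]


if __name__ == "__main__":
    for policy in ("public, must-revalidate, max-age=0", "public"):
        print(policy, "->", simulate(policy))
```

With `public, must-revalidate, max-age=0` every request is stale on arrival, so the unauthenticated second request is revalidated and rejected with 401 while the third is answered with the cached body after a 304. With plain `public` the entry is fresh under the heuristic window and the unauthenticated request is served straight from the cache, which is the "only the first request needs to authenticate" symptom described above.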
Received on Wed Feb 13 2008 - 03:42:37 MST

This archive was generated by hypermail pre-2.1.9 : Sat Mar 01 2008 - 12:00:05 MST