Re: [squid-users] How to proxy a parent Squid SSL proxy?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 06 Jul 2009 11:27:21 +1200

fulan Peng wrote:
> Hi, Everybody!
>
> I have a Squid ssl proxy server(3.0.16Stable) running listening 8443.
> Now I want to set up another Squid to proxy it again with SSL between
> them.
> The second Squid serves http requests to browsers.
>
> Now I use my browser and try to connect the second Squid, it won't work.
>
> I made self-signed certificates for the first Squid.
>
> Could you please help me out the the squid.conf as following:

You state a usage as a normal forward-proxy and yet are running a
strange mix of reverse and forward-proxy configuration.

Is this in fact a normal forward-proxy?

This is hard to be fully true without full information about the config.
But here is a try. Assuming that the 'unrelated' bits you cut out really
are unrelated...

>
> ################################################################
> cache_peer proxy.website.com parent 8443 0 no-query originserver name=b2
>

"cache_peer proxy.website.com parent 8443 0"
  - Sets up a link to pass requests to a source operating on port 8443
at the location where DNS says proxy.website.com exists.

"... no-query" indicates that ICP cache tests are not to be sent (default
IIRC on parent links).

"... originserver"
   - says that the source is a regular web server.

NOTE: there are no settings to say this is HTTPS, therefore Squid will be
trying to use regular HTTP to talk to the web server.

To match your stated usage you will need to drop the 'originserver' and
add 'ssl' option and maybe some other related ssl*= options.

  see http://www.squid-cache.org/Doc/config/cache_peer/

> sslproxy_flags DONT_VERIFY_PEER
>

I think you need to change this to the 'cache_peer ...
sslflags=DONT_VERIFY_PEER' option.
The option you have here is most useful for reverse-proxy setups, which
are not what you are talking about in your request.

>
> hierarchy_stoplist cgi-bin ?

  - don't pass any requests that contain "?" or "cgi-bin" text in their
URL to any peer.

> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

- don't store in the cache anything that contains a "?" or "cgi-bin" in
their URL.

> cache_mem 128 MB

  ... use 128MB of storage for in-memory object caching.

> cache_dir diskd /usr/local/squid/cache 20000 64 256

  ... use about 60 GB of storage for on-disk object caching. Using diskd
helper.
NP: if you are using Linux change this to AUFS for a faster proxy.

> debug_options ALL,1

.. display all important notices to admin in cache.log

>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

NP: add this new pattern here:

    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

... with that pattern you can drop the QUERY acl for better caching.

> refresh_pattern . 0 20% 4320
>
> acl proxy.website.com dstdomain proxy.website.com
>
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
>
> acl my_ports port 8080
>
> acl Safe_ports port 3128 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow proxy.website.com

This looks again like a reverse-proxy setup. Dangerous to do at the
top in a forward-proxy situation... because anything the user wants to
do to the domain "proxy.website.com" is permitted now.

>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !my_ports

... sets up a security net to prevent abuse of the proxy. They have no
effect on requests which match the above "proxy.website.com" line.

> http_access allow all

And the above creates a semi-open proxy. Ripe for abuse.

> http_access deny all

... and a useless security net. The "allow all" permits everything this
would otherwise protect you from.

> http_reply_access allow all
>
> cache_peer_access b2 allow proxy.website.com
>

... Squid will ask the web server at proxy.website.com:8443 (configured
by "cache_peer ... name=b2") for any request with URL containing the
domain "proxy.website.com".

All other requests must go directly back out to the Internet to be
completed.

NP: Requests to "proxy.website.com" which fail at the peer will be
re-attempted directly through the Internet.

> visible_hostname second.website.com
> .....
>
>
> I deleted some options which are not the trouble.

I think given the strange mix you have so far, we'd better check the
rest of the config is right for your network use too...

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.9
Received on Sun Jul 05 2009 - 23:27:28 MDT
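The reply above points at three things in the posted squid.conf: a cache_peer line that says 'originserver' and lacks 'ssl', a global sslproxy_flags where the peer link needs cache_peer sslflags=, and http_access rules ordered so that "allow proxy.website.com" and "allow all" shadow the deny lines meant to protect the proxy. The following checker, an added example that is not part of the thread and not Squid project code, walks a config and reports those pitfalls. The sample config is constructed from the lines quoted in the thread; the ordering check generalises slightly beyond the reply by using the acl types to decide which "allow" lines carry no source restriction, so that the usual "allow manager localhost" before "deny manager" idiom is not flagged.

```python
"""Checker for the forward-proxy squid.conf pitfalls raised in the reply.

Added example, not Squid project code. The sample configuration below is
constructed from the lines quoted in the thread.
"""

# Constructed sample: the poster's configuration as quoted above.
SAMPLE_CONF = """\
cache_peer proxy.website.com parent 8443 0 no-query originserver name=b2
sslproxy_flags DONT_VERIFY_PEER
acl QUERY urlpath_regex cgi-bin \\?
cache deny QUERY
acl proxy.website.com dstdomain proxy.website.com
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl my_ports port 8080
acl Safe_ports port 3128 # http
acl CONNECT method CONNECT
http_access allow proxy.website.com
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !my_ports
http_access allow all
http_access deny all
cache_peer_access b2 allow proxy.website.com
"""

# acl types that only constrain the destination, never who is asking
DEST_ONLY = {"dstdomain", "dst", "dstdom_regex", "all"}


def parse(conf):
    """Return [(line_no, directive, args)] for every non-blank, non-comment line."""
    rules = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing '# ...' comments
        if not line:
            continue
        parts = line.split()
        rules.append((n, parts[0], parts[1:]))
    return rules


def check_peer(rules):
    """A TLS parent proxy needs the 'ssl' option and must not be 'originserver'."""
    out = []
    for n, d, args in rules:
        if d != "cache_peer" or len(args) < 4:
            continue
        host, opts = args[0], set(args[4:])  # cache_peer host type port icp-port [opts]
        if "originserver" in opts:
            out.append((n, f"cache_peer {host}: 'originserver' marks the peer as a web server, not a parent proxy"))
        if "ssl" not in opts:
            out.append((n, f"cache_peer {host}: no 'ssl' option, so the link will be plain HTTP"))
        if "ssl" in opts and "sslflags=DONT_VERIFY_PEER" in opts:
            out.append((n, f"cache_peer {host}: peer certificate is not verified"))
    return out


def check_ssl_flags(rules):
    """sslproxy_flags is global; the peer link takes its own cache_peer sslflags=."""
    has_global = [n for n, d, _ in rules if d == "sslproxy_flags"]
    peer_has = any(d == "cache_peer" and any(a.startswith("sslflags=") for a in args)
                   for _, d, args in rules)
    if has_global and not peer_has:
        return [(has_global[0], "sslproxy_flags set but cache_peer has no sslflags=; the peer link is not affected")]
    return []


def check_access(rules):
    """http_access is first-match: an unrestricted allow shadows every later deny."""
    acl_type = {args[0]: args[1] for _, d, args in rules if d == "acl" and len(args) >= 2}
    acl_type["all"] = "all"
    acc = [(n, args) for n, d, args in rules if d == "http_access" and args]
    out = []
    for i, (n, args) in enumerate(acc):
        action, acls = args[0], args[1:]
        later_denies = [m for m, a in acc[i + 1:] if a[0] == "deny"]
        if action != "allow" or not later_denies:
            continue
        if acls == ["all"]:
            out.append((n, f"'http_access allow all' creates an open proxy; {len(later_denies)} later deny line(s) are dead"))
        elif all(acl_type.get(a.lstrip("!"), "?") in DEST_ONLY for a in acls):
            out.append((n, f"'allow {' '.join(acls)}' has no source restriction and precedes "
                           f"{len(later_denies)} deny line(s); matching requests bypass them"))
    return out


def lint(conf):
    """All findings as (line_no, message), ordered by line."""
    rules = parse(conf)
    return sorted(check_peer(rules) + check_ssl_flags(rules) + check_access(rules))


def corrected_peer_line(line):
    """Rewrite a cache_peer line as the reply suggests: drop 'originserver', add 'ssl'."""
    parts = line.split()
    opts = [p for p in parts[5:] if p != "originserver"]
    if "ssl" not in opts:
        opts.append("ssl")
    return " ".join(parts[:5] + opts)


if __name__ == "__main__":
    for n, msg in lint(SAMPLE_CONF):
        print(f"line {n}: {msg}")
    print(corrected_peer_line(SAMPLE_CONF.splitlines()[0]))
```

corrected_peer_line only turns the link into a TLS one; how the second Squid trusts the first Squid's self-signed certificate is a separate decision. The reply reaches for sslflags=DONT_VERIFY_PEER, which check_peer deliberately reports, because it leaves the proxy-to-proxy link open to a forged peer; pointing sslcafile= at the self-signed certificate keeps verification on.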
