Re: [squid-users] SQUID cache proxy with SSL (Version 3.0 STABLE-1)

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 13 Feb 2008 00:43:04 +1300

Tomer Brand wrote:
> Hi,
>
> I am trying to configure squid to function as SSL cache proxy for an authenticated object (using login=PASS in the cache_peer directive)
> To do that I’ve added the “cache-control=public, must-revalidate, max-age=0” directive to the back-end server whose files I would like to cache.
> This works great for me when configuring a non-SSL(port 6666) SQUID-based proxy.
> However when I access the proxy using SSL (port 4444 below) the cache file is deleted every time and the cache is not used.

Which is what max-age=0 means. "never use again". I think, leave that
off an it will do IMS on each request.

>
> SQUID receives HTTPS requests, performs the SSL termination as expected, gets the data from the back end server and saves the file to the cache directory.
>
> Then I pass the SQUID HTTP request, asking for the same file. SQUID serves the data from the cache.
> Next step is to ask the same file with HTTPS. This time SQUID clears that file from the cache and download it from the back end server.
>
> So I used Wireshark to identify the difference:
> SQUID pass the HTTP request using the If-None-Match header while the HTTPS request doesn’t contain this directive in the header.
>
> Anyone got any idea?
>
> bellow is my squid.conf file:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl localhostdomain src 10.10.10.10
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 6666 # SQIOD port
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow all
> icp_access allow localnet
> icp_access deny all
> htcp_access allow localnet
> htcp_access deny all
> https_port 4444 vhost vport cert=/home/tomer/Desktop/certificate.pem key=/home/tomer/Desktop/key.pem
> http_port 6666 vhost vport
> cache_peer 10.10.10.10 parent 8050 0 originserver default login=PASS
> cache_dir ufs /usr/local/squid/var/cache 100 16 256
> maximum_object_size 2097000 KB # A bit below 2 GB - SQUID maximum file size hierarchy_stoplist cgi-bin ?
> access_log /usr/local/squid/var/logs/access.log squid
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> icp_port 3130
> coredump_dir /usr/local/squid/var/cache
> visible_hostname ubuntu
>

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Tue Feb 12 2008 - 04:42:54 MST

This archive was generated by hypermail pre-2.1.9 : Sat Mar 01 2008 - 12:00:05 MST