Hi all, I'm posting for an ssl/acl problem.

In my configuration I have 2 proxies: 1 internal proxy (used by internal users) 
that serves internal websites and that escalates (cache_peer) to another proxy 
(external) when it needs to go outside.

My problem is that an internal server now needs to reach an external website 
(via SSL/HTTPS) but I need to filter the access to just some paths (the 
internal server will contact the internal squid, which should use the cache_peer 
to reach the "external" site).

From what I've learnt about squid, the way to filter paths with the HTTPS protocol 
is to use the ssl_bump directive. Actually I've already configured the internal 
squid with ssl_bump (I've just upgraded to 3.3.7):

    http_port   host11.domain.com:9999 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/path..../squid-CA.pem

    .
    .
    .
    # SSL Bump Start
    ###################
    sslproxy_cert_error allow all
    sslproxy_flags DONT_VERIFY_PEER
    sslcrtd_program =/path..../ssl_crtd -s =/path..../ssl_db -M 8MB
    sslcrtd_children 5

    acl src_test        src           222.222.222.222
    acl to_test_domain  dstdomain     server1.test.com
    acl to_test_regex   url_regex     ^https://server1.test.com/path1/
    http_access allow to_test_domain  CONNECT
    http_access allow src_test        to_test_regex
    # Routing with Bump
    cache_peer_access host21.domain.com allow to_test_domain
    cache_peer_access host22.domain.com allow to_test_domain
    # NOTE: to_test_bump is referenced here but is not defined anywhere in the snippet above
    ssl_bump        server-first  to_test_bump

    # SSL Bump Finish
    ###################
    ssl_bump    none  all
    .
    .
    .

After some tests I realized that ssl_bump works only when squid does a direct 
connect to websites but doesn't work when used with cache_peers; is that right?

What would be the best way to achieve my goal? Should I configure ssl_bump on 
the external squid (I would prefer to do it on the internal one to keep the 
outside squid config as simple as possible)? Actually, to use the "url_regex" 
acl to filter the path of an HTTPS site I have also had to open the CONNECT 
method to the whole site ... Is this the right method to filter paths on an 
https website?

Kind regards,
Daniel Hubeli
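The two-phase check described in the post above (CONNECT allowed to the whole domain, then url_regex applied to the decrypted inner request), modelled in Python as an added illustration that is not Squid's code or the poster's config; the ACL names are taken from the posted snippet, and the model assumes the default `acl CONNECT method CONNECT` from squid.conf.

```python
import re
from dataclasses import dataclass

# Constructed model of how Squid evaluates http_access for a bumped HTTPS
# request: first the CONNECT tunnel request, whose URL is only host:port,
# then, once ssl_bump has decrypted the tunnel, each inner request with its
# full URL. Added illustration only; this is not Squid's own logic.

@dataclass
class Request:
    src: str
    method: str
    url: str            # "host:port" for CONNECT, full URL otherwise

    @property
    def host(self):
        if self.method == "CONNECT":
            return self.url.split(":")[0]
        return re.match(r"https?://([^/:]+)", self.url).group(1)

# ACLs from the posted snippet; 'CONNECT' is squid.conf's default method ACL
ACLS = {
    "src_test": lambda r: r.src == "222.222.222.222",
    "to_test_domain": lambda r: r.host == "server1.test.com",
    "to_test_regex": lambda r: re.match(r"^https://server1.test.com/path1/", r.url) is not None,
    "CONNECT": lambda r: r.method == "CONNECT",
}

# http_access rules in order; Squid's implicit final rule denies anything unmatched
HTTP_ACCESS = [
    ("allow", ["to_test_domain", "CONNECT"]),
    ("allow", ["src_test", "to_test_regex"]),
]

def http_access(req):
    """First-match evaluation, like Squid: every ACL on a line must match."""
    for verdict, names in HTTP_ACCESS:
        if all(ACLS[n](req) for n in names):
            return verdict
    return "deny"

def bumped_flow(src, host, path):
    """Return (connect_verdict, inner_verdict) for one bumped HTTPS request."""
    connect = http_access(Request(src, "CONNECT", f"{host}:443"))
    if connect == "deny":
        return connect, None       # tunnel never opens; inner request is never seen
    inner = http_access(Request(src, "GET", f"https://{host}{path}"))
    return connect, inner
```

Without bumping only the first phase runs, so the CONNECT allow is the whole policy and every path on server1.test.com is reachable; the path filter exists only because the tunnel is decrypted and the inner request is re-evaluated.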
