Yes, I've tried all of these combinations.

### 0x00 cache_peer no ssl

> ssl_bump allow all
> cache_peer 127.0.0.1 parent 3129 0 【no ssl】

curl http://google.com -x http://admin:squid@localhost:3128 -v -k 【it is ok】
curl https://google.com -x https://admin:squid@localhost:3128 -v -k 【Get 502】
curl https://google.com -x http://admin:squid@localhost:3128 -v -k 【Get 502】

< HTTP/1.1 502 Bad Gateway
< X-Cache: MISS from example.com
< Transfer-Encoding: chunked
< Connection: keep-alive

log json:
{ "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp": "2020-09-28T04:16:28+0000", "verb": "CONNECT", "request": "google.com:443", "httpversion": "HTTP/1.1", "response": 200, "bytes": 0, "referer": "-", "agent": "curl/7.47.0", "request_status": "HIER_NONE", "hierarchy_status": "HIER_NONE" }
{ "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp": "2020-09-28T04:16:28+0000", "verb": "GET", "request": "https://google.com/", "httpversion": "HTTP/1.1", "response": 502, "bytes": 117, "referer": "-", "agent": "curl/7.47.0", "request_status": "HIER_NONE", "hierarchy_status": "HIER_NONE" }

### 0x01 cache_peer with ssl

> ssl_bump allow all
> cache_peer 127.0.0.1 parent 3129 0 ssl

curl http://google.com -x http://admin:squid@localhost:3128 -v -k 【Get 502】
curl https://google.com -x https://admin:squid@localhost:3128 -v -k 【Get 502】

< HTTP/1.1 503 Service Unavailable
< Server: squid/5.0.4
< Mime-Version: 1.0
< Date: Mon, 28 Sep 2020 04:21:00 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1649
< X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71

<p>The system returned:</p>
<blockquote id="data">
<pre>(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)</pre>
<p>Handshake with SSL server failed: [No Error]</p>
</blockquote>

### 0x02 how to send outgoing https requests via cache_peer (on squid 5.0.4 / chained proxy)

Similar features to Charles or Fiddler (open an http(s) proxy on 8080, capture the request, then send it out through another http(s)/socks4/5 proxy).

1. Fiddler gateway: https://docs.telerik.com/fiddler-everywhere/user-guide/settings/gateway

curl https://google.com -x http://squid:3128 --> outgoing (cache_peer: like Fiddler gateway) --> google.com:443

The cache_peer should ignore SSL VERIFY!!! like other software.

On squid 5.0.4, http is ok, https will get ERR_SECURE_CONNECT_FAIL error.

Alex Rousskov <rouss...@measurement-factory.com> wrote on Mon, Sep 28, 2020 at 6:48 AM:

> On 9/27/20 12:07 PM, sec wrote:
>
> > > http_port 3128 ssl-bump ...
> > > curl http://google.com -x https://admin:squid@localhost:3128 -v -k
>
> The above two lines do not match AFAICT: You tell curl to use an HTTPS
> proxy, but you tell Squid to expect plain HTTP proxy requests.
>
> Also, please note that if you fix the above problem by moving "https"
> from "-x" to the origin server URL, then you will probably face another
> problem:
>
> curl https://google.com -x http://admin:squid@localhost:3128 -v -k
>
> > > ssl_bump allow all
> > > cache_peer 127.0.0.1 parent 3129 0 ssl
>
> Squid does not (yet) support "TLS inside TLS": Talking TLS with the
> origin server through a cache_peer that also expects a TLS connection.
>
>
> HTH,
>
> Alex.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
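As an added triage example (not code from the post, from Alex, or from the Squid project), the script below parses access-log lines in the JSON logformat quoted in the thread and flags 5xx responses whose hierarchy_status is HIER_NONE, i.e. gateway errors for which Squid logged no next-hop destination; the sample lines are constructed from the two entries in the post plus one made-up 503 line mirroring the ERR_SECURE_CONNECT_FAIL response from section 0x01 and one deliberately malformed line.

```python
import json

# Constructed sample in the JSON logformat quoted in the thread. Only the fields
# the triage needs are kept; the 503 line and the junk line are made up.
SAMPLE_LOG = """
{"clientip": "127.0.0.1", "uname": "admin", "timestamp": "2020-09-28T04:16:28+0000", "verb": "CONNECT", "request": "google.com:443", "response": 200, "bytes": 0, "hierarchy_status": "HIER_NONE"}
{"clientip": "127.0.0.1", "uname": "admin", "timestamp": "2020-09-28T04:16:28+0000", "verb": "GET", "request": "https://google.com/", "response": 502, "bytes": 117, "hierarchy_status": "HIER_NONE"}
this line is not JSON and must not abort the run
{"clientip": "127.0.0.1", "uname": "admin", "timestamp": "2020-09-28T04:21:00+0000", "verb": "GET", "request": "https://google.com/", "response": 503, "bytes": 1649, "hierarchy_status": "HIER_NONE"}
"""


def parse_log(text):
    """Parse one JSON object per line; malformed lines are counted, not fatal."""
    entries, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return entries, bad


def classify(entry):
    """Label an entry by whether Squid recorded a next hop before failing."""
    status = int(entry.get("response", 0))
    hier = entry.get("hierarchy_status", "")
    if status >= 500 and hier == "HIER_NONE":
        # Gateway error with no forwarding destination logged: look at the
        # proxy's own peer/TLS configuration before suspecting the origin.
        return "gateway_error_not_forwarded"
    if status >= 500:
        return "gateway_error_forwarded"
    return "ok"


def triage(text):
    """Return (label counts, list of flagged (verb, request, status) tuples)."""
    entries, bad = parse_log(text)
    counts = {"ok": 0, "gateway_error_forwarded": 0,
              "gateway_error_not_forwarded": 0, "malformed": bad}
    flagged = []
    for e in entries:
        label = classify(e)
        counts[label] += 1
        if label != "ok":
            flagged.append((e.get("verb"), e.get("request"), int(e.get("response", 0))))
    return counts, flagged


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```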