I have redeployed everything with the most basic configuration, and I use the proposed config for ssl_bump. The test server that goes through Squid now doesn't get tunneled, and instead checks the cache. I get something like this: NONE/200 TCP_MISS/200

But I have noticed that the test server also doesn't cache anything, and instead only looks at the cache. So if I try to go for a file in S3, it says MISS, and after that MISS again, and I see no new objects in the cache being created. If I try the same thing from the proxy itself, I get the MISS, and the object gets cached, as it should. When I go back to the test server and try again, it sees the object in cache and returns TCP_MEM_HIT/200 instead.

Is there a specific configuration that I need to add/enable in order to have the server cache the objects, or am I making a mistake elsewhere perhaps?

This is the entire config file:

visible_hostname squid
cache_dir ufs /test/cache/squid 10000 16 256

http_access allow localhost
http_access allow all

http_port 3128
http_port 3129 intercept
acl allowed_http_sites dstdomain .amazonaws.com
http_access allow allowed_http_sites

https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com
ssl_bump stare all
ssl_bump bump allowed_https_sites
ssl_bump terminate all

Thanks!

On Tue, Jan 26, 2021 at 9:14 PM Alex Rousskov <rouss...@measurement-factory.com> wrote:
> On 1/26/21 1:54 PM, Milos Dodic wrote:
>
> > when the test server goes for a picture I have stored somewhere in
> > the cloud, the squid access log shows "TCP_TUNNEL/200". But when I
> > try from the proxy itself with squidclient tool, I get
> > "TCP_MEM_HIT/200"
>
> Given the very limited information you have provided, I am guessing that
>
> * the primary test opens a CONNECT tunnel through Squid
> * the squidclient test sends a plain text HTTP request to Squid
>
> The final origin server destination may be the same in both tests, but
> the two transactions are completely different from Squid's point of view.
>
> > ssl_bump peek step1 all
> > ssl_bump peek step2 allowed_https_sites
> > ssl_bump splice step3 allowed_https_sites
> > ssl_bump terminate step3 all
>
> AFAICT, this configuration is splicing or terminating all TLS traffic.
> No bumping at all. If you want your Squid to bump TLS tunnels, then you
> have to have at least one "bump" rule!
>
> I do not know what your overall SslBump needs are, but perhaps you meant
> something like the following?
>
> acl shouldBeBumped ssl::server_name .amazonaws.com
>
> ssl_bump stare all
> ssl_bump bump shouldBeBumped
> ssl_bump terminate all
>
> Please do not use the configuration above until you understand what it
> does. Please see https://wiki.squid-cache.org/Features/SslPeekAndSplice
> for details.
>
> Depending on your environment, the http_access rules may need to be
> adjusted to allow CONNECT requests (to TLS-safe ports) to IP addresses
> that do not result in .amazonaws.com in reverse DNS lookups.
>
>
> HTH,
>
> Alex.
>
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
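A way to read the access.log result codes this thread turns on (TCP_TUNNEL vs. TCP_MISS vs. TCP_MEM_HIT) per client, as an added example that is not part of the thread and not Squid's own code: it parses lines in Squid's native access.log layout and reports, for each client, whether its traffic was only tunneled (CONNECT passed through unbumped, so Squid never saw a cacheable request), repeatedly missed on the same URL (responses fetched but not stored), or served from cache. The sample log lines, the ten-field layout assumed by the parser, and the verdict labels are all constructed for this example; the NONE/200 CONNECT line followed by TCP_MISS entries mirrors what the poster reports seeing after bumping.

```python
"""Summarise Squid native access.log lines per client to tell tunneled,
uncached and cached traffic apart (constructed example, not Squid code)."""
from collections import Counter, defaultdict

# Constructed sample in Squid's native log layout (assumed here):
# time elapsed client result/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1611690000.123 45 10.0.0.6 TCP_TUNNEL/200 5120 CONNECT bucket.s3.amazonaws.com:443 - HIER_DIRECT/52.0.0.1 -
1611690001.456 12 10.0.0.6 TCP_TUNNEL/200 4096 CONNECT bucket.s3.amazonaws.com:443 - HIER_DIRECT/52.0.0.1 -
1611690010.000 0 10.0.0.5 NONE/200 0 CONNECT bucket.s3.amazonaws.com:443 - HIER_NONE/- -
1611690010.300 210 10.0.0.5 TCP_MISS/200 81920 GET https://bucket.s3.amazonaws.com/pic.jpg - HIER_DIRECT/52.0.0.1 image/jpeg
1611690011.000 205 10.0.0.5 TCP_MISS/200 81920 GET https://bucket.s3.amazonaws.com/pic.jpg - HIER_DIRECT/52.0.0.1 image/jpeg
1611690020.000 1 127.0.0.1 TCP_MISS/200 81920 GET http://bucket.s3.amazonaws.com/pic.jpg - HIER_DIRECT/52.0.0.1 image/jpeg
1611690021.000 0 127.0.0.1 TCP_MEM_HIT/200 81920 GET http://bucket.s3.amazonaws.com/pic.jpg - HIER_NONE/- image/jpeg
"""


def parse_line(line):
    """Split one native-format line into a dict; None if the line does not
    carry the ten whitespace-separated fields this parser expects."""
    fields = line.split()
    if len(fields) != 10:
        return None
    result, _, status = fields[3].partition("/")
    return {
        "time": float(fields[0]),
        "client": fields[2],
        "result": result,        # e.g. TCP_TUNNEL, TCP_MISS, TCP_MEM_HIT, NONE
        "status": int(status),   # HTTP status, e.g. 200
        "method": fields[5],
        "url": fields[6],
    }


def parse_log(text):
    """Parse every well-formed line, silently skipping the rest."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def result_counts(records):
    """Per-client Counter of Squid result codes."""
    counts = defaultdict(Counter)
    for rec in records:
        counts[rec["client"]][rec["result"]] += 1
    return dict(counts)


def diagnose(text):
    """Classify each client's traffic (labels are this example's own):
      'tunneled'      only CONNECT tunnels seen: TLS passed through unbumped,
                      so Squid never saw an HTTP request it could cache
      'hit'           at least one response served from cache
      'repeated-miss' the same URL fetched twice with TCP_MISS/200 and no
                      hit in between: responses fetched but not stored
      'miss'          only single misses so far
    """
    per_client = defaultdict(list)
    for rec in parse_log(text):
        per_client[rec["client"]].append(rec)
    verdicts = {}
    for client, recs in per_client.items():
        results = [r["result"] for r in recs]
        if all(r == "TCP_TUNNEL" for r in results):
            verdicts[client] = "tunneled"
            continue
        if any("HIT" in r for r in results):
            verdicts[client] = "hit"
            continue
        misses = Counter(r["url"] for r in recs
                         if r["result"] == "TCP_MISS" and r["status"] == 200)
        verdicts[client] = ("repeated-miss"
                            if any(n >= 2 for n in misses.values()) else "miss")
    return verdicts


if __name__ == "__main__":
    for client, verdict in diagnose(SAMPLE_LOG).items():
        print(f"{client}: {verdict}")
```

Run against a real access.log (the default native format, not a custom logformat) the "tunneled" verdict points at clients whose CONNECTs are still being spliced or never reach the bump rule, while "repeated-miss" isolates the symptom in the post: bumped requests that Squid fetches each time without storing, which is a caching question rather than an ssl_bump one.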