cache_peer to SSL/TLS proxy

cache_peer to SSL/TLS proxy

Carlos Cesar Caballero Díaz
Hi, I am really new with squid, and I am trying to solve an issue.

Right now I am working against a squid proxy which is using SSL/TLS
(encrypted browser-squid connection) and as you know there are a lot of
applications that do not work with this kind of proxy configuration.
On other occasions, I have been able to avoid some proxy issues
by installing a local squid and using cache_peer, so that my local squid
handles the nasty parent configurations and my applications can work
cleanly against the local instance. So, can I use cache_peer against a
parent proxy which is using SSL/TLS for encrypted browser-squid
connection? And if it is possible, how?

Greetings.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: cache_peer to SSL/TLS proxy

Amos Jeffries
Administrator
On 22/05/18 04:22, Carlos Cesar Caballero Díaz wrote:
>  can I use cache_peer against a
> parent proxy which is using SSL/TLS for encrypted browser-squid
> connection? And if it is possible, how?
>

Add the "ssl" (Squid-3) or "tls" (Squid-4) option to your cache_peer
line and all traffic to that peer will be encrypted with TLS/SSL.

See <http://www.squid-cache.org/Doc/config/cache_peer/> in the section
called "SSL / HTTPS / TLS OPTIONS" for more options related to securing
the connection between the proxies.
If you have Squid-3 the option names are a bit different, so see the
doc page for your specific Squid series number.

Amos

Re: cache_peer to SSL/TLS proxy

Alex Rousskov
In reply to this post by Carlos Cesar Caballero Díaz
On 05/21/2018 10:22 AM, Carlos Cesar Caballero Díaz wrote:

> Right now I am working against a squid proxy which is using SSL/TLS
> (encrypted browser-squid connection) and as you know there are a lot of
> applications that do not work with this kind of proxy configuration.
> On other occasions, I have been able to avoid some proxy issues
> by installing a local squid and using cache_peer, so that my local squid
> handles the nasty parent configurations and my applications can work
> cleanly against the local instance. So, can I use cache_peer against a
> parent proxy which is using SSL/TLS for encrypted browser-squid
> connection? And if it is possible, how?

Do you want to configure your Squid proxy to use proxy B as a parent
when proxy B insists on all connections to it being encrypted? If yes,
please see the various cache_peer options that start with letters "tls"
and "ssl":

> ==== SSL / HTTPS / TLS OPTIONS ====
>
> tls Encrypt connections to this peer with TLS.
...


I have not tested the HTTPS parent setup discussed above, but it looks
like it should work in principle.

Please note that, AFAIK, Squid does not support HTTPS parents for many
SslBump configurations that require looking at TLS server Hello packets
-- there is currently no support for TLS inside TLS.

Alex.
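
The parent-over-TLS setup that the two replies above describe, as an added squid.conf sketch; it is not from the thread or from the Squid project. The host name, ports and CA file path are placeholders (assumptions), and the option names are those listed in the cache_peer documentation for each Squid series.

```conf
# Added example, not part of the original thread.
# Placeholder values (assumptions, replace with your own):
#   parent.example.net        the parent proxy that only accepts TLS connections
#   3129                      the port on which the parent accepts TLS
#   /etc/squid/parent-ca.pem  PEM file with the CA that signed the parent's certificate

# Local listener: applications use this as an ordinary plain-HTTP proxy.
http_port 127.0.0.1:3128

# Squid-4 and later use the "tls" option names.
# "tls" encrypts the connection to the peer; "tls-cafile=" tells Squid which
# CA to trust when it verifies the certificate the parent presents.
cache_peer parent.example.net parent 3129 0 no-query default tls tls-cafile=/etc/squid/parent-ca.pem

# Squid-3 equivalent (use instead of the line above, never both):
# cache_peer parent.example.net parent 3129 0 no-query default ssl sslcafile=/etc/squid/parent-ca.pem

# If the parent's certificate names a different host than the one used on
# the cache_peer line, state the expected name rather than disabling checks:
#   Squid-4: tls-domain=proxy.internal.example    (placeholder name)
#   Squid-3: ssldomain=proxy.internal.example

# Weak setting, shown only for contrast. It makes the handshake succeed
# against any certificate, so the link is encrypted but the parent is not
# authenticated:
#   Squid-4: tls-flags=DONT_VERIFY_PEER
#   Squid-3: sslflags=DONT_VERIFY_PEER

# Send every request through the parent; never go direct to origin servers.
never_direct allow all
```

Running `squid -k parse` checks the file for syntax errors before the configuration is reloaded.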

Re: cache_peer to SSL/TLS proxy

Carlos Cesar Caballero Díaz
In reply to this post by Amos Jeffries
Thanks @Amos and @Alex, I have been testing and playing with the
options, but all I get is 502 (Bad Gateway) responses in my local proxy.

Greetings.


On 21/05/18 at 12:49, Amos Jeffries wrote:

> On 22/05/18 04:22, Carlos Cesar Caballero Díaz wrote:
>>   can I use cache_peer against a
>> parent proxy which is using SSL/TLS for encrypted browser-squid
>> connection? And if it is possible, how?
>>
> Add the "ssl" (Squid-3) or "tls" (Squid-4) option to your cache_peer
> line and all traffic to that peer will be encrypted with TLS/SSL.
>
> See <http://www.squid-cache.org/Doc/config/cache_peer/> in the section
> called "SSL / HTTPS / TLS OPTIONS" for more options related to securing
> the connection between the proxies.
>   If you have Squid-3 the option names are a bit different, so see the
> doc page for your specific Squid series number.
>
> Amos