squid and https URLs


squid and https URLs

isaac
I have installed squid as a non-transparent proxy/cache server with the --enable-ssl configuration. It is a child of a parent proxy server named proxy1.ut.ac.ir in our network, through which all computers in the network must access the Internet.

The new proxy server works well for HTTP URLs but has problems with HTTPS ones. For example, when I try to open www.gmail.com or https://www.google.com, the browser just stops after a very long time at this URL:

https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2

And these are the access.log entries:
1279413204.892    302 127.0.0.1 TCP_MISS/302 1136 GET http://mail.google.com/mail/ - DEFAULT_PARENT/proxy1.ut.ac.ir text/html
1279413264.188  59293 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/209.85.229.104 -
1279413324.241  60051 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/209.85.229.147 -
1279413384.293  60050 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/209.85.229.99 -
1279413444.317  60022 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/209.85.229.147 -
1279413504.369  60048 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/209.85.229.104 -


Here is the squid.conf:

http_port 3128

cache_dir ufs /usr/local/squid/var/cache 100 16 256
coredump_dir /usr/local/squid/var/cache


acl all src 0.0.0.0/0.0.0.0
http_access allow all


cache_peer proxy1.ut.ac.ir parent 3128 0 no-query default no-digest no-netdb-exchange

There is no problem when I set proxy1.ut.ac.ir as the proxy server in browsers, so there is nothing wrong with the parent proxy server.

Re: squid and https URLs

isaac
Update:

I tried to add default DNS servers of my network to squid.conf by:

dns_nameservers 217.219.19.20 217.219.19.21
When I add this line, HTTP websites like www.google.com still open correctly, but when I try to open www.gmail.com I get a 404 Server not found error.


Here is the access.log:

1279491590.616      2 127.0.0.1 TCP_MISS/404 0 CONNECT www.google.com:443 - DIRECT/- -



and Squid on the console says:

2010/07/18 18:19:50| ipcacheParse: No Address records in response to 'www.google.com'


Re: squid and https URLs

slevin
In reply to this post by isaac

Re: squid and https URLs

isaac
CONTENTS DELETED
The author has deleted this message.

Re: squid and https URLs

isaac
Problem Solved!

I've asked this question in ServerFault here:

http://serverfault.com/questions/161428/squid-and-https-urls

and found a solution by just adding these lines in squid.conf:


acl CONNECT method CONNECT
acl POST method POST
never_direct allow CONNECT
never_direct allow POST

But I still don't understand this behaviour of squid:

Why should we add these lines for the CONNECT and POST methods explicitly, while the GET method works correctly without such settings?

Is this default behaviour of squid or what?

Re: squid and https URLs

Henrik Nordström
On Mon 2010-08-02 at 04:11 -0700, isaac wrote:

> Problem Solved!
>
> I've asked this question in ServerFault and found a solution by just adding
> these lines in squid.conf:
>
>
> acl CONNECT method CONNECT
> acl POST method POST
> never_direct allow CONNECT
> never_direct allow POST
>
> But I still don't understand this behaviour of squid:
>
> Why should we add these lines for the CONNECT and POST methods explicitly, while
> the GET method works correctly without such settings?
>
> Is this default behaviour of squid or what?

Sounds like you should really have

  never_direct allow all


What is happening is that Squid by default acts somewhat differently
depending on whether it thinks the response may be possible to cache. If it
knows that the response won't be possible to cache then it selects the
shortest possible path to retrieve the requested object, which is going
direct unless forbidden.

  CONNECT/POST/etc (most non-HEAD/GET) can never be cached.

  GET/HEAD depends on a number of factors. There are many kinds of GET
requests as well which Squid will consider non-cacheable and go direct
if allowed.


The never_direct directive is what you use to tune this when you need
requests forwarded even if it's worthless from a cache perspective.
never_direct tells Squid that it is not allowed to go direct and MUST
forward requests to a peer (usually a parent peer). Used for example if
you are behind a firewall without direct connectivity, or otherwise MUST
use a parent proxy.


Regards
Henrik
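The forwarding behaviour Henrik describes, and the symptom in isaac's first access.log (CONNECT requests going DIRECT and failing with 503 while a parent is configured), can be checked mechanically from the log and the config. The script below is an added example written for this thread; it is not code from the posts or from the Squid project. It parses Squid's native access.log format, reads cache_peer, method-ACL and never_direct lines from squid.conf, and reports CONNECT/POST requests that bypass the parent. The sample config and log lines are copied from the posts above. The ACL evaluation is deliberately simplified and is an assumption of this example, not Squid's real ACL engine: only "acl NAME method ..." definitions and the name "all" are understood, and only never_direct lines naming a single ACL are considered.

```python
"""Audit a Squid setup for CONNECT/POST requests that bypass a configured parent.

Added example for this thread (not Squid's code, not from the posts): parses the
native access.log format plus the cache_peer / never_direct / method-acl lines of
squid.conf, and reports the symptom isaac saw: CONNECT requests going DIRECT
(and failing) even though a parent peer is configured.
"""
import re
from collections import Counter

# Native access.log fields:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Sample input: the squid.conf and access.log lines posted in the thread.
SAMPLE_CONF = """\
http_port 3128
acl all src 0.0.0.0/0.0.0.0
http_access allow all
cache_peer proxy1.ut.ac.ir parent 3128 0 no-query default no-digest no-netdb-exchange
"""
FIX_LINES = """\
acl CONNECT method CONNECT
acl POST method POST
never_direct allow CONNECT
never_direct allow POST
"""
SAMPLE_LOG = """\
1279413204.892    302 127.0.0.1 TCP_MISS/302 1136 GET http://mail.google.com/mail/ - DEFAULT_PARENT/proxy1.ut.ac.ir text/html
1279413264.188  59293 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/209.85.229.104 -
1279413324.241  60051 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/209.85.229.147 -
1279491590.616      2 127.0.0.1 TCP_MISS/404 0 CONNECT www.google.com:443 - DIRECT/- -
"""


def parse_access_log(text):
    """Return one dict per native-format log line; lines that do not match are skipped."""
    matches = (LOG_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def direct_requests(records):
    """Count requests Squid fetched itself (hierarchy code DIRECT) by (method, status)."""
    return Counter((r["method"], r["status"]) for r in records if r["hier"] == "DIRECT")


def parent_peers(conf):
    """Hostnames declared with 'cache_peer <host> parent ...'."""
    return [p[1] for p in (line.split() for line in conf.splitlines())
            if len(p) >= 3 and p[0] == "cache_peer" and p[2] == "parent"]


def methods_forced_to_parent(conf):
    """Methods that a 'never_direct allow <acl>' line forces through a parent.

    Simplified on purpose (an assumption of this example, not Squid's ACL engine):
    only 'acl NAME method ...' definitions and the name 'all' are understood, and
    only never_direct lines naming a single ACL are considered. '*' means every method.
    """
    method_acls, forced = {}, set()
    for line in conf.splitlines():  # ACLs must be defined before use, so one pass suffices
        p = line.split()
        if len(p) >= 4 and p[0] == "acl" and p[2] == "method":
            method_acls.setdefault(p[1], set()).update(m.upper() for m in p[3:])
        elif len(p) == 3 and p[0] == "never_direct" and p[1] == "allow":
            forced.update({"*"} if p[2] == "all" else method_acls.get(p[2], set()))
    return forced


def audit(conf, log_text):
    """Findings: a parent without never_direct cover for CONNECT/POST, plus DIRECT requests seen."""
    findings = []
    parents = parent_peers(conf)
    if not parents:
        return findings  # no parent configured: going DIRECT is the expected path
    forced = methods_forced_to_parent(conf)
    if "*" not in forced:
        missing = [m for m in ("CONNECT", "POST") if m not in forced]
        if missing:
            findings.append("parent %s configured but never_direct does not cover %s"
                            % (parents[0], "/".join(missing)))
    for (method, status), n in sorted(direct_requests(parse_access_log(log_text)).items()):
        findings.append("%d %s request(s) went DIRECT with status %s" % (n, method, status))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF, SAMPLE_LOG):
        print("BEFORE fix:", line)
    for line in audit(SAMPLE_CONF + FIX_LINES, ""):
        print("AFTER fix:", line)
```

Run against the thread's config and log, the audit reports the missing never_direct cover for CONNECT/POST and the three CONNECT requests that went DIRECT; with the four fix lines appended (or a single never_direct allow all, as Henrik suggests) the config finding disappears.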


Re: squid and https URLs

slevin
It's solved.
Thanks!