[squid-users] HTTPS Caching between Squid's Parent and Child

From: Ghassan Gharabli <sounarose_at_googlemail.com>
Date: Wed, 4 Sep 2013 18:50:35 +0300

Hi,

I am trying to set up SSL-Bump between the Parent Squid proxy and the Child proxy.

I am using Squid version 3.3.8 for both the Parent and the Child Squid,
installed on the same system (Fedora 64-Bit).

Configure Options : --enable-ssl --enable-ssl-crtd --enable-icap-client
--with-filediscriptors=65536 --enable-ltdl-convenience

My goal is to cache HTTPS traffic because bandwidth is very expensive;
I have also noticed that most websites are moving to the HTTPS
protocol.

I am having difficulties establishing a connection between the Parent and
the Child Squid.

I am able to cache HTTPS traffic by installing a certificate file on
each customer's PC or phone.

Is there any way to make the parent proxy cache only the HTTPS
traffic, let the child proxy negotiate the SSL connection with the
parent using the required certificate, and then have the child share
that connection with customers without requiring them to install the
certificate?

Parent Proxy Settings:
---------------------------------

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# Client networks that may use this proxy (referenced by "http_access allow localnet").
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines
# NOTE(review): the two lines above look wrapped by the mail client; in
# squid.conf the fe80::/10 directive and its trailing comment are one line.

# Destination ports a CONNECT tunnel may target (see "deny CONNECT !SSL_ports").
acl SSL_ports port 443
# Destination ports ordinary requests may use; anything else is refused below.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# NOTE(review): "SSL" duplicates the CONNECT acl and is not referenced by any
# rule in this configuration; it can be dropped.
acl SSL method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
#http_access deny manager
# NOTE(review): with "deny manager" commented out, a cachemgr request from a
# localnet client is not stopped here and falls through to "allow localnet"
# below, so the cache manager interface is reachable from the whole internal
# network. Uncomment the deny (it must precede "allow localnet").

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
# NOTE(review): still commented out, so the loopback protection described
# above is not in effect for localnet clients.

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
# Plain forward-proxy listener on every interface; only the http_access rules
# above restrict who may use it.
http_port 0.0.0.0:9000
# Intercepted (transparent) HTTP listener that also bumps CONNECT tunnels.
# cert= is the CA used to mint per-host certificates on the fly; no key= is
# given, so the CA private key is presumably in the same .pem. Anyone holding
# that key can issue certificates every client trusting myCA.pem will accept,
# so the file should be readable by the squid user only.
# NOTE(review): the next two directives look wrapped by the mail client; each
# http_port/https_port directive must be a single line in squid.conf.
http_port 0.0.0.0:3128 intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
cert=/usr/local/squidparent/ssl_cert/myCA.pem
# Intercepted HTTPS listener with the same bump/CA settings.
https_port 3129 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB
cert=/usr/local/squidparent/ssl_cert/myCA.pem

# Uncomment and adjust the following to add a disk cache directory.
# 10000 MB on-disk cache, 16 first-level and 256 second-level directories.
cache_dir ufs /usr/local/squidparent/var/cache/squid 10000 16 256

# Leave coredumps in the first cache dir
# NOTE(review): core files can contain in-memory cache contents and the loaded
# CA key; keep this directory readable by the squid user only.
coredump_dir /usr/local/squidparent/var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# Aggressive caching rules: 129600 minutes (90 days) of freshness plus
# override-*/ignore-* options that discard the origin's own cache directives.
# NOTE(review): ignore-private and ignore-auth store responses marked
# Cache-Control: private or answered to a request carrying Authorization, and
# serve them to other clients; on bumped HTTPS this can hand one user's
# personalised or authenticated content to another user. Restrict these
# options to genuinely static assets, or drop them.
# NOTE(review): every multi-line refresh_pattern below looks wrapped by the
# mail client; each entry must be one line in squid.conf.
refresh_pattern
^https:\/\/.*\.(jp(eg|g|e|2)|tiff?|bmp|gif|png|kmz|eot|css|js)
129600 99% 129600 ignore-no-cache ignore-no-store reload-into-ims
override-expire ignore-must-revalidate store-stale ignore-private
ignore-auth
refresh_pattern
\.(class|css|cssz|js|jsz|xml|jhtml|txt|tif|swf|zsci|arc|asc) 129600
99% 129600 ignore-no-cache ignore-no-store reload-into-ims
override-expire ignore-must-revalidate store-stale ignore-private
ignore-auth
refresh_pattern \.(doc|xls|ppt|ods|odt|odp|pdf|rtf|inf|ini)
  129600 99% 129600 ignore-no-cache ignore-no-store reload-into-ims
override-expire ignore-must-revalidate store-stale ignore-private
refresh_pattern \.(jp(eg|g|e|2)|tiff?|bmp|gif|png|kmz|eot) 129600
99% 129600 ignore-no-cache ignore-no-store override-lastmod
reload-into-ims override-expire ignore-must-revalidate store-stale
ignore-private ignore-auth
refresh_pattern
\.(z(ip|[0-9]{2})|r(ar|[0-9]{2})|jar|tgz|bz2|grf|gpf|lz|lzh|lha|arj|sis|gz|ipa|tar|rpm|vpu|amz|img)
129600 99% 129600 ignore-no-cache ignore-no-store override-lastmod
reload-into-ims override-expire ignore-must-revalidate store-stale
ignore-private
refresh_pattern
\.(mp(2|3|4)|wav|og(g|a)|flac|mid|midi?|r(m|mvb)|aac|mka|ap(e|k))
              129600 99% 129600 ignore-no-cache ignore-no-store
override-lastmod reload-into-ims override-expire
ignore-must-revalidate store-stale ignore-private
# NOTE(review): executables and installers cached for 90 days with
# ignore-no-store/override-expire will keep serving a superseded (possibly
# vulnerable) binary after the vendor replaces it; reload-into-ims alone does
# not revalidate while offline_mode is on.
refresh_pattern
\.(exe|msi|dmg|bin|xpi|fid|sisx|iso|part|mar|psf|msp|cab|npk|inc|hqx|ad|ipsw)
                   129600 99% 129600 ignore-no-cache ignore-no-store
override-lastmod reload-into-ims override-expire
ignore-must-revalidate store-stale ignore-private
refresh_pattern
\.(mpeg|ra?m|avi|mp(g|e|4)|mov|m4v|qt|divx|asf|wm(a|v)|m\dv|rv|vob|asx|ogm|flv|3gp|on2)
129600 99% 129600 ignore-no-cache ignore-no-store override-lastmod
reload-into-ims override-expire ignore-must-revalidate store-stale
ignore-private ignore-reload
# Dynamic content is never considered fresh; everything else gets the default.
refresh_pattern (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Always fetch from the origin; this (parent) instance defines no cache_peer.
always_direct allow all
# Defined but not referenced by any ssl_bump rule in this configuration.
acl broken_sites dstdomain .example.com

# Bump every TLS connection in server-first mode (Squid contacts the origin
# before generating the certificate shown to the client).
ssl_bump server-first all

# the following two options are unsafe and not always necessary:
# ignore certain certificate errors (very dangerous!)
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
#sslproxy_cert_error allow BadSite
# NOTE(review): "allow all" accepts every origin certificate error and
# DONT_VERIFY_PEER switches peer verification off entirely, so this proxy
# will bump a connection to a forged, expired or mismatched origin
# certificate and re-sign it with myCA.pem; every client that trusts that
# CA then sees a valid certificate and cannot tell the difference. Prefer the
# narrower commented-out BadSite rule plus "sslproxy_cert_error deny all", and
# remove DONT_VERIFY_PEER.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
#sslproxy_cert_adapt setValidAfter all
#sslproxy_cert_sign signSelf all
# Helper that generates the per-host certificates: -s is the on-disk
# certificate database, -M its size cap.
# NOTE(review): wrapped by the mail client; must be a single line.
sslcrtd_program /usr/local/squidparent/libexec/ssl_crtd -s
/usr/local/squidparent/var/lib/ssl_db -M 16MB
sslcrtd_children 5

# add at the last line
#request_header_access Referer deny all
#request_header_access X-Forwarded-For deny all
#request_header_access Via deny all
#request_header_access Vary deny all
#request_header_access Cache-Control deny all
#request_header_access Content-Encoding deny all
#request_header_access Accept-Encoding deny all

#strip_query_terms off
# add (hide IP address)
#forwarded_for transparent
#visible_hostname cacheparent.skydsl.net
# Drop to the unprivileged squid user after start-up.
cache_effective_user squid
vary_ignore_expire on
# No Via header is added, hiding the proxy hop from origins and peers.
via off
log_icp_queries on
reload_into_ims on
# 2 GB of in-memory object cache.
cache_mem 2 GB
cache_replacement_policy heap LFUDA
#max_filedescriptors 65536
#dns_v4_first on
# NOTE(review): offline_mode serves cached objects without revalidating them;
# together with the ignore-*/override-* refresh rules above, stale or
# per-user content may be returned long after the origin changed it. Confirm
# this is intended.
offline_mode on
# Largest single object that will be cached (100000 KB).
maximum_object_size 100000 KB
dns_nameservers 192.168.1.1 192.168.1.2

--------------------------------------------------------------------

Child Proxy:
------------------

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# Client networks that may use this proxy (referenced by "http_access allow localnet").
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines
# NOTE(review): the two lines above look wrapped by the mail client; in
# squid.conf the fe80::/10 directive and its trailing comment are one line.

# Destination ports a CONNECT tunnel may target (see "deny CONNECT !SSL_ports").
acl SSL_ports port 443
# Destination ports ordinary requests may use; anything else is refused below.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# NOTE(review): "SSL" duplicates the CONNECT acl and is not referenced by any
# rule in this configuration; it can be dropped.
acl SSL method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
#http_access deny manager
# NOTE(review): with "deny manager" commented out, a cachemgr request from a
# localnet client falls through to "allow localnet" below, so the cache
# manager interface is reachable from the whole internal network. Uncomment
# the deny (it must precede "allow localnet").

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
# NOTE(review): still commented out, so the loopback protection described
# above is not in effect for localnet clients.

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
# NOTE(review): the ssl-bump listeners below are commented out, but their
# wrapped continuation lines are not; copied verbatim, squid.conf would see
# stray "dynamic_cert_mem_cache_size=..." / "cert=..." / "generate-host-..."
# lines as unknown directives. Join each directive onto one line.
#http_port 0.0.0.0:8080 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=10MB
cert=/usr/local/squidchild/ssl_cert/myCA.pem
# Plain forward-proxy listener, bound to the 192.168.10.4 interface only; no
# ssl-bump option, so CONNECT tunnels through it are not bumped.
http_port 192.168.10.4:8080
#http_port 0.0.0.0:3128 intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
cert=/usr/local/squidchild/ssl_cert/myCA.pem
# TLS-wrapped proxy listener: clients must speak TLS *to the proxy itself* on
# 3131; skyDSL.pem is the server certificate and clientca= presumably names
# the CA used to verify client certificates.
# NOTE(review): the "SSL23_GET_CLIENT_HELLO:https proxy request" error quoted
# in the mail appears to be what OpenSSL reports when a plaintext proxy
# request (e.g. "CONNECT ...") arrives on a TLS socket, i.e. the browser is
# sending an unencrypted proxy request to this port rather than negotiating
# TLS. Verify the client actually supports a TLS connection to the proxy, or
# point it at the plain 8080 listener instead.
# NOTE(review): wrapped by the mail client; must be a single line.
https_port 3131 cert=/usr/local/squidchild/ssl_cert/skyDSL.pem
clientca=/usr/local/squidchild/ssl_cert/myCA.pem

# Uncomment and adjust the following to add a disk cache directory.
# 10000 MB on-disk cache, 16 first-level and 256 second-level directories.
cache_dir ufs /usr/local/squidchild/var/cache/squid 10000 16 256

# Leave coredumps in the first cache dir
# NOTE(review): core files can contain in-memory cache contents and loaded
# private keys; keep this directory readable by the squid user only.
coredump_dir /usr/local/squidchild/var/cache/squid

# Add any of your own refresh_pattern entries above these.
# Default Squid freshness rules only; unlike the parent, the child honours the
# origin's cache directives.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Force direct fetches to the origin; as long as this stays "allow all" (and
# never_direct below is commented out) nothing is sent through a cache_peer,
# so the parent is bypassed even when the cache_peer line is enabled.
always_direct allow all
acl broken_sites dstdomain .example.com
# Do not bump localhost or the listed broken sites; bump everything else.
# NOTE(review): neither active listener (8080, 3131) carries the ssl-bump
# option, so these ssl_bump rules appear to be inert on this instance.
ssl_bump none localhost
ssl_bump none broken_sites
ssl_bump server-first all

# the following two options are unsafe and not always necessary:
# ignore certain certificate errors (very dangerous!)
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
# Tolerate hostname mismatches only; every other certificate error is fatal.
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all
# NOTE(review): DONT_VERIFY_PEER disables peer certificate verification, which
# presumably leaves the "deny all" above with nothing to enforce — confirm
# against the 3.3 documentation and drop the flag if the deny is meant to
# take effect.
sslproxy_flags DONT_VERIFY_PEER
#sslproxy_cert_adapt setValidAfter all
#sslproxy_cert_sign signSelf all
# Certificate generator disabled; consistent with the ssl-bump listeners
# being commented out above.
# NOTE(review): the second line of this wrapped directive is not commented
# and would be read as a stray directive if copied verbatim.
#sslcrtd_program /usr/local/squidchild/libexec/ssl_crtd -s
/usr/local/squidchild/var/lib/ssl_db -M 16MB
#sslcrtd_children 5

# Parent-cache relationship, currently disabled: with "ssl" and sslcert= the
# child would open a TLS connection to 127.0.0.1:80 and present skyDSL.pem as
# its client certificate.
# NOTE(review): the parent configuration shown listens on 9000, 3128 and
# 3129 and none of those is a TLS (https_port) listener, so a peer on port 80
# with "ssl" matches no parent port shown. Also, the wrapped sslcert= line is
# not commented and would be read as a stray directive if copied verbatim.
#cache_peer 127.0.0.1 parent 80 0 default ssl
sslcert=/usr/local/squidchild/ssl_cert/skyDSL.pem
# Would force all traffic through the peer; it must be enabled (and
# always_direct above narrowed) for the cache_peer to be used at all.
#never_direct allow all

# Enable Logging Full URLs but when its enabled
#strip_query_terms off
# add (hide IP address)
#forwarded_for transparent
#visible_hostname cachechild

# Drop to the unprivileged squid user after start-up.
cache_effective_user squid
vary_ignore_expire on
# No Via header is added, hiding the proxy hop from origins and peers.
via off
log_icp_queries on
reload_into_ims on
# 2 GB of in-memory object cache.
cache_mem 2 GB
cache_replacement_policy heap LFUDA
#max_filedescriptors 65536
#dns_v4_first on
# NOTE(review): offline_mode serves cached objects without revalidating them,
# so stale content may be returned after the origin changes it. Confirm this
# is intended on the client-facing proxy.
offline_mode on
# Largest single object that will be cached (100000 KB).
maximum_object_size 100000 KB
dns_nameservers 192.168.1.1 192.168.1.2

--------------------------------------------------

If I remove/add the cache_peer line in the CHILD Squid's squid.conf
and try to use https_port 3131 in the Internet Explorer proxy settings,
then the following error appears in Squid's log:

2013/09/04 18:36:21 | clientNegotiateSSL : Error negotiating SSL
connection on FD 13: error:1407609B:SSL
routines:SSL23_GET_CLIENT_HELLO:https proxy request (1/-1)

Is there any solution to cache HTTPS traffic without installing a
certificate file on the customers' machines?
Do you think that using SSL-Bump between the Parent and Child Squids
would solve the problem, i.e. allow us to cache HTTPS traffic as long
as the SSL negotiation takes place between the Parent Squid and the
Child Squid? Could the child proxy then share the HTTPS connection with
clients without the certificate file being installed on the customers'
side?

I really appreciate your support.

Thank you

Regards,
Ghassan
Received on Wed Sep 04 2013 - 15:50:44 MDT
