RE: [squid-users] HTTPS traffic not being forwarded to upstream proxy.

From: Chris Robertson <[email protected]>
Date: Wed, 1 Feb 2006 11:19:29 -0900

> -----Original Message-----
> From: squid user [mailto:squid_user@hotmail.co.uk]
> Sent: Wednesday, February 01, 2006 7:27 AM
> To: mark.elsen@gmail.com
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] HTTPS traffic not being forwarded to upstream proxy.
>
> >On 2/1/06, squid user <squid_user@hotmail.co.uk> wrote:
> > > Hi,
> > >
> > > I have a Squid 2.5 stable 11 proxy forwarding traffic to an upstream proxy
> > > based on domain. This works fine for HTTP traffic, but HTTPS traffic is
> > > flowing directly from the downstream proxy to the internet.
> > >
> > > Would anyone give me any pointers as to an access list or other strategy I
> > > can use to ensure that HTTPS traffic flows to the upstream proxy? Here's
> > > what I have at the moment...
> > >
> > > acl forwardTraffic dstdomain .co.uk
> > > cache_peer 172.21.118.118 parent 3128 0 proxy-only no-query
> > > cache_peer_access 172.21.118.118 allow forwardTraffic
> >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> >Try changing the above line into :
> >
> > never_direct allow forwardTraffic
> >
> > > cache_peer_access 172.21.118.118 deny all
> > >

Not such a good idea. Now you are saying that .co.uk can't go direct (fine) but that no requests can use the cache_peer (whoops). Hence the problem seen below...

> >
> > M.
>
>
> Hi Mark,
>
> Thanks for getting back to me, but unfortunately that didn't work.
>
> On the browser I see:
>
> "The following error was encountered:
>
> * Unable to forward this request at this time.
>
> This request could not be forwarded to the origin server or to any parent
> caches. The most likely cause for this error is that:
>
> * The cache administrator does not allow this cache to make direct
> connections to origin servers, and
> * All configured parent caches are currently unreachable."
>
> And in the squid log I see, using ebay.co.uk for example...
>
> Failed to select source for 'http://www.ebay.co.uk'
> always_direct = 0
> never_direct = 1
> timed_out = 0
>
> Cheers
>
> SU
>
>

I'd say either add the never_direct line to what you have (cache_peer_access) or get rid of the cache_peer_access lines, and ONLY have the never_direct. Otherwise, if you want to direct ALL ssl traffic through your parent cache, "cache_peer_access 172.21.118.118 allow CONNECT" will do it.

Chris
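The interaction Chris describes (never_direct taking direct away while "cache_peer_access deny all" takes the parent away, leaving Squid with "Failed to select source") is easy to see by evaluating the three configurations from this thread side by side. The script below is an added example written for this archive page, not Squid's code and not something posted in the thread. It models only Squid's access-list rule ("first matching line decides; if nothing matches, the opposite of the last line applies") for the always_direct, never_direct and cache_peer_access directives, with the dstdomain, method and all ACL types. The "acl CONNECT method CONNECT" line is assumed to be present from the stock squid.conf, "all" is treated as a built-in ACL, and the request hosts are constructed test inputs.

```python
"""Added example: a small model of how Squid's always_direct, never_direct
and cache_peer_access lists combine when Squid picks a source for a request.
Illustration code for this thread, not Squid's own code.  Only the 'all',
'dstdomain' and 'method' ACL types are modelled."""


def parse_conf(conf_text):
    """Pick out the directives that matter for peer selection."""
    conf = {"acls": {"all": ("all", [])},   # 'all' treated as a builtin ACL
            "peers": [], "peer_access": {},
            "always_direct": [], "never_direct": []}
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        directive, args = words[0], words[1:]
        if directive == "acl":
            name, acltype, values = args[0], args[1], args[2:]
            conf["acls"].setdefault(name, (acltype, []))[1].extend(values)
        elif directive == "cache_peer":
            conf["peers"].append(args[0])
        elif directive == "cache_peer_access":
            conf["peer_access"].setdefault(args[0], []).append((args[1], args[2]))
        elif directive in ("always_direct", "never_direct"):
            conf[directive].append((args[0], args[1]))
        # http_access and everything else is irrelevant here and ignored
    return conf


def acl_matches(conf, name, method, host):
    acltype, values = conf["acls"][name]
    if acltype == "all":
        return True
    if acltype == "method":
        return method.upper() in [v.upper() for v in values]
    if acltype == "dstdomain":
        h = host.lower()
        for v in (x.lower() for x in values):
            # a leading dot means the domain itself and every subdomain
            if v.startswith(".") and (h == v[1:] or h.endswith(v)):
                return True
            if h == v:
                return True
        return False
    raise ValueError("ACL type not modelled: " + acltype)


def evaluate(conf, rules, method, host, empty_default):
    """Squid access-list semantics: the first line whose ACL matches decides;
    if no line matches, the result is the opposite of the last line's action;
    a directive with no lines at all uses its own default."""
    if not rules:
        return empty_default
    for action, acl in rules:
        if acl_matches(conf, acl, method, host):
            return action == "allow"
    return rules[-1][0] != "allow"


def select_source(conf_text, method, host):
    """Return which sources the ACLs permit for one request.  Squid still
    chooses among the permitted sources; the model only reports the set."""
    conf = parse_conf(conf_text)
    forced_direct = evaluate(conf, conf["always_direct"], method, host, False)
    forced_peer = evaluate(conf, conf["never_direct"], method, host, False)
    if forced_direct:
        peers = []             # always_direct wins over any parent
    else:
        peers = [p for p in conf["peers"]
                 if evaluate(conf, conf["peer_access"].get(p, []), method, host, True)]
    direct_ok = forced_direct or not forced_peer
    return {"direct_allowed": direct_ok, "usable_peers": peers,
            "failed": not direct_ok and not peers}   # "Failed to select source"


# The three configurations from the thread.  The CONNECT acl is Squid's
# stock definition, assumed to be present in the full squid.conf.
ORIGINAL = """
acl CONNECT method CONNECT
acl forwardTraffic dstdomain .co.uk
cache_peer 172.21.118.118 parent 3128 0 proxy-only no-query
cache_peer_access 172.21.118.118 allow forwardTraffic
cache_peer_access 172.21.118.118 deny all
"""

MARKS_CHANGE = """
acl CONNECT method CONNECT
acl forwardTraffic dstdomain .co.uk
cache_peer 172.21.118.118 parent 3128 0 proxy-only no-query
never_direct allow forwardTraffic
cache_peer_access 172.21.118.118 deny all
"""

CHRIS_FIX = """
acl CONNECT method CONNECT
acl forwardTraffic dstdomain .co.uk
cache_peer 172.21.118.118 parent 3128 0 proxy-only no-query
cache_peer_access 172.21.118.118 allow forwardTraffic
cache_peer_access 172.21.118.118 deny all
never_direct allow forwardTraffic
"""

if __name__ == "__main__":
    # Constructed requests: the browser's CONNECT for an https .co.uk site,
    # the plain HTTP request from the log, and a non-.co.uk request.
    for label, conf in (("original", ORIGINAL), ("Mark's change", MARKS_CHANGE),
                        ("Chris's fix", CHRIS_FIX)):
        for method, host in (("CONNECT", "www.ebay.co.uk"),
                             ("GET", "www.ebay.co.uk"), ("GET", "www.example.com")):
            print(label, method, host, select_source(conf, method, host))
```

With Mark's change, a .co.uk request has never_direct = 1 and no usable parent, which is exactly the "Unable to forward this request" page and the "Failed to select source" log line quoted above. With Chris's combination (keep the cache_peer_access allow line and add never_direct), .co.uk requests, including the CONNECT a browser sends for https sites, are permitted only the parent, and everything else keeps direct access. The model deliberately does not reproduce how Squid chooses when both direct and a parent are permitted, which is the situation in the original configuration; it only shows which sources the ACLs leave available.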
Received on Wed Feb 01 2006 - 13:19:36 MST