RE: [squid-users] HTTPS traffic not being forwarded to upstream proxy.

From: Paul Murphy <[email protected]>
Date: Mon, 6 Feb 2006 15:55:23 -0000

-----Original Message-----
From: Chris Robertson [mailto:crobertson@gci.com]
Sent: 01 February 2006 20:19
To: squid-users@squid-cache.org
Subject: RE: [squid-users] HTTPS traffic not being forwarded to upstream proxy.

> -----Original Message-----
> From: squid user [mailto:squid_user@hotmail.co.uk]
> Sent: Wednesday, February 01, 2006 7:27 AM
> To: mark.elsen@gmail.com
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] HTTPS traffic not being forwarded to upstream proxy.
>
> >On 2/1/06, squid user <squid_user@hotmail.co.uk> wrote:
> > > Hi,
> > >
> > > I have a Squid 2.5 stable 11 proxy forwarding traffic to
> > > an upstream proxy
> > > based on domain. This works fine for HTTP traffic, but
> > > HTTPS traffic is
> > > flowing directly from the downstream proxy to the internet.
> > >
> > > Would anyone give me any pointers as to an access list or
> > > other strategy I
> > > can use to ensure that HTTPS traffic flows to the
> > > upstream proxy? Here's
> > > what I have at the moment...
> > >
> > > acl forwardTraffic dstdomain .co.uk
> > > cache_peer 172.21.118.118 parent 3128 0 proxy-only no-query
> > > cache_peer_access 172.21.118.118 allow forwardTraffic
> >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> >Try changing the above line into :
> >
> > never_direct allow forwardTraffic
> >
> > > cache_peer_access 172.21.118.118 deny all
> > >

Not such a good idea. Now you are saying that .co.uk can't go direct
(fine) but that no requests can use the cache_peer (whoops). Hence the
problem seen below...

> >
> > M.
>
>
> Hi Mark,
>
> Thanks for getting back to me, but unfortunately that didn't work.
>
> On the browser I see:
>
> "The following error was encountered:
>
> * Unable to forward this request at this time.
>
> This request could not be forwarded to the origin server or
> to any parent
> caches. The most likely cause for this error is that:
>
> * The cache administrator does not allow this cache to
> make direct
> connections to origin servers, and
> * All configured parent caches are currently unreachable."
>
> And in the squid log I see, using ebay.co.uk for example...
>
> Failed to select source for 'http://www.ebay.co.uk'
> always_direct = 0
> never_direct = 1
> timed_out = 0
>
> Cheers
>
> SU
>
>

> I'd say either add the never_direct line to what you have
> (cache_peer_access) or get rid of the cache_peer_access lines, and ONLY
> have the never_direct. Otherwise, if you want to direct ALL ssl traffic
> through your parent cache, "cache_peer_access 172.21.118.118 allow
> CONNECT" will do it.

> Chris

Hi all,

Sorry about starting this up again, but I wasn't around my computer for
the latter part of last week.

Anyway, I tried adding the 'never_direct' line alongside my
cache_peer_access configuration and it still failed to work. HTTPS traffic
went direct from the first proxy to the outside world. I installed squid
STABLE12 and it happened with that release also.

As directing all ssl traffic to the upstream proxy isn't an option, any
other ideas would be greatly appreciated!

Cheers

SU
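Added example, not part of the thread and not Squid's code: a simplified Python model of the three directives the thread argues about (always_direct, never_direct, cache_peer_access), following the documented first-match semantics and ignoring everything else Squid weighs (prefer_direct, ICP/digests, hierarchy_stoplist). It reproduces the "Unable to forward this request at this time" outcome of the "replace cache_peer_access with never_direct" change and shows how the combined and CONNECT-based configurations route the same requests. The peer address, ACL name and ebay.co.uk host come from the thread; the Request objects, the www.example.com host and the assumption that dstdomain matches the host part of a CONNECT request are constructed for the example.

```python
"""Simplified model of Squid's source selection, added to illustrate the
thread above; this is not Squid's code.  It applies only the documented
first-match semantics of always_direct, never_direct and cache_peer_access
(no prefer_direct, ICP, digests or hierarchy_stoplist).  The peer address,
ACL name and hostnames come from the thread; the Request objects below are
constructed test input."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str   # "GET", "CONNECT", ...
    host: str     # for CONNECT this is the host part of "host:port" (assumption)
    port: int


Acl = Callable[[Request], bool]
Rule = Tuple[str, Acl]  # ("allow" | "deny", acl): one access-list line


def dstdomain(*patterns: str) -> Acl:
    """acl NAME dstdomain ...: a pattern with a leading dot matches that
    domain and every subdomain; anything else must match exactly."""
    def match(req: Request) -> bool:
        h = req.host.lower()
        for p in [x.lower() for x in patterns]:
            if p.startswith(".") and (h == p[1:] or h.endswith(p)):
                return True
            if not p.startswith(".") and h == p:
                return True
        return False
    return match


def method_acl(*names: str) -> Acl:
    """acl NAME method CONNECT ..."""
    wanted = {n.upper() for n in names}
    return lambda req: req.method.upper() in wanted


def acl_all() -> Acl:
    """acl all src 0.0.0.0/0.0.0.0"""
    return lambda req: True


def first_match(rules: List[Rule], req: Request) -> Optional[str]:
    """Access lists are evaluated top to bottom; the first matching line
    decides.  None means no line matched."""
    for action, acl in rules:
        if acl(req):
            return action
    return None


@dataclass
class SquidConf:
    peers: Dict[str, List[Rule]] = field(default_factory=dict)  # cache_peer_access per peer
    always_direct: List[Rule] = field(default_factory=list)
    never_direct: List[Rule] = field(default_factory=list)


def select_source(conf: SquidConf, req: Request) -> str:
    """Return "DIRECT", "PEER <addr>" or "ERR_CANNOT_FORWARD" (the
    "Unable to forward this request at this time" page quoted in the thread)."""
    if first_match(conf.always_direct, req) == "allow":
        return "DIRECT"
    must_use_peer = first_match(conf.never_direct, req) == "allow"
    eligible = [addr for addr, rules in conf.peers.items()
                if first_match(rules, req) == "allow"]
    if eligible:
        return f"PEER {eligible[0]}"
    if must_use_peer:
        # never_direct = 1 but every parent is denied: "Failed to select source"
        return "ERR_CANNOT_FORWARD"
    return "DIRECT"


PEER = "172.21.118.118"
forwardTraffic = dstdomain(".co.uk")
CONNECT = method_acl("CONNECT")

# 1. The original posting: cache_peer_access only.
original = SquidConf(peers={PEER: [("allow", forwardTraffic), ("deny", acl_all())]})
# 2. Mark's suggestion as applied: the allow line *replaced* by never_direct,
#    leaving "cache_peer_access 172.21.118.118 deny all" on its own.
replaced = SquidConf(peers={PEER: [("deny", acl_all())]},
                     never_direct=[("allow", forwardTraffic)])
# 3. Chris's first suggestion: keep cache_peer_access and add never_direct.
combined = SquidConf(peers={PEER: [("allow", forwardTraffic), ("deny", acl_all())]},
                     never_direct=[("allow", forwardTraffic)])
# 4. Chris's alternative: every CONNECT goes to the parent as well.
all_ssl = SquidConf(peers={PEER: [("allow", forwardTraffic), ("allow", CONNECT),
                                  ("deny", acl_all())]},
                    never_direct=[("allow", forwardTraffic), ("allow", CONNECT)])

# Constructed requests: the thread's example host plus an unrelated one.
HTTP_EBAY = Request("GET", "www.ebay.co.uk", 80)
HTTPS_EBAY = Request("CONNECT", "www.ebay.co.uk", 443)
HTTPS_OTHER = Request("CONNECT", "www.example.com", 443)

if __name__ == "__main__":
    for name, conf in [("original", original), ("replaced", replaced),
                       ("combined", combined), ("all_ssl", all_ssl)]:
        for req in (HTTP_EBAY, HTTPS_EBAY, HTTPS_OTHER):
            print(f"{name:9} {req.method:7} {req.host:16} -> {select_source(conf, req)}")
```

The model only reproduces the failure that is visible in the thread's log (never_direct = 1 with no eligible parent); in it, dstdomain also matches the host of a CONNECT request, so it does not explain why the poster's HTTPS traffic still went direct. For that, the hierarchy field of Squid's access.log (DIRECT versus a parent code) for the CONNECT lines is the first thing to look at.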

Received on Mon Feb 06 2006 - 08:58:51 MST

This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:03 MST