Re: [squid-users] https/SSL forwarding to parent squid cache

From: Chris Robertson <[email protected]>
Date: Tue, 23 Jan 2007 11:15:56 -0900

Rakesh Jha wrote:
> Hi,
> I have following scenario -
>
> Client-->squid--->Proxy--->Stateful Inspection--> Squid
> Parent-------->ISP2
> Firewall Firewall | (two NIC config)
> |
> |-->ISP1
>
> From Squid I am contacting parent squid at tcp port 3128 and it is
> allowed through both firewalls. This arrangements works perfectly for
> http traffic but I cannot login to hotmail or can not go to site with
> https.
> The idea behind this is that I want to use second ISP without
> complicating my configuration. The HTTP traffic goes perfectly through
> ISP2 but have problem with HTTPS. When I change never_direct to
> always_direct https works but then it not using ISP2. Any help?
>

I would have to guess this is related to how you are balancing the
traffic between the two NICs on the parent Squid. Many HTTPS services
don't like a connection to bounce between two client IPs. I'd suggest
biasing your HTTPS traffic to one ISP (either by using
tcp_ougoing_address in the parent Squid configuration file, or by the
routing rules on the box) and see it that fixes things.

> For using ISP1 I have other squid box which has default route to Proxy
> firewall. My squid.conf on the client side squid proxy is as following -
>
> acl bb-itsup src 10.10.56.0/255.255.255.0
> acl CONNECT method CONNECT
> acl all src 0.0.0.0/0.0.0.0
> never_direct allow bb-itsup
> never_direct allow CONNECT
>

Or you could eliminate this never_direct line which would allow CONNECT
requests to bypass the parent proxy, while pushing all other requests
through it.

> http_access allow localhost
> http_access allow bb-itsup
> #always_direct allow bb-itsup
> http_access deny all
>
> Thanks & regards,
>
> Rakesh
>

Chris
Received on Tue Jan 23 2007 - 13:16:14 MST

This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:01 MST