0

I need to Cache html response from anonymous proxies using squid caching server. However my requirement is something as given:

From client machine I need to connect to anonymous proxy with credentials IP and port. All my request are routed through local squid proxy server.

I tried with the given configurations on squid but not able to cache the response when I connect to the origin as following:

squidclinet -h <IP-Anonymous_Proxy> -p <Port> -u <username> -w <Password> <https://www.example.com>

However I am able to cache using following method:

squidclient -h  <IP-squid_proxy> -p  <Port>  -u <username> -w <Password>

My squid.conf file

# General

http_port 3128
visible_hostname Proxy
forwarded_for delete
via off

# Log

logformat squid %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log squid

# Cache

cache_dir aufs /var/cache/squid 1024 16 256
coredump_dir /var/spool/squid

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0


# Network ACL

acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network

# Port ACL

acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rync
acl Safe_ports port 80 8080     # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl purge method PURGE
acl CONNECT method CONNECT
###Cache Peer
cache_peer <Anonymous-Proxy> parent <Port> 0 no-query default login=username:password
never_direct allow all

http_access allow all
icp_access allow all
#always_direct allow all

# Request Headers Forcing

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

# Response Headers Spoofing

reply_header_access Via deny all
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
Bikash Bhandari
  • 3
  • 2

1 Answers1

0

You cannot cache HTTPS as it is encrypted.
Squid is a HTTP cache only.
HTTPS queries of clients like browsers, wget or curl can only be routed through Squid with the CONNECT method but not be cached there.

While the ssl bump method supports caching, it involves generating fake SSL certificates and installing a fake CA certificate on the clients. This constitutes a man-in-the-middle attack.
While this is possible, it is not recommended except in special cases justifying such an approach.
The objective of caching alone does not justify using the ssl bump method.

Juergen
  • 138
  • 1
  • 10
  • Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL. – Bikash Bhandari Feb 27 '21 at 23:43
  • Also I read about ssl bump being used for caching https. Also my question was I was I was not able cache while using following command as client with squid being my transparent proxy squidclient -h -p -u -w with – Bikash Bhandari Feb 27 '21 at 23:47
  • Your question was about `https://www.example.com`. While squid does support HTTPS, it supports it by routing through using the CONNECT method and not caching. I'm extending my answer to cover the `ssl bump` method. – Juergen Feb 28 '21 at 10:40
  • Also would like to know when using squid as a transparent proxy, does it cache the information when client connects to origin server through anonymous proxy server. In this case squid is used only as a gateway between client and anonymous proxy. – Bikash Bhandari Feb 28 '21 at 15:22
  • Yes ist does, but still not HTTPS but only HTTP. – Juergen Feb 28 '21 at 15:37
  • Do you mean to say using cache_peer in the configuration? With cache_peer configuration, using anonymous proxy it does but how about without using cache peer. I tried to connect to the origin using anonymous proxy using squidclient . In this case the packet was routed through squid but was not able to store any headers. – Bikash Bhandari Feb 28 '21 at 16:12
  • Squid's ability to cache something is independent of whether you use it as a transparent proxy or anonymous or with a login: It caches HTTP traffic and cannot cache HTTPS traffic except if you use the `ssl bump` method what you should do only in special cases, but not to achieve caching. – Juergen Feb 28 '21 at 17:59