i was also getting this in my weblogic terminal window:
------------------
javax.net.ssl.SSLProtocolException: FATAL Alert:BAD_RECORD_MAC - A record was received with an incorrect MAC.
        at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
        at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
        at com.certicom.tls.record.MessageInterpreter.fireAlert(Unknown Source)
        at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
        at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
        at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
        at com.certicom.tls.record.ReadHandler.read(Unknown Source)
        at com.certicom.io.InputSSLIOStreamWrapper.read(Unknown Source)
        at weblogic.socket.SSLFilter.isMessageComplete(SSLFilter.java:225)
        at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:697)
        at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:648)
        at weblogic.socket.PosixSocketMuxer.processSockets(PosixSocketMuxer.java:123)
        at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
--------------

ok, it seems to be working now, i figured out that i needed no-query in my cache_peer line. here's my working squid.conf, for those who are interested:
---------------
https_port 8080 cert=/usr/local/squid/etc/key.crt key=/usr/local/squid/etc/key.key \
    defaultsite=minbedrift.no-ip.com:8080
sslproxy_flags DONT_VERIFY_PEER
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8080
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow CONNECT localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
cache_peer 192.168.0.150 parent 8080 3130 ssl sslflags=DONT_VERIFY_PEER no-query
---------------
hope this helps somebody and thanks Henrik and Mark for the help =)

Nick Humphrey

2006/11/2, nick humphrey <nick.c.humphrey@xxxxxxxxx>:
i came up with this:

cache_peer 192.168.150 parent 8080 3130 ssl sslflags=DONT_VERIFY_PEER originserver

but it doesn't seem to work. i just tried following the comment guidelines in squid.conf for cache_peer, but i'm obviously not doing this right. there it says, among other things, that: "To specify other caches in a hierarchy, use the format" but i don't have other caches, i'm just trying to redirect traffic to the one machine, wl81machine. but if i have to use the cache_peer, then:

is it supposed to be "parent"?
i assume 8080 is correct
i'm confused about the 3130. do i have to make wl81machine listen on that port? when i try contacting that port on wl81machine with netcat from deb3machine it says "permission denied"

here's my (updated) squid.conf:
-------------------
https_port 8080 cert=/usr/local/squid/etc/key.crt key=/usr/local/squid/etc/key.key defaultsite=192.168.0.150:8080
#httpd_accel_no_pmtu_disc on
#visible_hostname minbedrift.no-ip.com
sslproxy_flags DONT_VERIFY_PEER
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8080
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#always_direct allow all
http_access allow manager localhost
http_access deny manager
http_access allow CONNECT localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny CONNECT
http_access allow all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
cache_peer 192.168.0.150 parent 8080 3130 ssl sslflags=DONT_VERIFY_PEER originserver
------------------
the commented out lines are just stuff i've tried in desperation to see if they'd help (not sure if they do...)

i don't understand why in https_port: defaultsite=192.168.0.150:8080 has to have the port on it as well, since it is already defined in the beginning of https_port...

also a dumb question: do i reply to you or just to squid-users? both?

thanks Henrik,
Nick

2006/11/2, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>:
> Thu 2006-11-02 at 08:40 +0100, nick humphrey wrote:
>
> > Ready to serve requests.
> > Failed to select source for 'https://192.168.0.150:8080/'
> > always_direct = 0
> > never_direct = 0
> > timedout = 0
>
> This indicates incomplete accelerator mode configuration, missing the
> cache_peer telling Squid where the origin server(s) is..
>
> Regards
> Henrik
>
>