Hi all, first post. I am a squid noob, but I?ve RTFM, and the FAQ, and searched the archive and I can?t figure this out. On my web clients, pages load crazy slowly, then fail with local error pages such as: ?The connection was reset; The connection to the server was reset while the page was loading.? Squid 3.3.12, OS Fedora 20, Linux Kernel 3.14.4-200.fc20.x86_64. Tested Windows clients Firefox 29.01; Google Chrome 35.0.1916.114 m, IE 11. Squid cache.log contain no errors. Squid access.log does not show expected requests, instead shows TCP_MISS_ABORTED: ?1401736785.584 20020 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://www.google.com/url? - HIER_DIRECT/2607:f8b0:400f:801::1013 ?? (I just noticed the unexpected ip6 type address. I do not know if that is relevant. I will now try to disable ipv6.) I did not previously need ssl_bump, but I am trying to get it to work now. Here is my current squid.conf: acl localnet src 192.168.0.0/16 acl localnet src fc00::/7 acl localnet src fe80::/10 acl SSL_ports port 443 acl Safe_ports port 80 acl Safe_ports port 21 acl Safe_ports port 443 acl Safe_ports port 70 acl Safe_ports port 210 acl Safe_ports port 1025-65535 acl Safe_ports port 280 acl Safe_ports port 488 acl Safe_ports port 591 acl Safe_ports port 777 acl CONNECT method CONNECT always_direct allow all ssl_bump server-first all sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid/ssl_db -M 4MB sslcrtd_children 5 sslproxy_cert_error allow all sslproxy_flags DONT_VERIFY_PEER http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access allow localnet manager http_access deny manager http_access allow localnet http_access allow localhost http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/pki/certs/squid.crt key=/pki/private/squid.key coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 Background: I had a Dansguardian+Squid transparent proxy that worked great for two years on Fedora 17. I used the default Fedora Squid config (no ssl_bump), and merely configured iptables to redirect port 80 traffic to dansguardian, and dansguardian used Squid. However, Fedora forces end-of-life upgrades every two years. After the latest upgrade Squid failed, and I have not been able to restore functionality. I have tried installing on a fresh Fedora 20 system but https requests still fail. The box is an edge router. It has one external NIC, wan0, one internal NIC lan0, two internal wifi NICs wifi[0,1] and one bridge interface br0. The box uses the NAT feature of iptables to provide access to the internet. My eventual goal is for a transparent proxy, but iptables is NOT currently configured to try that yet. Current rules look like this: *nat :PREROUTING ACCEPT :INPUT ACCEPT :OUTPUT ACCEPT :POSTROUTING ACCEPT -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT -A POSTROUTING -o wan0 -j MASQUERADE COMMIT *filter :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i lan0 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT -A INPUT -d 224.0.0.251/32 -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -p icmp -j ACCEPT -A FORWARD -i lo -j ACCEPT -A FORWARD -i lan0 -j ACCEPT -A FORWARD -o wan0 -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT I have been struggling with this for quite some time. I have read, and tried to follow the FAQ, including http://wiki.squid-cache.org/SquidFaq/InterceptionProxy. I started with the default squid config, and ended up trying the ssl_bump feature. I have hacked iptables configuration, including dumping all firewall rules (except nat). I have installed wireshark on client and squidbox. I am not skilled at interpreting the output, but I see my requests going to the squidbox, and nothing happening. I have tried downgrading to Squid 3.2.12, and upgrading to 3.4.5. Thanks for any help. Dev
