On 17/06/2014 10:30 a.m., Mike wrote:
> Running into another issue, not sure what's going on here.
>
> ALL HTTPS connections are being denied. Temporarily, selinux is disabled
> and firewall is off. We have it working on 2 other servers with same OS,
> same kernel, same settings but it is just this one that refuses to allow
> connections to HTTPS sites.
>
> We went with this version since none of the other rpms (3.4x and newer)
> we could find included the ssl_crtd without manually compiling the
> entire thing, which we wanted to stay away from if possible, due to ease
> of updating squid at some point down the road on many servers without
> having to recompile on dozens (or maybe hundreds by then) when it comes
> time.
>
> The cache.log shows no errors. "squid -k parse" shows no errors.
>
> [root@servername $]# yum info squid
> Loaded plugins: security
> Installed Packages
> Name    : squid
> Arch    : x86_64
> Epoch   : 7
> Version : 3.5.0.001
> Release : 1.el6
> Size    : 8.2 M
> Repo    : installed
>
> [root@servername $]# squid -v
> Squid Cache: Version 3.HEAD-20140127-r13248

Hi Mike,

That package is several months old now and this sounds like one of the bugs now fixed. I'm sending Eliezer a request to update the package; you may want to do so as well.

I don't see any http_access lines at all in the below config file. Squid security policy is "closed by default", so if you omit all access permissions nothing is permitted.
> From access.log:
> TCP_DENIED/403 3742 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
> TCP_DENIED/403 3733 CONNECT startpage.com:443 - HIER_NONE/- text/html
> TCP_DENIED/403 3736 CONNECT www.google.com:443 - HIER_NONE/- text/html
>
> Rules are same as previously mentioned:
>
> # Squid normally listens to port 3128
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
> cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
> sslcrtd_children 50 startup=5 idle=1
> ssl_bump server-first all
> ssl_bump none localhost
> always_direct allow all
>
> visible_hostname xxxxx.xx.net
> cache_mgr xxxx@xxxxxx
> dns_nameservers xx.xx.xx.xx yy.yy.yy.yy zz.zz.zz.zz
> hosts_file /etc/hosts
>
> #cache_access_log /dev/null
> #cache_store_log none
> #cache_log /dev/null
> # acl blacklist dstdomain -i "/etc/squid/domains"
> # http_access deny blacklist
>
>
> # Below line is for troubleshooting only, comment out when sys goes to
> production
> cache_access_log /var/log/squid/access.log

The above line should be:
  access_log /var/log/squid/access.log

Also, the cache_log and debug_options lines should remain like this in production if at all possible. You can start Squid with the -s command line option to pipe the cache critical messages to syslog, but Squid should always have a cache.log as a backup troubleshooting information source.

> cache_store_log /var/log/squid/store.log
> cache_log /var/log/squid/cache.log
> debug_options ALL,0
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/spool/squid 10000 32 512
> cache_effective_user squid
>
> The cache store (store.log) shows a lot of entries like this:
> RELEASE -1 FFFFFFFF 10808232E705173EC05BDDACC2C6F47F ? ? ? ? ?/? ?/? ? ?
Not to worry, those are temporary files used as disk-backing store for some transactions. We have not yet fully removed the need for this type of file from Squid.

HTH
Amos
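As an added illustration of the two points Amos raises (no http_access lines, and cache_access_log in place of access_log), here is the shape of an access-control block that the posted squid.conf lacks. This is example configuration written for this page, not text from the thread or from the Squid project; the ACL names follow the stock squid.conf defaults, the Safe_ports list is trimmed to the two ports that matter here, and the 192.168.0.0/16 client range is an assumption to be replaced with the real network.

```conf
# Added example, not part of the original thread. ACL names follow the
# stock squid.conf defaults; the localnet range is an assumed placeholder.

acl localnet src 192.168.0.0/16       # assumption: your client network
acl SSL_ports port 443
acl Safe_ports port 80                # http
acl Safe_ports port 443               # https
acl CONNECT method CONNECT

# Squid is closed by default. With no http_access lines at all, every
# request, including the intercepted CONNECTs in access.log, is denied
# before any upstream is contacted (hence HIER_NONE/- in the log).
# Rules are evaluated first-match, top to bottom.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all                  # explicit final deny

# Listening ports and SSL-bump settings as posted. ssl_bump is also a
# first-match list, so the localhost exemption has to come before the
# catch-all "all" rule to have any effect.
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump none localhost
ssl_bump server-first all
always_direct allow all

# Logging: the directive is access_log, not cache_access_log.
# Keep cache_log and debug_options in production as well.
access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
debug_options ALL,0
```

Note that `squid -k parse` checks directive syntax, not policy: a configuration with no http_access lines is syntactically valid and parses cleanly, exactly as reported above, so the first evidence of the problem is the run of TCP_DENIED/403 entries with HIER_NONE/- in access.log, not anything in cache.log or the parser output.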