Re: Issues with ssl-bump in 3.HEAD

[Mike <mcsnv96@xxxxxxx>]

I got it figured out... it was the acl rules at the top... since the 
server IP was within the company network and I was testing and accessing 
from outside, it was not working. So at least for testing I needed to 
add my own IP as part of the "acl localnet"... after that it worked 
perfectly.

Thanks to everyone for their help.


Mike


On 6/18/2014 4:59 PM, Mike wrote:
> I (think) got it figured out... seemed that port 3128 was the 
> problem... not sure why this provider blocks that port but as soon as 
> I changed the squid.conf http_port to 8080, it worked right away.
>
> Thanks for everyones help!
>
> Mike
>
>
> On 6/18/2014 12:35 PM, Mike wrote:
> > I compiled source 3.4.5 from squid-cache.org with all the needed 
> > rules and it is still refusing all connections.
> > OS (on all 3 tested systems) is Scientific Linux 6.5, kernel is 
> > 2.6.32.431.17.1.el6. The latest squid version available in their repo 
> > is 3.1.10 which does not have the needed SSL related options.
> >
> > No unusual errors with configure, make or make install.
> >
> >
> >
> >
> > So any suggestions or other items to check?
> >
> >
> > Mike
> >
> > On 6/17/2014 12:34 AM, Amos Jeffries wrote:
> > > On 17/06/2014 10:30 a.m., Mike wrote:
> > > > Running into another issue, not sure whats going on here.
> > > >
> > > > ALL HTTPS connections are being denied. Temporarily, selinux is 
> > > > disabled
> > > > and firewall is off. We have it working on 2 other servers with 
> > > > same OS,
> > > > same kernel, same settings but it is just this one that refuses to 
> > > > allow
> > > > connections to HTTPS sites.
> > > >
> > > > We went with this version since none of the other rpms (3.4x and 
> > > > newer)
> > > > we could find included the ssl_crtd without manually compiling the
> > > > entire thing, which we wanted to stay away from if possible, due to 
> > > > ease
> > > > of updating squid at some point down the road on many servers without
> > > > having to recompile on dozens (or maybe hundreds by then) when it 
> > > > comes
> > > > time.
> > > >
> > > > The cache.log shows no errors. "squid -k parse" shows no errors.
> > > >
> > > > [root@servername $]# yum info squid
> > > > Loaded plugins: security
> > > > Installed Packages
> > > > Name        : squid
> > > > Arch        : x86_64
> > > > Epoch       : 7
> > > > Version     : 3.5.0.001
> > > > Release     : 1.el6
> > > > Size        : 8.2 M
> > > > Repo        : installed
> > > >
> > > > [root@servername $]# squid -v
> > > > Squid Cache: Version 3.HEAD-20140127-r13248
> > > Hi Mike,
> > >   that package is several months old now and this sounds like one of 
> > > the
> > > bugs now fixed. I'm sending Eliezer a request to update the package, 
> > > you
> > > may want to do so as well.
> > >
> > > I dont see any http_access lines at all in the below config file. Squid
> > > security policy is "closed by default", so if you omit all access
> > > permissions noting is permitted.
> > >
> > >
> > > >  From access.log:
> > > > TCP_DENIED/403 3742 CONNECT www.facebook.com:443 - HIER_NONE/- 
> > > > text/html
> > > > TCP_DENIED/403 3733 CONNECT startpage.com:443 - HIER_NONE/- text/html
> > > > TCP_DENIED/403 3736 CONNECT www.google.com:443 - HIER_NONE/- text/html
> > > >
> > > > Rules are same as previously mentioned:
> > > >
> > > > # Squid normally listens to port 3128
> > > > http_port 3128
> > > > http_port 3129 intercept
> > > > https_port 3130 intercept ssl-bump connection-auth=off
> > > > generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
> > > > cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
> > > >
> > > > sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db 
> > > > -M 16MB
> > > > sslcrtd_children 50 startup=5 idle=1
> > > > ssl_bump server-first all
> > > > ssl_bump none localhost
> > > > always_direct allow all
> > > >
> > > > visible_hostname xxxxx.xx.net
> > > > cache_mgr xxxx@xxxxxx
> > > > dns_nameservers xx.xx.xx.xx yy.yy.yy.yy zz.zz.zz.zz
> > > > hosts_file /etc/hosts
> > > >
> > > > #cache_access_log /dev/null
> > > > #cache_store_log none
> > > > #cache_log /dev/null
> > > > # acl blacklist dstdomain -i "/etc/squid/domains"
> > > > # http_access deny blacklist
> > > >
> > > >
> > > > #  Below line is for troubleshooting only, comment out when sys 
> > > > goes to
> > > > production
> > > > cache_access_log /var/log/squid/access.log
> > > The above line should be:
> > >    access_log /var/log/squid/access.log
> > >
> > > Also, the cache_log and debug_options lines shoud remain like this in
> > > production if at all possible. You can start Squid with the -s command
> > > line option to pipe the cache critical messages to syslog but Squid
> > > should always have a cache.log for a backup troubleshooting information
> > > source.
> > >
> > > > cache_store_log /var/log/squid/store.log
> > > > cache_log /var/log/squid/cache.log
> > > > debug_options ALL,0
> > > >
> > > > # Uncomment and adjust the following to add a disk cache directory.
> > > > cache_dir ufs /var/spool/squid 10000 32 512
> > > > cache_effective_user squid
> > > >
> > > > The cache store (store.log) shows a lot of entries like this:
> > > > RELEASE -1 FFFFFFFF 10808232E705173EC05BDDACC2C6F47F   ? ?
> > > > ?         ? ?/? ?/? ? ?
> > > Not to worry, temporary files used as disk-backing store for some
> > > transactions. We have not yet fully removed the need for this type of
> > > file from Squid.
> > >
> > >
> > > HTH
> > > Amos