-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Amos, this issue looks like very similar to bug 4188, isn't it? WBR, Yuri 26.08.15 11:36, Amos Jeffries пишет: > On 26/08/2015 6:51 a.m., Oliver Webb wrote: >> TLDR Skip to ---------- >> >> I have squid 3.5.7 installed on linux with the following configure options: >> >> '--build=arm-linux-gnueabihf' '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/usr/lib/squid' '--srcdir=.' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log' '--with-pidfile=/var/run/squid.pid' '--enable-ssl' '--with-openssl' '--enable-ssl-crtd' '--enable-delay-pools' '--enable-external-acl-helpers=session' 'build_alias=arm-linux-gnueabihf' >> >> I have the following ports assigned in squid.conf: >> >> http_port 3129 >> http_port 3128 intercept >> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem >> >> I also have IPTables redirecting port 443 traffic to port 3130 and port 80 traffic to 3128 >> >> For port 80 HTTP traffic the proxy works fine pages load except blocked ones which the proxy successfully replaces which blocked message >> >> Port 443 HTTPS traffic is successfully bumped by squid and the certificate is replaced with the dynamically generated one. >> ---------- >> HOWEVER >> The page squid serves over the browser-squid tunnel is the ERR_DNS_FAIL error page with the %H hostname template code evaluated to 'http' (without quotes) >> > > That means one or more of these is most likely: > > A) the SNI value sent by the client was "http". > - that is invalid TLS protocol > > B) the Host header in the HTTP message was "Host: http:443" or "Host: > http://blah"; > - both are invalid FQDN > > C) the reverse-DNS for the IP address Squid is dealing with says "http" > - that is an invalid DNS record > > > Maybe be more I've overlooked right now. > > >> Also in the cache.log the following message appears after every HTTPS request >> FATAL: Unable to open HTTPS Socket > > > For (B) and some of (A), try adding "debug_options 11,2 83,5" to your > config file and see what the messages are doing in Squid. > If there are no HTTP messages, then the issue is in the TLS or DNS layers. > > For the rest of (A), you will likely need to use packet captures to see > what is happening on the connections both in and out of Squid > (from-client and to-server). The TLS/SSL library command line test tools > may also be useful there to track the TLS protocol details Squis is not > showing well yet. > > > For (C) try resolving the domain name "http" from the command line of > your Squid machine. > > If you configured dns_nameservers directive in squid.conf repeat that > test using each of the listed servers. > > If the machine normal lookup works but the Squid NS fail, you may need > to add dns_defnames and dns_appenddomain directives to your squid.conf > with details that match what /etc/resolv.conf tells the machine to do. > > > PS. The best setup IMHO, is to remove the dns_* directives entirely and > let Squid use the normal /etc/resolv.conf settings. > > > Amos > > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJV3Yd/AAoJENNXIZxhPexGGd8H/1NfOxLblRGsy9qCaPY2yM1J WnF2f5smag9uk+BW08OTz+Px+GePMl6lvdauUXp5NFj4YDNh1q94/tG7sKF0zyOG qt3OafVSdbLuUooE80RjMRPTxaEM2ibgcEj7lAvsDdsQVOFlBJeaysyvsgi+jql5 zijJXcGFfy2y38nhSQAlt8WTgDwLEBxVT77twbSp64l3GMsknugF6X6z97Brwffg IA01dKhUrXZl3ElJokp62XTMs+luBzopwuK77exEvxJSgn1chK6/F6V1GlDaxZYt YL3LGiV57TToluMKxmPkmp9UjCTc+kMU23k8lSzOAYp7KXOhgDXJ0fdWafWhtSg= =JXK6 -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
