----- Original Message -----
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>
> You could try with a newer Squid version since the bio.cc code might be
> making something else happen in 3.5.23. If that still fails the 4.0 beta
> has different logic and far better debug info in this area.

Hi again,

I'm still struggling with my reverse proxy setup.

As stated in my previous post, after upgrading to squid 3.5.23, I successfully connected with a web browser FROM an external location (internet) to the Squid proxy which in turn connected via https on port 443 to an internal MS Exchange OWA server. Apparently, all I was missing was sslcafile in cache_peer.

However, I'm now trying (but failing) to do the same thing locally. I'm connecting from a web browser in the local network to the Squid reverse proxy and that, in turn, is trying to connect to the OWA server on the same LAN.

I set up the client's hosts file to point webmail2.mydomain.org to Squid's IP address.

Here's squid.conf:

https_port 0.0.0.0:443 accel cert=/etc/ssl/squid/accel_cert.cer key=/etc/ssl/squid/accel_key.pem defaultsite=webmail2.mydomain.org

cache_peer 10.215.144.21 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/squid/client_cert.cer sslkey=/etc/ssl/squid/client_key.pem sslcafile=/etc/ssl/CA/cacert.pem front-end-https=on name=owaServer

acl OWA dstdomain webmail2.mydomain.org
cache_peer_access owaServer allow OWA
never_direct allow OWA
http_access allow OWA
http_access deny all

Since it didn't work with Squid 3, I updated to the latest Squid 4 version.
I get this in the log when trying to connect:

2017/01/24 07:58:57.075 kid1| 83,5| bio.cc(116) write: FD 18 wrote 312 <= 312
2017/01/24 07:58:57.075 kid1| 83,5| bio.cc(139) read: FD 18 read -1 <= 65535
2017/01/24 07:58:57.076 kid1| 83,5| bio.cc(144) read: error: 11 ignored: 1
2017/01/24 07:58:57.076 kid1| 5,3| comm.cc(559) commSetConnTimeout: local=10.215.144.92:56236 remote=10.215.144.21:443 FD 18 flags=1 timeout 30
2017/01/24 07:58:57.076 kid1| 5,5| ModEpoll.cc(117) SetSelect: FD 18, type=1, handler=1, client_data=0xb7cf8be8, timeout=0
2017/01/24 07:58:57.076 kid1| 93,5| AsyncJob.cc(154) callEnd: Security::BlindPeerConnector status out: [ FD 18 job60]
2017/01/24 07:58:57.076 kid1| 93,5| AsyncCallQueue.cc(57) fireNext: leaving AsyncJob::start()
2017/01/24 07:58:57.076 kid1| 83,5| bio.cc(139) read: FD 18 read 0 <= 65535
2017/01/24 07:58:57.076 kid1| 83,5| NegotiationHistory.cc(83) retrieveNegotiatedInfo: SSL connection info on FD 18 SSL version NONE/0.0 negotiated cipher
2017/01/24 07:58:57.076 kid1| Error negotiating SSL on FD 18: error:00000000:lib(0):func(0):reason(0) (5/0/0)
2017/01/24 07:58:57.076 kid1| TCP connection to 10.215.144.21/443 failed
2017/01/24 07:58:57.077 kid1| 15,2| neighbors.cc(1246) peerConnectFailedSilent: TCP connection to 10.215.144.21/443 dead

# squid -v
Squid Cache: Version 4.0.17-20170122-r14968
Service Name: squid
configure options: '--prefix=/usr' '--build=i686-pc-linux-gnu' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' '--disable-silent-rules' '--docdir=/usr/share/doc/squid-4.0.17_beta_p2017012214968' '--htmldir=/usr/share/doc/squid-4.0.17_beta_p2017012214968/html' '--libdir=/usr/lib' '--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid' '--localstatedir=/var' '--with-pidfile=/run/squid.pid' '--datadir=/usr/share/squid' '--with-logdir=/var/log/squid' '--with-default-user=squid' '--enable-removal-policies=lru,heap' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-disk-io' '--enable-auth-basic=NCSA,POP3,getpwnam,SMB,LDAP,PAM,RADIUS' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-ntlm=SMB_LM' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=file_userip,session,unix_group,wbinfo_group,LDAP_group,eDirectory_userip,kerberos_ldap_group' '--enable-log-daemon-helpers' '--enable-url-rewrite-helpers' '--enable-cache-digests' '--enable-delay-pools' '--enable-eui' '--enable-icmp' '--enable-follow-x-forwarded-for' '--with-large-files' '--disable-strict-error-checking' '--disable-arch-native' '--with-ltdl-includedir=/usr/include' '--with-ltdl-libdir=/usr/lib' '--with-libcap' '--enable-ipv6' '--disable-snmp' '--with-openssl' '--with-nettle' '--with-gnutls' '--disable-ssl-crtd' '--disable-ecap' '--disable-esi' '--enable-htcp' '--enable-wccp' '--enable-wccpv2' '--enable-linux-netfilter' '--with-mit-krb5' '--without-heimdal-krb5' 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 'CC=i686-pc-linux-gnu-gcc' 'CFLAGS=-O2 -march=i686 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed' 'CXXFLAGS=-O2 -march=i686 -pipe' 'PKG_CONFIG_PATH=/usr/lib/pkgconfig'

# openssl version
OpenSSL 1.0.2j 26 Sep 2016

Unfortunately, Squid's or OpenSSL's log message isn't too informative, even in Squid 4. Also, I'm not sure why the SSL version isn't picked up (NONE/0.0) but I don't think it changes anything.

What else can I try?

Thanks,

Vieri
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
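
Added example, not part of the message above and not Squid's own code: a small parser for the cache.log lines quoted in the post that tallies handshake bytes per FD and decodes the trailing (5/0/0) on the "Error negotiating SSL" line. It assumes that triple is SSL_get_error() code / handshake return value / errno; the names diagnose and SAMPLE_LOG are illustrative.

```python
import re

# OpenSSL SSL_get_error() codes (ssl.h).
# Assumption: Squid's trailing (a/b/c) is SSL_get_error code / return value / errno.
SSL_ERRORS = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
              3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
              5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}

# Lines copied from the cache.log excerpt in the post above.
SAMPLE_LOG = """\
2017/01/24 07:58:57.075 kid1| 83,5| bio.cc(116) write: FD 18 wrote 312 <= 312
2017/01/24 07:58:57.075 kid1| 83,5| bio.cc(139) read: FD 18 read -1 <= 65535
2017/01/24 07:58:57.076 kid1| 83,5| bio.cc(139) read: FD 18 read 0 <= 65535
2017/01/24 07:58:57.076 kid1| Error negotiating SSL on FD 18: error:00000000:lib(0):func(0):reason(0) (5/0/0)
"""

BIO_RE = re.compile(r"bio\.cc\(\d+\) (read|write): FD (\d+) (?:read|wrote) (-?\d+) <=")
ERR_RE = re.compile(r"Error negotiating SSL on FD (\d+): error:([0-9A-Fa-f]+):\S+ \((\d+)/(-?\d+)/(\d+)\)")

def diagnose(log_text):
    """Return one finding per failed handshake, with the I/O seen on that FD."""
    io = {}        # fd -> bytes sent, bytes received, whether read() hit EOF
    findings = []
    for line in log_text.splitlines():
        m = BIO_RE.search(line)
        if m:
            op, fd, n = m.group(1), int(m.group(2)), int(m.group(3))
            st = io.setdefault(fd, {"sent": 0, "received": 0, "eof": False})
            if n > 0:
                st["sent" if op == "write" else "received"] += n
            elif op == "read" and n == 0:
                st["eof"] = True          # read() returned 0: peer closed the socket
            continue
        m = ERR_RE.search(line)
        if m:
            fd, queue, code, ret = int(m.group(1)), int(m.group(2), 16), int(m.group(3)), int(m.group(4))
            st = io.pop(fd, {"sent": 0, "received": 0, "eof": False})
            name = SSL_ERRORS.get(code, "unknown(%d)" % code)
            if code == 5 and ret == 0 and queue == 0 and st["eof"]:
                cause = "peer closed the TCP connection mid-handshake (EOF, empty OpenSSL error queue)"
            elif code == 1:
                cause = "TLS protocol or certificate failure reported by OpenSSL"
            else:
                cause = "undetermined"
            findings.append({"fd": fd, "ssl_error": name, "sent": st["sent"],
                             "received": st["received"], "cause": cause})
    return findings
```

On the quoted lines this reports 312 bytes sent and 0 received on FD 18 before the EOF, which is consistent with the "SSL version NONE/0.0" line: no handshake reply was read from the peer, so no version was negotiated.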