Search squid archive

Help troubleshooting proxy<-->client https

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Dear Squid Users,

I am trying to configure my Squid 4.0.17 to use an https connection between the client and the proxy.  I have added an https_port directive to squid.conf, but it must be misconfigured. When I test with a dev version of curl that supports https proxies, I am getting ERR_PROTOCOL_UNKNOWN errors.  Below is the curl output, my squid.conf, and access.log and cache.log snippets.

I appreciate any insights that you can offer.  Thank you very much,
-Masha


----------------------------------------
curl output
----------------------------------------
$ ~/bin/curl -v -x https://proxy.somwhere.com:443 https://github.com
* Rebuilt URL to: https://github.com/
*   Trying 54.210.69.61...
* TCP_NODELAY set
* Connected to proxy.somwhere.com (54.210.69.61) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

----------------------------------------
squid.conf
----------------------------------------
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 81          # http
acl Safe_ports port 800         # http
acl Safe_ports port 8000        # http
acl Safe_ports port 8080        # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl SSL method CONNECT
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager to_localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access deny to_localhost

# ICAP CONFIG
icp_access deny all
htcp_access deny all

http_port 172.30.0.67:443 ssl-bump cert=/path/to/some.cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-dh=/usr/local/squid/etc/dhparam.pem
https_port 172.30.0.67:443 cert=/path/to/other.cert.pem cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

access_log stdio:/usr/local/squid/var/log/access.log custom
cache_store_log stdio:/usr/local/squid/var/log/store.log custom
log_mime_hdrs on

pid_filename /usr/local/squid/var/run/custom-squid.pid

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

request_header_access Proxy-Authenticate deny all
request_header_access Proxy-Authentication-Info deny all
request_header_access Proxy-Authorization deny all
request_header_access Proxy-Connection deny all
request_header_access Proxy-support deny all
request_header_access custom-version deny all
request_header_access custom-watermark deny all
request_header_access custom-token deny all
request_header_access custom-parent-host deny all
request_header_access Via deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access X-Forwarded-For deny all
reply_header_access X-XSS-Protection deny all
request_header_access Other allow all

cache_mgr cache_mgr@xxxxxxxxxxxxx
mail_from squid@xxxxxxxxxxxxx
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_default_options_ttl 60
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_client_username_encode off

ecap_enable on
loadable_modules /usr/local/squid/modules/libcustom_ecap.so
ecap_service custom_validate_req reqmod_precache ecap://somewhere.com/ecap/services/validate routing=on bypass=off
ecap_service custom_validate_resp respmod_precache ecap://somewhere.com/ecap/services/validate routing=on bypass=off
#adaptation_access custom_validate allow all

icap_service custom_req reqmod_precache routing=on icap://127.0.0.1:1344/custom_req
icap_service custom_resp respmod_precache routing=on icap://127.0.0.1:1344/custom_resp
forwarded_for delete

# Define a service set for requests. The first service (eCAP) will
# process the request if the API token is in the local cache, and the
# user has the "Access Only" preference set. Otherwise eCAP will abort,
# causing Squid to fail over to ICAP to handle the request.
adaptation_service_set custom_req_set custom_validate_req custom_req
adaptation_service_set custom_resp_set custom_validate_resp custom_resp

adaptation_access custom_req_set allow all
adaptation_access custom_resp_set allow all

# Never stop trying to talk to the ICAP server, no matter how many times it fails.
icap_service_failure_limit -1

# Squid uses numeric categories to control logging.
# Interesting categories:
#   93        ICAP
# debug_options ALL,3 44,0 23,0 40,0 73,0 93,3
debug_options  ALL,1 11,2 74,9,93,3
(END)



----------------------------------------
access.log
----------------------------------------
 [26/May/2017:05:35:50 +0000] "NONE error:invalid-request HTTP/1.1" 400 3824



----------------------------------------
cache.log
----------------------------------------
2017/05/26 05:35:50.115 kid1| 74,9| RequestParser.cc(359) doParse: Parse buf={length=517, data="">
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(284) parseRequestFirstLine: parsing possible request: buf.length=517
2017/05/26 05:35:50.115 kid1| 74,9| RequestParser.cc(285) parseRequestFirstLine:
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(382) doParse: request-line: retval -1: line={517, data="">
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(383) doParse: request-line: method: NONE
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(384) doParse: request-line: url:
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(385) doParse: request-line: proto: NONE/0.0
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(386) doParse: Parser: bytes processed=0
2017/05/26 05:35:50.115 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=172.30.0.67:443 remote=75.147.129.242:64540 FD 11 flags=1
2017/05/26 05:35:50.115 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 400 Bad Request
Server: squid/4.0.17
Mime-Version: 1.0
Date: Fri, 26 May 2017 05:35:50 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3394
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from ip-172-30-0-67.ec2.internal
X-Cache-Lookup: NONE from ip-172-30-0-67.ec2.internal:443
Via: 1.1 ip-172-30-0-67.ec2.internal (squid/4.0.17)
Connection: close


----------

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux