Hi All, We have the following setup of a transparent squid box: OS: CentOS release 6.9 (Final) Squid Cache: Version 3.5.26-20170625-r14174 Compile options: '--with-included-ltdl' '--enable-icap-client' '--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd' '--enable-icmp' '--enable-snmp' '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' --enable-ltdl-convenience Endpoints are redirected to the Squid box using a policy route for TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We are using ssl bump for ssl, but there is a strange behavior: some websites open well, but some break and we get TAG_NONE/503 errors in the access log: 1512561423.930 1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html 1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65? - HIER_NONE/- text/html 1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html 1512566858.355 186 192.168.1.104 TAG_NONE/503 31436 GET https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp - HIER_NONE/- text/html In the same time range, other websites load well: 1512561134.548 306 192.168.1.112 TCP_MISS/302 572 GET https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12 image/gif 1512561139.701 216 192.168.1.148 TCP_MISS/200 386 POST https://cloud-ecs.gravityzone.bitdefender.com/hydra- ORIGINAL_DST/107.20.215.8 application/json 1512561142.180 13 192.168.1.112 TCP_MISS/200 419 GET https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif 1512561142.410 243 192.168.1.112 TCP_MISS/200 286 GET https://bam.nr-data.net/1/ef1706da28? 
- ORIGINAL_DST/162.247.242.21 text/javascript
IPTABLES CONFIGURATION
=======================
# PREROUTING INTERCEPT PBR
# Traffic arriving on eth0 (policy-routed from the Fortigate) is redirected to
# the local Squid intercept ports: plain HTTP (80 and 8080) to 3128, HTTPS (443)
# to the ssl-bump intercept port 3129.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#WEB
# NOTE(review): these ACCEPT rules are not bound to an interface or source
# network, so the explicit-proxy ports 3130/3131 (and the intercept ports) are
# reachable from any host that can route to this box — confirm that is intended.
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3129 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3130 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3131 -j ACCEPT
#default
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# FORWARD is rejected outright: the box only terminates redirected connections
# locally and never routes traffic through.
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
SQUID CONFIGURATION
====================
#WHITE LIST
# These http_access allow rules come before every deny rule below. Squid stops
# at the first matching http_access line, so a URL matching either regex list is
# allowed without being checked against the malicious-URL lists, the black list,
# or the localnet source restriction. Whitelisted URLs are also never cached and
# always fetched directly.
acl exclWL url_regex "/etc/squid/white_url.squid"
acl neoWL url_regex "/etc/squid/neowl.squid"
http_access allow exclWL
http_access allow neoWL
cache deny exclWL
cache deny neoWL
always_direct allow exclWL
always_direct allow neoWL
#Malicious URLs
acl dom url_regex "/etc/squid/dom.squid"
acl cc url_regex "/etc/squid/cc.squid"
http_access deny dom
http_access deny cc
#BLACK LIST
acl exclBL url_regex "/etc/squid/black_url.squid"
acl neoBL url_regex "/etc/squid/neobl.squid"
http_access deny exclBL
http_access deny neoBL
#ACLS BASE
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
# NOTE(review): 3129 is this proxy's own intercept port; presumably listed so
# CONNECT to it is not rejected by the CONNECT !SSL_ports rule — confirm.
acl SSL_ports port 3129
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl HTTPS proto HTTPS
include /etc/squid/acls_whitelist.conf
# "browser" ACLs match the client-supplied User-Agent header. The client
# controls that header, so everything gated on this ACL (the delay pool and the
# ICAP scanning rules below) can be influenced by the client choosing its UA.
acl useragent browser "/etc/squid/useragent.squid"
range_offset_limit 0 !useragent
minimum_object_size 0 bytes
maximum_object_size 3 GB
quick_abort_min -1
# One delay pool: clients whose User-Agent is NOT in the list are throttled to
# 128000 bytes/s; SSL ports are exempt; listed browsers are not throttled.
delay_pools 1
delay_class 1 1
delay_parameters 1 128000/128000
delay_access 1 deny SSL_ports
delay_access 1 allow !useragent
delay_access 1 deny all
#cache conf
max_filedescriptors 24576
memory_cache_mode disk
cache_mem 0 MB
cache allow all
# minimum_object_size / maximum_object_size are set a second time here; the
# later values (0 bytes / 20 MB) supersede the 3 GB limit given above.
minimum_object_size 0 bytes
maximum_object_size 20 MB
# DONT_VERIFY_PEER: Squid accepts origin-server certificates that fail
# validation (expired, wrong name, untrusted issuer) and still presents the
# client a valid certificate signed by the local CA. Bumped clients therefore
# cannot detect a bad or forged origin certificate; Squid is the only place that
# check could happen. (Repeated in ssl.conf below.)
sslproxy_flags DONT_VERIFY_PEER
connect_timeout 8 seconds
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
# Strips the Alternate-Protocol response header so clients are not told to
# switch to a protocol the proxy does not intercept — TODO confirm intent.
reply_header_access Alternate-Protocol deny all
# 3130/3131: explicit (forward-proxy) ports, 3131 with ssl-bump for CONNECT.
# 3128/3129: intercept ports that receive the iptables REDIRECTed traffic;
# 3129 terminates TLS using the local CA certificate in SIC.pem.
http_port 3130
http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem
cache_dir ufs /var/cache/squid 9000 16 256
cache_store_log /var/log/squid/store.log
cache_effective_user squid
visible_hostname Proxy
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 2 20% 10
# Catch-all pattern with ignore-private / ignore-auth / ignore-no-store /
# store-stale: this shared cache may store responses the origin marked
# private, no-store or authenticated, and serve them to other clients.
# For bumped HTTPS this includes per-user content. Consider whether this
# is acceptable for the data passing through the proxy.
refresh_pattern . 2 20% 10 ignore-reload override-expire ignore-no-cache ignore-no-store store-stale ignore-private ignore-must-revalidate ignore-auth
refresh_pattern -i \.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1 20% 4 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
#SSL BUMP
include /etc/squid/ssl.conf
#LOGGING
access_log /var/log/squid/access.log
access_log /var/log/squid/access_c2.log cc
access_log /var/log/squid/access_c2.log dom
access_log /var/log/squid/splc.log excludeSSL
# cache.log is discarded. The reason behind a TAG_NONE/503 (the error Squid
# generated before contacting any server) is written there, not to access.log;
# point cache_log at a file while diagnosing the failing sites.
cache_log /dev/null
coredump_dir /var/cache/squid
#ICAP
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
# bypass=1 makes each ICAP service optional: if squidclamav is down or errors,
# the transaction proceeds unscanned (fail-open). Scanning is only applied to
# requests whose User-Agent matches the "useragent" ACL; other clients appear
# not to be scanned by these rules at all.
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow useragent
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow useragent
#X FORWARDED FOR
# Adds the client's internal (RFC1918) address to outgoing requests in
# X-Forwarded-For, disclosing internal addressing to origin servers.
forwarded_for on
SSL.conf
=======
sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
sslproxy_cafile /etc/squid/intermediate_ca.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
sslcrtd_children 16 startup=5 idle=1
# Domains that are spliced (not bumped) by server name — typically services
# that pin their certificates and would break if re-signed.
acl FakeCert ssl::server_name .apple.com
acl FakeCert ssl::server_name .icloud.com
acl FakeCert ssl::server_name .mzstatic.com
acl FakeCert ssl::server_name .dropbox.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
# Step 1: peek at the client hello to learn the server name. Step 2: splice
# whitelisted destinations and FakeCert domains, bump everything else.
# The trailing "splice all" appears unreachable: at step 1 "peek" matches
# first and at step 2 "bump ssl_step2 all" matches everything.
ssl_bump peek ssl_step1
ssl_bump splice GlobalWhitelistDSTNet
ssl_bump splice GlobalWhitelistDomainsRx
ssl_bump splice GlobalWhitelistDomains
ssl_bump splice FakeCert
ssl_bump bump ssl_step2 all
ssl_bump splice all
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
# DONT_VERIFY_PEER plus "sslproxy_cert_error allow all": every origin
# certificate error is accepted, and the following "deny all" is never
# reached (first match wins). Together with the CA file above being the
# intermediate bundle rather than a root store, origin identity is
# effectively not verified on the server side of the bump.
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
sslproxy_cert_error deny all
acls_whitelist.conf
=============
acl WindowsUpdates
dstdomain officecdn.microsoft.com acl WindowsUpdates dstdomain windowsupdate.microsoft.com acl WindowsUpdates dstdomain ntservicepack.microsoft.com acl WindowsUpdates dstdomain download.microsoft.com acl WindowsUpdates dstdomain .windowsupdate.com acl WindowsUpdates dstdomain .windowsupdate.net acl WindowsUpdates dstdomain .update.microsoft.com acl WindowsUpdates dstdomain .mp.microsoft.com acl WindowsUpdates dstdomain .ws.microsoft.com acl GlobalWhitelistDomains dstdomain "/etc/squid/acls_whitelist.dstdomain.conf" acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf" acl GlobalWhitelistDomainsRx dstdom_regex -i "/etc/squid/acls_whitelist.dstdom_regex.conf" acl GlobalWhitelistBrowsers browser -i "/etc/squid/acls_whitelist.browser.conf" http_access allow GlobalWhitelistDomains url_rewrite_access deny GlobalWhitelistDomains http_access allow GlobalWhitelistDSTNet url_rewrite_access deny GlobalWhitelistDSTNet http_access allow GlobalWhitelistDomainsRx url_rewrite_access deny GlobalWhitelistDomainsRx http_access allow GlobalWhitelistBrowsers Has anyone run into the same TAG_NONE/503 error? Any help is appreciated. Regards, Hugo _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users