Hi, yes, squid is able to resolve those domains. Currently we have cache.log disabled for performance. Any clues?

Regards,
Hugo

2017-12-06 14:51 GMT-03:00 Enrico Heine <flashdown@xxxxxxxxxxxxx>:
> Hi,
>
> Can you confirm that squid is able to resolve these hostnames? If not, try
> browsing to them without https and check if squid gives you an error
> message.
>
> Did you check the cache.log as well?
>
> Br Enrico
>
> On 6 December 2017 17:38:24 CET, Hugo Saavedra
> <hugo.saavedra.oteiza@xxxxxxxxx> wrote:
>>
>> Hi All,
>>
>> We have the following setup of a transparent squid box:
>> OS: CentOS release 6.9 (Final)
>> Squid Cache: Version 3.5.26-20170625-r14174
>> Compile options:
>> '--with-included-ltdl' '--enable-icap-client'
>> '--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
>> '--enable-icmp' '--enable-snmp' '--prefix=/usr'
>> '--includedir=/usr/include' '--datadir=/usr/share'
>> '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
>> '--localstatedir=/var' '--sysconfdir=/etc/squid'
>> --enable-ltdl-convenience
>>
>> Endpoints are redirected to the Squid box using a policy route for
>> TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We
>> are using ssl bump for ssl, but there is a strange behavior: some
>> websites open well, but some break and get TAG_NONE/503
>> errors in the access log:
>>
>> 1512561423.930 1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html
>> 1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65? - HIER_NONE/- text/html
>> 1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html
>> 1512566858.355 186 192.168.1.104 TAG_NONE/503 31436 GET https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp - HIER_NONE/- text/html
>>
>> In the same time range, other websites load well:
>>
>> 1512561134.548 306 192.168.1.112 TCP_MISS/302 572 GET https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12 image/gif
>> 1512561139.701 216 192.168.1.148 TCP_MISS/200 386 POST https://cloud-ecs.gravityzone.bitdefender.com/hydra - ORIGINAL_DST/107.20.215.8 application/json
>> 1512561142.180 13 192.168.1.112 TCP_MISS/200 419 GET https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
>> 1512561142.410 243 192.168.1.112 TCP_MISS/200 286 GET https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21 text/javascript
>>
>>
>> IPTABLES CONFIGURATION
>> =======================
>> # PREROUTING INTERCEPT PBR
>>
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>> COMMIT
>>
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>>
>> #WEB
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 80 -j ACCEPT
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 443 -j ACCEPT
>>
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3128 -j ACCEPT
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3129 -j ACCEPT
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3130 -j ACCEPT
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3131 -j ACCEPT
>>
>> #default
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>>
>> SQUID CONFIGURATION
>> ====================
>>
>> #WHITE LIST
>> acl exclWL url_regex "/etc/squid/white_url.squid"
>> acl neoWL url_regex "/etc/squid/neowl.squid"
>> http_access allow exclWL
>> http_access allow neoWL
>> cache deny exclWL
>> cache deny neoWL
>> always_direct allow exclWL
>> always_direct allow neoWL
>>
>> #Malicious URLs
>> acl dom url_regex "/etc/squid/dom.squid"
>> acl cc url_regex "/etc/squid/cc.squid"
>> http_access deny dom
>> http_access deny cc
>>
>> #BLACK LIST
>> acl exclBL url_regex "/etc/squid/black_url.squid"
>> acl neoBL url_regex "/etc/squid/neobl.squid"
>> http_access deny exclBL
>> http_access deny neoBL
>>
>> #ACLS BASE
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl localnet src fc00::/7 # RFC 4193 local private network range
>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>> acl SSL_ports port 443
>> acl SSL_ports port 3129
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> acl HTTPS proto HTTPS
>>
>> include /etc/squid/acls_whitelist.conf
>> acl useragent browser "/etc/squid/useragent.squid"
>> range_offset_limit 0 !useragent
>> minimum_object_size 0 bytes
>> maximum_object_size 3 GB
>> quick_abort_min -1
>> delay_pools 1
>> delay_class 1 1
>> delay_parameters 1 128000/128000
>> delay_access 1 deny SSL_ports
>> delay_access 1 allow !useragent
>> delay_access 1 deny all
>>
>> #cache conf
>> max_filedescriptors 24576
>> memory_cache_mode disk
>> cache_mem 0 MB
>> cache allow all
>> minimum_object_size 0 bytes
>> maximum_object_size 20 MB
>> sslproxy_flags DONT_VERIFY_PEER
>> connect_timeout 8 seconds
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> reply_header_access Alternate-Protocol deny all
>>
>> http_port 3130
>> http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> http_port 3128 intercept
>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem
>>
>> cache_dir ufs /var/cache/squid 9000 16 256
>> cache_store_log /var/log/squid/store.log
>> cache_effective_user squid
>> visible_hostname Proxy
>>
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 2 20% 10
>> refresh_pattern . 2 20% 10 ignore-reload override-expire ignore-no-cache ignore-no-store store-stale ignore-private ignore-must-revalidate ignore-auth
>> refresh_pattern -i \.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1 20% 4 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
>>
>>
>> #SSL BUMP
>> include /etc/squid/ssl.conf
>>
>> #LOGGING
>> access_log /var/log/squid/access.log
>> access_log /var/log/squid/access_c2.log cc
>> access_log /var/log/squid/access_c2.log dom
>> access_log /var/log/squid/splc.log excludeSSL
>> cache_log /dev/null
>> coredump_dir /var/cache/squid
>>
>> #ICAP
>> icap_enable on
>> icap_send_client_ip on
>> icap_send_client_username on
>> icap_client_username_header X-Authenticated-User
>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_req allow useragent
>> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_resp allow useragent
>>
>> #X FORWARDED FOR
>> forwarded_for on
>>
>> SSL.conf
>> =======
>>
>> sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
>> sslproxy_cafile /etc/squid/intermediate_ca.pem
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
>> sslcrtd_children 16 startup=5 idle=1
>>
>> acl FakeCert ssl::server_name .apple.com
>> acl FakeCert ssl::server_name .icloud.com
>> acl FakeCert ssl::server_name .mzstatic.com
>> acl FakeCert ssl::server_name .dropbox.com
>> acl ssl_step1 at_step SslBump1
>> acl ssl_step2 at_step SslBump2
>> acl ssl_step3 at_step SslBump3
>>
>> ssl_bump peek ssl_step1
>> ssl_bump splice GlobalWhitelistDSTNet
>> ssl_bump splice GlobalWhitelistDomainsRx
>> ssl_bump splice GlobalWhitelistDomains
>> ssl_bump splice FakeCert
>> ssl_bump bump ssl_step2 all
>> ssl_bump splice all
>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>> sslproxy_flags DONT_VERIFY_PEER
>> sslproxy_cert_error allow all
>> sslproxy_cert_error deny all
>>
>> acls_whitelist.conf
>> =============
>>
>> acl WindowsUpdates dstdomain officecdn.microsoft.com
>> acl WindowsUpdates dstdomain windowsupdate.microsoft.com
>> acl WindowsUpdates dstdomain ntservicepack.microsoft.com
>> acl WindowsUpdates dstdomain download.microsoft.com
>> acl WindowsUpdates dstdomain .windowsupdate.com
>> acl WindowsUpdates dstdomain .windowsupdate.net
>> acl WindowsUpdates dstdomain .update.microsoft.com
>> acl WindowsUpdates dstdomain .mp.microsoft.com
>> acl WindowsUpdates dstdomain .ws.microsoft.com
>> acl GlobalWhitelistDomains dstdomain "/etc/squid/acls_whitelist.dstdomain.conf"
>> acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
>> acl GlobalWhitelistDomainsRx dstdom_regex -i "/etc/squid/acls_whitelist.dstdom_regex.conf"
>> acl GlobalWhitelistBrowsers browser -i "/etc/squid/acls_whitelist.browser.conf"
>> http_access allow GlobalWhitelistDomains
>> url_rewrite_access deny GlobalWhitelistDomains
>> http_access allow GlobalWhitelistDSTNet
>> url_rewrite_access deny GlobalWhitelistDSTNet
>> http_access allow GlobalWhitelistDomainsRx
>> url_rewrite_access deny GlobalWhitelistDomainsRx
>> http_access allow GlobalWhitelistBrowsers
>>
>>
>> Anyone with the same TAG_NONE/503 error, please help!?
>>
>> Regards,
>> Hugo
>> ________________________________
>>
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
> --
> This message was sent from my Android device with K-9 Mail.

--
Regards,
Hugo Saavedra
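Added example, not part of the thread above and not Squid's own tooling: a small POSIX shell/awk triage script for the native access.log format shown in the thread. It separates the requests that ended as TAG_NONE/503 with HIER_NONE (Squid generated the error itself and never selected a server) from the requests that were relayed to their intercepted destination (ORIGINAL_DST/<ip>), and counts the failing hosts. The log lines are constructed for the example, modelled on the ones Hugo posted; the third `service.weather.microsoft.com` entry is an assumed duplicate added so that the per-host count is visible.

```shell
#!/bin/sh
# Added example (not from the thread): triage TAG_NONE/503 entries in a
# Squid native-format access.log and compare them with hosts that were
# successfully relayed via ORIGINAL_DST.
#
# Native log fields (whitespace separated):
#   $1 time  $2 elapsed-ms  $3 client  $4 code/status  $5 bytes
#   $6 method  $7 URL  $8 rfc931  $9 hierarchy/peerhost  $10 type

# Extract the host part of an absolute URL: "https://host:port/path?q" -> "host".
# (awk function, used by both reports below)
AWK_HOST='function urlhost(u,    p) { split(u, p, "/"); sub(/:.*$/, "", p[3]); return p[3] }'

# Print "count host" for every request that ended as TAG_NONE/503 with
# HIER_NONE/-, most frequent host first.
squid_503_hosts() {
    awk "$AWK_HOST"'
         $4 == "TAG_NONE/503" && $9 == "HIER_NONE/-" { count[urlhost($7)]++ }
         END { for (h in count) print count[h], h }' "$1" | sort -rn
}

# Print the distinct hosts that were relayed to their intercepted
# destination (ORIGINAL_DST/<ip>), i.e. where the server side worked.
squid_original_dst_hosts() {
    awk "$AWK_HOST"'
         $9 ~ /^ORIGINAL_DST\// { seen[urlhost($7)] = 1 }
         END { for (h in seen) print h }' "$1" | sort
}

# Constructed sample log (modelled on the lines in the thread; the
# repeated service.weather.microsoft.com entry is assumed, not posted).
sample_log() {
    cat <<'EOF'
1512561423.930      1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html
1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65? - HIER_NONE/- text/html
1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html
1512562221.100      1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html
1512561134.548    306 192.168.1.112 TCP_MISS/302 572 GET https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12 image/gif
1512561142.180     13 192.168.1.112 TCP_MISS/200 419 GET https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
EOF
}

main() {
    tmp=$(mktemp)
    sample_log > "$tmp"
    echo "== TAG_NONE/503 with HIER_NONE (Squid never opened a server connection) =="
    squid_503_hosts "$tmp"
    echo "== hosts relayed via ORIGINAL_DST =="
    squid_original_dst_hosts "$tmp"
    rm -f "$tmp"
}

main
```

Run it against the real file with `squid_503_hosts /var/log/squid/access.log` after sourcing the script. Two things to keep in mind when reading the output. First, HIER_NONE with an elapsed time of 1 ms means the 503 was produced inside Squid before any server was chosen, and the reason for that is only written to cache.log, which the posted configuration sends to /dev/null; pointing `cache_log` at a file temporarily (followed by `squid -k reconfigure`) is the only way to see the actual error behind each entry. Second, the posted ssl.conf combines `sslproxy_flags DONT_VERIFY_PEER` with `sslproxy_cert_error allow all`, so Squid accepts any upstream certificate while presenting clients a locally signed one (the following `sslproxy_cert_error deny all` is never reached); bumped clients therefore cannot detect a forged server certificate, which is worth fixing independently of the 503s.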