On 12/06/2017 11:45 AM, Hugo Saavedra wrote:
> Currently we have cache.log disabled for performance.

With default debug_options, cache.log should not affect performance. If
it does in your setup, then there is probably a problem that you should
solve (without disabling cache.log).

> any clues?

You are probably not supplying enough information for others to guess
what the problem is. Enabling cache.log may be the best next step. You
can also try logging %err_code/%err_detail to access.log but not all
errors populate those two logformat %codes so YMMV.

Alex.

> 2017-12-06 14:51 GMT-03:00 Enrico Heine <flashdown@xxxxxxxxxxxxx>:
>> Hi,
>>
>> Can you confirm that squid is able to resolve these hostnames? If not try
>> browsing to them without https and check if squid gives you an error
>> message.
>>
>> Did you check the cache.log as well?
>>
>> Br Enrico
>>
>> On 6 December 2017 17:38:24 CET, Hugo Saavedra
>> <hugo.saavedra.oteiza@xxxxxxxxx> wrote:
>>>
>>> Hi All,
>>>
>>> We have the following setup of a transparent squid box:
>>> OS: CentOS release 6.9 (Final)
>>> Squid Cache: Version 3.5.26-20170625-r14174
>>> Compile options:
>>> '--with-included-ltdl' '--enable-icap-client'
>>> '--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
>>> '--enable-icmp' '--enable-snmp' '--prefix=/usr'
>>> '--includedir=/usr/include' '--datadir=/usr/share'
>>> '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
>>> '--localstatedir=/var' '--sysconfdir=/etc/squid'
>>> --enable-ltdl-convenience
>>>
>>> Endpoints are redirected to the Squid box using a policy route for
>>> TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We
>>> are using ssl bump for ssl, but there is a strange behavior: some
>>> websites open well, but some break and get TAG_NONE/503
>>> errors in the access log:
>>>
>>> 1512561423.930 1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html
>>> 1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65? - HIER_NONE/- text/html
>>> 1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html
>>> 1512566858.355 186 192.168.1.104 TAG_NONE/503 31436 GET https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp - HIER_NONE/- text/html
>>>
>>> In the same time-range, other websites load well:
>>>
>>> 1512561134.548 306 192.168.1.112 TCP_MISS/302 572 GET https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12 image/gif
>>> 1512561139.701 216 192.168.1.148 TCP_MISS/200 386 POST https://cloud-ecs.gravityzone.bitdefender.com/hydra- ORIGINAL_DST/107.20.215.8 application/json
>>> 1512561142.180 13 192.168.1.112 TCP_MISS/200 419 GET https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
>>> 1512561142.410 243 192.168.1.112 TCP_MISS/200 286 GET https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21 text/javascript
>>>
>>>
>>> IPTABLES CONFIGURATION
>>> =======================
>>> # PREROUTING INTERCEPT PBR
>>>
>>> *nat
>>> :PREROUTING ACCEPT [0:0]
>>> :POSTROUTING ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>>> COMMIT
>>>
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>>
>>> #WEB
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 80 -j ACCEPT
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 443 -j ACCEPT
>>>
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3128 -j ACCEPT
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3129 -j ACCEPT
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3130 -j ACCEPT
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3131 -j ACCEPT
>>>
>>> #default
>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> -A INPUT -p icmp -j ACCEPT
>>> -A INPUT -i lo -j ACCEPT
>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>> COMMIT
>>>
>>>
>>> SQUID CONFIGURATION
>>> ====================
>>>
>>> #WHITE LIST
>>> acl exclWL url_regex "/etc/squid/white_url.squid"
>>> acl neoWL url_regex "/etc/squid/neowl.squid"
>>> http_access allow exclWL
>>> http_access allow neoWL
>>> cache deny exclWL
>>> cache deny neoWL
>>> always_direct allow exclWL
>>> always_direct allow neoWL
>>>
>>> #Malicious URLs
>>> acl dom url_regex "/etc/squid/dom.squid"
>>> acl cc url_regex "/etc/squid/cc.squid"
>>> http_access deny dom
>>> http_access deny cc
>>>
>>> #BLACK LIST
>>> acl exclBL url_regex "/etc/squid/black_url.squid"
>>> acl neoBL url_regex "/etc/squid/neobl.squid"
>>> http_access deny exclBL
>>> http_access deny neoBL
>>>
>>> #ACLS BASE
>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl localnet src fc00::/7 # RFC 4193 local private network range
>>> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
>>> acl SSL_ports port 443
>>> acl SSL_ports port 3129
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>> acl HTTPS proto HTTPS
>>>
>>> include /etc/squid/acls_whitelist.conf
>>> acl useragent browser "/etc/squid/useragent.squid"
>>> range_offset_limit 0 !useragent
>>> minimum_object_size 0 bytes
>>> maximum_object_size 3 GB
>>> quick_abort_min -1
>>> delay_pools 1
>>> delay_class 1 1
>>> delay_parameters 1 128000/128000
>>> delay_access 1 deny SSL_ports
>>> delay_access 1 allow !useragent
>>> delay_access 1 deny all
>>>
>>> #cache conf
>>> max_filedescriptors 24576
>>> memory_cache_mode disk
>>> cache_mem 0 MB
>>> cache allow all
>>> minimum_object_size 0 bytes
>>> maximum_object_size 20 MB
>>> sslproxy_flags DONT_VERIFY_PEER
>>> connect_timeout 8 seconds
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost manager
>>> http_access deny manager
>>> http_access allow localnet
>>> http_access allow localhost
>>> http_access deny all
>>> reply_header_access Alternate-Protocol deny all
>>>
>>> http_port 3130
>>> http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> http_port 3128 intercept
>>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem
>>>
>>> cache_dir ufs /var/cache/squid 9000 16 256
>>> cache_store_log /var/log/squid/store.log
>>> cache_effective_user squid
>>> visible_hostname Proxy
>>>
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i (/cgi-bin/|\?) 2 20% 10
>>> refresh_pattern . 2 20% 10 ignore-reload override-expire ignore-no-cache ignore-no-store store-stale ignore-private ignore-must-revalidate ignore-auth
>>> refresh_pattern -i \.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1 20% 4 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
>>>
>>>
>>> #SSL BUMP
>>> include /etc/squid/ssl.conf
>>>
>>> #LOGGING
>>> access_log /var/log/squid/access.log
>>> access_log /var/log/squid/access_c2.log cc
>>> access_log /var/log/squid/access_c2.log dom
>>> access_log /var/log/squid/splc.log excludeSSL
>>> cache_log /dev/null
>>> coredump_dir /var/cache/squid
>>>
>>> #ICAP
>>> icap_enable on
>>> icap_send_client_ip on
>>> icap_send_client_username on
>>> icap_client_username_header X-Authenticated-User
>>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>>> adaptation_access service_req allow useragent
>>> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>>> adaptation_access service_resp allow useragent
>>>
>>> #X FORWARDED FOR
>>> forwarded_for on
>>>
>>> SSL.conf
>>> =======
>>>
>>> sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
>>> sslproxy_cafile /etc/squid/intermediate_ca.pem
>>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
>>> sslcrtd_children 16 startup=5 idle=1
>>>
>>> acl FakeCert ssl::server_name .apple.com
>>> acl FakeCert ssl::server_name .icloud.com
>>> acl FakeCert ssl::server_name .mzstatic.com
>>> acl FakeCert ssl::server_name .dropbox.com
>>> acl ssl_step1 at_step SslBump1
>>> acl ssl_step2 at_step SslBump2
>>> acl ssl_step3 at_step SslBump3
>>>
>>> ssl_bump peek ssl_step1
>>> ssl_bump splice GlobalWhitelistDSTNet
>>> ssl_bump splice GlobalWhitelistDomainsRx
>>> ssl_bump splice GlobalWhitelistDomains
>>> ssl_bump splice FakeCert
>>> ssl_bump bump ssl_step2 all
>>> ssl_bump splice all
>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>>> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>>> sslproxy_flags DONT_VERIFY_PEER
>>> sslproxy_cert_error allow all
>>> sslproxy_cert_error deny all
>>>
>>> acls_whitelist.conf
>>> =============
>>>
>>> acl WindowsUpdates dstdomain officecdn.microsoft.com
>>> acl WindowsUpdates dstdomain windowsupdate.microsoft.com
>>> acl WindowsUpdates dstdomain ntservicepack.microsoft.com
>>> acl WindowsUpdates dstdomain download.microsoft.com
>>> acl WindowsUpdates dstdomain .windowsupdate.com
>>> acl WindowsUpdates dstdomain .windowsupdate.net
>>> acl WindowsUpdates dstdomain .update.microsoft.com
>>> acl WindowsUpdates dstdomain .mp.microsoft.com
>>> acl WindowsUpdates dstdomain .ws.microsoft.com
>>> acl GlobalWhitelistDomains dstdomain "/etc/squid/acls_whitelist.dstdomain.conf"
>>> acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
>>> acl GlobalWhitelistDomainsRx dstdom_regex -i "/etc/squid/acls_whitelist.dstdom_regex.conf"
>>> acl GlobalWhitelistBrowsers browser -i "/etc/squid/acls_whitelist.browser.conf"
>>> http_access allow GlobalWhitelistDomains
>>> url_rewrite_access deny GlobalWhitelistDomains
>>> http_access allow GlobalWhitelistDSTNet
>>> url_rewrite_access deny GlobalWhitelistDSTNet
>>> http_access allow GlobalWhitelistDomainsRx
>>> url_rewrite_access deny GlobalWhitelistDomainsRx
>>> http_access allow GlobalWhitelistBrowsers
>>>
>>>
>>> Anyone with the same TAG_NONE/503 error, please help!?
>>>
>>> Regards,
>>> Hugo
>>> ________________________________
>>>
>>> squid-users mailing list
>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>>
>> --
>> This message was sent from my Android device with K-9 Mail.
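Alex's suggestion is to log %err_code/%err_detail so the 503s carry a reason. The following is an added example, not code from this thread or from Squid: a parser for Squid's native access.log format (with those two fields optionally appended) that separates the TAG_NONE/503 + HIER_NONE entries Hugo posted from the working ORIGINAL_DST ones and groups the failing hostnames by the error code logged. The logformat directive in the comment and the trailing error field on the last sample line are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid's native access.log format plus the %err_code/%err_detail fields Alex
# suggests. The directive is an assumption, not something from the thread:
#   logformat nativeErr %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)"
    r"(?:\s+(?P<err_code>[^/\s]+)/(?P<err_detail>\S+))?\s*$"
)

# Constructed sample: the first three lines follow Hugo's posting; the last one is
# made up to show the optional trailing %err_code/%err_detail field ("-" when empty).
SAMPLE_LOG = """\
1512561423.930      1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html
1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html
1512561134.548    306 192.168.1.112 TCP_MISS/302 572 GET https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12 image/gif
1512566858.355    186 192.168.1.104 TAG_NONE/503 31436 GET https://www.mercantil.com/empresa/example - HIER_NONE/- text/html ERR_SECURE_CONNECT_FAIL/-
""".splitlines()

def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry.update(ms=int(entry["ms"]), status=int(entry["status"]), bytes=int(entry["bytes"]))
    # Bumped requests log a full URL; spliced/CONNECT ones log host:port.
    entry["host"] = urlsplit(entry["url"]).hostname or entry["url"].split(":")[0]
    return entry

def is_proxy_generated_error(entry):
    """TAG_NONE/5xx with HIER_NONE: Squid produced the error page itself before
    any origin server was selected, which is why there is no ORIGINAL_DST peer."""
    return entry["code"] == "TAG_NONE" and entry["status"] >= 500 and entry["hier"] == "HIER_NONE"

def failing_hosts(lines):
    """Map each failing hostname to the set of %err_code values logged for it."""
    result = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry and is_proxy_generated_error(entry):
            result[entry["host"]].add(entry["err_code"] or "-")
    return dict(result)
```

Run failing_hosts over the lines of the real access.log; with the extended logformat the error code it reports per host is the string to look for in cache.log once that is re-enabled.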