I used the following command to send requests (see details below) but got "HTTP/1.1 403 Forbidden":

  curl https://www.online.citi.com -x https://10.192.197.200:3130 --verbose --proxy-insecure

I understand the error was caused by "CONNECT 10.192.197.200:3130 HTTP/1.1". But curl did not send it, so where did it come from?

If I change "https_port 10.192.197.200:3130 ssl-bump intercept" to "https_port 10.192.197.200:3130" in the config file, then there is no error (the proxy does not take part in the 2nd SSL handshake anymore).

Please help me fix the errors. Thanks!

========================================================
2018/06/29 21:07:38.718 kid1| 11,2| client_side.cc(2372) parseHttpRequest: HTTP Client local=10.192.197.200:3130 remote=172.18.78.222:53759 FD 10 flags=33
2018/06/29 21:07:38.718 kid1| 11,2| client_side.cc(2373) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT 10.192.197.200:3130 HTTP/1.1
Host: 10.192.197.200:3130

----------
---------
CONNECT www.online.citi.com:443 HTTP/1.1
Host: www.online.citi.com:443
User-Agent: curl/7.59.0
Proxy-Connection: Keep-Alive

----------
2018/06/29 21:07:38.718 kid1| 5,3| comm.cc(553) commSetConnTimeout: local=10.192.197.200:3130 remote=172.18.78.222:53759 FD 10 flags=33 timeout 86400
2018/06/29 21:07:38.718 kid1| 23,3| url.cc(371) urlParse: urlParse: Split URL '10.192.197.200:3130' into proto='', host='10.192.197.200', port='3130', path=''
2018/06/29 21:07:38.718 kid1| 23,3| HttpRequest.h(82) SetHost: HttpRequest::SetHost() given IP: 10.192.197.200
2018/06/29 21:07:38.718 kid1| 33,3| client_side.cc(891) clientSetKeepaliveFlag: http_ver = HTTP/1.1
2018/06/29 21:07:38.718 kid1| 33,3| client_side.cc(892) clientSetKeepaliveFlag: method = CONNECT
2018/06/29 21:07:38.718 kid1| 33,3| client_side.h(98) mayUseConnection: This 0x564037b7d2f8 marked 1
2018/06/29 21:07:38.719 kid1| 85,3| client_side_request.cc(130) ClientRequestContext: 0x564037b80648 ClientRequestContext constructed
2018/06/29 21:07:38.719 kid1| 83,3| client_side_request.cc(1708) doCallouts: Doing calloutContext->hostHeaderVerify()
2018/06/29 21:07:38.719 kid1| 85,3| client_side_request.cc(635) hostHeaderVerify: validate host=10.192.197.200, port=3130, portStr=3130
2018/06/29 21:07:38.719 kid1| 85,3| client_side_request.cc(526) hostHeaderIpVerify: validate IP 10.192.197.200:3130 possible from Host:
2018/06/29 21:07:38.719 kid1| 83,3| client_side_request.cc(1715) doCallouts: Doing calloutContext->clientAccessCheck()
2018/06/29 21:07:38.719 kid1| 28,3| Checklist.cc(70) preCheck: 0x564037b807f8 checking slow rules
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked: Safe_ports = 1
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked: !Safe_ports = 0
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 0
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked: CONNECT = 1
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked: SSL_ports = 0
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked: !SSL_ports = 1
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked: http_access#2 = 1
2018/06/29 21:07:38.719 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2018/06/29 21:07:38.719 kid1| 28,3| Checklist.cc(63) markFinished: 0x564037b807f8 answer DENIED for match
2018/06/29 21:07:38.719 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x564037b807f8 answer=DENIED
2018/06/29 21:07:38.719 kid1| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request CONNECT 10.192.197.200:3130 is DENIED; last ACL checked: SSL_ports
---------
HTTP/1.1 403 Forbidden
Server: squid/3.5.27
Mime-Version: 1.0
Date: Sat, 30 Jun 2018 04:07:38 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3477
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from xxxxxxx
Via: 1.1 xxxxxxx (squid/3.5.27)
Connection: close

----------
========================================================
$ sudo iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 1738 packets, 191K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1638 packets, 177K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 35154 packets, 2119K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 35154 packets, 2119K bytes)
 pkts bytes target     prot opt in     out     source               destination
========================================================
$ sudo squid -v
Squid Cache: Version 3.5.27
Service Name: squid
This binary uses OpenSSL 1.0.2g  1 Mar 2016. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options:  '--prefix=/usr' '--exec-prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--libdir=/usr/lib64' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--sharedstatedir=/var/lib' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-default-user=squid' '--enable-silent-rules' '--enable-dependency-tracking' '--enable-icmp' '--enable-delay-pools' '--enable-useragent-log' '--enable-esi' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-ssl-crtd' '--disable-arch-native' '--enable-linux-netfilter' '--with-openssl' --enable-ltdl-convenience
========================================================
$ sudo squid -k parse
2018/06/29 21:17:03| Startup: Initializing Authentication Schemes ...
2018/06/29 21:17:03| Startup: Initialized Authentication Scheme 'basic'
2018/06/29 21:17:03| Startup: Initialized Authentication Scheme 'digest'
2018/06/29 21:17:03| Startup: Initialized Authentication Scheme 'negotiate'
2018/06/29 21:17:03| Startup: Initialized Authentication Scheme 'ntlm'
2018/06/29 21:17:03| Startup: Initialized Authentication.
2018/06/29 21:17:03| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2018/06/29 21:17:03| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
2018/06/29 21:17:03| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2018/06/29 21:17:03| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2018/06/29 21:17:03| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2018/06/29 21:17:03| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2018/06/29 21:17:03| Processing: acl SSL_ports port 443
2018/06/29 21:17:03| Processing: acl Safe_ports port 80 # http
2018/06/29 21:17:03| Processing: acl Safe_ports port 21 # ftp
2018/06/29 21:17:03| Processing: acl Safe_ports port 443 # https
2018/06/29 21:17:03| Processing: acl Safe_ports port 70 # gopher
2018/06/29 21:17:03| Processing: acl Safe_ports port 210 # wais
2018/06/29 21:17:03| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2018/06/29 21:17:03| Processing: acl Safe_ports port 280 # http-mgmt
2018/06/29 21:17:03| Processing: acl Safe_ports port 488 # gss-http
2018/06/29 21:17:03| Processing: acl Safe_ports port 591 # filemaker
2018/06/29 21:17:03| Processing: acl Safe_ports port 777 # multiling http
2018/06/29 21:17:03| Processing: acl CONNECT method CONNECT
2018/06/29 21:17:03| Processing: debug_options ALL,3
2018/06/29 21:17:03| Processing: http_access deny !Safe_ports
2018/06/29 21:17:03| Processing: http_access deny CONNECT !SSL_ports
2018/06/29 21:17:03| Processing: http_access allow localhost manager
2018/06/29 21:17:03| Processing: http_access deny manager
2018/06/29 21:17:03| Processing: http_access allow localnet
2018/06/29 21:17:03| Processing: http_access allow localhost
2018/06/29 21:17:03| Processing: http_access allow all
2018/06/29 21:17:03| Processing: http_port 3128
2018/06/29 21:17:03| Processing: http_port 10.192.197.200:3129 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
2018/06/29 21:17:03| Processing: https_port 10.192.197.200:3130 ssl-bump intercept cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
2018/06/29 21:17:03| Starting Authentication on port 10.192.197.200:3130
2018/06/29 21:17:03| Disabling Authentication on port 10.192.197.200:3130 (interception enabled)
2018/06/29 21:17:03| Processing: acl step1 at_step SslBump1
2018/06/29 21:17:03| Processing: ssl_bump peek step1
2018/06/29 21:17:03| Processing: ssl_bump bump all
2018/06/29 21:17:03| Processing: ssl_bump stare all
2018/06/29 21:17:03| Processing: always_direct allow all
2018/06/29 21:17:03| Processing: coredump_dir /var/cache/squid
2018/06/29 21:17:03| Processing: refresh_pattern ^ftp: 1440 20% 10080
2018/06/29 21:17:03| Processing: refresh_pattern ^gopher: 1440 0% 1440
2018/06/29 21:17:03| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2018/06/29 21:17:03| Processing: refresh_pattern . 0 20% 4320
2018/06/29 21:17:03| Initializing https proxy context
2018/06/29 21:17:03| Initializing http_port 10.192.197.200:3129 SSL context
2018/06/29 21:17:03| Using certificate in /etc/squid/ssl_cert/myCA.pem
2018/06/29 21:17:03| Initializing https_port 10.192.197.200:3130 SSL context
2018/06/29 21:17:03| Using certificate in /etc/squid/ssl_cert/myCA.pem
========================================================
$ curl https://www.online.citi.com -x https://10.192.197.200:3130 --verbose --proxy-insecure
* STATE: INIT => CONNECT handle 0x6000579c0; line 1404 (connection #-5000)
* Rebuilt URL to: https://www.online.citi.com/
* Added connection 0. The cache now contains 1 members
*   Trying 10.192.197.200...
* TCP_NODELAY set
* STATE: CONNECT => WAITCONNECT handle 0x6000579c0; line 1456 (connection #0)
* Connected to 10.192.197.200 (10.192.197.200) port 3130 (#0)
* STATE: WAITCONNECT => WAITPROXYCONNECT handle 0x6000579c0; line 1566 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* ignoring certificate verify locations due to disabled peer verification
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Proxy certificate:
*  subject: CN=10.192.197.200
*  start date: Jun 29 04:28:09 2018 GMT
*  expire date: Jun 29 04:28:09 2019 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.online.citi.com:443
> CONNECT www.online.citi.com:443 HTTP/1.1
> Host: www.online.citi.com:443
> User-Agent: curl/7.59.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
< Server: squid/3.5.27
< Mime-Version: 1.0
< Date: Sat, 30 Jun 2018 04:07:38 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3477
< X-Squid-Error: ERR_ACCESS_DENIED 0
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from cxxxxx
< Via: 1.1 xxxxx (squid/3.5.27)
< Connection: close
<
* Marked for [closure]: proxy CONNECT failure
* Received HTTP code 403 from proxy after CONNECT
* CONNECT phase completed!
* multi_done
* Closing connection 0
* The cache now contains 0 members
curl: (56) Received HTTP code 403 from proxy after CONNECT
========================================================

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
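The "Acl.cc matches: checked: ..." lines and the "last ACL checked: SSL_ports" line in the debug trace above record Squid walking the http_access list top to bottom and stopping at the first line whose terms all match. The following Python script is an added example, not Squid source and not part of the original post: it models that first-match walk over the acl and http_access lines exactly as printed by squid -k parse above, and replays the two CONNECT requests that appear in the trace from client 172.18.78.222, the CONNECT for 10.192.197.200:3130 that was denied and curl's own CONNECT for www.online.citi.com:443. Squid's built-in localhost and manager ACLs are simplified stand-ins (an assumption of this example); every other port, network and rule is taken from the post.

```python
"""Model of Squid's first-match http_access evaluation (added example, not Squid's code).

ACL definitions and http_access lines are copied from the "squid -k parse" output in
the post. "localhost" and "manager" are simplified stand-ins for Squid's built-in ACLs
(an assumption of this example, not taken from the post).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    host: str
    port: int
    src: str          # client IP as Squid sees it ("remote=" in the trace)
    path: str = "/"


# "acl <name> port ..." lines from the post, as inclusive (low, high) ranges.
PORT_ACLS = {
    "SSL_ports": [(443, 443)],
    "Safe_ports": [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                   (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)],
}

# "acl localnet src ..." lines from the post; localhost is assumed to be Squid's built-in.
SRC_ACLS = {
    "localnet": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10"],
    "localhost": ["127.0.0.1/32", "::1/128"],
}

METHOD_ACLS = {"CONNECT": {"CONNECT"}}

# http_access lines in squid.conf order; the first line that fully matches decides.
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("allow", ["all"]),
]


def acl_matches(name: str, req: Request) -> bool:
    """Evaluate one (non-negated) ACL name against the request."""
    if name == "all":
        return True
    if name == "manager":
        # Simplified stand-in for Squid's built-in cache-manager ACL (assumption).
        return req.path.startswith("/squid-internal-mgr/")
    if name in PORT_ACLS:
        return any(lo <= req.port <= hi for lo, hi in PORT_ACLS[name])
    if name in SRC_ACLS:
        ip = ipaddress.ip_address(req.src)
        # "in" is False for mismatched address families, so v4 clients skip v6 nets.
        return any(ip in ipaddress.ip_network(net) for net in SRC_ACLS[name])
    if name in METHOD_ACLS:
        return req.method in METHOD_ACLS[name]
    raise KeyError(f"unknown ACL {name}")


def evaluate(req: Request, rules=HTTP_ACCESS):
    """Walk http_access the way Squid does.

    Returns (verdict, matched_rule_number, last_acl_checked, trace). The trace
    lines mirror the "Acl.cc matches: checked: ..." debug output. Terms on one
    line are ANDed and the line is abandoned at the first failing term.
    """
    trace = []
    last_acl = None
    for number, (action, terms) in enumerate(rules, start=1):
        line_matched = True
        for term in terms:
            name = term.lstrip("!")
            hit = acl_matches(name, req)
            last_acl = name
            trace.append(f"checked: {name} = {int(hit)}")
            if term.startswith("!"):
                hit = not hit
                trace.append(f"checked: {term} = {int(hit)}")
            if not hit:
                line_matched = False
                break
        trace.append(f"checked: http_access#{number} = {int(line_matched)}")
        if line_matched:
            return ("ALLOWED" if action == "allow" else "DENIED", number, last_acl, trace)
    # No line matched: Squid applies the opposite of the last line's action.
    return ("DENIED" if rules[-1][0] == "allow" else "ALLOWED", None, last_acl, trace)


# The two CONNECT requests visible in the post's trace, both from 172.18.78.222.
FAKE_CONNECT = Request("CONNECT", "10.192.197.200", 3130, "172.18.78.222")
CURL_CONNECT = Request("CONNECT", "www.online.citi.com", 443, "172.18.78.222")

if __name__ == "__main__":
    for req in (FAKE_CONNECT, CURL_CONNECT):
        verdict, rule, last_acl, trace = evaluate(req)
        print(f"{req.method} {req.host}:{req.port} -> {verdict} "
              f"(http_access#{rule}, last ACL checked: {last_acl})")
        for line in trace:
            print("   ", line)
```

Run stand-alone, the printed trace for the 3130 request matches the Acl.cc lines in the post: Safe_ports = 1 (3130 falls in the 1025-65535 range), !Safe_ports = 0, CONNECT = 1, SSL_ports = 0, !SSL_ports = 1, so http_access#2 fires and the verdict is DENIED with SSL_ports as the last ACL checked. The 443 request gets past that line and is allowed by localnet, since 172.18.78.222 is inside 172.16.0.0/12. The model also reproduces Squid's rule that when no line matches, the opposite of the last line's action applies.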