I'm sure that the issue is not related to firewall rules,
because if I pass traffic from the client IP (using NAT, browser is not configured to use proxy) it works.
I think it is related to some SSL/TLS lib in the system.
Because today I've tried a CLI browser, links.
Launching it directly from the gateway (which has direct access to the web), I was able to browse any site in text mode.
Except youtube.
So I guess it is related to some missing SSL lib.
Could you please suggest how I can find all required libs for my squid?
# squid -v
Squid Cache: Version 3.5.28
Service Name: squid
This binary uses OpenSSL 1.0.2p 14 Aug 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--with-included-ltdl' '--enable-auth' '--enable-zph-qos' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--disable-eui' '--enable-cache-digests' '--disable-delay-pools' '--disable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--without-heimdal-krb5' '--without-mit-krb5' '--without-gss' '--disable-htcp' '--disable-icap-client' '--disable-icmp' '--disable-ident-lookups' '--disable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--disable-snmp' '--enable-ssl' '--with-openssl=/usr/local' 'LIBOPENSSL_CFLAGS=-I/usr/local/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--disable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--disable-pf-transparent' '--without-nat-devpf' '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group' '--enable-auth-negotiate=none' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs ufs' '--enable-disk-io=DiskThreads AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.2' 'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe 
-fstack-protector -fno-strict-aliasing ' 'LDFLAGS= -pthread -L/usr/local/lib -lpcreposix -lpcre -Wl,-rpath,/usr/local/lib -fstack-protector ' 'LIBS=' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector -fno-strict-aliasing -Wno-unknown-warning-option -Wno-undefined-bool-conversion -Wno-tautological-undefined-compare -Wno-dynamic-class-memaccess ' 'CPP=cpp' --enable-ltdl-convenience
# uname -a
FreeBSD gate.xxxxxx.local 11.2-RELEASE-p4 FreeBSD 11.2-RELEASE-p4 #0: Thu Sep 27 08:16:24 UTC 2018 root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:/usr/obj/usr/src/sys/GENERIC amd64
Wed, 17 Oct 2018 at 8:48, Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 17/10/18 6:22 AM, Bruno de Paula Larini wrote:
>
> On 16/10/2018 02:46, Timur Lagutenko wrote:
>> Hello friends,
>>
>> recently I've updated my FreeBSD gateway
>> from 11.1 to 11.2.
>> also I've updated squid from 3.5 to 4.1
>> I have no transparency, no ssl-bump/splice etc.
>> simple installation.
>> browser is configured to use proxy.
>> squid configuration is default.
Then Squid interaction with this traffic is a simple test of whether the
client IP address is within your LAN and then blindly shovel the HTTPS
traffic through.
Problems are limited to routing, MTU/MSS misconfiguration somewhere
(network VPN tunnel?), and problems with the endpoints' TLS negotiation
(browser or upstream server).
>> everything works fine except youtube.com <http://youtube.com/>
>> Browser freezes on "trying to set secure connection", and after gives
>> time-out error.
>> I've also tried to downgrade squid back to 3.5
>> no success.
That downgrade not resolving the issue indicates that it is not Squid
related.
As Bruno suggested, probably a change to the routing or firewall systems
that traffic is going through that appeared with the OS version bump. It
is pretty rare to see on small bumps, but can happen.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
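
A simplified model of the handling Amos describes, as an added example that is not part of the original thread and is not Squid's code: the proxy decides from the CONNECT request line and the client address alone, then copies bytes without parsing them, so the proxy's own TLS library never touches the tunnelled handshake. The `LOCALNET` ranges, `SSL_PORTS`, the function names and the sample bytes are assumptions constructed for the illustration.

```python
import ipaddress
import socket
import threading

# Assumption: LAN ranges and allowed CONNECT port chosen for this illustration.
LOCALNET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SSL_PORTS = {443}

def connect_decision(client_ip, request_line):
    """Return (status, host, port) using only the request line and client IP."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return 400, None, None
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        return 400, None, None
    if int(port) not in SSL_PORTS:
        return 403, host, int(port)          # CONNECT to a non-TLS port
    if not any(ipaddress.ip_address(client_ip) in net for net in LOCALNET):
        return 403, host, int(port)          # client is outside the LAN
    return 200, host, int(port)

def shovel(src, dst):
    """Copy bytes one way until EOF; the payload is never parsed."""
    while True:
        chunk = src.recv(4096)
        if not chunk:
            break
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)

def tunnel_roundtrip(client_ip, request_line, payload):
    """One constructed exchange over in-process socket pairs (no network)."""
    status, _, _ = connect_decision(client_ip, request_line)
    if status != 200:
        return status, b""
    browser, proxy_in = socket.socketpair()
    proxy_out, origin = socket.socketpair()
    relay = threading.Thread(target=shovel, args=(proxy_in, proxy_out))
    relay.start()
    browser.sendall(payload)
    browser.shutdown(socket.SHUT_WR)
    received = b""
    while True:
        chunk = origin.recv(4096)
        if not chunk:
            break
        received += chunk
    relay.join()
    for s in (browser, proxy_in, proxy_out, origin):
        s.close()
    return status, received
```

Because the relay is byte-for-byte, a handshake that stalls inside the tunnel points at the path (routing, MTU/MSS) or at the two TLS endpoints rather than at the proxy's linked libraries.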