On 17/10/18 5:17 PM, Timur Lagutenko wrote:
> I'm sure that the issue is not related to firewall rules.
> Because if I pass traffic from client IP (using NAT, browser is not
> configured to use proxy) it works.

Ah, you said earlier that you did not have SSL-Bump features enabled. How are you intercepting the port 443 HTTPS traffic with NAT and converting it to port 80 or 3128 syntax HTTP for Squid to handle? Squid cannot MITM the "raw" port 443 TLS without SSL-Bump being configured.

Also, since it is a Google service it may not be using TCP port 443 at all. It may actually be performing their QUIC protocol instead of HTTPS. That has to be blocked entirely to be sure the proxy is actually receiving all the relevant traffic.

> I think it is related to some SSL/TLS lib in the system.
> Because today I've tried a CLI browser - links.
> Launching it directly from the gateway (which has direct access to the web), I
> was able to browse any site in text mode.
> Except YouTube.
> So I guess it is related to some missing SSL lib.
> Could you please suggest how I can find all required libs for my squid?

If Squid starts without crashing, the libs it has been compiled to use are present on your machine. If you built it yourself on the same machine, it only uses library features that machine had at the time of the build - so maybe a rebuild is needed to get access to newer library features.

When it comes to TLS though, the library itself is doing the config parse and setup for crypto things. So Squid does not particularly need to even be configured to use features the library enables by default. Which usually includes the current industry-standard ciphers etc.

If Squid accepts your config file and does not produce an ERROR or FATAL message when you run "squid -k parse", all the libs required to run your config have been compiled in and loaded.

> # squid -v
> Squid Cache: Version 3.5.28
> Service Name: squid
>
> This binary uses OpenSSL 1.0.2p 14 Aug 2018. For legal restrictions on
> distribution see https://www.openssl.org/source/license.html

Your problem may be TLS/1.3 related. OpenSSL 1.0.* only supports a max of TLS/1.2. Squid-3.5 also only supports the OpenSSL 1.0.* library.

AFAIK, Google are one of the organizations heavily pushing TLS changes and bias their services towards forcing the latest crypto whenever they can. It is strange that others have not reported issues en masse, so this is somewhat unlikely.

Other admins mentioning similar behaviour with YouTube have turned out to be TLS restrictions that pretty much prohibit the weaker crypto Google services still allow and only let the very advanced ones (not supported by their Squid) work. But also those restrictions were done via SSL-Bump configs. Since you don't use SSL-Bump it is unlikely to be the same - which leaves us only with the network/firewall level issues as known things to look at.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
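The two checks Amos suggests above (is the port 443 traffic actually QUIC over UDP rather than TLS over TCP, and is the server negotiating TLS 1.3, which an OpenSSL 1.0.x build cannot complete) can be applied to packet payloads captured at the gateway. The following is an added example, not code from the thread or from the Squid project; the function names, the `classify` verdict strings and every sample packet are this editor's constructions, not real captures. It parses a TLS ServerHello far enough to read the `supported_versions` extension, because a TLS 1.3 server leaves `legacy_version` at 0x0303 and only signals 1.3 there, and it recognises a QUIC long-header packet by its first byte and version field.

```python
"""Classify port-443 payloads seen in front of Squid: QUIC (never reaches a
TCP proxy) or a TLS ServerHello, and if TLS, which version the server really
negotiated. Added example; not Squid code and not from the mailing list thread.
Every sample packet below is constructed, not a capture."""
import struct

TLS_HANDSHAKE = 0x16
SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B          # RFC 8446 section 4.2.1
OPENSSL_10X_MAX = 0x0303                 # OpenSSL 1.0.x stops at TLS 1.2
VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def quic_version(datagram: bytes):
    """Return the version field of a QUIC long-header packet (such as the
    Initial that opens a connection), or None if the UDP payload is not one.
    The high bit of the first byte marks a long header; the next four bytes
    are the version (0x00000001 for IETF QUIC v1, ASCII 'Q0xx' for Google QUIC)."""
    if len(datagram) < 5 or not datagram[0] & 0x80:
        return None
    return struct.unpack("!I", datagram[1:5])[0]


def parse_server_hello(record: bytes) -> dict:
    """Extract legacy_version, negotiated version and cipher suite from a TLS
    ServerHello record. A TLS 1.3 server keeps legacy_version = 0x0303 and
    announces 1.3 only in the supported_versions extension, so reading just
    the record or legacy fields mis-reports a 1.3 handshake as 1.2."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                          # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len                    # skip legacy_session_id_echo
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 1                          # cipher suite + compression method
    negotiated = legacy_version
    if pos + 2 <= len(hello):             # extensions block is optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS and len(data) == 2:
                negotiated = struct.unpack("!H", data)[0]   # selected_version
    return {"legacy_version": legacy_version, "negotiated": negotiated, "cipher_suite": cipher}


def classify(proto: str, payload: bytes) -> str:
    """One-line verdict for a port-443 payload seen at the gateway."""
    if proto == "udp":
        ver = quic_version(payload)
        if ver is None:
            return "udp/443 but not QUIC"
        return f"QUIC version 0x{ver:08x}: bypasses a TCP proxy entirely, block UDP/443 to force TLS"
    try:
        info = parse_server_hello(payload)
    except ValueError as err:
        return f"tcp/443 but {err}"
    name = VERSION_NAMES.get(info["negotiated"], hex(info["negotiated"]))
    if info["negotiated"] > OPENSSL_10X_MAX:
        return f"{name} negotiated: beyond what an OpenSSL 1.0.x build can speak"
    return f"{name} negotiated: within OpenSSL 1.0.x range"


def build_server_hello(cipher: int, selected_version=None) -> bytes:
    """Constructed sample ServerHello (not a capture): legacy_version 0x0303,
    empty session id, and a supported_versions extension when requested."""
    exts = b""
    if selected_version is not None:
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
    hello = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", cipher) + b"\x00" + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a TLS 1.3 ServerHello, a TLS 1.2 one, an IETF QUIC v1
# Initial (first byte 0xC3 = long header + fixed bit + Initial type), and a
# UDP payload that is not QUIC at all.
SAMPLES = [
    ("tcp", build_server_hello(0x1301, 0x0304)),     # TLS_AES_128_GCM_SHA256 over TLS 1.3
    ("tcp", build_server_hello(0xC02F)),             # ECDHE-RSA-AES128-GCM-SHA256 over TLS 1.2
    ("udp", b"\xc3\x00\x00\x00\x01" + b"\x00" * 40),
    ("udp", b"\x00\x01\x01\x00" + b"\x00" * 8),
]

if __name__ == "__main__":
    for proto, payload in SAMPLES:
        print(proto, "->", classify(proto, payload))
```

In practice the payloads would come from a capture on the gateway's upstream interface (for example tcpdump filtered on port 443) rather than from the constructed samples; a QUIC verdict means the proxy never saw that session at all, and a TLS1.3 verdict means the origin is negotiating a version that the OpenSSL 1.0.2 build quoted above cannot speak.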