
Connection to cache peer failed "SSL Transparent proxy"

Hello,

I have a Squid proxy that I am trying to configure to force traffic from a private cloud appliance (Azure Stack) to go over the corporate proxy. The traffic is mostly HTTPS. I see the errors below; note that ParentProxy-22 is the parent proxy listening on port 9090. Also, why do I have some entries in the access log that do not go to the parent proxy (e.g. 1549282865.527 13 192.168.3.10 NONE/200 0 CONNECT 52.138.216.83:443 - HIER_NONE/- -)?

### error logs ###
Feb 4 15:26:38 azproxy squid[192272]: TCP connection to ParentProxy-22/9090 failed
Feb 4 15:26:38 azproxy squid[192272]: Error parsing SSL Server Hello Message on FD 20
Feb 4 15:26:38 azproxy squid[192272]: ERROR: negotiating TLS on FD 20: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
Feb 4 15:26:38 azproxy squid[192272]: TCP connection to ParentProxy-22/9090 failed
Feb 4 15:26:38 azproxy squid[192272]: Detected DEAD Parent: ParentProxy-22
Feb 4 15:26:38 azproxy squid[192272]: Detected REVIVED Parent: ParentProxy-22
Feb 4 15:26:38 azproxy squid[192272]: Error parsing SSL Server Hello Message on FD 24
Feb 4 15:26:38 azproxy squid[192272]: ERROR: negotiating TLS on FD 24: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
Feb 4 15:26:38 azproxy squid[192272]: TCP connection to ParentProxy-22/9090 failed

The squid configuration is as follows:

### iptables setup ###
[root@azproxy ~] $ iptables -L -t nat -n -v
Chain PREROUTING (policy ACCEPT 6089 packets, 376K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5029  261K REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
21742 1130K REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8090

### squid.conf ###
dns_v4_first on

cache_peer ParentProxy-22 parent 9090 0 no-query sslcapath=/etc/pki/ca-trust/source/anchors/
acl local-network dstdomain .azcompany.com
acl everything src 10.0.0.0/8
http_access allow everything
never_direct deny local-network
never_direct allow all
http_port 8080 intercept
https_port 8090 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_certs/azproxyCA.pem dynamic_cert_mem_cache_size=16MB #connection-auth=off
http_port 8100             # forward port, not used.

sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
tls_outgoing_options /etc/pki/ca-trust/source/anchors/ca.crt
debug_options ALL,9

### excerpts from access log ###
1549282836.118 44 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282836.150 14 192.168.3.11 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282836.271 38 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282836.300 13 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282837.661 30 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282837.710 19 192.168.3.11 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282837.797 4 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - HIER_NONE/- -
1549282837.856 42 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282840.277 15 192.168.3.7 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282840.300 17 192.168.3.7 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282848.695 19 192.168.3.17 TCP_MISS/200 2283 GET http://ocsp.aramco.com.sa/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTcIwl9uZE4WwaD1jq3IdqcP3CI0wQUBCvyP4WY3ATuQXNOru2Zj%2B6W%2BfcCExkAABWDWqKqrUfWBR8AAAAAFYM%3D - ORIGINAL_DST/10.1.152.115 application/ocsp-response
1549282853.233 17 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282853.266 14 192.168.3.10 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282853.299 17 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282853.329 14 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282865.527 13 192.168.3.10 NONE/200 0 CONNECT 52.138.216.83:443 - HIER_NONE/- -
1549282865.552 13 192.168.3.10 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282865.615 57 192.168.3.10 TCP_MISS/503 4689 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282875.690 38 192.168.3.17 TCP_MISS/503 4707 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282875.711 14 192.168.3.17 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282876.012 28 10.8.101.53 NONE/200 0 CONNECT 111.221.29.254:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.455 18 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.544 42 192.168.3.10 TCP_MISS_ABORTED/500 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_NONE/- text/html
1549282880.614 17 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.644 13 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.995 22 192.168.3.4 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282881.026 25 192.168.3.4 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282882.164 19 192.168.3.17 TCP_MISS/503 4689 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html

### squid version and build ###
[root@azproxy ~] $ squid -v
Squid Cache: Version 4.5
Service Name: squid

This binary uses OpenSSL 1.0.2k-fips 26 Jan 2017. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-security-cert-generators' '--enable-security-cert-validators' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--enable-ssl-crtd' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
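The script below is an added illustration for the post above; it is not code from the poster or from the Squid project. It does two things a practitioner would do before replying. First, it parses the access.log excerpt quoted in the post (the sample lines are copied from it, with the missing space before FIRSTUP_PARENT restored where it was lost) and separates the transactions Squid sent to the cache_peer from the ones logged with HIER_NONE or ORIGINAL_DST, which is the second question in the post. Second, it addresses the cache.log error: OpenSSL's "SSL23_GET_SERVER_HELLO:unknown protocol" means Squid sent a TLS ClientHello to ParentProxy-22:9090 and what came back was not a TLS record, so probe_parent() sends a plaintext CONNECT to the parent and classifies the first bytes of the reply. The host ParentProxy-22 and port 9090 are taken from the post; example.com as the CONNECT target is an assumption, and the probe needs network access (the log parser and the classifier run offline).

```python
#!/usr/bin/env python3
"""Added illustration (not poster or Squid project code): classify access.log
transactions by forwarding destination and find out whether a cache_peer port
speaks TLS or plain HTTP."""
import re
import socket
from collections import Counter

# Squid native access.log layout (logformat "squid"):
#   timestamp elapsed client result/status bytes method url ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Sample input: lines copied from the access.log excerpt in the post, with the
# missing space before FIRSTUP_PARENT restored on the lines that lacked it.
SAMPLE_LOG = """\
1549282836.118 44 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282836.150 14 192.168.3.11 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282837.797 4 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - HIER_NONE/- -
1549282848.695 19 192.168.3.17 TCP_MISS/200 2283 GET http://ocsp.aramco.com.sa/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTcIwl9uZE4WwaD1jq3IdqcP3CI0wQUBCvyP4WY3ATuQXNOru2Zj%2B6W%2BfcCExkAABWDWqKqrUfWBR8AAAAAFYM%3D - ORIGINAL_DST/10.1.152.115 application/ocsp-response
1549282865.527 13 192.168.3.10 NONE/200 0 CONNECT 52.138.216.83:443 - HIER_NONE/- -
1549282865.552 13 192.168.3.10 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282865.615 57 192.168.3.10 TCP_MISS/503 4689 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282880.544 42 192.168.3.10 TCP_MISS_ABORTED/500 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_NONE/- text/html
"""


def parse_access_log(text):
    """Parse native-format access.log text into a list of dicts (one per line)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable access.log line: %r" % line)
        e = m.groupdict()
        for key in ("elapsed", "status", "bytes"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def routing_summary(entries):
    """Count transactions per hierarchy code and destination, e.g. FIRSTUP_PARENT/ParentProxy-22."""
    return Counter("%s/%s" % (e["hier"], e["peer"]) for e in entries)


def not_via_parent(entries):
    """Transactions that were not sent to any cache_peer.  HIER_NONE means Squid
    recorded no forwarding destination for the transaction; ORIGINAL_DST means
    Squid connected to the intercepted destination address itself."""
    return [e for e in entries if not e["hier"].endswith("_PARENT")]


def parent_errors(entries, peer):
    """Transactions routed to `peer` that ended in a 5xx error page; with
    cache.log saying 'TCP connection to ParentProxy-22/9090 failed', these are
    the client-visible side of the broken parent link."""
    return [e for e in entries if e["peer"] == peer and e["status"] >= 500]


def classify_reply(first_bytes):
    """Name the protocol of the first bytes a server sent back.  A TLS record
    starts with a content-type byte (0x16 handshake, 0x15 alert) followed by
    the 0x03 major version; a plaintext HTTP proxy answers with 'HTTP/'."""
    if len(first_bytes) >= 3 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls-handshake" if first_bytes[0] == 0x16 else "tls-alert"
    if first_bytes.startswith(b"HTTP/"):
        return "http"
    return "unknown"


def probe_parent(host="ParentProxy-22", port=9090, timeout=5.0):
    """Send a plaintext CONNECT to a parent proxy and classify what it replies.
    Host and port default to the ones in the post; example.com as the CONNECT
    target is an assumption.  Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n")
        return classify_reply(s.recv(16))


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_LOG)
    for dest, n in routing_summary(entries).most_common():
        print("%3d  %s" % (n, dest))
    for e in not_via_parent(entries):
        print("not via parent:", e["client"], e["method"], e["url"], e["hier"])
    for e in parent_errors(entries, "ParentProxy-22"):
        print("parent error:", e["status"], e["url"])
```

If probe_parent() returns "http", the parent is a plain HTTP proxy, and the cache_peer line should then carry no ssl*/tls-* options at all: Squid 4 treats any of them, the sslcapath= in the posted config included, as a request to use TLS to that peer, which is exactly the TLS negotiation that fails in the cache.log. If it returns "tls-alert" or "tls-handshake", the parent does expect TLS and the CA path given to sslcapath= is the thing to check next.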
