On 8/8/19 3:29 PM, Tom Karches wrote:

> I am in the process of upgrading our Squid proxy server from 3.1 (on
> RHEL6) to 3.3 (on RHEL7).

It could have been worse! For example, you could ask a question about upgrading Squid from v1.0 to v2.0... I will try to help, but I do not remember much about v3.3 specifics.

> The system was configured to log https transactions as such:
> 1565183014.309 230 127.0.0.1 TCP_MISS/200 62539 CONNECT
> entrepreneurship.ncsu.edu:443 - DIRECT/152.1.227.116 -
> which requires SSL Bumping

No, simply logging HTTP CONNECT requests does not require bumping SSL.

> I used curl to test the new proxy. When I attempt to proxy an external
> https connection, this is the result :
> $ curl --proxy http://127.0.0.1:3128 https://www.google.com
> curl: (56) Received HTTP code 503 from proxy after CONNECT

Your Squid told curl that something went wrong. If you look at the actual response, you may know what went wrong. The same information may be available in Squid access.log, but the error response may have more details than a log record. Please share that info here if it does not point you to a solution.

> http_port 3128 ssl-bump \
> cert=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> I now get the following error
> squid[5796]: FATAL: No valid signing SSL certificate configured for
> HTTP_port [::]:3128

Avoid opening the SslBump Pandora box until you have to. If all you need is CONNECT logging, then you should be able to accomplish what you want without SslBump pains.

> Where should I be looking for the problem?

In Squid response to curl. You can use curl tracing options or Wireshark to see it. Squid access.log may have some clues as well.

Go Tuffy!

Alex.
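
Added example, not part of the original message and not Squid project code: a small parser for native-format access.log lines like the one quoted above, showing that a CONNECT record already carries the destination host and port without SslBump, and listing tunnels that Squid refused. The second sample line, the `ConnectRecord` type and the function names are constructed for illustration.

```python
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# Line 1 is the record quoted in the message above; line 2 is constructed for
# illustration (a CONNECT that the proxy answered with 503).
SAMPLE_LOG = """\
1565183014.309 230 127.0.0.1 TCP_MISS/200 62539 CONNECT entrepreneurship.ncsu.edu:443 - DIRECT/152.1.227.116 -
1565290140.512 3 127.0.0.1 TCP_MISS/503 0 CONNECT www.example.com:443 - DIRECT/- -
"""


class ConnectRecord(NamedTuple):
    when: datetime
    client: str
    squid_status: str    # e.g. TCP_MISS
    http_status: int     # status Squid sent to the client
    bytes_sent: int
    host: str
    port: int
    peer: Optional[str]  # next-hop address, None when Squid logged "-"


def parse_connect(line: str) -> Optional[ConnectRecord]:
    """Parse one native-format access.log line; None unless it is a CONNECT."""
    f = line.split()
    if len(f) < 10 or f[5] != "CONNECT":
        return None
    squid_status, _, code = f[3].partition("/")
    host, _, port = f[6].rpartition(":")   # rpartition keeps "[v6addr]" intact
    if not (host and port.isdigit() and code.isdigit() and f[4].isdigit()):
        return None                        # malformed record, skip it
    try:
        when = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
    except ValueError:
        return None
    peer = f[8].partition("/")[2]
    return ConnectRecord(when, f[2], squid_status, int(code), int(f[4]),
                         host, int(port), None if peer in ("", "-") else peer)


def failed_tunnels(log_text: str) -> List[ConnectRecord]:
    """CONNECT records where Squid returned an error instead of a tunnel."""
    records = (parse_connect(l) for l in log_text.splitlines())
    return [r for r in records if r and not 200 <= r.http_status < 300]


if __name__ == "__main__":
    for r in failed_tunnels(SAMPLE_LOG):
        print(f"{r.when:%Y-%m-%d %H:%M:%S} {r.client} -> {r.host}:{r.port} HTTP {r.http_status}")
```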