Hi Alex,
I have done some more troubleshooting and my external proxy is good: I get no errors, and I have got one of my DMZ hosts connected to it and can browse the web, but my internal proxy can't contact my external proxy. This is the error I get when I run it:
2019/11/26 22:53:28| Error parsing SSL Server Hello Message on FD 15
2019/11/26 22:53:28| ERROR: negotiating TLS on FD 15: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol (1/-1/0)
2019/11/26 22:53:28| TCP connection to 172.16.55.21/3128 failed
2019/11/26 22:53:28| Detected DEAD Parent: 172.16.55.21
2019/11/26 22:53:28| Error negotiating SSL connection on FD 13: error:00000001:lib(0):func(0):reason(1) ( 1/0)
2019/11/26 22:53:28| ERROR: negotiating TLS on FD 15: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol (1/-1/0)
2019/11/26 22:53:28| TCP connection to 172.16.55.21/3128 failed
2019/11/26 22:53:28| Detected DEAD Parent: 172.16.55.21
2019/11/26 22:53:28| Error negotiating SSL connection on FD 13: error:00000001:lib(0):func(0):reason(1) ( 1/0)
This is my config on my internal proxy:
#
# Recommended minimum configuration:
#
#SSL
http_port 3128 ssl-bump \
cert=/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#squid proxy in DMZ on internet
cache_peer 172.16.55.21 parent 3128 0 default
acl all src all
http_access allow all
never_direct allow all
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
My external proxy uses the same config but without the lines under "squid proxy in DMZ on internet".
Thanks,
Rob
On Tue, 26 Nov 2019 at 16:59, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 11/26/19 10:54 AM, robert k Wild wrote:
> as I have configured both internal proxy (non internet facing) and
> external proxy (internet facing) from source,
Please show the essential parts of both internal and external Squid
configurations for the broken setup (at least).
It is difficult to guess what went wrong because the guide you are
quoting does not talk about internal and external proxy instances _and_,
in most cases, simply adding a valid http_port line has no effect on
test cases that worked before -- the new port will be unused by the old
test traffic. It is not even clear which proxy you are adding the
SslBump configuration to.
Thank you,
Alex.
> followed this guide -
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> It works if I comment out the SSL lines:
>
> #SSL
> #http_port 3128 ssl-bump \
> #cert=/etc/squid/ssl_cert/myCA.pem \
> #generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> #sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> #acl step1 at_step SslBump1
> #ssl_bump peek step1
> #ssl_bump bump all
>
> But as soon as I uncomment them, it breaks the link between both servers.
>
> This is the error I get from the internal proxy when it tries to contact
> the external proxy:
>
> https://i.postimg.cc/JzC29gh8/ssl.png
> --
> Regards,
>
> Robert K Wild.
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
>
--
Regards,
Robert K Wild.
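On the meaning of the cache.log error quoted above: OpenSSL reports "SSL23_GET_SERVER_HELLO: unknown protocol" when the bytes that come back after its ClientHello do not form a TLS record, which is what a plaintext listener (for example a plain Squid http_port) produces when it is handed a TLS handshake. The probe below is an added example, not code from the thread or from Squid: it sends a hand-built TLS 1.2 ClientHello to a host and port, classifies the first bytes of the reply (TLS handshake, TLS alert, plaintext HTTP, or nothing), and pulls the peer address out of the "TCP connection to host/port failed" lines Squid logged. The two sample log lines are copied from the post; the cipher-suite list and the function names are my own choices.

```python
"""Probe a TCP port with a TLS ClientHello and classify what comes back.

Added diagnostic for the "SSL23_GET_SERVER_HELLO: unknown protocol" error:
OpenSSL raises it when the reply to its ClientHello is not a TLS record,
which usually means the far end is a plaintext listener, not a TLS server.
"""
import os
import re
import socket
import struct


def build_client_hello() -> bytes:
    """Hand-built minimal TLS 1.2 ClientHello (no extensions, no SNI).

    Enough to make a TLS server answer with a ServerHello or an alert,
    and to make a plaintext HTTP server answer with an HTTP error line.
    """
    # A few common TLS 1.2 suites (constructed choice, any valid set works here).
    cipher_suites = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f"
    body = (
        b"\x03\x03"                                              # client_version: TLS 1.2
        + os.urandom(32)                                         # client random
        + b"\x00"                                                # session_id: empty
        + struct.pack("!H", len(cipher_suites)) + cipher_suites  # cipher suites
        + b"\x01\x00"                                            # compression: null only
    )
    # Handshake header: type 0x01 (ClientHello) + 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake), legacy version TLS 1.0, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Say what kind of peer produced the first bytes read after the hello."""
    if not data:
        return "closed-without-reply"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"      # ServerHello record: the port speaks TLS
    if len(data) >= 3 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"          # TLS server that rejected our hello (still TLS)
    if data.startswith(b"HTTP/"):
        return "plaintext-http"     # an HTTP listener parsed our hello as a bad request
    return "unknown-non-tls"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello, classify the reply (live network call)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(1024)
        except socket.timeout:
            return "no-reply"
    return classify_response(reply)


# Squid's cache.log names the peer it could not reach; pull host/port out of it.
PEER_RE = re.compile(r"TCP connection to (\S+)/(\d+) failed")


def peers_from_cache_log(text: str) -> set:
    """Return {(host, port)} for every 'TCP connection to host/port failed' line."""
    return {(m.group(1), int(m.group(2))) for m in PEER_RE.finditer(text)}


# Two lines copied from the cache.log excerpt in the post above.
SAMPLE_LOG = """\
2019/11/26 22:53:28| ERROR: negotiating TLS on FD 15: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol (1/-1/0)
2019/11/26 22:53:28| TCP connection to 172.16.55.21/3128 failed
"""

if __name__ == "__main__":
    # Probe whatever parent Squid reported as unreachable.
    for host, port in sorted(peers_from_cache_log(SAMPLE_LOG)):
        print(host, port, probe(host, port))
```

Run from the internal proxy host: a result of "plaintext-http" or "closed-without-reply" for the parent's port means the far end is not terminating TLS on that port, which is exactly the situation OpenSSL describes with "unknown protocol"; "tls-handshake" or "tls-alert" means the port does speak TLS and the problem lies elsewhere.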
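A separate check on the internal-proxy config posted above, added here and not part of the thread: Squid evaluates http_access lines top to bottom and stops at the first rule whose ACLs all match, so with "http_access allow all" placed before the "deny !Safe_ports", "deny CONNECT !SSL_ports" and manager rules, none of those denies can ever fire and every client may CONNECT to any port. The script below is my own example, not Squid's code or the poster's: it parses the http_access lines of a squid.conf, reports every rule that sits after a catch-all "allow all" or "deny all", and runs on the access-relevant lines copied from the posted config.

```python
"""Find unreachable http_access rules in a squid.conf.

Squid evaluates http_access top to bottom, first match wins, so any rule
placed after "http_access allow all" (or "deny all") can never fire.
Added check; not part of the post or of Squid itself.
"""
import re

# http_access <allow|deny> <acl> [acl ...]   (a leading '!' negates an acl;
# an optional trailing '# comment' is ignored)
HTTP_ACCESS_RE = re.compile(r"^\s*http_access\s+(allow|deny)\s+(.+?)\s*(?:#.*)?$")


def parse_http_access(conf: str) -> list:
    """Return (line_no, action, [acl names]) for each http_access line."""
    rules = []
    for no, line in enumerate(conf.splitlines(), start=1):
        m = HTTP_ACCESS_RE.match(line)
        if m:
            rules.append((no, m.group(1), m.group(2).split()))
    return rules


def is_catch_all(acls: list) -> bool:
    """A rule whose only ACL is 'all' matches every request."""
    return acls == ["all"]


def unreachable_rules(conf: str) -> list:
    """Rules that follow a catch-all and therefore never run.

    Each entry is (line_no, action, acls, (catch_all_line_no, catch_all_action)).
    """
    shadowed = []
    terminal = None
    for no, action, acls in parse_http_access(conf):
        if terminal is not None:
            shadowed.append((no, action, acls, terminal))
        elif is_catch_all(acls):
            terminal = (no, action)
    return shadowed


def report(conf: str) -> list:
    """Human-readable finding per unreachable rule."""
    out = []
    for no, action, acls, (tno, taction) in unreachable_rules(conf):
        out.append(
            f"line {no}: 'http_access {action} {' '.join(acls)}' is unreachable: "
            f"line {tno} 'http_access {taction} all' already matches every request"
        )
    return out


# The access-relevant lines copied from the internal-proxy config in the post.
SAMPLE_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
cache_peer 172.16.55.21 parent 3128 0 default
acl all src all
http_access allow all
never_direct allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
"""

if __name__ == "__main__":
    for line in report(SAMPLE_CONF):
        print(line)
```

Moving "http_access allow all" (or, better, a narrower "http_access allow localnet") below the deny rules restores the intended order: denies first, then the allow, then a final "http_access deny all".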