Search squid archive

squid 5.0.4 cache_peer bug on https outgoing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71
Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

### 0x01 squid version

squid -v

Squid Cache: Version 5.0.4

Service Name: squid


This binary uses OpenSSL 1.0.2g  1 Mar 2016. For legal restrictions on distribution see https://www.openssl.org/source/license.html


configure options:  '--prefix=/usr' '--exec-prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--libdir=/usr/lib64' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--sharedstatedir=/var/lib' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-default-user=squid' '--enable-silent-rules' '--enable-dependency-tracking' '--with-openssl' '--enable-icmp' '--enable-delay-pools' '--enable-useragent-log' '--enable-esi' '--disable-ipv6' '--enable-ssl-crtd' '--enable-follow-x-forwarded-for' '--enable-auth' --enable-ltdl-convenience


### 0x02  peers.conf

cache_peer 127.0.0.1 parent 3129 0 ssl weighted-round-robin login=admin:squid name=crawler1


curl http://google.com -x https://admin:squid@localhost:3128 -v  -k 

< HTTP/1.1 503 Service Unavailable

< Server: squid/5.0.4

< Mime-Version: 1.0

< Date: Sun, 27 Sep 2020 15:55:05 GMT

< Content-Type: text/html;charset=utf-8

< Content-Length: 1647

< X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71

< Vary: Accept-Language

< Content-Language: en

< X-Cache: MISS from example.com

< Connection: keep-alive


proxy is ok. 3129 is glider
curl http://google.com -x https://admin:squid@localhost:3129 -v  -k 

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">

<TITLE>301 Moved</TITLE></HEAD><BODY>

<H1>301 Moved</H1>

The document has moved

<A HREF="http://www.google.com/">here</A>.

</BODY></HTML>



### 0x03 the possible solution. DONT_VERIFY_PEER

So.on squid 4/5,  The DONT_VERIFY_PEER flag is deprecated.
How to get the function on  squid 5.0.4 ?

### 0x04 squid.conf


acl SSL_ports port 443

acl Safe_ports port 1-65535     # unregistered ports

acl CONNECT method CONNECT

acl HEAD method HEAD


http_access deny !Safe_ports

http_access deny manager

http_access allow all




http_port 3128 ssl-bump generate-host-certificates=on \

dynamic_cert_mem_cache_size=100MB \

cert=/etc/squid/server.crt key=/etc/squid/server.key



ssl_bump allow all

#ssl_bump bump all

sslproxy_cert_error allow all



sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/ssl_db -M 400MB          



#sslproxy_flags DONT_VERIFY_PEER

tls_outgoing_options options=ALL flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN

sslproxy_cert_error allow all





coredump_dir /var/spool/squid3


# based on http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q=


#All File

refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms)      1440 100129600 reload-into-ims

refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 1440 100129600 reload-into-ims

refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)         1440 100129600 reload-into-ims

refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p))                   1440 100129600 reload-into-ims

refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav)                  1440 100129600 reload-into-ims

refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t))               1440 100129600 reload-into-ims


refresh_pattern -i \.(doc|pdf)$           1440   5043200 reload-into-ims

refresh_pattern -i \.(html|htm)$          1440   5040320 reload-into-ims


refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?0     0%      0

refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880

refresh_pattern .               0       20%     4320





# http options

via off

forwarded_for off

vary_ignore_expire on



# memory cache options

cache_mem 512 MB

maximum_object_size_in_memory 256 KB




forwarded_for delete

ipcache_size 4096

dns_nameservers 8.8.8.8



# error page

cache_mgr admin@xxxxxxxxxxx

visible_hostname example.com

email_err_data off

err_page_stylesheet none



#include /etc/squid/peers.conf

# use glider to build an http(s)/socks5 proxy on same port 3129

https://github.com/nadoo/glider

# glider -listen admin:squid@0.0.0.0:3129


cache_peer 127.0.0.1 parent 3129 0 ssl weighted-round-robin login=admin:squid name=crawler1



# never_direct: outgoing only by peers

never_direct allow  all


cache_effective_user proxy





_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux