Hello Amos
Thank you for looking into this. Below is the configuration ...
###########################
logformat squid %tl %6tr %>a %<a %dt %<rd %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt %<tt %<pt %{Nuance-Session-ID}>h
cache_access_log /var/log/squid/access.log squid
pid_filename /var/run/squid.pid
visible_hostname nuance-ak-client-test2
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT
cache deny all
dns_v4_first on
http_port 443 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/etc/squid/squidCA.pem cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem
# Below, a.b.c.d is the backend IP
cache_peer a.b.c.d parent 443 0 no-query proxy-only no-digest originserver ssl sslcert=/etc/certs/abc.crt sslkey=/etc/certs/key.pem sslcapath=/etc/certs/ sslflags=DONT_VERIFY_PEER name=dev
acl dev myport 443
acl dev myport 80
acl dev myport 3129
http_access allow all
cache_peer_access dev allow dev
#cache_peer_access dev deny all
#URL_REWRITE_PROGRAM /etc/squid/rewrite-http.pl
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
###########################

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on behalf of squid-users-request@xxxxxxxxxxxxxxxxxxxxx <squid-users-request@xxxxxxxxxxxxxxxxxxxxx>
Sent: Sunday, September 11, 2022 8:00 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: squid-users Digest, Vol 97, Issue 20

Today's Topics:

   1. https on frontend (Adiseshu Channasamudhram)
   2. Re: https on frontend (Amos Jeffries)

----------------------------------------------------------------------

Message: 1
Date: Sat, 10 Sep 2022 18:19:23 +0000
From: Adiseshu Channasamudhram <csadi@xxxxxxxxxxx>
To: "squid-users@xxxxxxxxxxxxxxxxxxxxx" <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: https on frontend
Message-ID: <PH0PR14MB530976D868BCFACDF5BF6F20B3429@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hello Squid experts

I'm running into an issue with the below setup

frontend -----------TLS-------------Squid-------------------------2WayTLS--------------------------Backend

When frontend is sending the http request, I see the TLS exchange is successful but then on the access log of squid, I see the below error

w.x.y.z is the IP of the frontend server.

10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4016 %16%03%03 %A1%DFXl%A1%90yf%1C - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:37 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:37 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:38 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:38 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -

On the squid interface listening to the frontend, I have pointed it to a self signed cert ...

Any help/suggestion would be greatly appreciated

Regards
Adi

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20220910/a27bfffa/attachment-0001.htm>

------------------------------

Message: 2
Date: Sun, 11 Sep 2022 09:11:35 +1200
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: https on frontend
Message-ID: <ef33deaf-3c02-8cba-c8df-12a20fbfa258@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 11/09/22 06:19, Adiseshu Channasamudhram wrote:
> Hello Squid experts
>
> I'm running into an issue with the below setup
>
> frontend
> -----------TLS-------------Squid-------------------------2WayTLS--------------------------Backend
>
> When frontend is sending the http request, I see the TLS exchange is
> successful but then on the access log of squid, I see the below error
>
> w.x.y.z is the IP of the frontend server.
>
> 10/Sep/2022:00:13:34 +0000      0 w.x.y.z - - - TAG_NONE/400 4476 NONE
> error:invalid-request - HIER_NONE/- text/html - - -
...
> On the squid interface listening to the frontend, I have pointed it to a
> self signed cert ...
>
> Any help/suggestion would be greatly appreciated
>

Either the HTTP request messages received from the frontend inside the TLS are invalid, or your frontend<->Squid is misconfigured.

We will need to see your squid.conf details. Specifically these directives, though all settings (no comments or empty lines) would be useful for a full check:
  http_port, https_port, cache_peer, tls_outgoing_options

Also a cache/log trace made with "debug_options ALL,0 11,2" will be helpful.

Amos

------------------------------

End of squid-users Digest, Vol 97, Issue 20
*******************************************
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
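Added note and example, not part of the original messages: the fourth log entry in the thread has `%16%03%03` in the request-method column. Squid percent-encodes non-printable bytes in that column, and 0x16 0x03 0x03 is a TLS record header: content type 0x16 (handshake) followed by record version 0x0303 (TLS 1.2). That is what the start of a client's ClientHello looks like once Squid tries to read it as an HTTP request line. The configuration posted above declares only an `http_port 443 ... ssl-bump` and no `https_port`. An http_port expects plaintext HTTP on the socket (its ssl-bump option acts on CONNECT requests, or on intercepted connections when `intercept`/`tproxy` is also set), so a frontend that opens TLS directly to that port yields exactly this kind of TAG_NONE/400 entry. The Python below, which is my own example code and not Squid's or the poster's, parses lines in the thread's custom logformat and flags entries whose parsed "method" decodes to a TLS record header. The first four sample lines are copied from the thread; the last two (IP 192.0.2.7, the `%16%03%01` record, the TCP_MISS line) are constructed.

```python
"""Parse the thread's custom squid logformat and flag 400 entries whose
'method' is really the start of a TLS record (a client speaking TLS to an
http_port).  Added example, not Squid code."""
from urllib.parse import unquote_to_bytes

# Token layout of the thread's logformat, in order:
#   %tl %6tr %>a %<a %dt %<rd %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt %<tt %<pt %{Nuance-Session-ID}>h
# %tl renders as "10/Sep/2022:00:13:34 +0000", i.e. two whitespace-separated
# tokens, so the layout below has 17 names for 16 format codes.
FIELDS = (
    "time", "tz", "resp_ms", "client", "server", "dns_ms", "req_delay",
    "status", "bytes", "method", "url", "user", "hier", "mime",
    "total_ms", "peer_ms", "session_id",
)

# TLS record-layer version field (bytes 2-3 of a record) to a name.  A
# ClientHello's record layer says 0x0301 or 0x0303 even when the client
# supports TLS 1.3, so the name is "what the record header claims".
TLS_RECORD_VERSIONS = {
    0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2",
}
TLS_HANDSHAKE = 0x16  # record content type for Handshake (ClientHello etc.)


def parse_line(line):
    """Split one access.log line into a dict keyed by FIELDS.

    The format is whitespace-separated with '-' for empty values, so a
    logged header value or URL containing spaces would break this split;
    the thread's lines do not.
    """
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} tokens, got {len(tokens)}: {line!r}")
    entry = dict(zip(FIELDS, tokens))
    tag, _, code = entry["status"].partition("/")
    entry["squid_tag"] = tag            # e.g. TAG_NONE, TCP_MISS
    entry["http_status"] = int(code)    # e.g. 400
    # Squid writes non-printable bytes in %rm / %ru percent-encoded (the
    # "%16%03%03" in the thread); decode them back to raw bytes.
    entry["method_bytes"] = unquote_to_bytes(entry["method"])
    entry["url_bytes"] = unquote_to_bytes(entry["url"])
    return entry


def tls_record_version(data):
    """Return a version name if `data` begins with a TLS handshake record
    header (0x16 0x03 <minor>), otherwise None."""
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        version = (data[1] << 8) | data[2]
        return TLS_RECORD_VERSIONS.get(version, f"unknown (0x{version:04x})")
    return None


def is_tls_on_http_port(entry):
    """True when Squid rejected the request (400) and the 'method' it parsed
    is the start of a TLS record: the client spoke TLS to an http_port."""
    return entry["http_status"] == 400 and tls_record_version(entry["method_bytes"]) is not None


def find_tls_on_http_port(lines):
    """Return (client_ip, claimed_tls_version) for every flagged line."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if is_tls_on_http_port(entry):
            hits.append((entry["client"], tls_record_version(entry["method_bytes"])))
    return hits


# Lines 1-4 are copied from the thread.  Lines 5-6 are constructed: a second
# TLS-speaking client whose record header claims 0x0301, and a normal proxied
# request that must not be flagged.
SAMPLE_LINES = [
    "10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -",
    "10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -",
    "10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -",
    "10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4016 %16%03%03 %A1%DFXl%A1%90yf%1C - HIER_NONE/- text/html - - -",
    "10/Sep/2022:00:14:01 +0000 0 192.0.2.7 - - - TAG_NONE/400 4016 %16%03%01 %00%C4%01%00%00%C0%03%03 - HIER_NONE/- text/html - - -",
    "10/Sep/2022:00:15:00 +0000 12 192.0.2.7 a.b.c.d - - TCP_MISS/200 5120 GET https://example.test/ - FIRSTUP_PARENT/dev text/html 12 10 -",
]

if __name__ == "__main__":
    for client, version in find_tls_on_http_port(SAMPLE_LINES):
        print(f"{client}: TLS record ({version}) received on an HTTP listener")
```

Run it against a real access.log by replacing SAMPLE_LINES with the file's lines; any hit means the peer on that client IP is negotiating TLS on a listener that expects HTTP, which is a listener-type question (http_port versus https_port) rather than a certificate one. Separately, the posted config sets `sslflags=DONT_VERIFY_PEER` on the cache_peer and `sslproxy_cert_error allow all`, so Squid accepts any certificate the backend presents: the client certificate in `sslcert=` authenticates Squid to the backend, but nothing in that configuration authenticates the backend to Squid.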