On 11/4/22 02:31, Majed Zouhairy wrote:
with
logformat squidx %err_code/%err_detail
access_log xsquid
squid stopped logging completely
Please try to follow the earlier sketch more closely: Keep your usual
logformat codes while adding %err_code/%err_detail and keep your usual
access_log destination when specifying the custom logformat name
(xsquid). Use squid.conf.documented as a syntax reference for these
directives. Always monitor cache.log (or equivalent) for important messages.
with
ssl_bump splice all
now the site works
OK, so now we know that something breaks around SslBump step1. The next
task is (still) getting %err_code/%err_detail working. If that is not
enough, then you will also need to collect debugging logs.
HTH,
Alex.
On 11/3/22 16:05, Alex Rousskov wrote:
On 11/3/22 05:43, Majed Zouhairy wrote:
i have 2 proxies, one with ssl bump and one without, there is an
internal site that opens only on the no ssl bump proxy.
on the ssl bump proxy it displays:
What does Squid say in access.log for this problematic request?
Please configure Squid to log %err_code/%err_detail before answering
this question. For example:
logformat xsquid ...your regular %codes... %err_code/%err_detail
access_log ... xsquid
Does the site work if you temporarily replace your ssl_bump rules with:
ssl_bump peek all
ssl_bump splice all
Does the site work if you temporarily replace your ssl_bump rules with:
ssl_bump peek tls_s1_connect
ssl_bump splice all
Alex.
Не удается получить доступ к сайту. Веб-страница по адресу (i was
unable to gain access to website:)
https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback,
возможно, временно недоступна или постоянно перемещена по новому
адресу. (it is possible that it can not be reached or it has been
permanently relocated to a new address)
ERR_TUNNEL_CONNECTION_FAILED
the site needs special configurations to run:
it needs a local proxy to run, avtunproxy.nl
in the internet explorer settings:
the second box in the proxy settings needs to be checked called the
"use the scenario for automatic configuration"
in it, the proxy address is plugged
http://127.0.0.1:10224/proxy.pac
my bump settings are as follows:
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3
# define acls for sites that must not be actively bumped
acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_allowed_hsts ssl::server_name .proxy.ckko.nl
acl tls_server_is_bank ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
# TLS/SSL bumping steps
ssl_bump peek tls_s1_connect # peek at TLS/SSL connect data
ssl_bump splice tls_to_splice # splice some: no active bump
ssl_bump stare all # stare(peek) at server
# properties of the webserver
ssl_bump bump
contents of the
/usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:
.ckko.nl
.ias.ckko.nl
.test-auth.ias.ckko.nl
.config.avtunproxy.nl
.rand.avtunproxy.nl
.avast.nl
.dev.avast.nl
.ncis.nl
.cdn.nlpost.nl
those are all the sites that are logged in on the non ssl bump
proxy when ias.ckko.nl is accessed
despite all this configuration, the site does not open. in
ufdbguard every site from the user is a pass.
in avtunproxy log :
2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching https://ckko.nl/upload/certificates/8.crl
2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59] [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59] [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 12.000000 ms
2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a] [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a] [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 15.000000 ms
2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178] [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178] [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c] [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c] [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559] [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
2022/11/03 12:28:42.190001 |INF| [rid=27a7baff0fe5d70e] [addr=127.0.0.1:10542] GET /static/bootstrap.js - HTTP 200 - OK
2022/11/03 12:28:42.192001 |INF| [rid=dbddaaa3f7759903] [addr=127.0.0.1:10459] GET /static/bootstrap.css - HTTP 200 - OK
2022/11/03 12:28:42.287001 |INF| [rid=7e81e98ea9c70d3f] [addr=127.0.0.1:10544] GET /api/v2/log
what is the solution?
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
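
Added example (not part of the thread and not Squid project code): a small lint that catches the logformat/access_log mistakes discussed above before Squid is reloaded. It assumes a simplified reading of the directive syntax from squid.conf.documented; the corrected sample uses the stock "squid" format codes and an assumed log destination, and lint() is a hypothetical helper.

```python
BUILTIN = {"squid", "common", "combined", "referrer", "useragent"}
ERR_CODES = ("%err_code", "%err_detail")

# Constructed sample: the two directives as posted in the thread.
BROKEN = "logformat squidx %err_code/%err_detail\naccess_log xsquid\n"

# Constructed sample: stock "squid" format codes plus the error codes.
# The log destination is an assumption; keep whatever you already use.
FIXED = (
    "logformat xsquid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un "
    "%Sh/%<a %mt %err_code/%err_detail\n"
    "access_log daemon:/var/log/squid/access.log xsquid\n"
)


def lint(conf):
    """Return problems in the logformat/access_log directives of conf."""
    formats, logs, problems = {}, [], []
    for line in conf.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "logformat":
            formats[tok[1]] = " ".join(tok[2:])
        elif tok and tok[0] == "access_log":
            logs.append(tok[1:])
    used = set()
    for args in logs:
        dest = args[0] if args else ""
        if dest == "none":
            continue
        if ":" in dest or dest.startswith("/"):
            # Format name: logformat=NAME option, else legacy second word.
            named = [a[10:] for a in args[1:] if a.startswith("logformat=")]
            legacy = args[1] if len(args) > 1 and "=" not in args[1] else "squid"
            name = named[0] if named else legacy
        else:
            problems.append(f"access_log lacks a destination: {dest!r}")
            name = dest  # a lone word was probably meant as the format name
        used.add(name)
        if name not in formats and name not in BUILTIN:
            problems.append(f"access_log uses undefined logformat {name!r}")
    for name, spec in formats.items():
        if name not in used:
            problems.append(f"logformat {name!r} is never used by access_log")
        if any(code not in spec for code in ERR_CODES):
            problems.append(f"logformat {name!r} lacks %err_code/%err_detail")
        rest = spec.replace("%err_code", "").replace("%err_detail", "")
        if "%" not in rest:
            problems.append(f"logformat {name!r} logs only the error codes")
    return problems
```

Calling lint(BROKEN) reports the missing destination, the xsquid/squidx name mismatch and the dropped regular codes; lint(FIXED) returns an empty list.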