
Re: site opens only without ssl bump


 



Peace,

On 11/4/22 15:46, Alex Rousskov wrote:
On 11/4/22 02:31, Majed Zouhairy wrote:
with

logformat squidx %err_code/%err_detail
access_log xsquid

squid stopped logging completely

Please try to follow the earlier sketch more closely: Keep your usual logformat codes while adding %err_code/%err_detail and keep your usual access_log destination when specifying the custom logformat name (xsquid). Use squid.conf.documented as a syntax reference for these directives. Always monitor cache.log (or equivalent) for important messages.

I think I am becoming Biden. I read squid.conf.documented and didn't get it; am I supposed to substitute %err_code/%err_detail with something like [http:]>%h, for example?
Here is what cache.log displayed when I changed the config to:

logformat squidx %err_code/%err_detail
access_log daemon:/var/log/squid/accessX.log squidx

access.log stopped working and again cache.log displayed:

2022/11/09 16:58:36| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4010:c02::5f]: (101) Network is unreachable
2022/11/09 16:58:40| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4010:c0e::c6]: (101) Network is unreachable
2022/11/09 16:58:48| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1450:4010:c0d::66]: (101) Network is unreachable
2022/11/09 16:58:58| SendEcho ERROR: sending to ICMPv6 packet to [2a00:1148:db00:0:b0b0::1]: (101) Network is unreachable
2022/11/09 16:59:29 kid1| Preparing for shutdown after 593 requests
2022/11/09 16:59:29 kid1| Waiting 30 seconds for active connections to finish
2022/11/09 16:59:29 kid1| Killing master process, pid 22616
2022/11/09 16:59:29 kid1| Closing HTTP(S) port [::]:8080
2022/11/09 16:59:29 kid1| Closing Pinger socket on FD 46
2022/11/09 16:59:29 kid1| Preparing for shutdown after 593 requests
2022/11/09 16:59:29 kid1| Waiting 30 seconds for active connections to finish
2022/11/09 16:59:29 kid1| WARNING: sslcrtd_program #Hlpr1 exited
    current master transaction: master85
2022/11/09 16:59:29 kid1| Too few sslcrtd_program processes are running (need 1/32)
    current master transaction: master85
2022/11/09 16:59:29 kid1| Starting new helpers
    current master transaction: master85
2022/11/09 16:59:29 kid1| helperOpenServers: Starting 1/32 'security_file_certgen' processes
    current master transaction: master85
2022/11/09 16:59:29 kid1| WARNING: sslcrtd_program #Hlpr3 exited
2022/11/09 16:59:29 kid1| Too few sslcrtd_program processes are running (need 1/32)
2022/11/09 16:59:29 kid1| storeDirWriteCleanLogs: Starting...
2022/11/09 16:59:29 kid1|     65536 entries written so far.
2022/11/09 16:59:29 kid1|   Finished.  Wrote 90620 entries.
2022/11/09 16:59:29 kid1|   Took 0.10 seconds (914392.96 entries/sec).
2022/11/09 16:59:29 kid1| FATAL: The sslcrtd_program helpers are crashing too rapidly, need help!



with

ssl_bump splice all

now the site works.

OK, so now we know that something breaks around SslBump step1. The next task is (still) getting %err_code/%err_detail working. If that is not enough, then you will also need to collect debugging logs.


HTH,

Alex.



On 11/3/22 16:05, Alex Rousskov wrote:
On 11/3/22 05:43, Majed Zouhairy wrote:

I have 2 proxies, one with SSL bump and one without; there is an internal site that opens only on the no-SSL-bump proxy.

On the SSL bump proxy it displays:


What does Squid say in access.log for this problematic request? Please configure Squid to log %err_code/%err_detail before answering this question. For example:

logformat xsquid ...your regular %codes... %err_code/%err_detail
access_log ... xsquid



Does the site work if you temporarily replace your ssl_bump rules with:

ssl_bump peek all
ssl_bump splice all


Does the site work if you temporarily replace your ssl_bump rules with:

ssl_bump peek tls_s1_connect
ssl_bump splice all


Alex.




Unable to access the site. The web page at https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback may be temporarily unavailable or permanently moved to a new address.
ERR_TUNNEL_CONNECTION_FAILED

The site needs a special configuration to run: it needs a local proxy, avtunproxy.nl.
In the Internet Explorer settings, the second box in the proxy settings, called "use the script for automatic configuration", needs to be checked, and the proxy address is plugged in there:
http://127.0.0.1:10224/proxy.pac

My bump settings are as follows:


acl     tls_s1_connect        at_step SslBump1
acl     tls_s2_client_hello     at_step SslBump2
acl     tls_s3_server_hello     at_step SslBump3

# define acls for sites that must not be actively bumped

acl     tls_allowed_hsts        ssl::server_name .akamaihd.net
acl     tls_allowed_hsts        ssl::server_name .proxy.ckko.nl
acl     tls_server_is_bank      ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
acl     tls_to_splice           any-of  tls_allowed_hsts tls_server_is_bank

# TLS/SSL bumping steps

ssl_bump        peek            tls_s1_connect          # peek at TLS/SSL connect data
ssl_bump        splice          tls_to_splice           # splice some: no active bump
ssl_bump        stare           all                     # stare(peek) at server properties of the webserver
ssl_bump        bump

Contents of the /usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:

.ckko.nl
.ias.ckko.nl
.test-auth.ias.ckko.nl
.config.avtunproxy.nl
.rand.avtunproxy.nl
.avast.nl
.dev.avast.nl
.ncis.nl
.cdn.nlpost.nl

Those are all the sites that are logged on the non-SSL-bump proxy when ias.ckko.nl is accessed.

Despite all this configuration, the site does not open. In ufdbguard every site from the user is a pass.

In the avtunproxy log:

2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching https://ckko.nl/upload/certificates/8.crl
2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59] [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59] [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 12.000000 ms
2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a] [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a] [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 15.000000 ms
2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178] [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing connection was forcibly closed by the remote host.
2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178] [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c] [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c] [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559] [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
2022/11/03 12:28:42.190001 |INF| [rid=27a7baff0fe5d70e] [addr=127.0.0.1:10542] GET /static/bootstrap.js - HTTP 200 - OK
2022/11/03 12:28:42.192001 |INF| [rid=dbddaaa3f7759903] [addr=127.0.0.1:10459] GET /static/bootstrap.css - HTTP 200 - OK
2022/11/03 12:28:42.287001 |INF| [rid=7e81e98ea9c70d3f] [addr=127.0.0.1:10544] GET /api/v2/log


What is the solution?
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
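For reference, here is Alex's logformat/access_log sketch combined with the posted ssl_bump rules in one squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project: the log path is an assumption, the regular "squid" format codes are taken from squid.conf.documented, and the final catch-all rule is written with an explicit `all` ACL (the posted config has none). The point it makes is the one Alex makes above: the format name must be identical on both directives, access_log still needs its destination before that name, and the diagnostic peek/splice variant should replace the production rules only temporarily.

```conf
# Regular "squid" format codes with the two error fields appended.
# For transactions that did not fail Squid logs them as "-/-".
logformat xsquid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail

# Separate file (assumed path), so the regular access.log keeps its format.
access_log daemon:/var/log/squid/accessX.log xsquid

# Step ACLs as posted
acl tls_s1_connect      at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# Sites that must not be actively bumped, as posted
acl tls_allowed_hsts   ssl::server_name .akamaihd.net
acl tls_allowed_hsts   ssl::server_name .proxy.ckko.nl
acl tls_server_is_bank ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
acl tls_to_splice      any-of tls_allowed_hsts tls_server_is_bank

# Production rules, one action per line; the first matching line wins.
ssl_bump peek   tls_s1_connect
ssl_bump splice tls_to_splice
ssl_bump stare  all
ssl_bump bump   all

# Diagnostic variant Alex asks about: no active bumping at all. If the site
# works with these two lines in place of the four above, the breakage is in
# the stare/bump path (which is what the "splice all" result confirmed).
#ssl_bump peek   tls_s1_connect
#ssl_bump splice all
```

After editing, `squid -k parse` reports directive and ACL-name errors before a reload, and `squid -k reconfigure` applies the change; the earlier attempt with `logformat squidx` and `access_log xsquid` fails on exactly the name mismatch this fragment avoids.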
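To check which CONNECT targets the posted splice list would actually catch, here is an added example in Python (not code from the thread or from Squid) that re-implements the dstdomain-style matching ssl::server_name uses: a leading dot matches that domain and every subdomain, no leading dot matches only that exact host. It parses the CONNECT summary lines from the avtunproxy log above and says whether the posted rule order would splice or bump each target. The domain file and the log lines are copied from the thread; the function names are mine.

```python
"""Which CONNECT targets would the posted ssl_bump splice rule match?

Added example, not code from the squid-users thread or from Squid itself.
Squid's ssl::server_name ACL uses dstdomain-style matching: an entry with a
leading dot matches that domain and every subdomain, an entry without one
matches only that exact host name. Log lines and the domain file below are
copied from the thread; the function names are the example author's own.
"""
import re

# /usr/local/ufdbguard/blacklists/finance/domains.squidsplice as posted
SPLICE_FILE = """\
.ckko.nl
.ias.ckko.nl
.test-auth.ias.ckko.nl
.config.avtunproxy.nl
.rand.avtunproxy.nl
.avast.nl
.dev.avast.nl
.ncis.nl
.cdn.nlpost.nl
"""

# the two tls_allowed_hsts entries from the posted squid.conf
HSTS_ENTRIES = [".akamaihd.net", ".proxy.ckko.nl"]

# three representative avtunproxy lines copied from the thread
AVTUNPROXY_LOG = """\
2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559] [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
"""

# CONNECT summary lines only; host names, not bracketed IPv6 literals
CONNECT_RE = re.compile(
    r"\[PROXY parent=(?P<parent>[^\]]+)\] CONNECT (?P<host>[^:\s]+):(?P<port>\d+)"
    r" -- (?P<status>\d{3}) --"
)


def load_domain_list(text):
    """Parse a one-domain-per-line ACL file; blank lines and # comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def server_name_matches(entry, host):
    """dstdomain / ssl::server_name semantics for a single ACL entry."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        # ".ckko.nl" matches "ckko.nl" itself and any "<label>.ckko.nl"
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def matching_entries(entries, host):
    """All ACL entries that match host (Squid needs only one)."""
    return [e for e in entries if server_name_matches(e, host)]


def parse_connects(log_text):
    """(host, port, status, parent) for every CONNECT summary line in an avtunproxy log."""
    found = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            found.append((m["host"], int(m["port"]), int(m["status"]), m["parent"]))
    return found


def classify(entries, host):
    """What the posted rule order (peek step1, splice tls_to_splice, stare all, bump)
    does with a CONNECT to host: "splice" if any tls_to_splice entry matches, else
    "bump". Returns (action, matching_entries)."""
    hits = matching_entries(entries, host)
    return ("splice" if hits else "bump", hits)


def report(log_text=AVTUNPROXY_LOG):
    """One line per CONNECT: target, upstream status, and what the splice ACL does."""
    entries = load_domain_list(SPLICE_FILE) + HSTS_ENTRIES
    lines = []
    for host, port, status, parent in parse_connects(log_text):
        action, hits = classify(entries, host)
        lines.append(f"{host}:{port} via {parent} -> {status}; ssl_bump {action} {hits}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On the thread's data this shows test-oauth.ais.ckko.nl is caught by `.ckko.nl` (not by `.ias.ckko.nl`, which is a different label), so the splice rule does apply to the CONNECT that avtunproxy reports as failing; that is consistent with Alex's reading that the problem sits around SslBump step 1 rather than in the domain list.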



