I configured Squid6.3 as a MITM proxy and used Chrome to browse web pages through this Squid proxy, such as twitter.com. However, I noticed these error messages in the cache.log:
...
2023/11/22 01:33:38 kid1| ERROR: system call failure while accepting a TLS connection on conn8925690 local=10.0.0.5:3128 remote=171.221.64.188:33454 FD 12 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=104
current master transaction: master128
2023/11/22 01:33:50 kid1| ERROR: system call failure while accepting a TLS connection on conn8925909 local=10.0.0.5:3128 remote=171.221.64.188:33481 FD 42 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=104
current master transaction: master128
2023/11/22 01:33:50 kid1| ERROR: system call failure while accepting a TLS connection on conn8925915 local=10.0.0.5:3128 remote=171.221.64.188:33484 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=104
current master transaction: master128
2023/11/22 01:33:51 kid1| ERROR: system call failure while accepting a TLS connection on conn8925931 local=10.0.0.5:3128 remote=171.221.64.188:33488 FD 43 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=104
current master transaction: master128
current master transaction: master128
2023/11/22 01:33:50 kid1| ERROR: system call failure while accepting a TLS connection on conn8925909 local=10.0.0.5:3128 remote=171.221.64.188:33481 FD 42 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=104
current master transaction: master128
2023/11/22 01:33:50 kid1| ERROR: system call failure while accepting a TLS connection on conn8925915 local=10.0.0.5:3128 remote=171.221.64.188:33484 FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=104
current master transaction: master128
2023/11/22 01:33:51 kid1| ERROR: system call failure while accepting a TLS connection on conn8925931 local=10.0.0.5:3128 remote=171.221.64.188:33488 FD 43 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=104
current master transaction: master128
...
At the same time, the web pages are not displayed correctly. This error does not occur when browsing all websites, only for a certain subset of websites. I haven't found any obvious patterns regarding which websites have issues and which do not.
And here is my squid.conf:
debug_options ALL,1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl bump_exclude_domains ssl::server_name "/opt/squid/var/bump_exclude_domains.conf"
acl bump_exclude_ips dst "/opt/squid/var/bump_exclude_ips.conf"
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128 ssl-bump tls-cert=/opt/squid/var/localCA/myCA.crt tls-key=/opt/squid/var/localCA/myCA.key generate-host-certificates=on dynamic_cert_mem_cache_size=8MB tls-dh=prime256v1:/opt/squid/var/localCA/dhparam.pem
sslpassword_program /opt/squid/var/localCA/keypass.sh
# Uncomment and adjust the following to add a disk cache directory.
cache_dir aufs /opt/squid/var/cache/squid 10240 256 256 max-size=5242880
# Leave coredumps in the first cache dir
coredump_dir /opt/squid/var/cache/squid
sslcrtd_program /opt/squid/libexec/security_file_certgen -s /opt/squid/var/localCA/ssl_db -M 5120MB
sslcrtd_children 32 startup=5 idle=1
# at step 1 we're peeking at client TLS-request in order to find the "SNI"
ssl_bump peek step1 all
# peeking of bump_excludes at step2, leading to splice at step3 for them
ssl_bump peek step2 bump_exclude_domains
ssl_bump peek step2 bump_exclude_ips
ssl_bump splice step3 bump_exclude_domains
ssl_bump splice step3 bump_exclude_ips
# staring for others, leading to bump at step3
ssl_bump stare step2 all
ssl_bump bump step3 all
sslproxy_cert_error allow all
tls_outgoing_options options=ALL flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
forwarded_for transparent
via off
on_unsupported_protocol respond all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Does anyone know what could be causing this problem, and how may I get rid of it? thanks!
--
Regards.
Wen Yue
Wen Yue
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-users
