Re: how to avoid use http/1.0 between squid and the target

On 11/27/23 11:36, Amos Jeffries wrote:

On 27/11/23 23:05, David Komanek wrote:

On 11/27/23 10:40, Amos Jeffries wrote:
On 27/11/23 22:21, David Komanek wrote:
here are the debug logs (IP addresses redacted) after connection attempt to https://samba.org/ :

...
2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 400 Bad Request
Server: squid/6.5
Mime-Version: 1.0
Date: Mon, 27 Nov 2023 08:58:07 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3363
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
Cache-Status: pteryx.natur.cuni.cz
Via: 1.1 pteryx.natur.cuni.cz (squid/6.5)
Connection: close

So, it seems it's not true that squid is using http/1.0, but the guy on the other side told me so. According to the log, do you think I can somehow make it work or is it definitely a problem on the samba.org webserver?


That ERR_PROTOCOL_UNKNOWN indicates that your proxy is trying to SSL-Bump the CONNECT tunnel and not understanding the protocol inside the TLS layer - which is expected if that protocol is HTTP/2.


For now you should be able to use <http://www.squid-cache.org/Doc/config/on_unsupported_protocol/> to allow these tunnels. Alternatively use the "splice" action to explicitly bypass the SSL-Bump process.


Thank you for the quick response. So I should add

acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN
on_unsupported_protocol tunnel foreignProtocol

to the squid.conf, right?

At the point the error exists it is too late AFAIK.

I was thinking something like:
  acl foo dstdomain samba.org
  on_unsupported_protocol tunnel foo




Still, I don't understand, why is this case handled by my browsers (or squid?) differently from usual HTTPS traffic to other sites. I suppose that plenty of sites are accepting HTTP/2 nowadays. A huge lack of knowledge on my side :-)

I'm not clear exactly why you see this only now, and only with samba.org. Squid not supporting HTTP/2 yet is a big part of the problem though.


Cheers
Amos


Hello,

I managed to google some options for curl useful in this context, and it is quite interesting:

working: curl -vvvv --http2 -x cache.my.domain:3128 https://www.samba.org/

working: curl -vvvv --http1.1 -x cache.my.domain:3128 https://www.samba.org/

rejected by samba.org: curl -vvvv --http1.0 -x cache.my.domain:3128 https://www.samba.org/
    this returns a simple html page with code 403:
          <html><body><h1>403 Forbidden</h1>
          Request forbidden by administrative rules.
         </body></html>

not working: chrome, firefox via proxy
   chrome returns "ERR_CONNECTION_CLOSED"
   firefox returns "PR_END_OF_FILE_ERROR"

So, it seems to me that squid doesn't like something with the heavy-duty browsers in this case. Even if I disable http/2 in firefox, it makes no difference for me. I'm really confused.

Best regards,
David


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
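
Added example (not part of the original messages and not either poster's configuration): a squid.conf fragment showing the two workarounds named in the reply above, on_unsupported_protocol tunnelling and an explicit "splice". It assumes an existing SSL-Bump setup that bumps all other traffic; the ACL names h2Sites and noBump are hypothetical. Either option leaves traffic to the listed destination uninspected by the proxy, so the ACL should stay as narrow as possible.

```conf
# Use ONE of the two options below.

# Option A: keep bumping, but fall back to a blind tunnel when the
# protocol inside the bumped TLS connection cannot be parsed by Squid.
# The ACL is matched on the destination, not on the error, because
# by the time ERR_PROTOCOL_UNKNOWN exists the decision is already made.
# "h2Sites" is a hypothetical ACL name; the domain is the one from the thread.
acl h2Sites dstdomain .samba.org
on_unsupported_protocol tunnel h2Sites
# Everything else keeps the default behaviour (error response).
on_unsupported_protocol respond all

# Option B: never bump these sites. Peek at the TLS ClientHello in
# step 1 to learn the SNI, then splice (pass through) matching names.
# "noBump" is a hypothetical ACL name.
acl step1 at_step SslBump1
acl noBump ssl::server_name .samba.org
ssl_bump peek step1
ssl_bump splice noBump
ssl_bump bump all
```

Check the result with "squid -k parse" before reloading, then repeat the browser test through the proxy.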



