[squid-users] https issues for google

glenn.groves at bradnams.com.au glenn.groves at bradnams.com.au
Sun Dec 7 08:48:11 UTC 2014


Hi All,

I have finally been able to spend time upgrading a server to a later squid version, I have tried 3.4.9.

I could not get authentication to work for this test, but proceeded to test without (also dismisses auth as the problem).

I am getting the following in the logs with secure sites now the squid is 3.4.9:

192.168.9.69 TCP_MISS/200 295 CONNECT www.google.com:443 - HIER_DIRECT/216.58.220.1
192.168.9.69 TCP_MISS/200 0 CONNECT www.google.com:443 - HIER_DIRECT/216.58.220.132

Upgrading to 3.4.9 on Centos as been a pain so far, no point in proceeding with the problem persisting. Can someone advise why I am getting TCP_MISS/200 when going to secure google sites?

Or more importantly, how to fix my squid 3.1 on centos 6.5 with this problem.

Thanks,

Glenn

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of glenn.groves at bradnams.com.au
Sent: Thursday, 9 October 2014 9:04 AM
To: eliezer at ngtech.co.il; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] https issues for google

Hi Eliezer,

The DNS we are using is the ISP default for external, our internal domain DNS for internal. Nslookup works for all tests.

I would like to update to the latest stable, but I am concerned of breaking the current setup. It took a little work to get it working correctly particularity on the multiple authentication methods working with our domain and trust.

I support what has been said - to check the logs. This will likely take time as I cannot reproduce this issue on demand - and I think users are starting to not report the issue and just living with it (or it is not getting all the way to me at least). I will have to get lucky at some point on my computer and look into it then.

Could squid be getting mixed up when mulipule https requests are to the same address (e.g. https://google.com.au)?

Thanks,

Glenn 

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Eliezer Croitoru
Sent: Wednesday, 8 October 2014 7:39 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] https issues for google

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Glenn,

Since you are not using intercept or tproxy the basic place to look at is the access.log.
You can see there if the proxy is trying for example to reach an IPV6 address (by mistake).

Also to make sure there is an issue you can use specific exception like the cacheadmin acl you are using to allow the cacheadmin access without authentication for the basic test.

Also you are indeed using the latest CentOS 6.5 squid but since the current stable version is 3.4.8 you should try to upgrade(to something else then 3.1) due to other issues.

The issue can be a network or dns related issue which was not detected until now.

Please first make sure that the access.log and cache.log files are clean for errors or issues.

What dns servers are you using?

Eliezer

On 10/07/2014 06:51 AM, glenn.groves at bradnams.com.au wrote:
> Hi All,
> 
> We have a weird issue where https sites apparently don't respond (get 
> message "this page can't be displayed"). This mainly affects google 
> websites and to a lesser affect youtube. It has been reported it may 
> have affected some banking sites but this is unconfirmed. We are 
> running centos 6.5 with up to date squid from the centos repositories.
> 
> Here is the version of squid: yum list installed | grep squid 
> squid.x86_64                         7:3.1.10-20.el6_5.3
> 
> The https sites work fine if I put a direct hole in the firewall to 
> allow internet traffic directly out - but this is not a solution.
> 
> Thanks, Glenn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUNF1uAAoJENxnfXtQ8ZQUlfYH/i0o9MQDTt8g5aINRljVSMZc
btC8mcYn/JYn4WUPIoOc4/MhvuYg0JO6hXsSoPxjI1khMrq9fTV2c8eaLItWqYCf
hjioWPJs2hPwfw6WDi0I6kF0Is+hD/MGsJci7s+jg593lHnm+ZjoDIHj0aCpcdgy
u95961yZWXINbYsjTirFftnX5UC5MWbwZjaah6zW84RKZl/pa1vJM/tdgqiLdE5V
GDNhS01mbKPfin8oc/RQk4nYAK39vncSebvSHJwkvPJIKlb54Yti64j6qUfPsav3
uUvIVKSpxZjFFJoLtw1zjn1MwyynoHNGT1lP+HptsGkDoeGJ6YWU/IwB1sFKcVk=
=GKmE
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
 
This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify the Bradnam Group Helpdesk at helpdesk at bradnams.com.au 

Any information, statements or opinions contained in this message (including any attachments) are given by the author. They are not given on behalf of the Bradnam Group unless subsequently confirmed by an individual other than the author who is duly authorised to represent the Bradnam Group (or any of its subsidiary and associate companies).

All sent and received email from/to the Bradnam Group (or any of its subsidiary and associate companies) is automatically scanned for the presence of computer viruses, security issues and inappropriate content.

For further information on the services which the Bradnam Group provides visit our web
site(s) at www.bradnams.com.au or www.nationalglass.com.au _______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


More information about the squid-users mailing list