[squid-users] https issues for google

Tue Oct 7 07:55:52 UTC 2014

Either find the error from the log file or run tcpdump to capture the 
traffic to start with.

- CW
On 10/7/2014 11:51 AM, glenn.groves at bradnams.com.au wrote:
> Hi All,
>
> We have a weird issue where https sites apparently don't respond (get message "this page can't be displayed"). This mainly affects google websites and to a lesser affect youtube. It has been reported it may have affected some banking sites but this is unconfirmed. We are running centos 6.5 with up to date squid from the centos repositories.
>
> Here is the version of squid:
> yum list installed | grep squid
> squid.x86_64                         7:3.1.10-20.el6_5.3
>
> The https sites work fine if I put a direct hole in the firewall to allow internet traffic directly out - but this is not a solution.
>
> Thanks, Glenn
>
> Below is the conf file:
>
> ### /etc/squid/squid.conf Configuration File ####
>
> ### cache manager
> cache_mgr somone at email.com
>
> ### negotiate kerberos and ntlm authentication
> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxycen.email.com
> auth_param negotiate children 50
> auth_param negotiate keep_alive off
>
> ### pure ntlm authentication
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
> auth_param ntlm children 200
> # auth_param ntlm max_challenge_lifetime 5 minutes
> auth_param ntlm keep_alive off
>
> ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=DOMAIN,dc=com " -D squid at email.com -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h SERVER.email.com
> auth_param basic children 100
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
>
> ### ldap authorisation
> # external_acl_type memberof children=300 %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -b "dc=DOMAIN,dc=com,dc=au" -D squid at email.com -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g, ou=Internet,ou=DOMAIN Groups,ou=DOMAIN,dc=DOMAIN,dc=com,dc=au))" -h SERVER.email.com
>
> ### Squid Cache Manager
> cachemgr_passwd none info
>
> cache_dir aufs /var/spool/squid 30000 16 256
> minimum_object_size 2 KB
> maximum_object_size 10 MB
> cache_swap_low 95
> cache_swap_high 97
>
> ### acl for proxy auth and ldap authorizations
> acl SSL method CONNECT
> acl allowedsites        dstdomain "/etc/squid/allowedsites.txt"
> acl auth proxy_auth REQUIRED
> #   aclname             acltype  typename activedirectorygroup
> # acl BlockedAccess       external memberof "/etc/squid/blocked_access.txt"
> # acl RestrictedAccess    external memberof "/etc/squid/restricted_access.txt"
> # acl StandardAccess      external memberof "/etc/squid/standard_access.txt"
> # acl ExceptionAccess     external memberof "/etc/squid/exception_access.txt"
> # acl FullAccess          external memberof "/etc/squid/full_access.txt"
> # acl AnonymousAccess     external memberof "/etc/squid/anonymous_access.txt"
> # acl allowedsites        dstdomain "/etc/squid/allowedsites.txt"
> # acl blockedsites        dstdomain "/etc/squid/blockedsites.txt"
> # acl exceptedsites       dstdomain "/etc/squid/exceptedsites.txt"
> acl prioritysites       dstdomain "/etc/squid/prioritysites.txt"
>
> ### squid defaults
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl allowedsite124 src 192.168.124.0/24
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 17500       # dropbox
> #http_access deny CONNECT !SSL_ports
> #http_access allow SSL_ports
> http_access allow allowedsites
> acl CONNECT method CONNECT
> acl cacheadmin src 192.168.11.221 192.168.8.175
> http_access allow manager localhost
> http_access allow manager cacheadmin
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
>
> ### http_access rules
> # allow unrestricted access to prioritysites
> http_access allow prioritysites
> # enforce authentication, order of rules is important for authorization levels
> http_access allow allowedsite124
> http_access deny !auth
> # prevent access to basic auth prompt for BlockedAccess users
> # http_access deny BlockedAccess all
> # http_access allow allowedsites
> # http_access deny RestrictedAccess all
> # http_access allow AnonymousAccess auth
> # http_access allow FullAccess auth
> # http_access allow exceptedsites ExceptionAccess auth
> # http_access deny blockedsites
> # http_access allow StandardAccess auth
> http_access allow auth
> # http_access deny !auth
> # DO NOT REMOVE THE FOLLOWING LINE
> http_access deny all
>
> ### logging
> access_log /var/log/squid/access.log squid
>
> ### Set memory manually, to allow it to use more of the system
> cache_mem 1024 MB
>
> ### squid Debian defaults
> http_port 8080
> hierarchy_stoplist cgi-bin ?
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> [root at proxycen squid]#
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users