[squid-users] Errors in cache.log

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 23 05:26:57 UTC 2016


On 23/09/2016 6:11 a.m., erdosain9 wrote:
> Hi.
> Im having this message in cache.log
> 
>  Error negotiating SSL on FD 121: error:00000000:lib(0):func(0):reason(0)
> (5/0/0)
> 2016/09/22 14:20:36 kid1| BUG: Unexpected state while connecting to a
> cache_peer or origin server
> 2016/09/22 14:29:23 kid1| Error negotiating SSL connection on FD 33:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2016/09/22 14:29:24 kid1| Error negotiating SSL connection on FD 33:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2016/09/22 14:32:02 kid1| WARNING: HTTP: Invalid Response: No object data
> received for
> https://r3---sn-q4f7sn7l.googlevideo.com/videoplayback?pl=21&itag=242&dur=3973.160&source=youtube&keepalive=yes&expire=1474585097&mime=video%2Fwebm&signature=14F5607A717C8A9DD579A55C69F6CDF4C2308FC5.47CE0A2B9F54F2C8C4042FF7797A08708951C276&clen=12532131&gir=yes&key=cms1&ip=190.113.224.106&ipbits=0&id=o-ABdgV3GldzFU1c8jBp6s_27abh9g_9c3hA0dbUgDkgjM&upn=4Xlvne-1RrE&lmt=1449585312748326&sparams=clen,dur,ei,expire,gir,id,initcwndbps,ip,ipbits,itag,keepalive,lmt,mime,mm,mn,ms,mv,nh,pl,requiressl,source,upn&ei=qQ3kV7rtJNT0wQTR0I_oDg&requiressl=yes&cpn=jdZ-1Vthefy2q9Og&alr=yes&ratebypass=yes&c=WEB&cver=1.20160921&redirect_counter=1&req_id=ad722d06312b3cfc&cms_redirect=yes&mm=34&mn=sn-q4f7sn7l&ms=ltu&mt=1474563648&mv=m&nh=IgpwcjAyLmV6ZTAxKgkxMjcuMC4wLjE&range=8224151-8353222&rn=840&rbuf=585667
> AKA
> r3---sn-q4f7sn7l.googlevideo.com/videoplayback?pl=21&itag=242&dur=3973.160&source=youtube&keepalive=yes&expire=1474585097&mime=video%2Fwebm&signature=14F5607A717C8A9DD579A55C69F6CDF4C2308FC5.47CE0A2B9F54F2C8C4042FF7797A08708951C276&clen=12532131&gir=yes&key=cms1&ip=190.113.224.106&ipbits=0&id=o-ABdgV3GldzFU1c8jBp6s_27abh9g_9c3hA0dbUgDkgjM&upn=4Xlvne-1RrE&lmt=1449585312748326&sparams=clen,dur,ei,expire,gir,id,initcwndbps,ip,ipbits,itag,keepalive,lmt,mime,mm,mn,ms,mv,nh,pl,requiressl,source,upn&ei=qQ3kV7rtJNT0wQTR0I_oDg&requiressl=yes&cpn=jdZ-1Vthefy2q9Og&alr=yes&ratebypass=yes&c=WEB&cver=1.20160921&redirect_counter=1&req_id=ad722d06312b3cfc&cms_redirect=yes&mm=34&mn=sn-q4f7sn7l&ms=ltu&mt=1474563648&mv=m&nh=IgpwcjAyLmV6ZTAxKgkxMjcuMC4wLjE&range=8224151-8353222&rn=840&rbuf=585667
> Error negotiating SSL on FD 91: error:00000000:lib(0):func(0):reason(0)
> (5/-1/104)
> 

Firstly, it is not one message. It is 4 and one partial message.

They may be related log entries, or maybe not. It is hard to say when
they are occurring across ~12 minutes. A single TLS handshake should be
much faster than that, so I suspect they are a mix of at least three
different transactions worth of info.


> 
> 
> Sometimes in webbrowser give something like bad CA
> 
> or this (IPV6??)
> 

The below error is not necessarily IPv6 related. It shows an IPv6
address because you configured "dns_v4_first on", so the _last_ thing to
be tried was that IPv6 address.

What it means is that *all* the IPv4 and IPv6 ways to contact the server
are not working.


> The following error was encountered while trying to retrieve the URL:
> https://www.facebook.com/*
> 
> Connection to 2a03:2880:f105:83:face:b00c:0:25de failed.
> 
> The system returned: (101) Network is unreachable
> 
> The remote host or network may be down. Please try the request again.
> 
> Your cache administrator is webmaster.
> 
> This is my config
> 
> #
> # Recommended minimum configuration:
> #
> 

<snip commented out ACL definitions>

> 
> ####GRUPOS DE IP
> acl full src "/etc/squid/ips/full.lst"
> acl limitado src "/etc/squid/ips/limitado.lst"
> acl sistemas src "/etc/squid/ips/sistemas.lst"
> acl adminis  src "/etc/squid/ips/adminis.lst"

<snip commented out lines>

> 
> ####Bloquea Publicidad ( http://pgl.yoyo.org/adservers/ )
> acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
> http_access deny ads

<snip commented out lines>

> acl stream url_regex -i \.flv$
> acl stream url_regex -i \.mp4$
> acl stream url_regex -i watch?
> acl stream url_regex -i youtube
> acl stream url_regex -i facebook
> acl stream url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
> acl stream url_regex -i fbcdn\.net\/v\/(.*\.jpg)\? 
> acl stream url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
> acl stream url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?
> 
> ##Dominios denegados
> acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"
> 
> ##Extensiones bloqueadas
> acl multimedia urlpath_regex "/etc/squid/listas/multimedia.lst"
> 
> ##Extensiones peligrosas
> acl peligrosos urlpath_regex "/etc/squid/listas/peligrosos.lst"
> 
> #Bypass squid
> #acl bypass_dst_dom  dstdomain "/etc/squid/listas/bypass_dst_domain.lst"
> 
> ##Redes sociales
> acl redes_sociales url_regex -i “/etc/squid/listas/redes_sociales.lst”
> 
> 
> #Puertos
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl SSL_ports port 8080
> 
> acl Safe_ports port 631		# httpCUPS
> acl Safe_ports port 80		# http
> acl Safe_ports port 21		# ftp
> acl Safe_ports port 443		# https
> acl Safe_ports port 70		# gopher
> acl Safe_ports port 210		# wais
> acl Safe_ports port 8443        # httpsalt
> acl Safe_ports port 1025-65535	# unregistered ports
> acl Safe_ports port 280		# http-mgmt
> acl Safe_ports port 488		# gss-http
> acl Safe_ports port 591		# filemaker
> acl Safe_ports port 777		# multiling http
> acl Safe_ports port 8080	# edesur y otros
> acl CONNECT method CONNECT
> 
> 
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> #http_access allow adminsquid manager
> http_access deny manager
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 

<snip commented out lines in the below rules>

> http_access allow localhost
> http_access allow limitado !dominios_denegados !multimedia !peligrosos
> http_access allow full !peligrosos
> http_access allow adminis !multimedia
> http_access allow sistemas
> http_access deny all
> 

> http_port 192.168.1.97:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=5MB cert=/etc/squid/ssl_cert/myca.pem
> key=/etc/squid/ssl_cert/myca.pem 
> 
> sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt
> 

<snip commented out lines>

> 
> ############################################################
> acl excluidosSSL dstdomain "/etc/squid/listas/excluidosSSL.lst"
> ssl_bump none excluidosSSL
> 
> # SSL Bump Config
> ssl_bump stare all  
> ssl_bump bump all 

The "none" action from Squid-3.1 bumping design is not compatible with
"stare" and "bump" actions from Squid-3.4+ bumping design.

I believe this incorrect mix of bumping actions is probably the cause of
some of the TLS errors you are encountering.

Use "splice excluidosSSL" instead. To get the splice to work you may
need to peek at bumping step #1 instead of stare'ing.

> 
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> 

Very bad options. When combined they destroy all security benefits TLS is
supposed to provide.

Remove those lines, then fix any specific issues that occur afterwards
via a more correct fix.


> #
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 5MB
> sslcrtd_children 8 startup=1 idle=1
> 
> #OJO ESTO!
> always_direct allow all

Above rule has no effect. You do not have any cache_peer configured.


> 
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir aufs /var/spool/squid 1000 16 256
> 
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
> 
> #
> # Add any of your own refresh_pattern entries above these.

Notice what the above line says. It is important ...

> #
> refresh_pattern ^ftp:		1440	20%	10080
> refresh_pattern ^gopher:	1440	0%	1440
> refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
> refresh_pattern .		0	20%	4320
> 
> #obliga el cache de imagenes .jgp
> 
> refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
> ignore-private

... this refresh_pattern is never reached nor used, because it does not
go above the default patterns.


<snip comments>
> 
> ###ACTIVAR EN CASO DE "Connection reset by peer" EN MUCHOS HOST
> via off
> forwarded_for delete
> ###
> 
> #Pools para ancho de Banda
> delay_pools 6
> 
> ###VELOCIDAD PARA REDES SOCIALES
> delay_class 1 1
> delay_parameters 1 10000/100000
> delay_access 1 allow redes_sociales limitado
> delay_access 1 allow redes_sociales full
> delay_access 1 allow redes_sociales adminis
> delay_access 1 deny all
> 
> 
> #Limitar Video Streaming a 20k
> delay_class 2 1
> delay_parameters 2 40000/100000
> delay_access 2 allow stream adminis
> delay_access 2 allow stream full
> delay_access 2 allow stream limitado
> delay_access 2 deny all
> 
> #Limitar Video Streaming a 500k
> delay_class 3 1
> delay_parameters 3 500000/500000
> delay_access 3 allow stream sistemas
> delay_access 3 deny all
> 
> #Ancho de Banda Administracion
> delay_class 4 1
> delay_parameters 4 256000/256000
> delay_access 4 allow adminis
> delay_access 4 deny all
> 

Note: requests which match the "redes_sociales adminis" ACLs have BOTH
pool #1 and pool #4 restrictions applied to them.

Note: requests which match the "stream adminis" ACLs have BOTH pool #2
and pool #4 restrictions applied to them.

> 
> #Ancho de Banda Sistemas
> delay_class 5 2
> delay_parameters 5 512000/512000 64000/256000
> delay_access 5 allow sistemas
> delay_access 5 deny all
> 

Note: requests which match the "redes_sociales sistemas" ACLs have BOTH
pool #1 and pool #5 restrictions applied to them.

Note: requests which match the "stream sistemas" ACLs have BOTH pool #3
and pool #5 restrictions applied to them.

> #Ancho de Banda Logistica
> delay_class 6 2
> delay_parameters 6 256000/256000 30000/125000
> delay_access 6 allow limitado
> delay_access 6 deny all
> 

Note: requests which match the "redes_sociales limitado" ACLs have BOTH
pool #1 and pool #6 restrictions applied to them.

Note: requests which match the "stream limitado" ACLs have BOTH pool #2
and pool #6 restrictions applied to them.


> ###ACTIVAR EN CASO DE "Connection reset by peer" EN MUCHOS HOST
> via off
> forwarded_for delete

These details are duplicated above the delay pool stuff. Remove the
duplication.


> visible_hostname squid

This needs to be a FQDN. That will reduce the number of problems you
have with the Via header being sent out.


> 
> # try connecting to first 25 ips of a domain name
> forward_max_tries 25
> 
> # fix some ipv6 errors (recommended to comment out)
> dns_v4_first on
> 

FYI: This does not fix any IPv6 errors. It hides IPv6 problems by making
Squid first try IPv4 when contacting servers unless their IPv4 is broken
or unavailable.

One should never consider it a "fix". At best it is a temporary
workaround that will cease working as the Internet migrates to IPv6-only
(which has already begun in some parts of the world).

Amos
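
As an added example, not code from the original thread or from the Squid project: a small Python lint that scans squid.conf text for the three problems pointed out in the reply above (the refresh_pattern placed after the catch-all and never reached, the Squid-3.1 "none" action mixed with 3.4+ "stare"/"bump", and the sslproxy_cert_error allow all + DONT_VERIFY_PEER pair that disables certificate checking). SAMPLE_CONF is constructed from the quoted configuration and FIXED_CONF shows the same fragment corrected as the reply suggests (splice plus a peek at step 1, the jpg pattern moved above the defaults, the two verification-disabling lines removed).

```python
# Added example, not Squid's own tooling: lint squid.conf text for the three
# problems raised above. SAMPLE_CONF is constructed from the quoted config;
# FIXED_CONF is the same fragment corrected as the reply suggests.
SAMPLE_CONF = r"""ssl_bump none excluidosSSL
ssl_bump stare all
ssl_bump bump all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store"""
FIXED_CONF = r"""acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice excluidosSSL
ssl_bump bump all
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320"""
NEW_ACTIONS = {"peek", "stare", "bump", "splice", "terminate"}  # Squid-3.4+ design

def directives(conf):
    """Yield (lineno, directive, args) for each non-empty, non-comment line."""
    for n, raw in enumerate(conf.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if words:
            yield n, words[0], words[1:]

def lint(conf):
    """Return [(lineno, message)]; lineno 0 marks a whole-file finding."""
    findings, catchall_at, actions = [], None, set()
    cert_error_all = verify_off = False
    for n, d, args in directives(conf):
        if d == "refresh_pattern":
            pattern = args[1] if args[:1] == ["-i"] else (args[0] if args else "")
            if catchall_at is not None:  # 'refresh_pattern .' already matched everything
                findings.append((n, "never reached: catch-all '.' is on line %d" % catchall_at))
            elif pattern == ".":
                catchall_at = n
        elif d == "ssl_bump" and args:
            actions.add(args[0])
        elif d == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            cert_error_all = True
        elif d == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            verify_off = True
    if "none" in actions and actions & NEW_ACTIONS:
        findings.append((0, "ssl_bump mixes 3.1-era 'none' with 3.4+ actions; use 'splice'"))
    if cert_error_all and verify_off:
        findings.append((0, "cert_error allow all + DONT_VERIFY_PEER disables certificate checking"))
    return findings
```

Running lint(SAMPLE_CONF) reports all three findings, while lint(FIXED_CONF) returns an empty list.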