[squid-users] Intermittent 409 Error to google.com

Amos Jeffries squid3 at treenet.co.nz
Thu Aug 17 09:06:13 UTC 2017


On 17/08/17 20:18, hoje wrote:
> Hi,
> 
> I have set up a squid server (squid-3.5.26-20170702-r14182) to filter
> http/https. It was working fine with up to 90 users except for one thing. A few
> PCs would not be able to connect to https sites (e.g. google, yahoo, facebook)
> intermittently. Clearing SSL State in user PCs (Windows->Control
> Panel->Internet Properties) helps sometimes (sometimes not). Please
> advise. Thank you.

This is <https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>. 
Google domains have issues due to their large numbers of DNS entries and 
rotating in and out of view. The workarounds listed at the bottom of 
that page may be of some use to reduce the problem, but unfortunately it 
is not yet completely resolvable.


There are also some improvements you can make to the config below.

> 
> my squid setup
> ----------------
> (WAN)---(router)---(linux+bridge+squid)---(user)
> 
> e.g access.log
> ---------------
> 1502955689.139      0 10.40.21.24 TAG_NONE/409 4088 CONNECT
> www.google.com:443 - HIER_NONE/- text/html
> 
> my squid.conf
> ---------------
> max_filedesc 65535
> dns_v4_first on
> request_timeout 5 minutes
> 
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> 
> http_access deny !Safe_ports
> http_access allow localhost manager
> http_access allow localnet manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> 
> http_port 0.0.0.0:3128 intercept
> http_port 0.0.0.0:3130
> https_port 0.0.0.0:3129 intercept ssl-bump connection-auth=off cert=/etc/squid/squidCA.pem

Add the option sslflags=NO_DEFAULT_CA

> 
> always_direct allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

Remove these 3 lines. They are either old hacks no longer necessary, or 
outright wrong for use.

You may see some TLS/SSL errors occurring after removing. Look into those 
issues carefully and use an appropriate fix for the problems you see. 
The above is not a fix.

> 
> acl test ssl::server_name "/etc/squid/test.txt"
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump terminate test
> ssl_bump splice all
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> 
> cache_dir ufs /var/spool/squid 15360 16 256
> cache_swap_low 87
> cache_swap_high 90
> 
> coredump_dir /var/spool/squid
> 
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> url_rewrite_program /usr/bin/squidGuard
> redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

Replace both the above lines with this line (mind the wrap):

  url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf


HTH
Amos
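The following is an added illustration, not part of the thread and not Squid's source code: a simplified model of the Host header forgery check Amos links to above. An intercepting proxy compares the original destination IP of the intercepted TCP connection with the addresses the proxy itself resolves for the Host/SNI name; when a provider hands out a rotating subset of a large address pool, the client's resolver and the proxy's resolver can disagree, and the request is rejected on some attempts but not others. The two resolver snapshots and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""
Model of an intercepting proxy's destination-vs-Host verification.
Added example: this is NOT Squid's implementation, only the comparison
it performs, reproduced over constructed in-memory DNS snapshots.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Constructed DNS snapshots. A large provider returns a small, rotating subset
# of a much bigger address pool, so two resolvers (or one resolver a few
# seconds apart) routinely disagree. Addresses are RFC 5737 documentation
# ranges, used here for illustration only.
CLIENT_RESOLVER: Dict[str, FrozenSet[str]] = {
    "www.google.com": frozenset({"198.51.100.10", "198.51.100.11"}),
    "www.example.org": frozenset({"203.0.113.5"}),
}
PROXY_RESOLVER: Dict[str, FrozenSet[str]] = {
    # Overlaps with the client only on .11; .10 has rotated "out of view".
    "www.google.com": frozenset({"198.51.100.11", "198.51.100.12"}),
    "www.example.org": frozenset({"203.0.113.5"}),
}


@dataclass(frozen=True)
class InterceptedConnect:
    client_ip: str
    original_dst_ip: str   # where the client's TCP SYN was actually headed
    server_name: str       # hostname from the TLS SNI / CONNECT target


def verify_destination(conn: InterceptedConnect,
                       resolver: Dict[str, FrozenSet[str]]) -> bool:
    """True if the intercepted destination IP is one the proxy itself resolves
    for the claimed server name. False is the forgery-suspected case, which
    Squid logs as a 409 with TAG_NONE/HIER_NONE (as in the post's access.log)."""
    return conn.original_dst_ip in resolver.get(conn.server_name, frozenset())


def simulate(client_resolver: Dict[str, FrozenSet[str]],
             proxy_resolver: Dict[str, FrozenSet[str]],
             host: str,
             client_ip: str = "10.40.21.24") -> Dict[str, bool]:
    """Replay one CONNECT per address the client might pick for `host` and
    record whether the proxy's check passes. Intermittency appears because
    the client picks a different address on different attempts."""
    results = {}
    for dst in sorted(client_resolver[host]):
        conn = InterceptedConnect(client_ip, dst, host)
        results[dst] = verify_destination(conn, proxy_resolver)
    return results


if __name__ == "__main__":
    for host in ("www.google.com", "www.example.org"):
        print(host, "split resolvers:", simulate(CLIENT_RESOLVER, PROXY_RESOLVER, host))
        # Same resolver on both sides removes the disagreement entirely.
        print(host, "shared resolver:", simulate(CLIENT_RESOLVER, CLIENT_RESOLVER, host))
```

The model makes the mitigation visible: any address the client's resolver returns that the proxy's resolver does not is a failed attempt, so pointing clients and the proxy at the same resolver (and keeping answers cached consistently) shrinks the failure window, while large rotating pools mean it cannot be eliminated outright, as Amos notes.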
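As a second added example (again not from the thread), a small parser for Squid's native access.log format that quantifies how intermittent the problem is: it counts CONNECT attempts per destination, picks out the TAG_NONE/409 HIER_NONE denials like the one hoje posted, and reports a denial rate per destination and per client. The first log line is the one from the post; the remaining lines are constructed to show the pattern.

```python
"""
Summarise Host-forgery style denials in Squid native access.log output.
Added example; field order follows Squid's default native format:
time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: line 1 is from the original post, the rest are made up.
SAMPLE_LOG = """\
1502955689.139      0 10.40.21.24 TAG_NONE/409 4088 CONNECT www.google.com:443 - HIER_NONE/- text/html
1502955690.201    312 10.40.21.24 TCP_TUNNEL/200 5120 CONNECT www.google.com:443 - ORIGINAL_DST/198.51.100.11 -
1502955702.003      0 10.40.21.31 TAG_NONE/409 4088 CONNECT www.google.com:443 - HIER_NONE/- text/html
1502955710.447    289 10.40.21.31 TCP_TUNNEL/200 7311 CONNECT www.example.org:443 - ORIGINAL_DST/203.0.113.5 -
1502955733.512      0 10.40.21.24 TAG_NONE/409 4088 CONNECT www.google.com:443 - HIER_NONE/- text/html
1502955741.888     54 10.40.21.50 TCP_MISS/200 2310 GET http://www.example.org/ - HIER_DIRECT/203.0.113.5 text/html
"""


class Entry(NamedTuple):
    ts: float
    client: str
    tag: str        # e.g. TAG_NONE, TCP_TUNNEL
    status: int     # HTTP status Squid returned
    method: str
    url: str
    hierarchy: str  # e.g. HIER_NONE, ORIGINAL_DST


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for blank/short lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    tag, _, status = fields[3].partition("/")
    hierarchy, _, _peer = fields[8].partition("/")
    return Entry(float(fields[0]), fields[2], tag, int(status),
                 fields[5], fields[6], hierarchy)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_forgery_denial(e: Entry) -> bool:
    """Squid rejects a CONNECT whose destination fails the Host check with
    409 and no upstream contact, hence TAG_NONE/409 ... HIER_NONE/-."""
    return (e.method == "CONNECT" and e.status == 409
            and e.tag == "TAG_NONE" and e.hierarchy == "HIER_NONE")


def summarize(entries: List[Entry]) -> Tuple[Dict[str, dict], Counter]:
    """Per destination: CONNECT count, denials and denial rate.
    Per client: number of denials (which PCs are hit hardest)."""
    per_dst: Dict[str, dict] = defaultdict(lambda: {"connects": 0, "denied": 0})
    per_client: Counter = Counter()
    for e in entries:
        if e.method != "CONNECT":
            continue
        d = per_dst[e.url]
        d["connects"] += 1
        if is_forgery_denial(e):
            d["denied"] += 1
            per_client[e.client] += 1
    for d in per_dst.values():
        d["denial_rate"] = d["denied"] / d["connects"]
    return dict(per_dst), per_client


if __name__ == "__main__":
    dsts, clients = summarize(parse_log(SAMPLE_LOG))
    for url, d in sorted(dsts.items()):
        print(f"{url:25} connects={d['connects']} denied={d['denied']} "
              f"rate={d['denial_rate']:.0%}")
    print("denials per client:", dict(clients))
```

Running it over real logs before and after applying the workarounds from the wiki page gives a concrete denial rate to compare, rather than relying on users reporting "sometimes it works".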

