[squid-users] SSL TAG_NONE/503 errors

Enrico Heine flashdown at data-core.org
Wed Dec 6 17:51:45 UTC 2017


Hi,

Can you confirm that squid is able to resolve these hostnames? If not, try browsing to them without https and check whether squid gives you an error message.

Did you check the cache.log as well?

Br Enrico

On 6 December 2017 17:38:24 CET, Hugo Saavedra <hugo.saavedra.oteiza at gmail.com> wrote:
>Hi All,
>
>We have the following setup of a transparent squid box:
>OS: CentOS release 6.9 (Final)
>Squid Cache: Version 3.5.26-20170625-r14174
>Compile options:
>   '--with-included-ltdl' '--enable-icap-client'
>'--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
>'--enable-icmp' '--enable-snmp' '--prefix=/usr'
>'--includedir=/usr/include' '--datadir=/usr/share'
>'--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
>'--localstatedir=/var' '--sysconfdir=/etc/squid'
>--enable-ltdl-convenience
>
>Endpoints are redirected to the Squid box using a policy route for
>TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We
>are using ssl bump for ssl, but there is a strange behavior: some
>websites open well, but some break and get TAG_NONE/503
>errors in the access log:
>
>1512561423.930      1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html
>1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65? - HIER_NONE/- text/html
>1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html
>1512566858.355    186 192.168.1.104 TAG_NONE/503 31436 GET https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp - HIER_NONE/- text/html
>
>In the same time range, other websites load well:
>
>1512561134.548    306 192.168.1.112 TCP_MISS/302 572 GET https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12 image/gif
>1512561139.701    216 192.168.1.148 TCP_MISS/200 386 POST https://cloud-ecs.gravityzone.bitdefender.com/hydra - ORIGINAL_DST/107.20.215.8 application/json
>1512561142.180     13 192.168.1.112 TCP_MISS/200 419 GET https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
>1512561142.410    243 192.168.1.112 TCP_MISS/200 286 GET https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21 text/javascript
>
>
>IPTABLES CONFIGURATION
>=======================
># PREROUTING INTERCEPT PBR
>
>*nat
>:PREROUTING ACCEPT [0:0]
>:POSTROUTING ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
>-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>COMMIT
>
>*filter
>:INPUT ACCEPT [0:0]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>
>#WEB
>-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 80 -j ACCEPT
>-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 443 -j ACCEPT
>
>-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3128 -j ACCEPT
>-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3129 -j ACCEPT
>-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3130 -j ACCEPT
>-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3131 -j ACCEPT
>
>#default
>-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>-A INPUT -p icmp -j ACCEPT
>-A INPUT -i lo -j ACCEPT
>-A INPUT -j REJECT --reject-with icmp-host-prohibited
>-A FORWARD -j REJECT --reject-with icmp-host-prohibited
>COMMIT
>
>
>SQUID CONFIGURATION
>====================
>
>#WHITE LIST
>acl exclWL url_regex "/etc/squid/white_url.squid"
>acl neoWL url_regex "/etc/squid/neowl.squid"
>http_access allow exclWL
>http_access allow neoWL
>cache deny exclWL
>cache deny neoWL
>always_direct allow exclWL
>always_direct allow neoWL
>
>#Malicious URLs
>acl dom url_regex "/etc/squid/dom.squid"
>acl cc url_regex "/etc/squid/cc.squid"
>http_access deny dom
>http_access deny cc
>
>#BLACK LIST
>acl exclBL url_regex "/etc/squid/black_url.squid"
>acl neoBL url_regex "/etc/squid/neobl.squid"
>http_access deny exclBL
>http_access deny neoBL
>
>#ACLS BASE
>acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>acl localnet src fc00::/7       # RFC 4193 local private network range
>acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>acl SSL_ports port 443
>acl SSL_ports port 3129
>acl Safe_ports port 80          # http
>acl Safe_ports port 21          # ftp
>acl Safe_ports port 443         # https
>acl Safe_ports port 70          # gopher
>acl Safe_ports port 210         # wais
>acl Safe_ports port 1025-65535  # unregistered ports
>acl Safe_ports port 280         # http-mgmt
>acl Safe_ports port 488         # gss-http
>acl Safe_ports port 591         # filemaker
>acl Safe_ports port 777         # multiling http
>acl CONNECT method CONNECT
>acl HTTPS proto HTTPS
>
>include /etc/squid/acls_whitelist.conf
>acl useragent browser "/etc/squid/useragent.squid"
>range_offset_limit 0 !useragent
>minimum_object_size 0 bytes
>maximum_object_size 3 GB
>quick_abort_min -1
>delay_pools 1
>delay_class 1 1
>delay_parameters 1 128000/128000
>delay_access 1 deny SSL_ports
>delay_access 1 allow !useragent
>delay_access 1 deny all
>
>#cache conf
>max_filedescriptors 24576
>memory_cache_mode disk
>cache_mem 0 MB
>cache allow all
>minimum_object_size 0 bytes
>maximum_object_size 20 MB
>sslproxy_flags DONT_VERIFY_PEER
>connect_timeout 8 seconds
>
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports
>http_access allow localhost manager
>http_access deny manager
>http_access allow localnet
>http_access allow localhost
>http_access deny all
>reply_header_access Alternate-Protocol deny all
>
>http_port 3130
>http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>http_port 3128 intercept
>https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem
>
>cache_dir ufs /var/cache/squid 9000 16 256
>cache_store_log /var/log/squid/store.log
>cache_effective_user squid
>visible_hostname Proxy
>
>refresh_pattern ^ftp:           1440    20%     10080
>refresh_pattern ^gopher:        1440    0%      1440
>refresh_pattern -i (/cgi-bin/|\?) 2     20%     10
>refresh_pattern .               2       20%     10      ignore-reload override-expire ignore-no-cache ignore-no-store store-stale ignore-private ignore-must-revalidate ignore-auth
>refresh_pattern -i \.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1 20% 4 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
>
>
>#SSL BUMP
>include /etc/squid/ssl.conf
>
>#LOGGING
>access_log /var/log/squid/access.log
>access_log /var/log/squid/access_c2.log cc
>access_log /var/log/squid/access_c2.log dom
>access_log /var/log/squid/splc.log excludeSSL
>cache_log /dev/null
>coredump_dir /var/cache/squid
>
>#ICAP
>icap_enable on
>icap_send_client_ip on
>icap_send_client_username on
>icap_client_username_header X-Authenticated-User
>icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>adaptation_access service_req allow useragent
>icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>adaptation_access service_resp allow useragent
>
>#X FORWARDED FOR
>forwarded_for on
>
>SSL.conf
>=======
>
>sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
>sslproxy_cafile /etc/squid/intermediate_ca.pem
>sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
>sslcrtd_children 16 startup=5 idle=1
>
>acl FakeCert ssl::server_name .apple.com
>acl FakeCert ssl::server_name .icloud.com
>acl FakeCert ssl::server_name .mzstatic.com
>acl FakeCert ssl::server_name .dropbox.com
>acl ssl_step1 at_step SslBump1
>acl ssl_step2 at_step SslBump2
>acl ssl_step3 at_step SslBump3
>
>ssl_bump peek ssl_step1
>ssl_bump splice GlobalWhitelistDSTNet
>ssl_bump splice GlobalWhitelistDomainsRx
>ssl_bump splice GlobalWhitelistDomains
>ssl_bump splice FakeCert
>ssl_bump bump ssl_step2 all
>ssl_bump splice all
>sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>sslproxy_flags DONT_VERIFY_PEER
>sslproxy_cert_error allow all
>sslproxy_cert_error deny all
>
>acls_whitelist.conf
>=============
>
>acl WindowsUpdates dstdomain officecdn.microsoft.com
>acl WindowsUpdates dstdomain windowsupdate.microsoft.com
>acl WindowsUpdates dstdomain ntservicepack.microsoft.com
>acl WindowsUpdates dstdomain download.microsoft.com
>acl WindowsUpdates dstdomain .windowsupdate.com
>acl WindowsUpdates dstdomain .windowsupdate.net
>acl WindowsUpdates dstdomain .update.microsoft.com
>acl WindowsUpdates dstdomain .mp.microsoft.com
>acl WindowsUpdates dstdomain .ws.microsoft.com
>acl GlobalWhitelistDomains dstdomain "/etc/squid/acls_whitelist.dstdomain.conf"
>acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
>acl GlobalWhitelistDomainsRx dstdom_regex -i "/etc/squid/acls_whitelist.dstdom_regex.conf"
>acl GlobalWhitelistBrowsers browser -i "/etc/squid/acls_whitelist.browser.conf"
>http_access allow GlobalWhitelistDomains
>url_rewrite_access deny GlobalWhitelistDomains
>http_access allow GlobalWhitelistDSTNet
>url_rewrite_access deny GlobalWhitelistDSTNet
>http_access allow GlobalWhitelistDomainsRx
>url_rewrite_access deny GlobalWhitelistDomainsRx
>http_access allow GlobalWhitelistBrowsers
>
>
>Anyone with the same TAG_NONE/503 error, please help!?
>
>Regards,
>Hugo
>_______________________________________________
>squid-users mailing list
>squid-users at lists.squid-cache.org
>http://lists.squid-cache.org/listinfo/squid-users

-- 
This message was sent from my Android device with K-9 Mail.
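Enrico's first check (can the proxy resolve the hosts behind the failing requests?) can be scripted against the access.log lines quoted in the thread. The following is an added example, not code from the thread or from Squid: it parses the native log format shown in the post, picks out the TAG_NONE/503 entries that carry HIER_NONE/- (Squid produced the error itself and never reached an upstream), and resolves their hostnames from the proxy box; the resolver is injectable so the check can be exercised offline, and the sample lines are reconstructed (unwrapped) copies of the ones in the post.

```python
import re
import socket
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: access.log lines reconstructed (unwrapped) from the thread.
SAMPLE_LOG = [
    "1512561423.930      1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html",
    "1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html",
    "1512561142.180     13 192.168.1.112 TCP_MISS/200 419 GET https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif",
]

# Squid native format: time elapsed client tag/status bytes method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Fields of one native-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def failed_hosts(lines):
    """Per-hostname count of 503s Squid generated itself (TAG_NONE/503 with HIER_NONE/-)."""
    hosts = Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["tag"] == "TAG_NONE" and rec["status"] == "503"
                and rec["hier"] == "HIER_NONE"):
            hosts[urlsplit(rec["url"]).hostname] += 1
    return dict(hosts)

def check_resolution(hosts, resolve=socket.gethostbyname):
    """Resolve each host from the proxy; None marks a failed lookup.
    'resolve' is injectable so the check can run offline."""
    result = {}
    for host in hosts:
        try:
            result[host] = resolve(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            result[host] = None
    return result

def unresolved_failures(lines, resolve=socket.gethostbyname):
    """Hostnames behind TAG_NONE/503 entries that do not resolve."""
    res = check_resolution(failed_hosts(lines), resolve)
    return sorted(h for h, ip in res.items() if ip is None)
```

Run it on the proxy itself, since that is the resolver that matters for intercepted requests; hosts that come back as None point at DNS, while hosts that resolve fine point the search elsewhere (cache.log, as Enrico also suggests).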