[squid-users] SSL TAG_NONE/503 errors

Hugo Saavedra hugo.saavedra.oteiza at gmail.com
Wed Dec 6 18:45:27 UTC 2017


Hi,
Yes, squid is able to resolve those domains. Currently we have
cache.log disabled for performance. Any clues?

Regards,
Hugo

2017-12-06 14:51 GMT-03:00 Enrico Heine <flashdown at data-core.org>:
> Hi,
>
> Can you confirm that squid is able to resolve these hostnames? If not, try
> browsing to them without https and check if squid gives you an error
> message.
>
> Did you check the cache.log as well?
>
> Br Enrico
>
> On 6 December 2017 17:38:24 CET, Hugo Saavedra
> <hugo.saavedra.oteiza at gmail.com> wrote:
>>
>> Hi All,
>>
>> We have the following setup of a transparent squid box:
>> OS: CentOS release 6.9 (Final)
>> Squid Cache: Version 3.5.26-20170625-r14174
>> Compile options:
>>    '--with-included-ltdl' '--enable-icap-client'
>> '--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
>> '--enable-icmp' '--enable-snmp' '--prefix=/usr'
>> '--includedir=/usr/include' '--datadir=/usr/share'
>> '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
>> '--localstatedir=/var' '--sysconfdir=/etc/squid'
>> --enable-ltdl-convenience
>>
>> Endpoints are redirected to the Squid box using a policy route for
>> TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We
>> are using ssl bump for ssl, but there is a strange behavior: some
>> websites open well, but some break and we get TAG_NONE/503
>> errors in the access log:
>>
>> 1512561423.930      1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html
>> 1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65? - HIER_NONE/- text/html
>> 1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html
>> 1512566858.355    186 192.168.1.104 TAG_NONE/503 31436 GET https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp - HIER_NONE/- text/html
>>
>> In the same time-range, other websites load well:
>>
>> 1512561134.548    306 192.168.1.112 TCP_MISS/302 572 GET https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12 image/gif
>> 1512561139.701    216 192.168.1.148 TCP_MISS/200 386 POST https://cloud-ecs.gravityzone.bitdefender.com/hydra- ORIGINAL_DST/107.20.215.8 application/json
>> 1512561142.180     13 192.168.1.112 TCP_MISS/200 419 GET https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
>> 1512561142.410    243 192.168.1.112 TCP_MISS/200 286 GET https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21 text/javascript
>>
>>
>> IPTABLES CONFIGURATION
>> =======================
>> # PREROUTING INTERCEPT PBR
>>
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>> COMMIT
>>
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>>
>> #WEB
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 80 -j ACCEPT
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 443 -j ACCEPT
>>
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3128 -j ACCEPT
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3129 -j ACCEPT
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3130 -j ACCEPT
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3131 -j ACCEPT
>>
>> #default
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>>
>> SQUID CONFIGURATION
>> ====================
>>
>> #WHITE LIST
>> acl exclWL url_regex "/etc/squid/white_url.squid"
>> acl neoWL url_regex "/etc/squid/neowl.squid"
>> http_access allow exclWL
>> http_access allow neoWL
>> cache deny exclWL
>> cache deny neoWL
>> always_direct allow exclWL
>> always_direct allow neoWL
>>
>> #Malicious URLs
>> acl dom url_regex "/etc/squid/dom.squid"
>> acl cc url_regex "/etc/squid/cc.squid"
>> http_access deny dom
>> http_access deny cc
>>
>> #BLACK LIST
>> acl exclBL url_regex "/etc/squid/black_url.squid"
>> acl neoBL url_regex "/etc/squid/neobl.squid"
>> http_access deny exclBL
>> http_access deny neoBL
>>
>> #ACLS BASE
>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl localnet src fc00::/7       # RFC 4193 local private network range
>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>> acl SSL_ports port 443
>> acl SSL_ports port 3129
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl CONNECT method CONNECT
>> acl HTTPS proto HTTPS
>>
>> include /etc/squid/acls_whitelist.conf
>> acl useragent browser "/etc/squid/useragent.squid"
>> range_offset_limit 0 !useragent
>> minimum_object_size 0 bytes
>> maximum_object_size 3 GB
>> quick_abort_min -1
>> delay_pools 1
>> delay_class 1 1
>> delay_parameters 1 128000/128000
>> delay_access 1 deny SSL_ports
>> delay_access 1 allow !useragent
>> delay_access 1 deny all
>>
>> #cache conf
>> max_filedescriptors 24576
>> memory_cache_mode disk
>> cache_mem 0 MB
>> cache allow all
>> minimum_object_size 0 bytes
>> maximum_object_size 20 MB
>> sslproxy_flags DONT_VERIFY_PEER
>> connect_timeout 8 seconds
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> reply_header_access Alternate-Protocol deny all
>>
>> http_port 3130
>> http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> http_port 3128 intercept
>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem
>>
>> cache_dir ufs /var/cache/squid 9000 16 256
>> cache_store_log /var/log/squid/store.log
>> cache_effective_user squid
>> visible_hostname Proxy
>>
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 2     20%     10
>> refresh_pattern .               2       20%     10      ignore-reload override-expire ignore-no-cache ignore-no-store store-stale ignore-private ignore-must-revalidate ignore-auth
>> refresh_pattern -i \.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1 20% 4 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
>>
>>
>> #SSL BUMP
>> include /etc/squid/ssl.conf
>>
>> #LOGGING
>> access_log /var/log/squid/access.log
>> access_log /var/log/squid/access_c2.log cc
>> access_log /var/log/squid/access_c2.log dom
>> access_log /var/log/squid/splc.log excludeSSL
>> cache_log /dev/null
>> coredump_dir /var/cache/squid
>>
>> #ICAP
>> icap_enable on
>> icap_send_client_ip on
>> icap_send_client_username on
>> icap_client_username_header X-Authenticated-User
>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_req allow useragent
>> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_resp allow useragent
>>
>> #X FORWARDED FOR
>> forwarded_for on
>>
>> SSL.conf
>> =======
>>
>> sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
>> sslproxy_cafile /etc/squid/intermediate_ca.pem
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
>> sslcrtd_children 16 startup=5 idle=1
>>
>> acl FakeCert ssl::server_name .apple.com
>> acl FakeCert ssl::server_name .icloud.com
>> acl FakeCert ssl::server_name .mzstatic.com
>> acl FakeCert ssl::server_name .dropbox.com
>> acl ssl_step1 at_step SslBump1
>> acl ssl_step2 at_step SslBump2
>> acl ssl_step3 at_step SslBump3
>>
>> ssl_bump peek ssl_step1
>> ssl_bump splice GlobalWhitelistDSTNet
>> ssl_bump splice GlobalWhitelistDomainsRx
>> ssl_bump splice GlobalWhitelistDomains
>> ssl_bump splice FakeCert
>> ssl_bump bump ssl_step2 all
>> ssl_bump splice all
>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>> sslproxy_flags DONT_VERIFY_PEER
>> sslproxy_cert_error allow all
>> sslproxy_cert_error deny all
>>
>> acls_whitelist.conf
>> =============
>>
>> acl WindowsUpdates dstdomain officecdn.microsoft.com
>> acl WindowsUpdates dstdomain windowsupdate.microsoft.com
>> acl WindowsUpdates dstdomain ntservicepack.microsoft.com
>> acl WindowsUpdates dstdomain download.microsoft.com
>> acl WindowsUpdates dstdomain .windowsupdate.com
>> acl WindowsUpdates dstdomain .windowsupdate.net
>> acl WindowsUpdates dstdomain .update.microsoft.com
>> acl WindowsUpdates dstdomain .mp.microsoft.com
>> acl WindowsUpdates dstdomain .ws.microsoft.com
>> acl GlobalWhitelistDomains dstdomain "/etc/squid/acls_whitelist.dstdomain.conf"
>> acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
>> acl GlobalWhitelistDomainsRx dstdom_regex -i "/etc/squid/acls_whitelist.dstdom_regex.conf"
>> acl GlobalWhitelistBrowsers browser -i "/etc/squid/acls_whitelist.browser.conf"
>> http_access allow GlobalWhitelistDomains
>> url_rewrite_access deny GlobalWhitelistDomains
>> http_access allow GlobalWhitelistDSTNet
>> url_rewrite_access deny GlobalWhitelistDSTNet
>> http_access allow GlobalWhitelistDomainsRx
>> url_rewrite_access deny GlobalWhitelistDomainsRx
>> http_access allow GlobalWhitelistBrowsers
>>
>>
>> Anyone with the same TAG_NONE/503 error, please help!?
>>
>> Regards,
>> Hugo
>> ________________________________
>>
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
> --
> This message was sent from my Android device with K-9 Mail.



-- 
Regards,
Hugo Saavedra
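Added example (not code from the thread): a small Python triage script for the native-format access.log lines quoted above, separating the proxy-generated TAG_NONE/503 entries with HIER_NONE/- (no upstream connection completed) from requests that did reach an origin via ORIGINAL_DST, grouped by host, so the failing hosts can be checked against the ssl_bump peek/splice ACLs. It assumes Squid's default native log layout; the sample lines are the ones from the post, rejoined, including the bitdefender line whose user field was lost in mail wrapping.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log layout, ten whitespace-separated fields:
# time elapsed client result_code/status bytes method url user hier_code/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Sample input: the lines quoted in the post (wrapped ones rejoined). The
# bitdefender line is kept as the mail shows it, with the user field apparently
# lost in wrapping, so it exercises the unparseable-line path.
SAMPLE_LOG = """\
1512561423.930      1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html
1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65? - HIER_NONE/- text/html
1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html
1512566858.355    186 192.168.1.104 TAG_NONE/503 31436 GET https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp - HIER_NONE/- text/html
1512561134.548    306 192.168.1.112 TCP_MISS/302 572 GET https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12 image/gif
1512561139.701    216 192.168.1.148 TCP_MISS/200 386 POST https://cloud-ecs.gravityzone.bitdefender.com/hydra- ORIGINAL_DST/107.20.215.8 application/json
1512561142.180     13 192.168.1.112 TCP_MISS/200 419 GET https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
1512561142.410    243 192.168.1.112 TCP_MISS/200 286 GET https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21 text/javascript
""".splitlines()

def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or rec["url"]
    return rec

def is_local_error(rec):
    """TAG_NONE/503 with HIER_NONE: Squid built the error page itself, no upstream was reached."""
    return (rec["tag"], rec["status"], rec["hier"]) == ("TAG_NONE", "503", "HIER_NONE")

def triage(lines):
    """Per-host counts of proxy-generated 503s vs. requests that reached an upstream."""
    failed, served, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # malformed or wrapped line: count it rather than guess
            continue
        (failed if is_local_error(rec) else served)[rec["host"]] += 1
    return {"failed": dict(failed), "served": dict(served), "skipped": skipped}
```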

