[squid-users] Reverse proxy for HTTPS cloudfront server
squid3 at treenet.co.nz
Tue Feb 14 02:40:34 UTC 2017
On 14/02/2017 4:40 a.m., Philip Munaawa wrote:
> I am trying to reverse proxy a site hosted on cloudfront, using the normal
> https_port accel. I have the key/cert pair for the origin. The cloudfront
> uses TLS/SNI to negotiate an SSL connection. However, when I try to connect
> through the proxy, I get the error below in the logs:
> Error negotiating SSL on FD 39: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure (1/0/0)
> I have seen a similar issie with nginx, which was resolved by adding a
> switch to send the server_host_name. see:
> Does squid (3.5.24) have a similar switch/functionality?
The only thing that SSL23_SERVER_HELLO and SSL3_READ_BYTES have in
common is that they are errors. So no they are not "similar".
The server is closing the connection without reporting what the problem
actually is. Squid-3.5 should already be sending SNI using the
cache_peer hostname or request-URL hostname.
has some hints from Dave Thompson on how to find out what is going on
with the server.
More information about the squid-users