[squid-users] Help troubleshooting proxy<-->client https

Masha Lifshin mlifshin at phantomdesign.com
Fri May 26 06:00:53 UTC 2017

Hello Dear Squid Users,

I am trying to configure my Squid 4.0.17 to use an https connection between
the client and the proxy.  I have added an https_port directive to
squid.conf, but it must be misconfigured. When I test with a dev version of
curl that supports https proxies, I am getting
ERR_PROTOCOL_UNKNOWN errors.  Below is the curl output, my squid.conf, and
access.log and cache.log snippets.

I appreciate any insights that you can offer.  Thank you very much,

curl output
$ ~/bin/curl -v -x https://proxy.somwhere.com:443 https://github.com
* Rebuilt URL to: https://github.com/
*   Trying
* Connected to proxy.somwhere.com ( port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection:
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown

acl localnet src     # RFC1918 possible internal network
acl localnet src  # RFC1918 possible internal network
acl localnet src # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged)

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 81          # http
acl Safe_ports port 800         # http
acl Safe_ports port 8000        # http
acl Safe_ports port 8080        # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl SSL method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager to_localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access deny to_localhost

icp_access deny all
htcp_access deny all

http_port ssl-bump cert=/path/to/some.cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port cert=/path/to/other.cert.pem
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

access_log stdio:/usr/local/squid/var/log/access.log custom
cache_store_log stdio:/usr/local/squid/var/log/store.log custom
log_mime_hdrs on

pid_filename /usr/local/squid/var/run/custom-squid.pid

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

request_header_access Proxy-Authenticate deny all
request_header_access Proxy-Authentication-Info deny all
request_header_access Proxy-Authorization deny all
request_header_access Proxy-Connection deny all
request_header_access Proxy-support deny all
request_header_access custom-version deny all
request_header_access custom-watermark deny all
request_header_access custom-token deny all
request_header_access custom-parent-host deny all
request_header_access Via deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access X-Forwarded-For deny all
reply_header_access X-XSS-Protection deny all
request_header_access Other allow all

cache_mgr cache_mgr at somewhere.com
mail_from squid at somewhere.com
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_default_options_ttl 60
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_client_username_encode off

ecap_enable on
loadable_modules /usr/local/squid/modules/libcustom_ecap.so
ecap_service custom_validate_req reqmod_precache ecap://somewhere.com/ecap/services/validate routing=on bypass=off
ecap_service custom_validate_resp respmod_precache ecap://somewhere.com/ecap/services/validate routing=on bypass=off
#adaptation_access custom_validate allow all

icap_service custom_req reqmod_precache routing=on icap://
icap_service custom_resp respmod_precache routing=on icap://
forwarded_for delete

# Define a service set for requests. The first service (eCAP) will
# process the request if the API token is in the local cache, and the
# user has the "Access Only" preference set. Otherwise eCAP will abort,
# causing Squid to fail over to ICAP to handle the request.
adaptation_service_set custom_req_set custom_validate_req custom_req
adaptation_service_set custom_resp_set custom_validate_resp custom_resp

adaptation_access custom_req_set allow all
adaptation_access custom_resp_set allow all

# Never stop trying to talk to the ICAP server, no matter how many times it
icap_service_failure_limit -1

# Squid uses numeric categories to control logging.
# Interesting categories:
#   93        ICAP
# debug_options ALL,3 44,0 23,0 40,0 73,0 93,3
debug_options ALL,1 11,2 74,9 93,3

 [26/May/2017:05:35:50 +0000] "NONE error:invalid-request HTTP/1.1" 400 3824

2017/05/26 05:35:50.115 kid1| 74,9| RequestParser.cc(359) doParse: Parse
buf={length=517, data='
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(284)
parseRequestFirstLine: parsing possible request: buf.length=517
2017/05/26 05:35:50.115 kid1| 74,9| RequestParser.cc(285)
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(382) doParse:
request-line: retval -1: line={517, data='
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(383) doParse:
request-line: method: NONE
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(384) doParse:
request-line: url:
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(385) doParse:
request-line: proto: NONE/0.0
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(386) doParse: Parser:
bytes processed=0
2017/05/26 05:35:50.115 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP
Client local= remote= FD 11 flags=1
2017/05/26 05:35:50.115 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP
Client REPLY:
HTTP/1.1 400 Bad Request
Server: squid/4.0.17
Mime-Version: 1.0
Date: Fri, 26 May 2017 05:35:50 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3394
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from ip-172-30-0-67.ec2.internal
X-Cache-Lookup: NONE from ip-172-30-0-67.ec2.internal:443
Via: 1.1 ip-172-30-0-67.ec2.internal (squid/4.0.17)
Connection: close
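An added diagnostic, not part of this post and not Squid's own code: a small Python probe that sends a minimal TLS ClientHello to a proxy port and classifies what comes back, so a listener that speaks TLS can be told apart from one that parses the ClientHello as a garbage HTTP request and answers 400 (the "method: NONE ... 400 Bad Request" pattern in the cache.log above, which is what curl reports as "unknown protocol"). The localhost stand-in responder and its reply are constructed for the example; the real host and port are whatever you put in https_port.

```python
import socket
import threading

# Constructed stand-in for an http_port that receives a TLS ClientHello: Squid
# parses it as method NONE and answers 400. This listener is a test double, not Squid.
FAKE_SQUID_400 = (b"HTTP/1.1 400 Bad Request\r\nServer: squid/4.0.17\r\n"
                  b"Connection: close\r\nContent-Length: 0\r\n\r\n")

def start_fake_http_port() -> int:
    """Listen once on an ephemeral localhost port and answer any bytes with the 400 reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve_once():
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(4096)
            conn.sendall(FAKE_SQUID_400)
    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]

def minimal_client_hello() -> bytes:
    """A syntactically valid TLS 1.2 ClientHello: one cipher suite, no extensions."""
    body = (b"\x03\x03" + bytes(32)      # client_version, 32-byte random (zeros: probe only)
            + b"\x00"                    # empty session_id
            + b"\x00\x02\x00\x2f"        # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")               # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def classify_reply(reply: bytes) -> str:
    if reply.startswith(b"HTTP/"):
        return "plain-http"   # an http_port answered the ClientHello as a bad request
    if reply[:1] in (b"\x16", b"\x15"):
        return "tls"          # ServerHello or TLS alert: the port does speak TLS
    return "unknown"

def probe_proxy_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send the ClientHello, and classify the first reply bytes."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        sock.sendall(minimal_client_hello())
        try:
            return classify_reply(sock.recv(16))
        except OSError:       # timeout or reset before any reply arrived
            return "unknown"
```

Against a real deployment, `probe_proxy_port("proxy.somwhere.com", 443)` returning "plain-http" means the listener curl reached is an http_port (or a Squid built without TLS support on that port), not a working https_port.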

