[squid-users] Fwd: [Squid-3.5.20]Squid transparent proxy http/https without client site config

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 29 13:29:59 UTC 2017


On 30/11/17 01:34, minh hưng đỗ hoàng wrote:
> Dear Amos,
> Sorry for concluding hurriedly.
> When I do a test with 1 user, it seems OK, no more Alert from cache.log.
> But when I test with more users, the Alert log from cache.log happens
> again. And so I can't access some HTTPS pages such as chatwork.com, facebook.com.


You do understand that this is a log entry that cannot be completely 
removed, right? The problem can only be reduced in how much damage is 
done, not fixed.

Also be aware that the cache.log records every security event, even when 
the user does not see anything unusual because Squid sends them 
transparently to the server they were trying to contact as if the proxy 
was not there (real transparency).

You seem to be doing everything that can be done about the connectivity 
issues related to that log message.


I suspect that any remaining issues you are now having with those HTTPS 
sites are a separate problem with the Squid-3 SSL-Bump code or TLS 
protocol itself. You need to take a closer look at the exact 
transactions that are going on with those remaining problem sites.

If the problem turns out to be anything in the TLS protocol messages, the 
'splice' action that your Squid is currently doing means that type of 
problem has nothing to do with Squid. It is the client and server 
endpoints having the issue between themselves.

You could also try out Squid 3.5.27 or Squid-4 code for a more up-to-date 
SSL-Bump implementation. There are a few changes to how the 
connection management works that might show up as weird problems in 
Squid-3 despite the splice. Even the 7 months between your 3.5.20 and 
3.5.27 have a few of those.

Amos

