[squid-users] Unable to open youtube.com

Timur Lagutenko timur.lagutenko at gmail.com
Wed Oct 17 04:17:53 UTC 2018


I'm sure that the issue is not related to firewall rules,
because if I pass traffic from client IP (using NAT, browser is not
configured to use proxy) it works.
I think it is related to some SSL/TLS lib in the system,
because today I've tried a CLI browser - links.
Launching it directly from the gateway (which has direct access to web), I was
able to browse any site in text mode.
Except youtube.
So I guess it is related to some missing ssl lib.
Could you please suggest how I can find all required libs for my squid?

# squid -v
Squid Cache: Version 3.5.28
Service Name: squid

This binary uses OpenSSL 1.0.2p  14 Aug 2018. For legal restrictions on
distribution see https://www.openssl.org/source/license.html

configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin'
'--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid'
'--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var'
'--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache'
'--without-gnutls' '--with-included-ltdl' '--enable-auth'
'--enable-zph-qos' '--enable-build-info' '--enable-loadable-modules'
'--enable-removal-policies=lru heap' '--disable-epoll'
'--disable-linux-netfilter' '--disable-linux-tproxy'
'--disable-translation' '--disable-arch-native' '--disable-eui'
'--enable-cache-digests' '--disable-delay-pools' '--disable-ecap'
'--disable-esi' '--enable-follow-x-forwarded-for' '--without-heimdal-krb5'
'--without-mit-krb5' '--without-gss' '--disable-htcp'
'--disable-icap-client' '--disable-icmp' '--disable-ident-lookups'
'--disable-ipv6' '--enable-kqueue' '--with-large-files'
'--enable-http-violations' '--without-nettle' '--disable-snmp'
'--enable-ssl' '--with-openssl=/usr/local'
'LIBOPENSSL_CFLAGS=-I/usr/local/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl'
'--disable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent'
'--disable-ipfw-transparent' '--disable-pf-transparent'
'--without-nat-devpf' '--enable-forw-via-db' '--enable-wccp'
'--enable-wccpv2' '--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM
POP3 RADIUS fake getpwnam' '--enable-auth-digest=file'
'--enable-external-acl-helpers=file_userip time_quota unix_group'
'--enable-auth-negotiate=none' '--enable-auth-ntlm=fake smb_lm'
'--enable-storeio=aufs ufs' '--enable-disk-io=DiskThreads AIO Blocking
IpcIo Mmapped' '--enable-log-daemon-helpers=file'
'--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file'
'--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules'
'--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.2'
'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe
-fstack-protector -fno-strict-aliasing ' 'LDFLAGS= -pthread
-L/usr/local/lib -lpcreposix -lpcre -Wl,-rpath,/usr/local/lib
-fstack-protector ' 'LIBS=' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++'
'CXXFLAGS=-O2 -pipe -fstack-protector -fno-strict-aliasing
-Wno-unknown-warning-option -Wno-undefined-bool-conversion
-Wno-tautological-undefined-compare -Wno-dynamic-class-memaccess '
'CPP=cpp' --enable-ltdl-convenience

# uname -a
FreeBSD gate.xxxxxx.local 11.2-RELEASE-p4 FreeBSD 11.2-RELEASE-p4 #0: Thu
Sep 27 08:16:24 UTC 2018
root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
amd64



On Wed, 17 Oct 2018 at 8:48, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 17/10/18 6:22 AM, Bruno de Paula Larini wrote:
> >
> > On 16/10/2018 02:46, Timur Lagutenko wrote:
> >> Hello friends,
> >>
> >> recently I've updated my freebsd gateway.
> >> from 11.1 to 11.2.
> >> also I've updated squid from 3.5 to 4.1
> >> i have no transparency, no ssl-bump/splice etc..
> >> simple installation.
> >> browser is configured to use proxy.
> >> squid configuration is default.
>
> Then Squid interaction with this traffic is a simple test of whether the
> client IP address is within your LAN and then blindly shovel the HTTPS
> traffic through.
>
> Problems are limited to routing, MTU/MSS misconfiguration somewhere
> (network VPN tunnel?), and problems with the endpoints' TLS negotiation
> (browser or upstream server).
>
>
>
> >> everything works fine except youtube.com <http://youtube.com/>
> >> Browser freezes on "trying to set secure connection", and after gives
> >> time-out error.
> >> i've also tried to downgrade squid back to 3.5
> >> no success.
>
> That downgrade not resolving the issue indicates that it is not Squid
> related.
>
> As Bruno suggested, probably a change to the routing or firewall systems
> that traffic is going through that appeared with the OS version bump. It
> is pretty rare to see on small bumps, but can happen.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
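
On the question of finding the libraries the squid binary needs: the following is an added example, not part of the original thread. It filters `ldd` output for unresolved dependencies and shows which libssl/libcrypto files the runtime linker picks. The function names and the sample `ldd` output are constructed for illustration; the binary path is taken from the `--sbindir` value in the `squid -v` output above.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ldd` output on stdin and prints:
#   MISSING <lib>       for each dependency the runtime linker cannot resolve
#   TLS <lib> <path>    for the libssl/libcrypto objects that are resolved
classify_ldd() {
    awk '
        $2 == "=>" && $3 == "not" && $4 == "found" { print "MISSING", $1; next }
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/   { print "TLS", $1, $3 }
    '
}

# Succeeds (exit 0) when at least one dependency is unresolved.
any_missing() {
    classify_ldd | grep -q '^MISSING'
}

# Constructed sample in the usual ldd layout; not output from the poster's host.
# libexample.so.1 is a made-up name used to show the "not found" case.
sample_ldd() {
    cat <<'EOF'
/usr/local/sbin/squid:
	libssl.so.9 => /usr/local/lib/libssl.so.9 (0x800a4b000)
	libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x800cbe000)
	libexample.so.1 => not found (0)
	libc.so.7 => /lib/libc.so.7 (0x801a2f000)
EOF
}

# Demo on the constructed sample. On the gateway itself, run instead:
#   ldd /usr/local/sbin/squid | classify_ldd
sample_ldd | classify_ldd
```

A `TLS` line pointing at `/usr/local/lib` matches the `--with-openssl=/usr/local` build option shown above; a path under `/usr/lib` would mean the base-system OpenSSL is being loaded instead.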