[squid-users] Problems with squid 3.1 to 3.3 upgrade
Tom Karches
twk at ncsu.edu
Thu Aug 8 19:29:36 UTC 2019
I am in the process of upgrading our Squid proxy server from 3.1 (on RHEL6)
to 3.3 (on RHEL7). It is configured as an explicit (not transparent) proxy
that listens on port 3128. Clients are explicitly configured to use the
proxy.
On the 3.3 system with the same squid.conf as the 3.1 system (I have made
changes to fix warnings), the system is able to proxy internal (*.ncsu.edu)
http traffic and https traffic. Anything https outside the ncsu.edu domain
fails.
The system (which does not use caching) was configured to log https
transactions as such :
1565183014.309 230 127.0.0.1 TCP_MISS/200 62539 CONNECT
entrepreneurship.ncsu.edu:443 - DIRECT/152.1.227.116 -
which requires SSL Bumping (I believe), though there is no reference in the
current configs to the use of SSL bumping.
I used curl to test the new proxy. When I attempt to proxy an external
https connection, this is the result :
$ curl --proxy http://127.0.0.1:3128 https://www.google.com
curl: (56) Received HTTP code 503 from proxy after CONNECT
Proxying internal (ncsu.edu) connections this way is working correctly for
http and https.
When I change my squid.conf from :
http_port 3128
to
http_port 3128 ssl-bump \
cert=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
I now get the following error:
squid[5796]: FATAL: No valid signing SSL certificate configured for HTTP_port [::]:3128
The certs on the new server are newer, but otherwise appear to be correct.
Are there changes in the SSL bump config between 3.1 and 3.3 that would
cause this kind of failure? Where should I be looking for the problem?
No previous experience with squid until this project. I've been doing much
RTM (including the O'Reilly Squid book) searching online and debugging
these past few days. Suggestions appreciated.
Thanks,
Tom
--
Thomas Karches
NCSU OIT CSI - Systems Specialist
M.E Student - STEM Education
Hillsborough 319 / 919.515.5508
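
A preflight check relevant to the FATAL message above, added here as an example and not part of the original post or of Squid: an `ssl-bump` port needs a signing CA certificate together with its private key, and when `key=` is not given Squid expects the key in the `cert=` file, whereas a trust bundle holds only certificates. The sample file contents are constructed placeholders, and `/etc/squid/bump-ca.pem` and all function names are assumptions.

```python
import re

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def bump_ports(conf_text):
    """Yield (port, options) for each http_port line that enables ssl-bump."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", " ", conf_text)  # fold backslash continuations
    for line in joined.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) >= 3 and tokens[0] == "http_port" and "ssl-bump" in tokens[2:]:
            yield tokens[1], dict(t.split("=", 1) for t in tokens[2:] if "=" in t)

def pem_labels(pem_text):
    """Return the PEM block types in a file, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return PEM_LABEL.findall(pem_text)

def check_signing_material(conf_text, read_file):
    """Return a list of problems; read_file(path) -> str is injected so this runs offline."""
    problems = []
    for port, opts in bump_ports(conf_text):
        cert_path = opts.get("cert")
        if cert_path is None:
            problems.append(f"{port}: ssl-bump without cert=")
            continue
        key_path = opts.get("key", cert_path)  # key is read from cert= when key= is absent
        if "CERTIFICATE" not in pem_labels(read_file(cert_path)):
            problems.append(f"{port}: {cert_path} contains no certificate")
        if not any(l.endswith("PRIVATE KEY") for l in pem_labels(read_file(key_path))):
            problems.append(f"{port}: {key_path} contains no private key to sign with")
    return problems

def pem(label):
    # Constructed placeholder block: only the BEGIN/END labels matter to this check.
    return f"-----BEGIN {label}-----\n(constructed)\n-----END {label}-----\n"

# Constructed inputs: the http_port line from the post, plus a variant that uses a
# hypothetical combined CA file (/etc/squid/bump-ca.pem is an assumed path).
POSTED_CONF = """http_port 3128 ssl-bump \\
cert=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \\
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
"""
COMBINED_CONF = "http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on\n"
FILES = {
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem": pem("CERTIFICATE") * 2,
    "/etc/squid/bump-ca.pem": pem("CERTIFICATE") + pem("PRIVATE KEY"),
}

if __name__ == "__main__":
    print(check_signing_material(POSTED_CONF, FILES.__getitem__))
    print(check_signing_material(COMBINED_CONF, FILES.__getitem__))
```

On a real host, pass a `read_file` that opens the path from disk, run as the user Squid runs as, so unreadable key files surface as errors too.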