[squid-users] Problems with squid 3.1 to 3.3 upgrade
rousskov at measurement-factory.com
Thu Aug 8 22:05:18 UTC 2019
On 8/8/19 3:29 PM, Tom Karches wrote:
> I am in the process of upgrading our Squid proxy server from 3.1 (on
> RHEL6) to 3.3 (on RHEL7).
It could have been worse! For example, you could ask a question about
upgrading Squid from v1.0 to v2.0... I will try to help, but I do not
remember much about v3.3 specifics.
> The system was configured to log https transactions as such:
> 1565183014.309 230 127.0.0.1 TCP_MISS/200 62539 CONNECT
> entrepreneurship.ncsu.edu:443 - DIRECT/220.127.116.11 -
> which requires SSL Bumping
No, simply logging HTTP CONNECT requests does not require bumping SSL.
> I used curl to test the new proxy. When I attempt to proxy an external
> https connection, this is the result :
> $ curl --proxy http://127.0.0.1:3128 https://www.google.com
> curl: (56) Received HTTP code 503 from proxy after CONNECT
Your Squid told curl that something went wrong. If you look at the
actual response, you may know what went wrong. The same information may
be available in Squid access.log, but the error response may have more
details than a log record. Please share that info here if it does not
point you to a solution.
> http_port 3128 ssl-bump \
> cert=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> I now get the following error
> squid: FATAL: No valid signing SSL certificate configured for
> HTTP_port [::]:3128
Avoid opening the SslBump Pandora box until you have to. If all you need
is CONNECT logging, then you should be able to accomplish what you want
without SslBump pains.
> Where should I be looking for the problem?
In Squid response to curl. You can use curl tracing options or Wireshark
to see it. Squid access.log may have some clues as well.
More information about the squid-users