[squid-users] making proxy-int to talk to proxy-ext

robert k Wild robertkwild at gmail.com
Tue Nov 26 22:56:39 UTC 2019


Hi Alex,

I have done some more troubleshooting and my external proxy is good: I get
no errors, I have one of my DMZ hosts connected to it and I can
browse the web, but my internal proxy can't contact my external proxy. This
is the error when I run it:

2019/11/26 22:53:28| Error parsing SSL Server Hello Message on FD 15
2019/11/26 22:53:28| ERROR: negotiating TLS on FD 15: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
2019/11/26 22:53:28| TCP connection to 172.16.55.21/3128 failed
2019/11/26 22:53:28| Detected DEAD Parent: 172.16.55.21
2019/11/26 22:53:28| Error negotiating SSL connection on FD 13: error:00000001:lib(0):func(0):reason(1) (1/0)

This is my config on my internal proxy:

#
# Recommended minimum configuration:
#

#SSL
http_port 3128 ssl-bump \
cert=/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#squid proxy in DMZ on internet
cache_peer 172.16.55.21 parent 3128 0 default
acl all src all
http_access allow all
never_direct allow all

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

My external proxy uses the same config but without the lines under "squid proxy
in DMZ on internet".

Thanks,
Rob

On Tue, 26 Nov 2019 at 16:59, Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> On 11/26/19 10:54 AM, robert k Wild wrote:
>
> > as i have configured both internal proxy (non internet facing) and
> > external proxy (internet facing) from source,
>
> Please show the essential parts of both internal and external Squid
> configurations for the broken setup (at least).
>
> It is difficult to guess what went wrong because the guide you are
> quoting does not talk about internal and external proxy instances _and_,
> in most cases, simply adding a valid http_port line has no effect on
> test cases that worked before -- the new port will be unused by the old
> test traffic. It is not even clear which proxy you are adding the
> SslBump configuration to.
>
>
> Thank you,
>
> Alex.
>
>
> > I followed this guide -
> > https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> >
> > It works if I comment out the SSL lines -
> >
> > #SSL
> > #http_port 3128 ssl-bump \
> > #cert=/etc/squid/ssl_cert/myCA.pem \
> > #generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> > #sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> > #acl step1 at_step SslBump1
> > #ssl_bump peek step1
> > #ssl_bump bump all
> >
> > but as soon as I uncomment them it breaks the link between both servers.
> >
> > This is the error I get from the internal proxy when it tries to contact
> > the external proxy:
> >
> > https://i.postimg.cc/JzC29gh8/ssl.png
> > --
> > Regards,
> >
> > Robert K Wild.
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
> >


-- 
Regards,

Robert K Wild.
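As an added example (not part of the post, and not Squid's own code): a small Python triage script for cache.log excerpts like the one above. It ties each OpenSSL negotiation error to the next "TCP connection to <peer> failed" event and to the parent Squid then declared DEAD, and translates the reason string, since `SSL23_GET_SERVER_HELLO:unknown protocol` means the bytes received in place of a ServerHello were not a TLS record at all. The sample log is the excerpt above, reassembled one event per line; correlating the FD 15 error with the 172.16.55.21 failure purely by log order is an assumption of the script, not something the log states.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the cache.log excerpt from the post, re-joined one event per line.
SAMPLE_LOG = """\
2019/11/26 22:53:28| Error parsing SSL Server Hello Message on FD 15
2019/11/26 22:53:28| ERROR: negotiating TLS on FD 15: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
2019/11/26 22:53:28| TCP connection to 172.16.55.21/3128 failed
2019/11/26 22:53:28| Detected DEAD Parent: 172.16.55.21
2019/11/26 22:53:28| Error negotiating SSL connection on FD 13: error:00000001:lib(0):func(0):reason(1) (1/0)
"""
TLS_RE = re.compile(r"negotiating TLS on FD (\d+): (error:[0-9A-Fa-f]{8}:[^(]*?)\s*\(")
TCP_RE = re.compile(r"TCP connection to (\S+)/(\d+) failed")
DEAD_RE = re.compile(r"Detected DEAD Parent: (\S+)")
# Plain-language meaning of the OpenSSL reason strings relevant to this scenario (assumed mapping).
REASONS = {
    "unknown protocol": "peer replied with non-TLS bytes where a ServerHello was expected "
                        "(TLS attempted against a port that speaks plain HTTP)",
    "wrong version number": "same symptom as reported by newer OpenSSL: reply is not a TLS record",
}

@dataclass
class PeerIncident:
    peer: str
    port: str
    tls_errors: list = field(default_factory=list)  # (fd, openssl error) seen before the failure
    dead: bool = False

    def diagnosis(self) -> str:
        for _fd, err in self.tls_errors:
            for reason, meaning in REASONS.items():
                if err.endswith(reason):
                    return meaning
        return "TLS error with an unlisted reason" if self.tls_errors else "TCP-level failure only"

def analyze(log_text: str) -> list:
    """Walk cache.log in order, attach each TLS negotiation error to the next
    'TCP connection to <peer> failed' event, then flag peers Squid declared DEAD."""
    pending, incidents = [], []
    for line in log_text.splitlines():
        msg = line.split("| ", 1)[-1]  # drop the timestamp prefix
        if m := TLS_RE.search(msg):
            pending.append((m.group(1), m.group(2).strip()))
        elif m := TCP_RE.search(msg):
            incidents.append(PeerIncident(m.group(1), m.group(2), pending))
            pending = []
        elif m := DEAD_RE.search(msg):
            for inc in incidents:
                if inc.peer == m.group(1):
                    inc.dead = True
    return incidents
```

Run it with `for inc in analyze(SAMPLE_LOG): print(inc.peer, inc.port, inc.dead, inc.diagnosis())` to see the one incident the excerpt contains.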