[squid-users] SSL termination problem - squid's requests using https

Sam Holden sam.holden at steeprockinc.com
Tue Sep 17 21:02:55 UTC 2019

On Tue, Sep 17, 2019 at 4:07 PM Alex Rousskov
<rousskov at measurement-factory.com> wrote:
> On 9/17/19 2:07 PM, Sam Holden wrote:
> > https_port 4277 accel ... protocol=http
> > sees port 4227 act as an http port (no ssl)
> Assuming you meant "4277" when you said "4227" (or vice versa), your
> statement sounds like an indication of a Squid bug to me: The "protocol"
> option is documented to affect Squid-to-origin URL reconstruction. It
> should have no effect on client-to-Squid communication (and https_port,
> of course, expects TLS connections). In other words, the above
> configuration should do what you want in principle AFAICT.
> How does Squid report the above https_port at startup? Look for the
> "Accepting ... at ..." line early in your cache.log.

Yes, I made a typo on the port number in my text.

When I have protocol=http it reports:
2019/09/17 20:08:55| Accepting reverse-proxy HTTP Socket connections at local= remote=[::] FD 13 flags=9

When I don't set the protocol it reports:
2019/09/17 20:17:38| Accepting reverse-proxy HTTPS Socket connections at local= remote=[::] FD 13 flags=9

So it seems to be following the protocol= for the incoming protocol
rather than just the outgoing. I've tried compiling the 4.6 source
tarball and building the debian source package (to add openssl) which
is a few minor versions older but with the normal debian back porting.

I'm going to try the old stock debian one again - I think it was
working with gnutls though I couldn't see a way to make the screen
long options list work with gnutls.

> What happens when you connect to the above https_port using a TLS
> connection?

When I have the protocol=http I get (443 is being mapped to 4277 elsewhere):

$  wget --no-check-certificate
--2019-09-17 20:53:04--
Connecting to connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.
$  wget
--2019-09-17 20:54:17--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 61979 (61K) [text/html]

> Alex.
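The startup check Alex suggests (reading the "Accepting ... at ..." line) can be automated. The following is an added example, not part of either poster's message or of Squid itself: it cross-references `https_port` directives in squid.conf against the listener type reported in cache.log and returns ports that were declared for TLS but came up as plain HTTP. The sample config and log lines, including the port values after `local=`, are constructed.

```python
import re

# Squid announces each listener at startup, e.g.
# "Accepting reverse-proxy HTTP Socket connections at local=[::]:4277 ..."
ACCEPT_RE = re.compile(
    r"Accepting (?:.*?)\s*(?P<proto>HTTPS?) Socket connections "
    r"at local=(?P<local>\S*)")
PORT_RE = re.compile(r"\s*(?P<directive>https?_port)\s+(?P<addr>\S+)")

# Constructed sample input (not taken from the thread).
SAMPLE_CONF = """\
# https_port 9999 accel   (commented out, must be ignored)
https_port 4277 accel tls-cert=/etc/squid/example.pem protocol=http
https_port 4278 accel tls-cert=/etc/squid/example.pem
http_port 3128
"""
SAMPLE_LOG = """\
2019/01/01 00:00:00| Accepting reverse-proxy HTTP Socket connections at local=[::]:4277 remote=[::] FD 13 flags=9
2019/01/01 00:00:00| Accepting reverse-proxy HTTPS Socket connections at local=[::]:4278 remote=[::] FD 14 flags=9
2019/01/01 00:00:00| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 15 flags=9
"""

def _port(addr):
    """Port from '4277', 'host:4277' or '[::]:4277'; None if absent."""
    tail = addr.rpartition(":")[2]
    return int(tail) if tail.isdigit() else None

def declared_ports(conf_text):
    """Map port -> directive name for every active *_port line."""
    ports = {}
    for line in conf_text.splitlines():
        m = PORT_RE.match(line)
        if m and _port(m.group("addr")) is not None:
            ports[_port(m.group("addr"))] = m.group("directive")
    return ports

def reported_listeners(log_text):
    """Map port -> 'HTTP'/'HTTPS' as logged; the latest startup wins."""
    seen = {}
    for m in ACCEPT_RE.finditer(log_text):
        if _port(m.group("local")) is not None:
            seen[_port(m.group("local"))] = m.group("proto")
    return seen

def plaintext_https_ports(conf_text, log_text):
    """Ports declared with https_port that Squid reports as plain HTTP."""
    seen = reported_listeners(log_text)
    return sorted(p for p, d in declared_ports(conf_text).items()
                  if d == "https_port" and seen.get(p) == "HTTP")

if __name__ == "__main__":
    print(plaintext_https_ports(SAMPLE_CONF, SAMPLE_LOG))
```

Log lines whose `local=` field is empty are skipped, since they cannot be tied to a configured port.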