[squid-users] Gateway Proxy failure - but only with one browser ...
Walter H.
Walter.H at mathemainzel.info
Wed Apr 29 17:26:59 UTC 2020
I have two squids,
one does SSL bump (3.5latest CentOS 6)
the other doesn't SSL bump (3.4latest CentOS 6)
everything works,
I have a site that uses SSL/TLS, and two different browsers (one in a VM
with old windows),
when I use the squid without SSL bump, the site works with both browsers,
but when I use the squid with SSL bump, with the old browser I get a
"Gateway Proxy failure"
the log shows this:
host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443
HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US;
rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT
SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:04:11 +0200] "GET
https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-"
"Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217
Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info
in compare to the log when using the other browser ...
host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443
HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9)
Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:05:53 +0200] "GET
https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977
"https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64;
x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT
SNI:ssl.mathemainzel.info
is this caused by the browser on old OS itself?
squid.conf (of squid with SSL bump)
reply_header_access Public-Key-Pins deny all
reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"
ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare step2
ssl_bump bump all
sslproxy_cafile /etc/squid/ca-bundle.trust.crt
sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
sslcrtd_children 8
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem
options=NO_SSLv2,NO_SSLv3
Thanks,
Walter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3511 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200429/6a293d6b/attachment.bin>
More information about the squid-users
mailing list