[squid-users] ssl-bump connect issues

Jernej Porenta jernej.porenta at 3fs.si
Mon May 23 05:41:32 UTC 2022 

Hey,

I am trying to establish a caching squid proxy - 5.5 openssl -  ( to be used with our CI/CD system and cache npm modules (we configure http_proxy in our npm configuration).

I've created a configuration with ssl bump-ing and aggressive npm module caching. When a client starts fetching the modules through proxy, everything works fine however quite soon the connections start stalling and all end up timeouting.

The logs show that clients did issue a CONNECT, however the connections are stuck (and eventually timeout) and netstat is showing exactly 10 connections in SYN_SENT state towards npm registry. I am kinda puzzled, where this number comes from.

I am wondering whether npm registry starts throttling me or I am hitting some networking issue or squid misconfiguration.

Does anyone has any idea what could be the issue? (or if someone is using squid for npm module caching, are you willing to share your working squid.conf ;))?

Big thank you in advance, br, Jernej

The "relevant" parts of my configurations are:

acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
http_port 80 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/certs/squid-self-signed.crt tls-key=/etc/squid/certs/squid-self-signed.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/certs/squid-self-signed_dhparam.pem disable-pmtu-discovery=transparent

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 20MB
sslcrtd_children 8
ssl_bump server-first all
sslproxy_cert_error deny all

forwarded_for delete
via off
request_header_access X-Forwarded-For deny all
request_header_access Via  deny all

# dns
positive_dns_ttl 31 seconds
negative_dns_ttl 30 seconds
httpd_suppress_version_string on
connect_timeout 10 seconds


squid -v: https://pastebin.com/KRywK3rN <https://pastebin.com/KRywK3rN>
Full config: https://pastebin.com/xsgS5J38 <https://pastebin.com/xsgS5J38>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20220523/367b7d2b/attachment.htm>

More information about the squid-users mailing list