[squid-users] site opens only without ssl bump
Alex Rousskov
rousskov at measurement-factory.com
Fri Nov 4 12:46:39 UTC 2022
On 11/4/22 02:31, Majed Zouhairy wrote:
> with
>
> logformat squidx %err_code/%err_detail
> access_log xsquid
>
> squid stopped logging completely
Please try to follow the earlier sketch more closely: Keep your usual
logformat codes while adding %err_code/%err_detail and keep your usual
access_log destination when specifying the custom logformat name
(xsquid). Use squid.conf.documented as a syntax reference for these
directives. Always monitor cache.log (or equivalent) for important messages.
> with
>
> ssl_bump splice all
>
> now the site works
OK, so now we know that something breaks around SslBump step1. The next
task is (still) getting %err_code/%err_detail working. If that is not
enough, then you will also need to collect debugging logs.
HTH,
Alex.
>>> On 11/3/22 16:05, Alex Rousskov wrote:
>>>> On 11/3/22 05:43, Majed Zouhairy wrote:
>>>>
>>>>> i have 2 proxies, one with ssl bump and one without, there is a
>>>>> internal site that opens only on the no ssl bump proxy.
>>>>>
>>>>> on the ssl bump proxy it displays:
>>>>
>>>>
>>>> What does Squid say in access.log for this problematic request?
>>>> Please configure Squid to log %err_code/%err_detail before answering
>>>> this question. For example:
>>>>
>>>> logformat xsquid ...your regular %codes... %err_code/%err_detail
>>>> access_log ... xsquid
>>>>
>>>>
>>>>
>>>> Does the site works if you temporary replace your ssl_bump rules with:
>>>>
>>>> ssl_bump peek all
>>>> ssl_bump splice all
>>>>
>>>>
>>>> Does the site works if you temporary replace your ssl_bump rules with:
>>>>
>>>> ssl_bump peek tls_s1_connect
>>>> ssl_bump splice all
>>>>
>>>>
>>>> Alex.
>>>>
>>>>
>>>>
>>>>
>>>>> Не удается получить доступ к сайтуВеб-страница по адресу (i was
>>>>> unable to gain access to website:)
>>>>> https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback,
>>>>> возможно, временно недоступна или постоянно перемещена по новому
>>>>> адресу. (it is possible that it can not bbe reached or it has been
>>>>> permanently relocated to a new address)
>>>>> ERR_TUNNEL_CONNECTION_FAILED
>>>>>
>>>>> the site needs special configurations to run:
>>>>> it needs a local proxy to run, avtunproxy.nl
>>>>> in the internet explorer settings:
>>>>> the second box in the proxy settings needs to be checked called the
>>>>> "use the scenario for automatic configuration"
>>>>> in it, the proxy address is plugged
>>>>> http://127.0.0.1:10224/proxy.pac
>>>>>
>>>>> my bump settings are as follows:
>>>>>
>>>>>
>>>>> acl tls_s1_connect at_step SslBump1
>>>>> acl tls_s2_client_hello at_step SslBump2
>>>>> acl tls_s3_server_hello at_step SslBump3
>>>>>
>>>>> # define acls for sites that must not be actively bumped
>>>>>
>>>>> acl tls_allowed_hsts ssl::server_name .akamaihd.net
>>>>> acl tls_allowed_hsts ssl::server_name .proxy.ckko.nl
>>>>> acl tls_server_is_bank ssl::server_name
>>>>> "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
>>>>> acl tls_to_splice any-of tls_allowed_hsts
>>>>> tls_server_is_bank
>>>>>
>>>>> # TLS/SSL bumping steps
>>>>>
>>>>> ssl_bump peek tls_s1_connect # peek
>>>>> at TLS/SSL connect data
>>>>> ssl_bump splice tls_to_splice #
>>>>> splice some: no active bump
>>>>> ssl_bump stare all #
>>>>> stare(peek) at server
>>>>> #
>>>>> properties of the webserver
>>>>> ssl_bump bump
>>>>>
>>>>> contents of the
>>>>> /usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:
>>>>>
>>>>> .ckko.nl
>>>>> .ias.ckko.nl
>>>>> .test-auth.ias.ckko.nl
>>>>> .config.avtunproxy.nl
>>>>> .rand.avtunproxy.nl
>>>>> .avast.nl
>>>>> .dev.avast.nl
>>>>> .ncis.nl
>>>>> .cdn.nlpost.nl
>>>>>
>>>>> those are all the sites that are logged in on the non ssl bump
>>>>> proxy when ias.ckko.nl is accessed
>>>>>
>>>>> despite all this configuration, the site does not open. in
>>>>> ufdbguard every site from the user is a pass.
>>>>>
>>>>> in avtunproxy log :
>>>>>
>>>>> 2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching
>>>>> https://ckko.nl/upload/certificates/8.crl
>>>>> 2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e]
>>>>> [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 -
>>>>> EOF
>>>>> 2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e]
>>>>> [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT
>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
>>>>> 2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf]
>>>>> [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 -
>>>>> read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing
>>>>> connection was forcibly closed by the remote host.
>>>>> 2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf]
>>>>> [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT
>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
>>>>> 2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021]
>>>>> [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 -
>>>>> EOF
>>>>> 2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021]
>>>>> [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT
>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
>>>>> 2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59]
>>>>> [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 -
>>>>> EOF
>>>>> 2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59]
>>>>> [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT
>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 12.000000 ms
>>>>> 2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a]
>>>>> [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 -
>>>>> EOF
>>>>> 2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a]
>>>>> [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT
>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 15.000000 ms
>>>>> 2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178]
>>>>> [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 -
>>>>> read tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing
>>>>> connection was forcibly closed by the remote host.
>>>>> 2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178]
>>>>> [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT
>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
>>>>> 2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c]
>>>>> [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 -
>>>>> EOF
>>>>> 2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c]
>>>>> [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT
>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
>>>>> 2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559]
>>>>> [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
>>>>> 2022/11/03 12:28:42.190001 |INF| [rid=27a7baff0fe5d70e]
>>>>> [addr=127.0.0.1:10542] GET /static/bootstrap.js - HTTP 200 - OK
>>>>> 2022/11/03 12:28:42.192001 |INF| [rid=dbddaaa3f7759903]
>>>>> [addr=127.0.0.1:10459] GET /static/bootstrap.css - HTTP 200 - OK
>>>>> 2022/11/03 12:28:42.287001 |INF| [rid=7e81e98ea9c70d3f]
>>>>> [addr=127.0.0.1:10544] GET /api/v2/log
>>>>>
>>>>>
>>>>> what is the solution?
>>>>> _______________________________________________
>>>>> squid-users mailing list
>>>>> squid-users at lists.squid-cache.org
>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list