[squid-users] site opens only without ssl bump

Majed Zouhairy m_zouhairy at ckta.by
Wed Nov 9 14:12:28 UTC 2022


Peace,

On 11/4/22 15:46, Alex Rousskov wrote:
> On 11/4/22 02:31, Majed Zouhairy wrote:
>> with
>>
>> logformat squidx %err_code/%err_detail
>> access_log xsquid
>>
>> squid stopped logging completely
> 
> Please try to follow the earlier sketch more closely: Keep your usual 
> logformat codes while adding %err_code/%err_detail and keep your usual 
> access_log destination when specifying the custom logformat name 
> (xsquid). Use squid.conf.documented as a syntax reference for these 
> directives. Always monitor cache.log (or equivalent) for important 
> messages.

I think I am becoming Biden. I read squid.conf.documented and didn't get 
it; am I supposed to substitute %err_code/%err_detail with something 
like [http:]>%h, for example?
Here is what cache.log displayed when I changed the config to:

logformat squidx %err_code/%err_detail
access_log daemon:/var/log/squid/accessX.log squidx

access.log stopped working and again cache.log displayed:

2022/11/09 16:58:36| SendEcho ERROR: sending to ICMPv6 packet to 
[2a00:1450:4010:c02::5f]: (101) Network is unreachable
2022/11/09 16:58:40| SendEcho ERROR: sending to ICMPv6 packet to 
[2a00:1450:4010:c0e::c6]: (101) Network is unreachable
2022/11/09 16:58:48| SendEcho ERROR: sending to ICMPv6 packet to 
[2a00:1450:4010:c0d::66]: (101) Network is unreachable
2022/11/09 16:58:58| SendEcho ERROR: sending to ICMPv6 packet to 
[2a00:1148:db00:0:b0b0::1]: (101) Network is unreachable
2022/11/09 16:59:29 kid1| Preparing for shutdown after 593 requests
2022/11/09 16:59:29 kid1| Waiting 30 seconds for active connections to 
finish
2022/11/09 16:59:29 kid1| Killing master process, pid 22616
2022/11/09 16:59:29 kid1| Closing HTTP(S) port [::]:8080
2022/11/09 16:59:29 kid1| Closing Pinger socket on FD 46
2022/11/09 16:59:29 kid1| Preparing for shutdown after 593 requests
2022/11/09 16:59:29 kid1| Waiting 30 seconds for active connections to 
finish
2022/11/09 16:59:29 kid1| WARNING: sslcrtd_program #Hlpr1 exited
     current master transaction: master85
2022/11/09 16:59:29 kid1| Too few sslcrtd_program processes are running 
(need 1/32)
     current master transaction: master85
2022/11/09 16:59:29 kid1| Starting new helpers
     current master transaction: master85
2022/11/09 16:59:29 kid1| helperOpenServers: Starting 1/32 
'security_file_certgen' processes
     current master transaction: master85
2022/11/09 16:59:29 kid1| WARNING: sslcrtd_program #Hlpr3 exited
2022/11/09 16:59:29 kid1| Too few sslcrtd_program processes are running 
(need 1/32)
2022/11/09 16:59:29 kid1| storeDirWriteCleanLogs: Starting...
2022/11/09 16:59:29 kid1|     65536 entries written so far.
2022/11/09 16:59:29 kid1|   Finished.  Wrote 90620 entries.
2022/11/09 16:59:29 kid1|   Took 0.10 seconds (914392.96 entries/sec).
2022/11/09 16:59:29 kid1| FATAL: The sslcrtd_program helpers are 
crashing too rapidly, need help!


> 
>> with
>>
>> ssl_bump splice all
>>
>> now the site works
> 
> OK, so now we know that something breaks around SslBump step1. The next 
> task is (still) getting %err_code/%err_detail working. If that is not 
> enough, then you will also need to collect debugging logs.
> 
> 
> HTH,
> 
> Alex.
> 
> 
> 
>>>> On 11/3/22 16:05, Alex Rousskov wrote:
>>>>> On 11/3/22 05:43, Majed Zouhairy wrote:
>>>>>
>>>>>> i have 2 proxies, one with ssl bump and one without, there is an 
>>>>>> internal site that opens only on the no ssl bump proxy.
>>>>>>
>>>>>> on the ssl bump proxy it displays:
>>>>>
>>>>>
>>>>> What does Squid say in access.log for this problematic request? 
>>>>> Please configure Squid to log %err_code/%err_detail before 
>>>>> answering this question. For example:
>>>>>
>>>>> logformat xsquid ...your regular %codes... %err_code/%err_detail
>>>>> access_log ... xsquid
>>>>>
>>>>>
>>>>>
>>>>> Does the site work if you temporarily replace your ssl_bump rules with:
>>>>>
>>>>> ssl_bump peek all
>>>>> ssl_bump splice all
>>>>>
>>>>>
>>>>> Does the site work if you temporarily replace your ssl_bump rules with:
>>>>>
>>>>> ssl_bump peek tls_s1_connect
>>>>> ssl_bump splice all
>>>>>
>>>>>
>>>>> Alex.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Unable to access the site. The web page at (i was 
>>>>>> unable to gain access to website:) 
>>>>>> https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback may be temporarily unavailable or has been permanently moved to a new address. (it is possible that it can not be reached or it has been permanently relocated to a new address)
>>>>>> ERR_TUNNEL_CONNECTION_FAILED
>>>>>>
>>>>>> the site needs special configurations to run:
>>>>>> it needs a local proxy to run, avtunproxy.nl
>>>>>> in the internet explorer settings:
>>>>>> the second box in the proxy settings needs to be checked called 
>>>>>> the "use the scenario for automatic configuration"
>>>>>> in it, the proxy address is plugged
>>>>>> http://127.0.0.1:10224/proxy.pac
>>>>>>
>>>>>> my bump settings are as follows:
>>>>>>
>>>>>>
>>>>>> acl     tls_s1_connect        at_step SslBump1
>>>>>> acl     tls_s2_client_hello     at_step SslBump2
>>>>>> acl     tls_s3_server_hello     at_step SslBump3
>>>>>>
>>>>>> # define acls for sites that must not be actively bumped
>>>>>>
>>>>>> acl     tls_allowed_hsts        ssl::server_name .akamaihd.net
>>>>>> acl     tls_allowed_hsts        ssl::server_name .proxy.ckko.nl
>>>>>> acl     tls_server_is_bank         ssl::server_name 
>>>>>> "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
>>>>>> acl     tls_to_splice     any-of     tls_allowed_hsts 
>>>>>> tls_server_is_bank
>>>>>>
>>>>>> # TLS/SSL bumping steps
>>>>>>
>>>>>> ssl_bump         peek                tls_s1_connect         # peek 
>>>>>> at TLS/SSL connect data
>>>>>> ssl_bump         splice                 tls_to_splice        # 
>>>>>> splice some: no active bump
>>>>>> ssl_bump         stare                 all                    # 
>>>>>> stare(peek) at server
>>>>>>                                                          # 
>>>>>> properties of the webserver
>>>>>> ssl_bump         bump
>>>>>>
>>>>>> contents of the 
>>>>>> /usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:
>>>>>>
>>>>>> .ckko.nl
>>>>>> .ias.ckko.nl
>>>>>> .test-auth.ias.ckko.nl
>>>>>> .config.avtunproxy.nl
>>>>>> .rand.avtunproxy.nl
>>>>>> .avast.nl
>>>>>> .dev.avast.nl
>>>>>> .ncis.nl
>>>>>> .cdn.nlpost.nl
>>>>>>
>>>>>> those are all the sites that are logged in on the non ssl bump 
>>>>>> proxy when ias.ckko.nl is accessed
>>>>>>
>>>>>> despite all this configuration, the site does not open. in 
>>>>>> ufdbguard every site from the user is a pass.
>>>>>>
>>>>>> in avtunproxy log :
>>>>>>
>>>>>> 2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] 
>>>>>> fetching https://ckko.nl/upload/certificates/8.crl
>>>>>> 2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] 
>>>>>> [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 
>>>>>> - EOF
>>>>>> 2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] 
>>>>>> [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
>>>>>> 2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] 
>>>>>> [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 
>>>>>> - read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing 
>>>>>> connection was forcibly closed by the remote host.
>>>>>> 2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] 
>>>>>> [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
>>>>>> 2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] 
>>>>>> [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 
>>>>>> - EOF
>>>>>> 2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] 
>>>>>> [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
>>>>>> 2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59] 
>>>>>> [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 
>>>>>> - EOF
>>>>>> 2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59] 
>>>>>> [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 12.000000 ms
>>>>>> 2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a] 
>>>>>> [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 
>>>>>> - EOF
>>>>>> 2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a] 
>>>>>> [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 15.000000 ms
>>>>>> 2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178] 
>>>>>> [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 
>>>>>> - read tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing 
>>>>>> connection was forcibly closed by the remote host.
>>>>>> 2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178] 
>>>>>> [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
>>>>>> 2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c] 
>>>>>> [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 
>>>>>> - EOF
>>>>>> 2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c] 
>>>>>> [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
>>>>>> test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
>>>>>> 2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559] 
>>>>>> [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
>>>>>> 2022/11/03 12:28:42.190001 |INF| [rid=27a7baff0fe5d70e] 
>>>>>> [addr=127.0.0.1:10542] GET /static/bootstrap.js - HTTP 200 - OK
>>>>>> 2022/11/03 12:28:42.192001 |INF| [rid=dbddaaa3f7759903] 
>>>>>> [addr=127.0.0.1:10459] GET /static/bootstrap.css - HTTP 200 - OK
>>>>>> 2022/11/03 12:28:42.287001 |INF| [rid=7e81e98ea9c70d3f] 
>>>>>> [addr=127.0.0.1:10544] GET /api/v2/log
>>>>>>
>>>>>>
>>>>>> what is the solution?
>>>>>> _______________________________________________
>>>>>> squid-users mailing list
>>>>>> squid-users at lists.squid-cache.org
>>>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>>
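What Alex's sketch ("keep your usual logformat codes while adding %err_code/%err_detail, and keep your usual access_log destination") looks like written out in full, as an added example that is not taken from the thread: Squid's built-in "squid" logformat, as listed in squid.conf.documented, with the two error codes appended, written to the normal access.log. The format name squidx and the daemon:/var/log/squid/ destination follow Majed's message; the path to access.log is assumed.

```conf
# Added example, not from the thread. The codes up to %mt are Squid's own
# default "squid" logformat; only %err_code/%err_detail is new, so every
# existing field stays in its usual column and existing log parsers keep working.
logformat squidx %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail

# Same destination as before (assumed path), now using the custom format name.
access_log daemon:/var/log/squid/access.log squidx
```

For a request that fails around SslBump step1, the two trailing fields name the error page Squid would have generated (for example ERR_SECURE_CONNECT_FAIL) and the detail Squid attached to it, which is the information the earlier replies were asking for; a request that succeeds logs "-" in both positions. After a reconfigure, check cache.log for any parse error on the logformat line, since a rejected directive can leave the log destination undefined.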

