<div dir="ltr">Hi all,<div><br></div><div>I have a weird problem connecting to one specific domain:</div><div><br></div><div><a href="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js">https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js</a></div><div><br></div><div>this site works fine if I connect directly, but if I go via my squid instance, it fails (see below).</div><div><br></div><div>I have squid 3.3.11 with optional SSL-bump set up and working fine for the most part, but it will not allow me onto this one domain. Its not in any filtered list (I've connected out SSLBump and all filtering/redirecting on my test server). <br clear="all"><div><div class="gmail_signature"><div dir="ltr"><br></div><div>It says unavailable to establish SSL connection... one point is when I connect to this site via chrome it tells me the encryption method is outdated - is squid refusing to connect due to this?</div><div><br></div><div>thanks in advance for any help.</div><div><br></div><div dir="ltr"><div dir="ltr">root@dirvish:~# wget <a href="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js">https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js</a> -dv</div><div dir="ltr">Setting --verbose (verbose) to 1</div><div dir="ltr">DEBUG output created by Wget 1.13.4 on linux-gnu.</div><div dir="ltr"><br></div><div dir="ltr">URI encoding = `UTF-8'</div><div dir="ltr">URI encoding = `UTF-8'</div><div dir="ltr">--2015-01-08 13:14:56-- <a href="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js">https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js</a></div><div dir="ltr">Resolving dirvish (dirvish)... 10.15.244.47</div><div dir="ltr">Caching dirvish => 10.15.244.47</div><div dir="ltr">Connecting to dirvish (dirvish)|10.15.244.47|:3128... connected.</div><div dir="ltr">Created socket 4.</div><div dir="ltr">Releasing 0x000000000171a990 (new refcount 1).</div><div dir="ltr"><br></div><div dir="ltr">---request begin---</div><div dir="ltr">CONNECT <a href="http://cdnjs.cloudflare.com:443">cdnjs.cloudflare.com:443</a> HTTP/1.1</div><div dir="ltr">User-Agent: Wget/1.13.4 (linux-gnu)</div><div dir="ltr"><br></div><div dir="ltr">---request end---</div><div dir="ltr">proxy responded with: [HTTP/1.1 503 Service Unavailable</div><div dir="ltr">Server: squid/3.3.11</div><div dir="ltr">Mime-Version: 1.0</div><div dir="ltr">Date: Thu, 08 Jan 2015 13:14:57 GMT</div><div dir="ltr">Content-Type: text/html</div><div dir="ltr">Content-Length: 3129</div><div dir="ltr">X-Squid-Error: ERR_CONNECT_FAIL 101</div><div dir="ltr">Vary: Accept-Language</div><div dir="ltr">Content-Language: en</div><div dir="ltr"><br></div><div dir="ltr">]</div><div dir="ltr">Proxy tunneling failed: Service UnavailableUnable to establish SSL connection.</div><div dir="ltr">root@dirvish:~#</div><div><br></div><div>squid config:</div><div><div>cache_effective_user proxy</div><div>shutdown_lifetime 2 seconds</div><div><br></div><div>cache_peer <a href="http://courage.bristol-cyps.org.uk">courage.bristol-cyps.org.uk</a> parent 3128 0 round-robin</div><div><br></div><div>forwarded_for off</div><div><br></div><div>#url_rewrite_program /usr/bin/squidGuard -c /var/lib/squidguard/squidGuard.conf</div><div><br></div><div>#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp</div><div>#auth_param ntlm children 30 startup=5 idle=10</div><div>#auth_param ntlm keep_alive on</div><div><br></div><div>#acl authdUsers proxy_auth REQUIRED</div><div><br></div><div>acl unchecked_sites dstdomain "/var/lib/squidguard/db/BEC/alwaysAllowed/domains"</div><div>acl unchecked_regex dstdom_regex "/var/lib/squidguard/db/BEC/alwaysAllowed/regex"</div><div><br></div><div>acl bumpedDomains dstdomain .<a href="http://google.com">google.com</a> .<a href="http://youtube.com">youtube.com</a></div><div>acl localDomains dstdomain .bec.lan .bcc.lan .<a href="http://because.org.uk">because.org.uk</a></div><div>acl directDomains dstdomain .<a href="http://gcsepod.com">gcsepod.com</a> .<a href="http://cloudflare.com">cloudflare.com</a></div><div><br></div><div>#acl localhost src <a href="http://127.0.0.0/8">127.0.0.0/8</a></div><div>acl localnet src <a href="http://10.0.0.0/8">10.0.0.0/8</a> # RFC1918 possible internal network</div><div>acl localnet src <a href="http://172.16.0.0/12">172.16.0.0/12</a> # RFC1918 possible internal network</div><div>acl localnet src <a href="http://192.168.0.0/16">192.168.0.0/16</a> # RFC1918 possible internal network</div><div>acl localnet src fc00::/7 # RFC 4193 local private network range</div><div>acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines</div><div>acl HTTPS proto HTTPS</div><div><br></div><div>acl SSL_ports port 443</div><div>acl Safe_ports port 80 # http</div><div>acl Safe_ports port 81 # Jamie 'Fish lips' Oliver</div><div>acl Safe_ports port 21 # ftp</div><div>acl Safe_ports port 443 # https</div><div>acl Safe_ports port 4433 ## VPN</div><div>acl Safe_ports port 70 # gopher</div><div>acl Safe_ports port 210 # wais</div><div>acl Safe_ports port 1025-65535 # unregistered ports</div><div>acl Safe_ports port 280 # http-mgmt</div><div>acl Safe_ports port 488 # gss-http</div><div>acl Safe_ports port 591 # filemaker</div><div>acl Safe_ports port 777 # multiling http</div><div>acl CONNECT method CONNECT</div><div><br></div><div>#</div><div># Recommended minimum Access Permission configuration:</div><div>#</div><div># Only allow cachemgr access from localhost</div><div>http_access allow localhost manager</div><div>http_access deny manager</div><div><br></div><div># Deny requests to certain unsafe ports</div><div>http_access deny !Safe_ports</div><div><br></div><div># Deny CONNECT to other than secure SSL ports</div><div>http_access deny CONNECT !SSL_ports</div><div><br></div><div># We strongly recommend the following be uncommented to protect innocent</div><div># web applications running on the proxy server who think the only</div><div># one who can access services on "localhost" is a local user</div><div>http_access deny to_localhost</div></div><div><div><br></div><div>#</div><div># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS</div><div>#</div><div><br></div><div># Example rule allowing access from your local networks.</div><div># Adapt localnet in the ACL section to list your (internal) IP networks</div><div># from where browsing should be allowed</div><div>http_access allow unchecked_sites</div><div>http_access allow localhost</div><div>#http_access allow authdUsers</div><div>http_access allow localnet</div><div>#http_access deny all</div><div><br></div><div>always_direct allow localDomains</div><div>always_direct allow directDomains</div><div>#always_direct allow bumpedDomains</div><div>#always_direct deny HTTPS</div><div>#always_direct allow bumpedDomains</div><div>#always_direct allow HTTPS</div><div>#always_direct allow bumpedDomains</div><div>always_direct deny all</div><div>#never_direct allow all</div><div>#always_direct deny all</div><div><br></div><div>strip_query_terms off</div><div><br></div><div>#logformat squid %ts.%03tu %6tr %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt</div><div>#logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh</div><div>access_log daemon:/var/log/squid/access.log common</div><div>#access_log syslog:local4 common</div><div><br></div><div>dns_nameservers 10.15.244.8 10.15.244.13</div><div>append_domain .<a href="http://because.org.uk">because.org.uk</a></div><div><br></div><div># Squid normally listens to port 3128</div><div>http_port 3128</div><div>icp_port 3130</div><div><br></div><div># Uncomment and adjust the following to add a disk cache directory.</div><div>#cache_dir ufs /var/spool/squid3/cache/ 1000 16 256</div><div>max_filedesc 4096</div><div><br></div><div>cache_mem 2048 MB</div><div><br></div><div># Leave coredumps in the first cache dir</div><div>coredump_dir /var/log/squid3</div><div><br></div><div># Add any of your own refresh_pattern entries above these.</div><div>refresh_pattern ^ftp: 1440 20% 10080</div><div>refresh_pattern ^gopher: 1440 0% 1440</div><div>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0</div><div>refresh_pattern . 0 20% 4320</div><div><br></div><div>acl swingbin snmp_community swingbin</div><div>snmp_access allow swingbin all</div><div>snmp_port 3401</div></div><div><br></div><div><br></div><div>-------</div><div><br></div><div>build script::</div><div><div>./configure \</div><div> --prefix=/usr \</div><div> --datadir=/usr/share/squid3 \</div><div> --sysconfdir=/etc/squid3 \</div><div> --mandir=/usr/share/man \</div><div> --enable-inline \</div><div> --enable-async-io=8 \</div><div> --enable-storeio="ufs,aufs,diskd,rock" \</div><div> --enable-removal-policies="lru,heap" \</div><div> --enable-delay-pools \</div><div> --enable-cache-digests \</div><div> --enable-underscores \</div><div> --enable-icap-client \</div><div> --enable-follow-x-forwarded-for \</div><div> --enable-auth-basic="DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \</div><div> --enable-auth-digest="file,LDAP" \</div><div> --enable-auth-negotiate="kerberos,wrapper" \</div><div> --enable-auth-ntlm="fake,smb_lm" \</div><div> --enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group" \</div><div> --enable-url-rewrite-helpers="fake" \</div><div> --enable-eui \</div><div> --enable-esi \</div><div> --enable-icmp \</div><div> --enable-zph-qos \</div><div> --disable-translation \</div><div> --with-swapdir=/var/spool/squid3 \</div><div> --with-logdir=/var/log/squid3 \</div><div> --with-pidfile=/var/run/squid3.pid \</div><div> --with-filedescriptors=65536 \</div><div> --with-large-files \</div><div> --with-default-user=proxy \</div><div> --enable-ssl --enable-ssl-crtd</div></div><div><br></div><div><br></div><div><br></div></div><div dir="ltr">thanks,<br><br>Jim Potter<br>Network Manager<br>Brislington Enterprise College<br></div></div></div>
</div></div>