<div dir="ltr">
<p>Hello,</p>
<p>I have a Squid proxy and am trying to configure it to force traffic from a private cloud appliance (Azure Stack) to go through the corporate proxy. The traffic is mostly HTTPS. I see the errors below; note that ParentProxy-22 is the parent proxy listening on port 9090. Also, why do I have some entries in the access logs that do not go to the parent proxy (e.g. <code>1549282865.527 13 192.168.3.10 NONE/200 0 CONNECT 52.138.216.83:443 - HIER_NONE/- -</code>)?</p>
<p>### error logs ###</p>
<pre>Feb 4 15:26:38 azproxy squid[192272]: TCP connection to ParentProxy-22/9090 failed
Feb 4 15:26:38 azproxy squid[192272]: Error parsing SSL Server Hello Message on FD 20
Feb 4 15:26:38 azproxy squid[192272]: ERROR: negotiating TLS on FD 20: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
Feb 4 15:26:38 azproxy squid[192272]: TCP connection to ParentProxy-22/9090 failed
Feb 4 15:26:38 azproxy squid[192272]: Detected DEAD Parent: ParentProxy-22
Feb 4 15:26:38 azproxy squid[192272]: Detected REVIVED Parent: ParentProxy-22
Feb 4 15:26:38 azproxy squid[192272]: Error parsing SSL Server Hello Message on FD 24
Feb 4 15:26:38 azproxy squid[192272]: ERROR: negotiating TLS on FD 24: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
Feb 4 15:26:38 azproxy squid[192272]: TCP connection to ParentProxy-22/9090 failed</pre>
<p>The squid configuration is as follows:</p>
<p>### iptables setup ###</p>
<pre>[root@azproxy ~] $ iptables -L -t nat -n -v
Chain PREROUTING (policy ACCEPT 6089 packets, 376K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5029  261K REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
21742 1130K REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8090</pre>
<p>### squid.conf ###</p>
<pre>dns_v4_first on

cache_peer ParentProxy-22 parent 9090 0 no-query sslcapath=/etc/pki/ca-trust/source/anchors/
acl local-network dstdomain .azcompany.com
acl everything src 10.0.0.0/8
http_access allow everything
never_direct deny local-network
never_direct allow all
http_port 8080 intercept
https_port 8090 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_certs/azproxyCA.pem dynamic_cert_mem_cache_size=16MB #connection-auth=off
http_port 8100             #forward port not used.

sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
tls_outgoing_options /etc/pki/ca-trust/source/anchors/ca.crt
debug_options ALL,9</pre>
<p>### excerpts from access log ###</p>
<pre>1549282836.118 44 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282836.150 14 192.168.3.11 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282836.271 38 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282836.300 13 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282837.661 30 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282837.710 19 192.168.3.11 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282837.797 4 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - HIER_NONE/- -
1549282837.856 42 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282840.277 15 192.168.3.7 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282840.300 17 192.168.3.7 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282848.695 19 192.168.3.17 TCP_MISS/200 2283 GET http://ocsp.aramco.com.sa/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTcIwl9uZE4WwaD1jq3IdqcP3CI0wQUBCvyP4WY3ATuQXNOru2Zj%2B6W%2BfcCExkAABWDWqKqrUfWBR8AAAAAFYM%3D - ORIGINAL_DST/10.1.152.115 application/ocsp-response
1549282853.233 17 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282853.266 14 192.168.3.10 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282853.299 17 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282853.329 14 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282865.527 13 192.168.3.10 NONE/200 0 CONNECT 52.138.216.83:443 - HIER_NONE/- -
1549282865.552 13 192.168.3.10 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282865.615 57 192.168.3.10 TCP_MISS/503 4689 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282875.690 38 192.168.3.17 TCP_MISS/503 4707 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282875.711 14 192.168.3.17 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282876.012 28 10.8.101.53 NONE/200 0 CONNECT 111.221.29.254:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.455 18 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.544 42 192.168.3.10 TCP_MISS_ABORTED/500 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_NONE/- text/html
1549282880.614 17 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.644 13 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.995 22 192.168.3.4 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282881.026 25 192.168.3.4 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282882.164 19 192.168.3.17 TCP_MISS/503 4689 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html</pre>
<p>==== squid version and build ====</p>
<pre>[root@azproxy ~] $ squid -v
Squid Cache: Version 4.5
Service Name: squid

This binary uses OpenSSL 1.0.2k-fips 26 Jan 2017. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-security-cert-generators' '--enable-security-cert-validators' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--enable-ssl-crtd' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience</pre>
</div>
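<p>A log-triage helper for the access-log question in the post above, added here as an example (it is not part of the original message or of Squid). It parses Squid's default native access.log format, which is what the excerpt uses, and reports per client how many transactions were relayed to the parent (<code>FIRSTUP_PARENT</code>), sent straight to the origin (<code>ORIGINAL_DST</code>), or had no upstream at all (<code>HIER_NONE</code>), plus every non-2xx reply, so the bypassed and failed requests can be located without reading the raw log. The sample lines are copied from the excerpt; any other logformat would land in the <code>unparsed</code> list rather than being misread.</p>

```python
import re
from collections import Counter, defaultdict

# Squid native access.log format (the default "squid" logformat), as in the excerpt:
# time elapsed client code/status bytes method URL rfc931 hierarchy/peerhost type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """Parse one native-format line into a dict, or return None if it does not match."""
    m = SQUID_NATIVE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec

def triage(lines):
    """Return (by_hier, failures, unparsed): per-client hierarchy counts, non-2xx records, unmatched lines."""
    by_hier = defaultdict(Counter)
    failures, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)   # a different logformat or a corrupt line
            continue
        by_hier[rec["client"]][rec["hier"]] += 1   # FIRSTUP_PARENT / HIER_NONE / ORIGINAL_DST
        if not 200 <= rec["status"] < 300:
            failures.append(rec)
    return dict(by_hier), failures, unparsed

# Constructed sample: lines copied from the excerpt above (OCSP URL shortened).
SAMPLE = """\
1549282837.797 4 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - HIER_NONE/- -
1549282848.695 19 192.168.3.17 TCP_MISS/200 2283 GET http://ocsp.aramco.com.sa/ocsp/MFQw... - ORIGINAL_DST/10.1.152.115 application/ocsp-response
1549282865.527 13 192.168.3.10 NONE/200 0 CONNECT 52.138.216.83:443 - HIER_NONE/- -
1549282865.552 13 192.168.3.10 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282880.455 18 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.544 42 192.168.3.10 TCP_MISS_ABORTED/500 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    by_hier, failures, unparsed = triage(SAMPLE)
    print(by_hier, [(r["client"], r["status"], r["url"]) for r in failures], unparsed)
```

<p>Passing an open file object to <code>triage()</code> processes a complete access.log the same way, since files iterate line by line.</p>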