<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body><div data-html-editor-font-wrapper="true" style="font-family: arial, sans-serif; font-size: 13px;">Hi Squid Users,<br><br>with Squid 4.6 I cannot open these 2 domains when SSL bump is enabled:<br><br>https://www.hays.de<br>https://www.plantronics.com<br><br>Both are showing me a different type of error, details below.<br>I could not find any HPKP site or subdomain there, so I guess Squid has another problem with these domains.<br>Can somebody explain to me how I should debug that correctly, to open a bug report?<br><br>### Bump Settings:<br><br> acl domains_dont_sslbump ssl::server_name_regex "/etc/squid/ka/domains_dont_sslbump.acl"<br> acl domains_dont_sslbump ssl::server_name_regex "/etc/squid/blacklists/blacklist_ut1/blacklists/bank/domains"<br> acl domains_dont_sslbump ssl::server_name_regex "/etc/squid/blacklists/blacklist_shallalist/BL/finance/banking/domains"<br> acl domains_dont_sslbump ssl::server_name_regex "/etc/squid/blacklists/blacklist_shallalist/BL/finance/other/domains"<br> <br> http_port proxy02:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/cert.pem key=/etc/squid/certs/key.ohnersa.pem<br> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB<br> always_direct allow all<br> acl step1 at_step SslBump1<br> ssl_bump peek step1<br> ssl_bump bump all !domains_dont_sslbump<br><br>#### hays.de:<br>1555577795.968 1 172.16.x.x TCP_DENIED/407 4995 GET http://hays.de/ - HIER_NONE/- text/html<br>1555577796.067 63 172.16.x.x TCP_MISS/301 465 GET http://hays.de/ user1 HIER_DIRECT/149.126.72.70 -<br>1555577796.083 0 172.16.x.x TCP_DENIED/407 4124 CONNECT hays.de:443 - HIER_NONE/- text/html<br>1555577796.101 1 172.16.x.x TCP_DENIED/407 4460 CONNECT hays.de:443 - HIER_NONE/- text/html<br>1555577796.202 86 172.16.x.x NONE/200 0 CONNECT hays.de:443 user1 HIER_DIRECT/149.126.72.70 
-<br>1555577796.302 15 172.16.x.x TCP_MISS/301 345 GET https://hays.de/ user1 HIER_DIRECT/149.126.72.70 -<br>1555577796.320 0 172.16.x.x TCP_DENIED/407 4140 CONNECT www.hays.de:443 - HIER_NONE/- text/html<br>1555577796.333 1 172.16.x.x TCP_DENIED/407 4476 CONNECT www.hays.de:443 - HIER_NONE/- text/html<br>1555577796.507 158 172.16.x.x NONE/200 0 CONNECT www.hays.de:443 user1 HIER_DIRECT/149.126.77.70 -<br>1555577796.602 30 172.16.x.x TCP_MISS_ABORTED/000 0 GET https://www.hays.de/ user1 HIER_DIRECT/149.126.77.70 -<br><br>Error displayed on https://www.hays.de (from the browser, Chrome or Firefox):<br><br> Chrome: ERR_EMPTY_RESPONSE<br> Firefox: Secure Connection Failed // An error occurred during a connection to www.hays.de. // The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. // Please contact the website owners to inform them of this problem.<br><br>Header Response while this error message is displayed:<br><br> HTTP/1.1 200 Connection established<br> Server: squid<br> Mime-Version: 1.0<br> Date: Thu, 18 Apr 2019 09:05:28 GMT<br> Content-Type: text/html;charset=utf-8<br> Content-Length: 3759<br> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0<br> Proxy-Authenticate: NTLM VNTUAACAAAADAAMAD(...)<br> X-Cache: MISS from proxy02<br> X-Cache-Lookup: NONE from proxy02:8080<br> Via: 1.1 proxy02 (squid)<br> Connection: keep-alive<br><br>#### plantronics.com<br>1555577912.476 391 172.16.x.x TCP_MISS/301 869 GET http://plantronics.com/ user1 HIER_DIRECT/198.231.10.19 text/html<br>1555577912.514 0 172.16.x.x TCP_DENIED/407 4172 CONNECT www.plantronics.com:443 - HIER_NONE/- text/html<br>1555577912.529 1 172.16.x.x TCP_DENIED/407 4508 CONNECT www.plantronics.com:443 - HIER_NONE/- text/html<br>1555577912.864 324 172.16.x.x NONE/200 0 CONNECT www.plantronics.com:443 user1 HIER_DIRECT/54.192.94.216 -<br>1555577913.564 521 172.16.x.x TCP_MISS/403 745 GET https://www.plantronics.com/ user1 HIER_DIRECT/54.192.94.216 
text/html<br><br>Error displayed on the front page https://www.plantronics.com (from their Apache or Nginx):<br><br> Forbidden<br> You don't have permission to access /.noindex.html on this server.<br><br> </div></body></html>