<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Hello Amos</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Thank you for looking into this. Below is the configuration ...</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
###########################</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
logformat squid %tl %6tr %>a %<a %dt %<rd %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt %<tt %<pt %{Nuance-Session-ID}>h
<div><br>
</div>
<div>cache_access_log /var/log/squid/access.log squid</div>
<div>pid_filename /var/run/squid.pid</div>
<div><br>
</div>
<div>visible_hostname nuance-ak-client-test2</div>
<div><br>
</div>
<div>acl Safe_ports port 80</div>
<div>acl Safe_ports port 443</div>
<div>acl SSL_ports port 443</div>
<div>acl SSL method CONNECT</div>
<div>acl CONNECT method CONNECT</div>
<div><br>
</div>
<div>cache deny all</div>
<div><span style="color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;">dns_v4_first on</span><br>
</div>
<div><span style="color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;">http_port 443 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/etc/squid/squidCA.pem cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem<br>
</span></div>
<div><br>
</div>
<div># Below, a.b.c.d is the backend IP</div>
<div>cache_peer a.b.c.d parent 443 0 no-query proxy-only no-digest originserver ssl sslcert=/etc/certs/abc.crt sslkey=/etc/certs/key.pem sslcapath=/etc/certs/ sslflags=DONT_VERIFY_PEER name=dev<br>
</div>
<div><span style="color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;">acl dev myport 443
<div>acl dev myport 80</div>
<div>acl dev myport 3129</div>
<div><br>
</div>
<div>http_access allow all</div>
<div><br>
</div>
<div>cache_peer_access dev allow dev</div>
<div>#cache_peer_access dev deny all</div>
<div>#URL_REWRITE_PROGRAM /etc/squid/rewrite-http.pl</div>
<div>sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB</div>
<div>sslcrtd_children 5</div>
<div>ssl_bump server-first all</div>
<div>sslproxy_cert_error allow all</div>
sslproxy_flags DONT_VERIFY_PEER<br>
</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;"><br>
</span></div>
<div><span style="color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif; font-size: 12pt;"><br>
</span></div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> squid-users <squid-users-bounces@lists.squid-cache.org> on behalf of squid-users-request@lists.squid-cache.org <squid-users-request@lists.squid-cache.org><br>
<b>Sent:</b> Sunday, September 11, 2022 8:00 AM<br>
<b>To:</b> squid-users@lists.squid-cache.org <squid-users@lists.squid-cache.org><br>
<b>Subject:</b> squid-users Digest, Vol 97, Issue 20</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">
Today's Topics:<br>
<br>
1. https on frontend (Adiseshu Channasamudhram)<br>
2. Re: https on frontend (Amos Jeffries)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Sat, 10 Sep 2022 18:19:23 +0000<br>
From: Adiseshu Channasamudhram <csadi@hotmail.com><br>
To: "squid-users@lists.squid-cache.org"<br>
<squid-users@lists.squid-cache.org><br>
Subject: [squid-users] https on frontend<br>
Message-ID:<br>
<PH0PR14MB530976D868BCFACDF5BF6F20B3429@PH0PR14MB5309.namprd14.prod.outlook.com><br>
<br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Hello Squid experts<br>
<br>
I'm running into an issue with the setup below<br>
<br>
frontend -----------TLS-------------Squid-------------------------2WayTLS--------------------------Backend<br>
<br>
When the frontend sends the HTTP request, I see the TLS exchange is successful, but then in the Squid access log I see the error below<br>
<br>
w.x.y.z is the IP of the frontend server.<br>
<br>
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -<br>
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -<br>
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -<br>
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4016 %16%03%03 %A1%DFXl%A1%90yf%1C - HIER_NONE/- text/html - - -<br>
10/Sep/2022:00:13:37 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -<br>
10/Sep/2022:00:13:37 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -<br>
10/Sep/2022:00:13:38 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -<br>
10/Sep/2022:00:13:38 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -<br>
<br>
On the squid interface listening to the frontend, I have pointed it to a self signed cert ...<br>
<br>
Any help/suggestion would be greatly appreciated<br>
<br>
Regards<br>
<br>
Adi<br>
<br>
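The log lines above, as an added example that is not part of this thread: a small Python audit that parses this logformat, flags entries whose request field is percent-encoded TLS (the bytes 0x16 0x03 0x03 are a TLS handshake record header, so Squid received TLS on a listener that was parsing plain HTTP), and lists squid.conf settings of the kind in the posted configuration that disable certificate verification or open the proxy to all clients. Sample log lines and addresses are constructed.<br>

```python
"""Added example (not from the thread): find access-log entries whose 'request'
is really a TLS record Squid tried to parse as plain HTTP, and flag squid.conf
settings that disable TLS verification. Sample lines are constructed."""
import re
from urllib.parse import unquote_to_bytes

RESULT_RE = re.compile(r"^[A-Z_]+/\d{3}$")  # the %Ss/%>Hs field, e.g. TAG_NONE/400

def looks_like_tls_record(field: str) -> bool:
    """True if the percent-encoded field starts with a TLS record header:
    content type 0x16 (handshake), version 0x03 0x00..0x04 (SSL3..TLS1.3)."""
    raw = unquote_to_bytes(field)
    return len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x04

def scan_access_log(lines):
    """Return (status, method, url) for each line whose method or URL field is
    a TLS record: the client spoke TLS to a listener expecting plain HTTP."""
    hits = []
    for line in lines:
        tok = line.split()
        idx = next((i for i, t in enumerate(tok) if RESULT_RE.match(t)), None)
        if idx is None or len(tok) < idx + 4:
            continue  # not a recognisable access-log line
        status = int(tok[idx].split("/")[1])
        method, url = tok[idx + 2], tok[idx + 3]
        if looks_like_tls_record(method) or looks_like_tls_record(url):
            hits.append((status, method, url))
    return hits

WEAK = {  # directive fragment -> why a reviewer would flag it
    "DONT_VERIFY_PEER": "upstream certificate is never verified",
    "sslproxy_cert_error allow all": "every upstream certificate error is ignored",
    "http_access allow all": "any client may use the proxy",
}

def audit_conf(conf_lines):
    """Return [(lineno, fragment, reason)] for weak settings; comments skipped."""
    findings = []
    for n, line in enumerate(conf_lines, 1):
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        findings += [(n, f, why) for f, why in WEAK.items() if f in text]
    return findings

SAMPLE_LOG = [  # constructed; 192.0.2.10 stands in for the frontend address
    "10/Sep/2022:00:13:34 +0000 0 192.0.2.10 - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -",
    "10/Sep/2022:00:13:34 +0000 0 192.0.2.10 - - - TAG_NONE/400 4016 %16%03%03 %A1%DFXl%A1%90yf%1C - HIER_NONE/- text/html - - -",
    "10/Sep/2022:00:13:40 +0000 12 192.0.2.10 - - - TCP_MISS/200 512 GET https://example.test/ - FIRSTUP_PARENT/198.51.100.5 text/html - - -",
]
```

Run `scan_access_log` over the real access.log and `audit_conf` over squid.conf; a non-empty first result is the tell that TLS is reaching an http_port rather than an https_port.<br>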
------------------------------<br>
<br>
Message: 2<br>
Date: Sun, 11 Sep 2022 09:11:35 +1200<br>
From: Amos Jeffries <squid3@treenet.co.nz><br>
To: squid-users@lists.squid-cache.org<br>
Subject: Re: [squid-users] https on frontend<br>
Message-ID: <ef33deaf-3c02-8cba-c8df-12a20fbfa258@treenet.co.nz><br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
On 11/09/22 06:19, Adiseshu Channasamudhram wrote:<br>
> Hello Squid experts<br>
> <br>
> I'm running into an issue with the setup below<br>
> <br>
> frontend <br>
> -----------TLS-------------Squid-------------------------2WayTLS--------------------------Backend<br>
> <br>
> When the frontend sends the HTTP request, I see the TLS exchange is <br>
> successful, but then in the Squid access log I see the error below<br>
> <br>
> w.x.y.z is the IP of the frontend server.<br>
> <br>
> 10/Sep/2022:00:13:34 +0000      0 w.x.y.z - - - TAG_NONE/400 4476 NONE <br>
> error:invalid-request - HIER_NONE/- text/html - - -<br>
...<br>
> On the squid interface listening to the frontend, I have pointed it to a <br>
> self signed cert ...<br>
> <br>
> Any help/suggestion would be greatly appreciated<br>
> <br>
<br>
Either the HTTP request messages received from the frontend inside the <br>
TLS are invalid, or your frontend<->Squid is misconfigured.<br>
<br>
We will need to see your squid.conf details. Specifically these <br>
directives, though all settings (no comments or empty lines) would be <br>
useful for a full check:<br>
http_port, https_port, cache_peer, tls_outgoing_options<br>
<br>
Also a cache/log trace made with "debug_options ALL,0 11,2" will be helpful.<br>
<br>
<br>
Amos<br>
<br>
<br>
------------------------------<br>
</div>
</span></font></div>
</body>
</html>