[squid-users] 2 way SSL on a non standard SSL Port

Bart Spedden bart.spedden at 3sharecorp.com
Tue Dec 1 00:01:44 UTC 2015


In the cache.log I have found the following:

CONNECT tv1var.merchantlink-lab.com:8184 HTTP/1.1^M

User-Agent: Java/1.8.0_05^M

Host: tv1var.merchantlink-lab.com:8184^M

Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2^M

Proxy-Connection: keep-alive^M

^M


----------

2015/11/30 17:18:47.517 kid1| 85,2| client_side_request.cc(741)
clientAccessCheckDone: The request CONNECT tv1var.merchantlink-lab.com:8184
is ALLOWED; last ACL checked: localnet

2015/11/30 17:18:47.517 kid1| 85,2| client_side_request.cc(717)
clientAccessCheck2: No adapted_http_access configuration. default: ALLOW

2015/11/30 17:18:47.517 kid1| 85,2| client_side_request.cc(741)
clientAccessCheckDone: The request CONNECT tv1var.merchantlink-lab.com:8184
is ALLOWED; last ACL checked: localnet

2015/11/30 17:18:47.517 kid1| 44,2| peer_select.cc(258) peerSelectDnsPaths:
Find IP destination for: tv1var.merchantlink-lab.com:8184' via
tv1var.merchantlink-lab.com

2015/11/30 17:18:47.533 kid1| 44,2| peer_select.cc(280) peerSelectDnsPaths:
Found sources for 'tv1var.merchantlink-lab.com:8184'

2015/11/30 17:18:47.533 kid1| 44,2| peer_select.cc(281) peerSelectDnsPaths:
  always_direct = DENIED

2015/11/30 17:18:47.533 kid1| 44,2| peer_select.cc(282)
peerSelectDnsPaths:    never_direct = DENIED

2015/11/30 17:18:47.533 kid1| 44,2| peer_select.cc(286)
peerSelectDnsPaths:          DIRECT = local=0.0.0.0 remote=
104.153.8.184:8184 flags=1

2015/11/30 17:18:47.533 kid1| 44,2| peer_select.cc(295)
peerSelectDnsPaths:        timedout = 0

2015/11/30 17:18:47.534 kid1| 4,2| errorpage.cc(1262) BuildContent: No
existing error page language negotiated for ERR_CONNECT_FAIL. Using default
error file.

2015/11/30 17:18:47.534 kid1| 33,2| client_side.cc(815) swanSong: local=
10.1.0.57:3128 remote=192.168.55.103:56395 flags=1

2015/11/30 17:18:47.689 kid1| 5,2| TcpAcceptor.cc(220) doAccept: New
connection on FD 11

2015/11/30 17:18:47.689 kid1| 5,2| TcpAcceptor.cc(295) acceptNext:
connection on local=[::]:3128 remote=[::] FD 11 flags=9

2015/11/30 17:18:47.695 kid1| 11,2| client_side.cc(2345) parseHttpRequest:
HTTP Client local=10.1.0.57:3128 remote=192.168.55.103:56396 FD 10 flags=1

2015/11/30 17:18:47.695 kid1| 11,2| client_side.cc(2346) parseHttpRequest:
HTTP Client REQUEST:

versus

a successful call to google:

User-Agent: Java/1.8.0_05^M

Host: www.google.com^M

Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2^M

Proxy-Connection: keep-alive^M

^M


----------

2015/11/30 17:18:47.849 kid1| 85,2| client_side_request.cc(741)
clientAccessCheckDone: The request CONNECT www.google.com:443 is ALLOWED;
last ACL checked: localnet

2015/11/30 17:18:47.849 kid1| 85,2| client_side_request.cc(717)
clientAccessCheck2: No adapted_http_access configuration. default: ALLOW

2015/11/30 17:18:47.849 kid1| 85,2| client_side_request.cc(741)
clientAccessCheckDone: The request CONNECT www.google.com:443 is ALLOWED;
last ACL checked: localnet

2015/11/30 17:18:47.849 kid1| 44,2| peer_select.cc(258) peerSelectDnsPaths:
Find IP destination for: www.google.com:443' via www.google.com

2015/11/30 17:18:47.853 kid1| 44,2| peer_select.cc(280) peerSelectDnsPaths:
Found sources for 'www.google.com:443'

2015/11/30 17:18:47.853 kid1| 44,2| peer_select.cc(281) peerSelectDnsPaths:
  always_direct = DENIED

2015/11/30 17:18:47.853 kid1| 44,2| peer_select.cc(282)
peerSelectDnsPaths:    never_direct = DENIED

2015/11/30 17:18:47.853 kid1| 44,2| peer_select.cc(286)
peerSelectDnsPaths:          DIRECT = local=[::]
remote=[2607:f8b0:400d:c06::63]:443 flags=1

2015/11/30 17:18:47.853 kid1| 44,2| peer_select.cc(286)
peerSelectDnsPaths:          DIRECT = local=0.0.0.0 remote=74.125.22.99:443
flags=1

2015/11/30 17:18:47.853 kid1| 44,2| peer_select.cc(286)
peerSelectDnsPaths:          DIRECT = local=0.0.0.0 remote=74.125.22.105:443
flags=1

2015/11/30 17:18:47.853 kid1| 44,2| peer_select.cc(286)
peerSelectDnsPaths:          DIRECT = local=0.0.0.0 remote=74.125.22.106:443
flags=1

2015/11/30 17:18:47.853 kid1| 44,2| peer_select.cc(286)
peerSelectDnsPaths:          DIRECT = local=0.0.0.0 remote=74.125.22.103:443
flags=1

2015/11/30 17:18:47.853 kid1| 44,2| peer_select.cc(286)
peerSelectDnsPaths:          DIRECT = local=0.0.0.0 remote=74.125.22.104:443
flags=1

2015/11/30 17:18:47.853 kid1| 44,2| peer_select.cc(286)
peerSelectDnsPaths:          DIRECT = local=0.0.0.0 remote=74.125.22.147:443
flags=1

2015/11/30 17:18:47.853 kid1| 44,2| peer_select.cc(295)
peerSelectDnsPaths:        timedout = 0

2015/11/30 17:18:48.008 kid1| 33,2| client_side.cc(815) swanSong: local=
10.1.0.57:3128 remote=192.168.55.103:56396 flags=1

2015/11/30 17:18:48.196 kid1| 5,2| TcpAcceptor.cc(220) doAccept: New
connection on FD 11

2015/11/30 17:18:48.196 kid1| 5,2| TcpAcceptor.cc(295) acceptNext:
connection on local=[::]:3128 remote=[::] FD 11 flags=9

2015/11/30 17:18:48.196 kid1| 11,2| client_side.cc(2345) parseHttpRequest:
HTTP Client local=10.1.0.57:3128 remote=10.1.0.43:42281 FD 10 flags=1

2015/11/30 17:18:48.196 kid1| 11,2| client_side.cc(2346) parseHttpRequest:
HTTP Client REQUEST:




On Mon, Nov 30, 2015 at 4:37 PM, Bart Spedden <bart.spedden at 3sharecorp.com>
wrote:

> Good idea Anthony.
>
> Here's what I found.
>
> On the squid server when I use the following command to monitor a call to
> https://www.google.com
>
> tcpdump -i eth0 -vv 'port 443'
>
> I get the following:
>
> 17:32:56.373772 IP (tos 0x0, ttl 64, id 33502, offset 0, flags [DF], proto
> TCP (6), length 60)
>
>     d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [S], cksum
> 0x62f0 (correct), seq 3198653455, win 14600, options [mss 1460,sackOK,TS
> val 530978513 ecr 0,nop,wscale 7], length 0
>
> 17:32:56.390214 IP (tos 0x0, ttl 42, id 42485, offset 0, flags [none],
> proto TCP (6), length 60)
>
>     qh-in-f104.1e100.net.https > d6uxpci.lq.com.46591: Flags [S.], cksum
> 0x40d0 (correct), seq 558417168, ack 3198653456, win 42540, options [mss
> 1380,nop,nop,TS val 953915655 ecr 530978513,nop,wscale 7], length 0
>
> 17:32:56.390423 IP (tos 0x0, ttl 64, id 33503, offset 0, flags [DF], proto
> TCP (6), length 52)
>
>     d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [.], cksum
> 0x11f5 (correct), seq 1, ack 1, win 115, options [nop,nop,TS val 530978529
> ecr 953915655], length 0
>
> 17:32:56.605977 IP (tos 0x0, ttl 64, id 33504, offset 0, flags [DF], proto
> TCP (6), length 329)
>
>     d6uxpci.lq.com.46591 > qh-in-f104.1e100.net.https: Flags [P.], cksum
> 0x6c5a (incorrect -> 0xc57a), seq 1:278, ack 1, win 115, options
> [nop,nop,TS val 530978745 ecr 953915655], length 277
>
> 17:32:56.622191 IP (tos 0x0, ttl 42, id 42578, offset 0, flags [none],
> proto TCP (6), length 52)
>
>     qh-in-f104.1e100.net.https > d6uxpci.lq.com.46591: Flags [.], cksum
> 0x0e3e (correct), seq 1, ack 278, win 341, options [nop,nop,TS val
> 953915887 ecr 530978745], length 0
>
> but when I monitor on the non-standard https port (8184) that I'm trying to
> connect to I do not see any traffic at all.  So this leads me to believe
> that squid is not actually trying to make the call on the client's behalf.
>
> So I'm feeling a bit lost.
>
> I've upgraded to 3.5.11.
>
> The only change I made to the default /etc/squid/squid.conf is to add the
> two non-standard https ports that I need to connect to via:
>
> acl SSL_ports port 443 8184 8185
>
> Is there any way to get more logging out of squid?  I tried adding
> debug_option ALL to the squid.conf but didn't see any more logging.
>
> On Mon, Nov 30, 2015 at 10:59 AM, Antony Stone <
> Antony.Stone at squid.open.source.it> wrote:
>
>> On Monday 30 November 2015 at 18:53:54, Bart Spedden wrote:
>>
>> > I can successfully connect as long as I don't use squid for either 1 way or
>> > 2 way TLS connections. I've also successfully connected via curl. So, I feel
>> > like the site's certs are working well. I could be totally off base here
>> > but my interpretation of the 503 (service unavailable) is that squid is
>> > timing out on tls handshake? But what is weird is that when using squid I
>> > can successfully connect to google using https. So, that is what makes me
>> > wonder if it has something to do with the non-standard https port?
>>
>> If it's a timeout, you should be able to see this with a standard wireshark /
>> tcpdump packet capture (no SSL inspection necessary) on your external-facing
>> router (or anywhere else which is a common path both when going direct from
>> the client, and via Squid).
>>
>> Comparing the two (even though you can't decode the content of the packets)
>> may well give a clue as to what's going on differently between the two types of
>> connection.
>>
>>
>> Antony.
>>
>> --
>> Users don't know what they want until they see what they get.
>>
>> Please reply to the list; please *don't* CC me.
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
>



-- 
Bart Spedden  |  Senior Developer
+1.720.210.7041  |
*bart.spedden at 3sharecorp.com <bart.spedden at 3sharecorp.com>*
3 | S H A R E  |  Adobe Digital Marketing Experts  |  An Adobe® Business
Plus Level Solution Partner
Consulting  |  Training  |  Remote Operations Management
<http://www.3sharecorp.com/en/services/rom.html>
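The two cache.log excerpts at the top of this message are easier to compare programmatically. The following is an added example, not code from the thread or from the Squid project: it parses the `date time kidN| section,level| file(line) function: message` layout of the level-2 debug lines quoted above (the sample lines are constructed from the post, with the mail-client wrapping undone) and groups each CONNECT with its access-check verdict, the DIRECT destinations peer selection picked, and any error page built afterwards, so an ACL denial can be told apart from an outbound connect that was allowed, resolved, and still failed.

```python
import re
# Constructed sample modelled on the cache.log excerpts quoted in the thread (debug
# sections 85, 44 and 4 at level 2), with the lines the mail client wrapped joined again.
SAMPLE_LOG = """\
2015/11/30 17:18:47.517 kid1| 85,2| client_side_request.cc(741) clientAccessCheckDone: The request CONNECT tv1var.merchantlink-lab.com:8184 is ALLOWED; last ACL checked: localnet
2015/11/30 17:18:47.517 kid1| 85,2| client_side_request.cc(741) clientAccessCheckDone: The request CONNECT tv1var.merchantlink-lab.com:8184 is ALLOWED; last ACL checked: localnet
2015/11/30 17:18:47.533 kid1| 44,2| peer_select.cc(286) peerSelectDnsPaths:          DIRECT = local=0.0.0.0 remote=104.153.8.184:8184 flags=1
2015/11/30 17:18:47.534 kid1| 4,2| errorpage.cc(1262) BuildContent: No existing error page language negotiated for ERR_CONNECT_FAIL. Using default error file.
2015/11/30 17:18:47.849 kid1| 85,2| client_side_request.cc(741) clientAccessCheckDone: The request CONNECT www.google.com:443 is ALLOWED; last ACL checked: localnet
2015/11/30 17:18:47.853 kid1| 44,2| peer_select.cc(286) peerSelectDnsPaths:          DIRECT = local=0.0.0.0 remote=74.125.22.99:443 flags=1
"""

# One debug line: "date time kidN| section,level| file(line) function: message".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) kid(?P<kid>\d+)\| (?P<section>\d+),(?P<level>\d+)\| "
                     r"(?P<src>\S+\(\d+\)) (?P<func>\w+): (?P<msg>.*)$")
ACCESS_RE = re.compile(r"The request CONNECT (\S+) is (ALLOWED|DENIED); last ACL checked: (\S+)")
DIRECT_RE = re.compile(r"DIRECT = local=\S+ remote=(\S+) flags=")
ERR_RE = re.compile(r"for (ERR_[A-Z_]+)\.")

def parse_line(line):
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def summarize_connects(text):
    """Group each CONNECT with its ACL verdict, the DIRECT paths chosen and any error page."""
    records, current = [], None
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["func"] == "clientAccessCheckDone":
            m = ACCESS_RE.search(rec["msg"])
            # The access check is logged twice per request; keep one record per target.
            if m and not (current and current["target"] == m.group(1)):
                current = {"target": m.group(1), "verdict": m.group(2),
                           "acl": m.group(3), "paths": [], "error": None}
                records.append(current)
        elif current and rec["func"] == "peerSelectDnsPaths":
            m = DIRECT_RE.search(rec["msg"])
            if m:
                current["paths"].append(m.group(1))
        elif current and rec["func"] == "BuildContent":
            m = ERR_RE.search(rec["msg"])
            if m:
                current["error"] = m.group(1)
    return records

def failed_connects(records):
    """Targets that passed the ACLs and resolved to a path but still produced an error page."""
    return [r["target"] for r in records if r["verdict"] == "ALLOWED" and r["paths"] and r["error"]]
```

Run over a full cache.log, the records separate targets that never pass `http_access` (no DIRECT path follows the verdict) from targets that were allowed and resolved but never completed the outbound connection.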