[squid-users] Issues with SSL from specific sites,

Mr J Potter jpotter833 at because.org.uk
Thu Jan 8 13:19:55 UTC 2015


Hi all,

I have a weird problem connecting to one specific domain:

https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js

this site works fine if I connect directly, but if I go via my squid
instance, it fails (see below).

I have squid 3.3.11 with optional SSL-bump set up and working fine for the
most part, but it will not allow me onto this one domain. It's not in any
filtered list (I've commented out SSLBump and all filtering/redirecting on
my test server).

It says "Unable to establish SSL connection"... One point: when I
connect to this site via Chrome it tells me the encryption method is
outdated - is squid refusing to connect because of this?

thanks in advance for any help.

root at dirvish:~# wget
https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js -dv
Setting --verbose (verbose) to 1
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
URI encoding = `UTF-8'
--2015-01-08 13:14:56--
https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.0.5/es5-shim.min.js
Resolving dirvish (dirvish)... 10.15.244.47
Caching dirvish => 10.15.244.47
Connecting to dirvish (dirvish)|10.15.244.47|:3128... connected.
Created socket 4.
Releasing 0x000000000171a990 (new refcount 1).

---request begin---
CONNECT cdnjs.cloudflare.com:443 HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)

---request end---
proxy responded with: [HTTP/1.1 503 Service Unavailable
Server: squid/3.3.11
Mime-Version: 1.0
Date: Thu, 08 Jan 2015 13:14:57 GMT
Content-Type: text/html
Content-Length: 3129
X-Squid-Error: ERR_CONNECT_FAIL 101
Vary: Accept-Language
Content-Language: en

]
Proxy tunneling failed: Service UnavailableUnable to establish SSL
connection.
root at dirvish:~#

squid config:
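# squid.conf for squid 3.3.11, as posted. Directives that the mail client
# wrapped onto two lines (the two squidGuard acl paths, the fe80::/10 comment,
# the two logformat comments) are rejoined here so each parses as one line.
cache_effective_user proxy
shutdown_lifetime 2 seconds

# Upstream parent. Requests that are not forced direct by an always_direct
# rule below are normally forwarded through it.
cache_peer courage.bristol-cyps.org.uk  parent    3128  0  round-robin

forwarded_for off

#url_rewrite_program /usr/bin/squidGuard -c /var/lib/squidguard/squidGuard.conf

#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 30 startup=5 idle=10
#auth_param ntlm keep_alive on

#acl authdUsers proxy_auth REQUIRED

# Allow-lists maintained in the squidGuard database. unchecked_regex is
# defined but not referenced by any http_access line below.
acl unchecked_sites dstdomain "/var/lib/squidguard/db/BEC/alwaysAllowed/domains"
acl unchecked_regex dstdom_regex "/var/lib/squidguard/db/BEC/alwaysAllowed/regex"

# bumpedDomains is only referenced from commented-out always_direct lines.
acl bumpedDomains dstdomain .google.com .youtube.com
acl localDomains dstdomain .bec.lan .bcc.lan .because.org.uk
# NOTE(review): directDomains is forced direct (see always_direct below), so
# .cloudflare.com never goes via the cache_peer. The wget trace shows the
# CONNECT to cdnjs.cloudflare.com failing with ERR_CONNECT_FAIL 101; on Linux
# errno 101 is ENETUNREACH, which fits a proxy host that has no direct route
# out and can only reach the parent — confirm by testing whether this host
# can open port 443 to cdnjs.cloudflare.com without the peer.
acl directDomains dstdomain .gcsepod.com .cloudflare.com

#acl localhost src 127.0.0.0/8
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
# Only referenced from commented-out always_direct lines.
acl HTTPS proto HTTPS

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 81          # Jamie 'Fish lips' Oliver
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 4433        ## VPN
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
# NOTE(review): this rule carries no src ACL, so any client that can reach
# port 3128 — not only localnet — may use the proxy for the listed domains.
# "http_access allow localnet unchecked_sites" would tie it to local clients.
http_access allow unchecked_sites
http_access allow localhost
#http_access allow authdUsers
http_access allow localnet
#http_access deny all
# Explicit catch-all. Squid's implicit default is the opposite of the last
# http_access line, which is "allow localnet" here, so this changes nothing
# today but keeps the final decision visible when rules are added later.
http_access deny all

# Routing: localDomains and directDomains are forced direct (never via the
# cache_peer); with "always_direct deny all" everything else is routed
# normally, i.e. through the parent.
always_direct allow localDomains
always_direct allow directDomains
#always_direct allow bumpedDomains
#always_direct deny HTTPS
#always_direct allow bumpedDomains
#always_direct allow HTTPS
#always_direct allow bumpedDomains
always_direct deny all
#never_direct allow all
#always_direct deny all

# Full query strings are written to access.log; they can carry session
# tokens, so treat the log file as sensitive.
strip_query_terms off

#logformat squid      %ts.%03tu %6tr %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
#logformat common     %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
access_log daemon:/var/log/squid/access.log common
#access_log syslog:local4 common

dns_nameservers 10.15.244.8 10.15.244.13
append_domain .because.org.uk

# Squid normally listens to port 3128
http_port 3128
icp_port 3130

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid3/cache/ 1000 16 256
# Runtime descriptor limit; far below the 65536 compiled in by the build
# script's --with-filedescriptors, so this value is the effective ceiling.
max_filedesc 4096

cache_mem 2048 MB

# Leave coredumps in the first cache dir
coredump_dir /var/log/squid3

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# NOTE(review): SNMP access is gated by the community string alone ("all" as
# the source); a src ACL such as localnet would limit who may query it.
acl swingbin snmp_community swingbin
snmp_access allow swingbin all
snmp_port 3401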


-------

build script:
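# Configure invocation for the squid 3.3.11 build described above. The
# options are collected in an array so each can be commented without breaking
# the command; two options that the mail client wrapped across lines
# (auth-basic and external-acl-helpers) are rejoined here.
configure_args=(
  --prefix=/usr
  --datadir=/usr/share/squid3
  --sysconfdir=/etc/squid3
  --mandir=/usr/share/man
  --enable-inline
  --enable-async-io=8
  --enable-storeio="ufs,aufs,diskd,rock"
  --enable-removal-policies="lru,heap"
  --enable-delay-pools
  --enable-cache-digests
  --enable-underscores
  --enable-icap-client
  # Honoured only for sources permitted by follow_x_forwarded_for in
  # squid.conf; the posted config does not set it (Squid's default is deny).
  --enable-follow-x-forwarded-for
  --enable-auth-basic="DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB"
  --enable-auth-digest="file,LDAP"
  --enable-auth-negotiate="kerberos,wrapper"
  --enable-auth-ntlm="fake,smb_lm"
  --enable-external-acl-helpers="file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group"
  --enable-url-rewrite-helpers="fake"
  --enable-eui
  --enable-esi
  --enable-icmp
  --enable-zph-qos
  --disable-translation
  --with-swapdir=/var/spool/squid3
  --with-logdir=/var/log/squid3
  --with-pidfile=/var/run/squid3.pid
  # Compile-time ceiling; the posted squid.conf lowers the runtime limit
  # with "max_filedesc 4096".
  --with-filedescriptors=65536
  --with-large-files
  # Matches "cache_effective_user proxy" in the posted squid.conf.
  --with-default-user=proxy
  # SSL bump support; ssl_crtd is the helper that generates the per-site
  # certificates.
  --enable-ssl
  --enable-ssl-crtd
)
./configure "${configure_args[@]}"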



thanks,

Jim Potter
Network Manager
Brislington Enterprise College

