[squid-users] 503 issue after accessing https svn
Amos Jeffries
squid3 at treenet.co.nz
Wed Dec 6 10:18:35 UTC 2017
On 06/12/17 21:07, G~D~Lunatic wrote:
> my squid is a transparent proxy. and the problem is that i can't access
> the svn server.
> the access.log shows that
> 1512545348.844 380 192.168.51.15 TAG_NONE/200 0 CONNECT
> 192.168.52.6:443 - ORIGINAL_DST/192.168.52.6 -
> 1512545348.920 0 192.168.51.15 TAG_NONE/503 4324 OPTIONS
> https://192.168.52.6/svn/WATMdev/trunk/development/third_period/icapServer
> - HIER_NONE/- text/html
>
> but when i use splice step . the access is normal. so i want to know
> what's the problem.
>
You will have to check the 503 that Squid is delivering there.
There does not appear to be any server name known, which might have
something to do with it. Its not easy to generate a proper server
certificate without a server name.
> Here is my configure
>
> https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/ssl_cert/myCA.pem
> key=/usr/local/squid/ssl_cert/myCA.pem options=NO_SSLv3,NO_SSLv2
>
It may have something to with these restrictions against SSLv2 and v3.
Do you have anything similar on the sslproxy_* options?
>
> acl broken_sites ssl::server_name matchweb.sports.qq.com
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump splice broken_sites
> #ssl_bump splice all
> ssl_bump stare ssl_step1
<https://wiki.squid-cache.org/Features/SslPeekAndSplice#Limitations>
The splice above is likely not possible to be done with the step1 or
step2 data after this stare happens.
Note that is a *maybe*. You will have to check the traffic, the error
messages etc to know for sure what is going on.
> ssl_bump bump ssl_step2
> ssl_bump terminate ssl_step3
>
Amos
More information about the squid-users
mailing list