[squid-users] SSL TAG_NONE/503 errors
Hugo Saavedra
hugo.saavedra.oteiza at gmail.com
Wed Dec 6 16:38:24 UTC 2017
Hi All,
We have the following setup of a transparent squid box:
OS: CentOS release 6.9 (Final)
Squid Cache: Version 3.5.26-20170625-r14174
Compile options:
'--with-included-ltdl' '--enable-icap-client'
'--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
'--enable-icmp' '--enable-snmp' '--prefix=/usr'
'--includedir=/usr/include' '--datadir=/usr/share'
'--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
'--localstatedir=/var' '--sysconfdir=/etc/squid'
--enable-ltdl-convenience
Endpoints are redirected to the Squid box using a policy route for
TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We
are using ssl bump for ssl, but there is a strange behavior: some
websites open well, but some break and we get TAG_NONE/503
errors in the access log:
1512561423.930 1 192.168.1.108 TAG_NONE/503 31435 POST
https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/-
text/html
1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET
https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65?
- HIER_NONE/- text/html
1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET
https://service.weather.microsoft.com/appex/DesktopTile/Badge? -
HIER_NONE/- text/html
1512566858.355 186 192.168.1.104 TAG_NONE/503 31436 GET
https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp
- HIER_NONE/- text/html
In the same time range, other websites load well:
1512561134.548 306 192.168.1.112 TCP_MISS/302 572 GET
https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12
image/gif
1512561139.701 216 192.168.1.148 TCP_MISS/200 386 POST
https://cloud-ecs.gravityzone.bitdefender.com/hydra-
ORIGINAL_DST/107.20.215.8 application/json
1512561142.180 13 192.168.1.112 TCP_MISS/200 419 GET
https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
1512561142.410 243 192.168.1.112 TCP_MISS/200 286 GET
https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21
text/javascript
IPTABLES CONFIGURATION
=======================
# PREROUTING INTERCEPT PBR
# NAT table: TCP 8080/80 arriving on eth0 is redirected to the intercept
# http_port 3128, and 443 to the intercept https_port 3129. Because every
# REDIRECT rule matches "-i eth0", only eth0 is intercepted; traffic on any
# other interface (if present) is not.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#WEB
# NOTE(review): the ACCEPT rules below carry no "-i" or "-s" match, so the
# proxy ports (3128/3129 intercept, 3130/3131 forward) accept connections on
# every interface from any source address; consider restricting them to the
# client-facing interface and/or the localnet ranges.
# (Each "-A INPUT ..." line and the "--dport ..." line after it is one rule
# that the mail client wrapped onto two lines.)
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 80 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 443 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 3128 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 3129 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 3130 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 3131 -j ACCEPT
#default
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Everything else inbound is rejected, and nothing is forwarded (the
# redirected 80/443 flows terminate in Squid locally, so FORWARD is unused).
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
SQUID CONFIGURATION
====================
#WHITE LIST
# URL-regex whitelists: allowed, never cached, always fetched directly.
# NOTE(review): http_access is first-match. These allow rules (and the ones
# pulled in by the include further down) come before the
# "http_access deny !Safe_ports" / "deny CONNECT !SSL_ports" rules near the
# end of this file, so a whitelisted URL skips the port and CONNECT checks.
# Moving the two safety denies above the whitelists keeps them effective.
acl exclWL url_regex "/etc/squid/white_url.squid"
acl neoWL url_regex "/etc/squid/neowl.squid"
http_access allow exclWL
http_access allow neoWL
cache deny exclWL
cache deny neoWL
always_direct allow exclWL
always_direct allow neoWL
#Malicious URLs
# Known-bad URL lists; denied and additionally logged to access_c2.log below.
acl dom url_regex "/etc/squid/dom.squid"
acl cc url_regex "/etc/squid/cc.squid"
http_access deny dom
http_access deny cc
#BLACK LIST
acl exclBL url_regex "/etc/squid/black_url.squid"
acl neoBL url_regex "/etc/squid/neobl.squid"
http_access deny exclBL
http_access deny neoBL
#ACLS BASE
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines
acl SSL_ports port 443
acl SSL_ports port 3129
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl HTTPS proto HTTPS
# Pulls in the GlobalWhitelist* ACLs and their http_access allow rules
# (acls_whitelist.conf, shown separately); they are evaluated at this point,
# i.e. before the Safe_ports / CONNECT denies below.
include /etc/squid/acls_whitelist.conf
# "useragent" matches the User-Agent strings listed in the file; it gates the
# delay pool and ICAP scanning below.
acl useragent browser "/etc/squid/useragent.squid"
range_offset_limit 0 !useragent
minimum_object_size 0 bytes
maximum_object_size 3 GB
quick_abort_min -1
# Bandwidth limit applied only to non-SSL traffic from non-"useragent" clients.
delay_pools 1
delay_class 1 1
delay_parameters 1 128000/128000
delay_access 1 deny SSL_ports
delay_access 1 allow !useragent
delay_access 1 deny all
#cache conf
max_filedescriptors 24576
memory_cache_mode disk
cache_mem 0 MB
cache allow all
# minimum/maximum_object_size are also set above (3 GB there); presumably the
# later value, 20 MB, is the one in effect — confirm which is intended.
minimum_object_size 0 bytes
maximum_object_size 20 MB
# NOTE(review): DONT_VERIFY_PEER turns off verification of origin-server
# certificates on bumped connections, so a client gets a valid mimic cert even
# when the origin presents an expired, mismatched or untrusted one. The same
# flag is repeated in ssl.conf.
sslproxy_flags DONT_VERIFY_PEER
connect_timeout 8 seconds
# Standard safety rules — see the note at the top of this file about the
# whitelist allows that precede them.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
# Strips Alternate-Protocol from responses, presumably to keep clients from
# switching to a protocol that would bypass the proxy — confirm.
reply_header_access Alternate-Protocol deny all
# 3130/3131: explicit forward-proxy ports (3131 with ssl-bump);
# 3128/3129: intercept ports targeted by the iptables REDIRECT rules.
# (The cert=/generate-host-certificates options are wrapped by the mail client.)
http_port 3130
http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem
cache_dir ufs /var/cache/squid 9000 16 256
cache_store_log /var/log/squid/store.log
cache_effective_user squid
visible_hostname Proxy
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 2 20% 10
# NOTE(review): ignore-private / ignore-no-store / ignore-auth together with
# "cache allow all" let responses the origin marked private, no-store or
# authenticated be stored and served to other clients; with ssl-bump this
# also covers decrypted HTTPS content. Review whether that is intended.
refresh_pattern . 2 20% 10 ignore-reload
override-expire ignore-no-cache ignore-no-store store-stale
ignore-private ignore-must-revalidate ignore-auth
refresh_pattern -i
\.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1
20% 4 override-expire ignore-no-cache ignore-no-store ignore-private
reload-into-ims
#SSL BUMP
include /etc/squid/ssl.conf
#LOGGING
# cc/dom hits are also written to access_c2.log; "excludeSSL" is not defined
# in the posted files — presumably it comes from one of the included files.
access_log /var/log/squid/access.log
access_log /var/log/squid/access_c2.log cc
access_log /var/log/squid/access_c2.log dom
access_log /var/log/squid/splc.log excludeSSL
# NOTE(review): TAG_NONE/503 with HIER_NONE means Squid produced the error
# itself without contacting a server; the reason is logged to cache.log,
# which is discarded here. Point cache_log at a file (and raise debug_options
# if needed) to see why those requests fail.
cache_log /dev/null
coredump_dir /var/cache/squid
#ICAP
# Request and response scanning via squidclamav, only for "useragent" clients.
# bypass=1: if the ICAP service is unreachable the request proceeds
# unscanned, i.e. the scanner fails open.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req reqmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow useragent
icap_service service_resp respmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow useragent
#X FORWARDED FOR
# Sends the client's (RFC1918) address to origin servers in X-Forwarded-For;
# set to "off" or "delete" if internal addressing should not be disclosed.
forwarded_for on
SSL.conf
=======
# Intermediates used to complete origin chains, and the CA file used to
# verify origin certificates. NOTE(review): both point at the same
# intermediate bundle rather than a trusted-root bundle; with
# DONT_VERIFY_PEER below, verification does not happen anyway.
sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
sslproxy_cafile /etc/squid/intermediate_ca.pem
# Mimic-certificate generator and its on-disk cache.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
sslcrtd_children 16 startup=5 idle=1
# Destinations that are spliced instead of bumped, presumably because their
# clients pin certificates — confirm.
acl FakeCert ssl::server_name .apple.com
acl FakeCert ssl::server_name .icloud.com
acl FakeCert ssl::server_name .mzstatic.com
acl FakeCert ssl::server_name .dropbox.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
# Step 1: read the client's TLS ClientHello (SNI) before deciding.
ssl_bump peek ssl_step1
# Step 2: pass whitelisted and pinned destinations through untouched
# (the GlobalWhitelist* ACLs come from acls_whitelist.conf).
ssl_bump splice GlobalWhitelistDSTNet
ssl_bump splice GlobalWhitelistDomainsRx
ssl_bump splice GlobalWhitelistDomains
ssl_bump splice FakeCert
# Everything else is bumped (decrypted and re-encrypted) at step 2.
ssl_bump bump ssl_step2 all
# NOTE(review): this final splice can only apply at step 3, which the
# unconditional bump above never leads to; it looks like dead config — confirm.
ssl_bump splice all
# TLS options and cipher string for Squid-to-origin connections
# (the cipher string is wrapped onto the next line by the mail client).
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher
ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
# NOTE(review): DONT_VERIFY_PEER plus "sslproxy_cert_error allow all" means
# every origin certificate problem (expired, wrong name, unknown issuer) is
# accepted and hidden from the client behind a valid mimic cert; the
# "deny all" that follows is never reached (first match). Prefer verifying
# peers and allowing only specific, named exceptions.
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
sslproxy_cert_error deny all
acls_whitelist.conf
=============
# Windows Update hosts. NOTE(review): WindowsUpdates is defined here but not
# referenced by any rule in the posted configuration — confirm it is used
# in a file that was not posted.
acl WindowsUpdates dstdomain officecdn.microsoft.com
acl WindowsUpdates dstdomain windowsupdate.microsoft.com
acl WindowsUpdates dstdomain ntservicepack.microsoft.com
acl WindowsUpdates dstdomain download.microsoft.com
acl WindowsUpdates dstdomain .windowsupdate.com
acl WindowsUpdates dstdomain .windowsupdate.net
acl WindowsUpdates dstdomain .update.microsoft.com
acl WindowsUpdates dstdomain .mp.microsoft.com
acl WindowsUpdates dstdomain .ws.microsoft.com
# Destination whitelists read from files; ssl.conf splices these so the
# TLS session is passed through without bumping.
acl GlobalWhitelistDomains dstdomain "/etc/squid/acls_whitelist.dstdomain.conf"
acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
acl GlobalWhitelistDomainsRx dstdom_regex -i
"/etc/squid/acls_whitelist.dstdom_regex.conf"
# Whitelist keyed on the User-Agent header.
acl GlobalWhitelistBrowsers browser -i "/etc/squid/acls_whitelist.browser.conf"
# Whitelisted destinations are allowed and skip the URL rewriter. These allows
# take effect where this file is included in squid.conf, i.e. before the
# Safe_ports / CONNECT denies (http_access is first-match), so they bypass
# those checks.
http_access allow GlobalWhitelistDomains
url_rewrite_access deny GlobalWhitelistDomains
http_access allow GlobalWhitelistDSTNet
url_rewrite_access deny GlobalWhitelistDSTNet
http_access allow GlobalWhitelistDomainsRx
url_rewrite_access deny GlobalWhitelistDomainsRx
# NOTE(review): this allow keys on User-Agent, a header any client can set,
# so a matching string grants access to any destination and port regardless
# of the blacklists' intent; unlike the entries above it also has no
# url_rewrite_access counterpart. Consider dropping it or pairing it with a
# destination restriction.
http_access allow GlobalWhitelistBrowsers
Anyone with the same TAG_NONE/503 error, please help!?
Regards,
Hugo