[squid-users] SSL TAG_NONE/503 errors

Alex Rousskov rousskov at measurement-factory.com
Wed Dec 6 18:54:20 UTC 2017


On 12/06/2017 11:45 AM, Hugo Saavedra wrote:

> Currently we have cache.log disabled for performance. 

With default debug_options, cache.log should not affect performance. If
it does in your setup, then there is probably a problem that you should
solve (without disabling cache.log).


> any clues?

You are probably not supplying enough information for others to guess
what the problem is. Enabling cache.log may be the best next step. You
can also try logging %err_code/%err_detail to access.log but not all
errors populate those two logformat %codes so YMMV.

Alex.


> 2017-12-06 14:51 GMT-03:00 Enrico Heine <flashdown at data-core.org>:
>> Hi,
>>
>> Can you confirm that squid is able to resolve these hostnames? If not, try
>> browsing to them without https and check if squid gives you an error
>> message.
>>
>> Did you check the cache.log as well?
>>
>> Br Enrico
>>
>> On 6 December 2017 17:38:24 CET, Hugo Saavedra
>> <hugo.saavedra.oteiza at gmail.com> wrote:
>>>
>>> Hi All,
>>>
>>> We have the following setup of a transparent squid box:
>>> OS: CentOS release 6.9 (Final)
>>> Squid Cache: Version 3.5.26-20170625-r14174
>>> Compile options:
>>>    '--with-included-ltdl' '--enable-icap-client'
>>> '--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
>>> '--enable-icmp' '--enable-snmp' '--prefix=/usr'
>>> '--includedir=/usr/include' '--datadir=/usr/share'
>>> '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
>>> '--localstatedir=/var' '--sysconfdir=/etc/squid'
>>> --enable-ltdl-convenience
>>>
>>> Endpoints are redirected to the Squid box using a policy route for
>>> TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We
>>> are using ssl bump for ssl, but there is a strange behavior: some
>>> websites open well, but some break and get TAG_NONE/503
>>> errors in the access log:
>>>
>>> 1512561423.930      1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html
>>> 1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65? - HIER_NONE/- text/html
>>> 1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html
>>> 1512566858.355    186 192.168.1.104 TAG_NONE/503 31436 GET https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp - HIER_NONE/- text/html
>>>
>>> In the same time-range, other websites load well:
>>>
>>> 1512561134.548    306 192.168.1.112 TCP_MISS/302 572 GET https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12 image/gif
>>> 1512561139.701    216 192.168.1.148 TCP_MISS/200 386 POST https://cloud-ecs.gravityzone.bitdefender.com/hydra- ORIGINAL_DST/107.20.215.8 application/json
>>> 1512561142.180     13 192.168.1.112 TCP_MISS/200 419 GET https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
>>> 1512561142.410    243 192.168.1.112 TCP_MISS/200 286 GET https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21 text/javascript
>>>
>>>
>>> IPTABLES CONFIGURATION
>>> =======================
>>> # PREROUTING INTERCEPT PBR
>>>
>>> *nat
>>> :PREROUTING ACCEPT [0:0]
>>> :POSTROUTING ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>>> COMMIT
>>>
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>>
>>> #WEB
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 80 -j ACCEPT
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 443 -j ACCEPT
>>>
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3128 -j ACCEPT
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3129 -j ACCEPT
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3130 -j ACCEPT
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport 3131 -j ACCEPT
>>>
>>> #default
>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> -A INPUT -p icmp -j ACCEPT
>>> -A INPUT -i lo -j ACCEPT
>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>> COMMIT
>>>
>>>
>>> SQUID CONFIGURATION
>>> ====================
>>>
>>> #WHITE LIST
>>> acl exclWL url_regex "/etc/squid/white_url.squid"
>>> acl neoWL url_regex "/etc/squid/neowl.squid"
>>> http_access allow exclWL
>>> http_access allow neoWL
>>> cache deny exclWL
>>> cache deny neoWL
>>> always_direct allow exclWL
>>> always_direct allow neoWL
>>>
>>> #Malicious URLs
>>> acl dom url_regex "/etc/squid/dom.squid"
>>> acl cc url_regex "/etc/squid/cc.squid"
>>> http_access deny dom
>>> http_access deny cc
>>>
>>> #BLACK LIST
>>> acl exclBL url_regex "/etc/squid/black_url.squid"
>>> acl neoBL url_regex "/etc/squid/neobl.squid"
>>> http_access deny exclBL
>>> http_access deny neoBL
>>>
>>> #ACLS BASE
>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl localnet src fc00::/7       # RFC 4193 local private network range
>>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>>> acl SSL_ports port 443
>>> acl SSL_ports port 3129
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl CONNECT method CONNECT
>>> acl HTTPS proto HTTPS
>>>
>>> include /etc/squid/acls_whitelist.conf
>>> acl useragent browser "/etc/squid/useragent.squid"
>>> range_offset_limit 0 !useragent
>>> minimum_object_size 0 bytes
>>> maximum_object_size 3 GB
>>> quick_abort_min -1
>>> delay_pools 1
>>> delay_class 1 1
>>> delay_parameters 1 128000/128000
>>> delay_access 1 deny SSL_ports
>>> delay_access 1 allow !useragent
>>> delay_access 1 deny all
>>>
>>> #cache conf
>>> max_filedescriptors 24576
>>> memory_cache_mode disk
>>> cache_mem 0 MB
>>> cache allow all
>>> minimum_object_size 0 bytes
>>> maximum_object_size 20 MB
>>> sslproxy_flags DONT_VERIFY_PEER
>>> connect_timeout 8 seconds
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost manager
>>> http_access deny manager
>>> http_access allow localnet
>>> http_access allow localhost
>>> http_access deny all
>>> reply_header_access Alternate-Protocol deny all
>>>
>>> http_port 3130
>>> http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> http_port 3128 intercept
>>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem
>>>
>>> cache_dir ufs /var/cache/squid 9000 16 256
>>> cache_store_log /var/log/squid/store.log
>>> cache_effective_user squid
>>> visible_hostname Proxy
>>>
>>> refresh_pattern ^ftp:           1440    20%     10080
>>> refresh_pattern ^gopher:        1440    0%      1440
>>> refresh_pattern -i (/cgi-bin/|\?) 2     20%     10
>>> refresh_pattern .               2       20%     10      ignore-reload override-expire ignore-no-cache ignore-no-store store-stale ignore-private ignore-must-revalidate ignore-auth
>>> refresh_pattern -i \.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1 20% 4 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
>>>
>>>
>>> #SSL BUMP
>>> include /etc/squid/ssl.conf
>>>
>>> #LOGGING
>>> access_log /var/log/squid/access.log
>>> access_log /var/log/squid/access_c2.log cc
>>> access_log /var/log/squid/access_c2.log dom
>>> access_log /var/log/squid/splc.log excludeSSL
>>> cache_log /dev/null
>>> coredump_dir /var/cache/squid
>>>
>>> #ICAP
>>> icap_enable on
>>> icap_send_client_ip on
>>> icap_send_client_username on
>>> icap_client_username_header X-Authenticated-User
>>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>>> adaptation_access service_req allow useragent
>>> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>>> adaptation_access service_resp allow useragent
>>>
>>> #X FORWARDED FOR
>>> forwarded_for on
>>>
>>> SSL.conf
>>> =======
>>>
>>> sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
>>> sslproxy_cafile /etc/squid/intermediate_ca.pem
>>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
>>> sslcrtd_children 16 startup=5 idle=1
>>>
>>> acl FakeCert ssl::server_name .apple.com
>>> acl FakeCert ssl::server_name .icloud.com
>>> acl FakeCert ssl::server_name .mzstatic.com
>>> acl FakeCert ssl::server_name .dropbox.com
>>> acl ssl_step1 at_step SslBump1
>>> acl ssl_step2 at_step SslBump2
>>> acl ssl_step3 at_step SslBump3
>>>
>>> ssl_bump peek ssl_step1
>>> ssl_bump splice GlobalWhitelistDSTNet
>>> ssl_bump splice GlobalWhitelistDomainsRx
>>> ssl_bump splice GlobalWhitelistDomains
>>> ssl_bump splice FakeCert
>>> ssl_bump bump ssl_step2 all
>>> ssl_bump splice all
>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>>> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>>> sslproxy_flags DONT_VERIFY_PEER
>>> sslproxy_cert_error allow all
>>> sslproxy_cert_error deny all
>>>
>>> acls_whitelist.conf
>>> =============
>>>
>>> acl WindowsUpdates dstdomain officecdn.microsoft.com
>>> acl WindowsUpdates dstdomain windowsupdate.microsoft.com
>>> acl WindowsUpdates dstdomain ntservicepack.microsoft.com
>>> acl WindowsUpdates dstdomain download.microsoft.com
>>> acl WindowsUpdates dstdomain .windowsupdate.com
>>> acl WindowsUpdates dstdomain .windowsupdate.net
>>> acl WindowsUpdates dstdomain .update.microsoft.com
>>> acl WindowsUpdates dstdomain .mp.microsoft.com
>>> acl WindowsUpdates dstdomain .ws.microsoft.com
>>> acl GlobalWhitelistDomains dstdomain "/etc/squid/acls_whitelist.dstdomain.conf"
>>> acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
>>> acl GlobalWhitelistDomainsRx dstdom_regex -i "/etc/squid/acls_whitelist.dstdom_regex.conf"
>>> acl GlobalWhitelistBrowsers browser -i "/etc/squid/acls_whitelist.browser.conf"
>>> http_access allow GlobalWhitelistDomains
>>> url_rewrite_access deny GlobalWhitelistDomains
>>> http_access allow GlobalWhitelistDSTNet
>>> url_rewrite_access deny GlobalWhitelistDSTNet
>>> http_access allow GlobalWhitelistDomainsRx
>>> url_rewrite_access deny GlobalWhitelistDomainsRx
>>> http_access allow GlobalWhitelistBrowsers
>>>
>>>
>>> Anyone with the same TAG_NONE/503 error, please help!?
>>>
>>> Regards,
>>> Hugo
>>> ________________________________
>>>
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>>
>> --
>> This message was sent from my Android device with K-9 Mail.
> 
> 
> 



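To make the advice in the reply concrete, here is an added example (mine, not code from the thread or from the Squid project) that triages access.log records for the TAG_NONE/503 pattern Hugo reports. It assumes the default `squid` logformat, optionally extended with one trailing field by a directive of the form `logformat squiderr %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail` plus `access_log /var/log/squid/access.log squiderr` (the format name `squiderr` is my choice). The hierarchy field HIER_NONE means Squid produced the response without contacting any server, which is consistent with the 1 ms durations in the post, so those records are separated from transactions that reached an origin. The log lines are copied from the post; the two trailing lines with example.net/example.org and their error values are constructed to show the shape of the extra field, not observed.

```python
"""Triage Squid access.log lines that end as TAG_NONE/503.

Added example, not part of the thread. Parses the default "squid" logformat
and, when present, one extra trailing %err_code/%err_detail field. Records
with HIER_NONE were generated by Squid itself (no server connection opened).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Entry:
    ts: float
    duration_ms: int
    client: str
    tag: str
    status: int
    size: int
    method: str
    url: str
    hier: str
    server: str
    mime: str
    err_code: Optional[str] = None    # %err_code, only with the extended format
    err_detail: Optional[str] = None  # %err_detail, "-" when Squid leaves it empty


def parse_line(line: str) -> Entry:
    """Split one record; no field in this format contains whitespace."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    tag, status = f[3].split("/", 1)
    hier, server = f[8].split("/", 1)
    err_code = err_detail = None
    if len(f) >= 11:
        # Trailing %err_code/%err_detail pair from the extended logformat.
        err_code, _, err_detail = f[10].partition("/")
        err_detail = err_detail or "-"
    return Entry(float(f[0]), int(f[1]), f[2], tag, int(status), int(f[4]),
                 f[5], f[6], hier, server, f[9], err_code, err_detail)


def triage(lines: List[str]) -> Tuple[List[Entry], Counter]:
    """Return (503s Squid generated without a server contact, counter of the rest)."""
    local_errors: List[Entry] = []
    others: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e.tag == "TAG_NONE" and e.status == 503 and e.hier == "HIER_NONE":
            local_errors.append(e)
        else:
            others[(e.tag, e.status, e.hier)] += 1
    return local_errors, others


def failing_hosts(errors: List[Entry]) -> Dict[str, int]:
    """Hostnames behind the local errors: the list to check for name resolution
    and TLS reachability from the proxy host itself."""
    return dict(Counter(urlsplit(e.url).hostname for e in errors))


def error_codes(errors: List[Entry]) -> Dict[str, int]:
    """Distribution of %err_code; "-" when the format lacks it or Squid left it empty."""
    return dict(Counter(e.err_code or "-" for e in errors))


# Records from the post (unwrapped) plus two constructed lines with the extra
# field; the hosts and error values on the constructed lines are illustrative.
SAMPLE_LOG = """
1512561423.930      1 192.168.1.108 TAG_NONE/503 31435 POST https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/- text/html
1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65? - HIER_NONE/- text/html
1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET https://service.weather.microsoft.com/appex/DesktopTile/Badge? - HIER_NONE/- text/html
1512566858.355    186 192.168.1.104 TAG_NONE/503 31436 GET https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp - HIER_NONE/- text/html
1512561134.548    306 192.168.1.112 TCP_MISS/302 572 GET https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12 image/gif
1512561142.180     13 192.168.1.112 TCP_MISS/200 419 GET https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
1512561142.410    243 192.168.1.112 TCP_MISS/200 286 GET https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21 text/javascript
1512570000.000      2 192.168.1.120 TAG_NONE/503 31435 GET https://example.net/a - HIER_NONE/- text/html ERR_CONNECT_FAIL/110
1512570001.000      1 192.168.1.121 TAG_NONE/503 31435 GET https://example.org/b - HIER_NONE/- text/html -/-
""".strip().splitlines()


if __name__ == "__main__":
    errs, rest = triage(SAMPLE_LOG)
    print(f"{len(errs)} locally generated 503s, {sum(rest.values())} other transactions")
    for host, n in sorted(failing_hosts(errs).items()):
        print(f"  {n:3d}  {host}")
    print("err_code distribution:", error_codes(errs))
```

Run it against a real log with `triage(open("/var/log/squid/access.log").read().splitlines())`; `failing_hosts` gives exactly the hostnames Enrico asks about, and once the extended logformat is in place `error_codes` shows which of the 503s actually carry an err_code and which stay at "-", the case Alex warns about.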