[squid-users] Help troubleshooting proxy<-->client https
Masha Lifshin
mlifshin at phantomdesign.com
Fri May 26 06:00:53 UTC 2017
Hello Dear Squid Users,
I am trying to configure my Squid 4.0.17 to use an https connection between
the client and the proxy. I have added an https_port directive to
squid.conf, but it must be misconfigured. When I test with a dev version of
curl that supports https proxies, I am getting
ERR_PROTOCOL_UNKNOWN errors. Below is the curl output, my squid.conf, and
access.log and cache.log snippets.
I appreciate any insights that you can offer. Thank you very much,
-Masha
----------------------------------------
curl output
----------------------------------------
$ ~/bin/curl -v -x https://proxy.somwhere.com:443 https://github.com
* Rebuilt URL to: https://github.com/
* Trying 54.210.69.61...
* TCP_NODELAY set
* Connected to proxy.somwhere.com (54.210.69.61) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection:
ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol
----------------------------------------
squid.conf
----------------------------------------
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 800 # http
acl Safe_ports port 8000 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl SSL method CONNECT
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager to_localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
# ICAP CONFIG
icp_access deny all
htcp_access deny all
http_port 172.30.0.67:443 ssl-bump cert=/path/to/some.cert.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
tls-dh=/usr/local/squid/etc/dhparam.pem
https_port 172.30.0.67:443 cert=/path/to/other.cert.pem
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
access_log stdio:/usr/local/squid/var/log/access.log custom
cache_store_log stdio:/usr/local/squid/var/log/store.log custom
log_mime_hdrs on
pid_filename /usr/local/squid/var/run/custom-squid.pid
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
request_header_access Proxy-Authenticate deny all
request_header_access Proxy-Authentication-Info deny all
request_header_access Proxy-Authorization deny all
request_header_access Proxy-Connection deny all
request_header_access Proxy-support deny all
request_header_access custom-version deny all
request_header_access custom-watermark deny all
request_header_access custom-token deny all
request_header_access custom-parent-host deny all
request_header_access Via deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access X-Forwarded-For deny all
reply_header_access X-XSS-Protection deny all
request_header_access Other allow all
cache_mgr cache_mgr at somewhere.com
mail_from squid at somewhere.com
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_default_options_ttl 60
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_client_username_encode off
ecap_enable on
loadable_modules /usr/local/squid/modules/libcustom_ecap.so
ecap_service custom_validate_req reqmod_precache ecap://
somewhere.com/ecap/services/validate routing=on bypass=off
ecap_service custom_validate_resp respmod_precache ecap://
somewhere.com/ecap/services/validate routing=on bypass=off
#adaptation_access custom_validate allow all
icap_service custom_req reqmod_precache routing=on icap://
127.0.0.1:1344/custom_req
icap_service custom_resp respmod_precache routing=on icap://
127.0.0.1:1344/custom_resp
forwarded_for delete
# Define a service set for requests. The first service (eCAP) will
# process the request if the API token is in the local cache, and the
# user has the "Access Only" preference set. Otherwise eCAP will abort,
# causing Squid to fail over to ICAP to handle the request.
adaptation_service_set custom_req_set custom_validate_req custom_req
adaptation_service_set custom_resp_set custom_validate_resp custom_resp
adaptation_access custom_req_set allow all
adaptation_access custom_resp_set allow all
# Never stop trying to talk to the ICAP server, no matter how many times it
fails.
icap_service_failure_limit -1
# Squid uses numeric categories to control logging.
# Interesting categories:
# 93 ICAP
# debug_options ALL,3 44,0 23,0 40,0 73,0 93,3
debug_options ALL,1 11,2 74,9,93,3
(END)
----------------------------------------
access.log
----------------------------------------
[26/May/2017:05:35:50 +0000] "NONE error:invalid-request HTTP/1.1" 400 3824
----------------------------------------
cache.log
----------------------------------------
2017/05/26 05:35:50.115 kid1| 74,9| RequestParser.cc(359) doParse: Parse
buf={length=517, data='
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(284)
parseRequestFirstLine: parsing possible request: buf.length=517
2017/05/26 05:35:50.115 kid1| 74,9| RequestParser.cc(285)
parseRequestFirstLine:
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(382) doParse:
request-line: retval -1: line={517, data='
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(383) doParse:
request-line: method: NONE
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(384) doParse:
request-line: url:
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(385) doParse:
request-line: proto: NONE/0.0
2017/05/26 05:35:50.115 kid1| 74,5| RequestParser.cc(386) doParse: Parser:
bytes processed=0
2017/05/26 05:35:50.115 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP
Client local=172.30.0.67:443 remote=75.147.129.242:64540 FD 11 flags=1
2017/05/26 05:35:50.115 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP
Client REPLY:
---------
HTTP/1.1 400 Bad Request
Server: squid/4.0.17
Mime-Version: 1.0
Date: Fri, 26 May 2017 05:35:50 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3394
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from ip-172-30-0-67.ec2.internal
X-Cache-Lookup: NONE from ip-172-30-0-67.ec2.internal:443
Via: 1.1 ip-172-30-0-67.ec2.internal (squid/4.0.17)
Connection: close
----------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170525/c0d9c8b6/attachment-0001.html>
More information about the squid-users
mailing list