[squid-users] SSL Accel Connection Reset

Robert Gabriel squid at ephemeric.online
Mon Nov 20 13:24:45 UTC 2017


Hi,

I've tried to set up SSL accel, i.e. a reverse proxy. The HTTP accel part works, but there is no joy
on the SSL side. Maybe I've misunderstood or misconfigured something?

Thank you for the help.

[root at node03 tmp]# export https_proxy="https://192.168.122.130:443"

[root at node03 tmp]# curl -v --insecure https://data.ephemeric.local/test.tgz
* About to connect() to proxy 192.168.122.130 port 443 (#0)
*   Trying 192.168.122.130...
* Connected to 192.168.122.130 (192.168.122.130) port 443 (#0)
* Establish HTTP proxy tunnel to data.ephemeric.local:443
> CONNECT data.ephemeric.local:443 HTTP/1.1
> Host: data.ephemeric.local:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
> 
* Recv failure: Connection reset by peer
* Received HTTP code 0 from proxy after CONNECT
* Connection #0 to host 192.168.122.130 left intact
curl: (56) Recv failure: Connection reset by peer

I have run "squid -NX" and nothing appears on stdout. I have enabled debug logging too.
I have tailed the access and cache logs: nothing.
This is so frustrating, as the connection is reset and there are no logs to help.

I followed this example and generated the certs etc:
https://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate

# Maximum verbosity for every debug section. If the reset shown in the curl
# transcript above still produces no cache.log line at this level, the
# connection is presumably being dropped before Squid parses a request
# (e.g. during the TLS handshake) — confirm with a packet capture on port 443.
debug_options rotate=1 ALL,9
# Direct fetches are preferred over cache_peer for requests that are not
# restricted to a peer; see the cache_peer_access rules further down.
prefer_direct on
# Append the client address in X-Forwarded-For on forwarded requests.
forwarded_for on

# Client networks treated as local (IPv4 LAN plus IPv6 ULA and link-local).
acl localnet src 192.168.122.0/24
acl localnet src fc00::/7       
acl localnet src fe80::/10     
# The only port a CONNECT tunnel may target (enforced in http_access below).
acl SSL_ports port 443
acl Safe_ports port 80	
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
# Unprivileged ports are all considered safe.
acl Safe_ports port 1025-65535
acl Safe_ports port 280	
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777	
acl CONNECT method CONNECT

# Destination hosts this accelerator fronts. A dstdomain entry without a
# leading dot matches that exact hostname only; the bare token "centos" would
# match a host literally named "centos" and is presumably a stray entry — confirm.
acl our_sites dstdomain download.fedoraproject.org centos mirror.centos.org artifacts.elastic.co data.ephemeric.local dl.google.com dl-ssl.google.com

# Rule order matters: the first matching rule wins.
http_access deny !Safe_ports
# CONNECT is only permitted towards port 443 (SSL_ports).
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# NOTE(review): this allow precedes the our_sites rule, so 192.168.122.0/24
# clients may request any destination on any listener, and with prefer_direct
# on those requests are fetched directly rather than via the accelerated
# origin — effectively an open forward proxy for the local network. If that
# is unintended, restrict the accel listeners to our_sites only.
http_access allow localnet
http_access allow localhost
# Everyone else may only reach the accelerated sites.
http_access allow our_sites
http_access deny all

# Backend origin server on the local host, port 80, no ICP queries.
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel

# Only the accelerated sites are routed to the origin. Nothing in this snippet
# sets never_direct, so a request that does not match our_sites is not forced
# to this peer and (prefer_direct on) is fetched directly instead.
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

# Plain forward-proxy listener.
http_port 8000
# HTTP accelerator listener; defaultsite supplies the Host header for
# requests that arrive without one.
http_port 3128 accel defaultsite=data.ephemeric.local
# SSL-bump listener; the matching ssl_bump rules are not in this snippet, so
# what gets bumped cannot be told from here. Keep the key file readable by
# the squid user only.
http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squid.crt key=/etc/squid/squid.key

# TLS accelerator listener. No key= is given, so Squid expects the private
# key inside the cert= file; the file is named like a CA certificate, whereas
# this listener needs the server (wildcard) certificate with its key — verify
# which one it is. NOTE(review): the curl test at the top of the post reaches
# this port through https_proxy with curl 7.29.0, which predates curl's
# support for TLS to the proxy; the CONNECT presumably arrives in clear text
# on a TLS-only port, which would explain a reset before any request is
# logged. A direct `curl https://data.ephemeric.local/test.tgz` resolving to
# this host exercises the accelerator itself.
https_port 443 accel defaultsite=data.ephemeric.local cert=/etc/squid/myCA.pem

# Objects up to 4 GB are cacheable (the test object is a .tgz download).
maximum_object_size 4096 MB
# ufs store of 10000 MB, 16 first-level and 256 second-level directories.
cache_dir ufs /media/data/var/spool/squid 10000 16 256
# Core files are written alongside the cache; must be writable by the squid user.
coredump_dir /media/data/var/spool/squid
# Heap-based Least Frequently Used with Dynamic Aging.
cache_replacement_policy heap LFUDA

[root at data squid]# cat /etc/redhat-release 
CentOS Linux release 7.4.1708 (Core) 

[root at data squid]# uname -r
3.10.0-693.5.2.el7.x86_64

[root at data squid]# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig

