[squid-users] Fwd: [Squid-3.5.20]Squid transparent proxy http/https without client site config
Amos Jeffries
squid3 at treenet.co.nz
Wed Nov 29 13:29:59 UTC 2017
On 30/11/17 01:34, minh hưng đỗ hoàng wrote:
> Dear Amos,
> Sorry for concluding hurriedly.
> When I do a test with 1 user, it seems OK, no more Alert from cache.log.
> But when I test with more users, the Alert log from cache.log happens
> again. And so I can't access some https pages such as chatwork.com, facebook.com.

You do understand that this is a log entry that cannot be completely
removed, right? The problem can only be reduced in how much damage is
done, not fixed.

Also be aware that the cache.log records every security event. Even when
the user does not see anything unusual because Squid sends them
transparently to the server they were trying to contact as if the proxy
was not there (real transparency).

You seem to be doing everything that can be done about the connectivity
issues related to that log message.

I suspect that any remaining issues you are now having with those HTTPS
sites are a separate problem with the Squid-3 SSL-Bump code or TLS
protocol itself. You need to take a closer look at the exact
transactions that are going on with those remaining problem sites.

If the problem turns out to be anything in the TLS protocol messages, the
'splice' action that your Squid is currently doing means that type of
problem has nothing to do with Squid. It is the client and server
endpoints having the issue between themselves.

You could also try out Squid 3.5.27 or Squid-4 code for a more up-to-date
SSL-Bump implementation. There are a few changes to how the
connection management works that might show up as weird problems in
Squid-3 despite the splice. Even the 7 months between your 3.5.20 and
3.5.27 have a few of those.

Amos