[squid-users] Unable to open youtube.com
Amos Jeffries
squid3 at treenet.co.nz
Wed Oct 17 05:06:37 UTC 2018
On 17/10/18 5:17 PM, Timur Lagutenko wrote:
> I'm sure that the issue is not related to firewall rules,
> because if I pass traffic from the client IP (using NAT, browser is not
> configured to use proxy) it works.
Ah, you said earlier that you did not have SSL-Bump features enabled.
How are you intercepting the port 443 HTTPS traffic with NAT and
converting it to port 80 or 3128 syntax HTTP for Squid to handle?
Squid cannot MITM the "raw" port 443 TLS without SSL-Bump being configured.
Also since it is a Google service it may not be using TCP port 443 at
all. It may actually be performing their QUIC protocol instead of HTTPS.
That has to be blocked entirely to be sure the proxy is actually
receiving all the relevant traffic.
> I think it is related to some SSL/TLS lib in the system,
> because today I've tried a CLI browser - links.
> Launching it directly from the gateway (which has direct access to the web), I
> was able to browse any site in text mode,
> except YouTube.
> So I guess it is related to some missing SSL lib.
> Could you please suggest how I can find all required libs for my Squid?
>
If Squid starts without crashing, the libs it has been compiled to use
are present on your machine.
If you built it yourself on the same machine, it only uses library
features that machine had at the time of the build - so maybe a rebuild is
needed to get access to newer library features.
When it comes to TLS though, the library itself is doing the config parse
and setup for crypto things. So Squid does not particularly need to even
be configured to use features the library enables by default, which
usually include the current industry-standard ciphers etc.
If Squid accepts your config file and does not produce an ERROR or FATAL
message when you run "squid -k parse" all the libs required to run your
config have been compiled in and loaded.
> # squid -v
> Squid Cache: Version 3.5.28
> Service Name: squid
>
> This binary uses OpenSSL 1.0.2p 14 Aug 2018. For legal restrictions on
> distribution see https://www.openssl.org/source/license.html
Your problem may be TLS/1.3 related. OpenSSL 1.0.* only supports a max
of TLS/1.2. Squid-3.5 also only supports the OpenSSL 1.0.* library.
AFAIK, Google are one of the organizations heavily pushing TLS changes
and bias their services towards forcing the latest crypto whenever they
can. It is strange that others have not reported issues en masse, so this
is somewhat unlikely.
Other admins' reports of similar behaviour with YouTube have turned out to
be TLS restrictions that pretty much prohibit the weaker crypto Google
services still allow and only let the very advanced ones (not supported
by their Squid) work.
But also those restrictions were done via SSL-Bump configs. Since you
don't use SSL-Bump it is unlikely to be the same - which leaves us only
with the network/firewall level issues as known things to look at.
Amos
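As an added diagnostic (not part of any message in this thread), the Python script below reads the OpenSSL line out of `squid -v` output to derive the TLS ceiling of that build, then attempts a handshake capped at TLS 1.2 against a host to see whether the site still accepts a client limited to what Squid-3.5 on OpenSSL 1.0.2 can offer. The `squid -v` text is a constructed sample modelled on the one quoted above, and the hostnames in the demo are assumptions; run it from the Squid host itself so the network path matches.

```python
import re
import socket
import ssl

# Constructed sample of "squid -v" output, modelled on the one quoted in the thread.
SAMPLE_SQUID_V = """Squid Cache: Version 3.5.28
Service Name: squid
This binary uses OpenSSL 1.0.2p 14 Aug 2018. For legal restrictions on
distribution see https://www.openssl.org/source/license.html
"""


def openssl_version(squid_v_output):
    """Extract the OpenSSL version string (e.g. '1.0.2p') from `squid -v` output."""
    m = re.search(r"uses OpenSSL (\d+\.\d+\.\d+[a-z]*)", squid_v_output)
    return m.group(1) if m else None


def max_tls_for_openssl(version):
    """Highest TLS version that OpenSSL release can negotiate: TLS 1.3 arrived in 1.1.1."""
    major, minor, patch = (int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return "TLSv1.3" if (major, minor, patch) >= (1, 1, 1) else "TLSv1.2"


def tls12_capped_context():
    """Client context pinned to TLS 1.2, mimicking what a Squid 3.5 + OpenSSL 1.0.2 build offers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, timeout=5):
    """Handshake with the TLS 1.2-capped context; report the negotiated version or the failure."""
    ctx = tls12_capped_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    ver = openssl_version(SAMPLE_SQUID_V)
    print(f"Squid built against OpenSSL {ver}: max {max_tls_for_openssl(ver)}")
    for host in ("www.youtube.com", "www.example.com"):  # assumed hosts; needs network access
        print(host, probe(host))
```

A result of `ok: False` with a handshake error, while a TLS 1.3-capable client on the same machine succeeds, points at the crypto ceiling rather than the firewall; a successful TLS 1.2 handshake sends you back to the network-level checks.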