[squid-users] Connection to cache peer failed "SSL Transparent proxy'
Walid A. Shaari
walid.shaari at linux.com
Mon Feb 4 15:07:46 UTC 2019
Hello,
I have a squid proxy, trying to configure it to enforce traffic from a
private cloud appliance (Azure Stack) to go over to the corporate proxy.
traffic is mostly https, I see the below errors, note that ParentProxy-22
is the parent proxy listening on port 9090. also, why in the access logs I
have some entries not going to parent proxy (e.g. 1549282865.527 13
192.168.3.10 NONE/200 0 CONNECT 52.138.216.83:443 - HIER_NONE/- -)
### error logs ### Feb 4 15:26:38 azproxy squid[192272]: TCP connection to
ParentProxy-22/9090 failed
Feb 4 15:26:38 azproxy squid[192272]: Error parsing SSL Server Hello
Message on FD 20
Feb 4 15:26:38 azproxy squid[192272]: ERROR: negotiating TLS on FD 20:
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
(1/-1/0)
Feb 4 15:26:38 azproxy squid[192272]: TCP connection to ParentProxy-22/9090
failed
Feb 4 15:26:38 azproxy squid[192272]: Detected DEAD Parent: ParentProxy-22
Feb 4 15:26:38 azproxy squid[192272]: Detected REVIVED Parent:
ParentProxy-22
Feb 4 15:26:38 azproxy squid[192272]: Error parsing SSL Server Hello
Message on FD 24
Feb 4 15:26:38 azproxy squid[192272]: ERROR: negotiating TLS on FD 24:
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
(1/-1/0)
Feb 4 15:26:38 azproxy squid[192272]: TCP connection to ParentProxy-22/9090
failed
The squid configuration is as follows:
### iptables setup ### [root@ azproxy ~] $ iptables -L -t nat -n -v Chain
PREROUTING (policy ACCEPT 6089 packets, 376K bytes) pkts bytes target prot
opt in out source destination 5029 261K REDIRECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80 redir ports 8080
21742 1130K REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir
ports 8090 ### squid.conf ## dns_v4_first on
cache_peer ParentProxy-22 parent 9090 0 no-query
sslcapath=/etc/pki/ca-trust/source/anchors/
acl local-network dstdomain .azcompany.com
acl everything src 10.0.0.0/8
http_access allow everything
never_direct deny local-network
never_direct allow all
http_port 8080 intercept
https_port 8090 intercept ssl-bump generate-host-certificates=on
cert=/etc/squid/ssl_certs/azproxyCA.pem dynamic_cert_mem_cache_size=16MB
#connection-auth=off
http_port 8100 #forward port not used.
sslcrtd_program /usr/lib64/squid/security_file_certgen -s
/var/spool/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
tls_outgoing_options /etc/pki/ca-trust/source/anchors/ca.crt
debug_options ALL,9### excerpts from access log ### 1549282836.118 44
192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 -
FIRSTUP_PARENT/ParentProxy-22 -:
1549282836.150 14 192.168.3.11 TCP_MISS_ABORTED/503 4272 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?
- FIRSTUP_PARENT/ParentProxy-22 text/html
1549282836.271 38 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 -
FIRSTUP_PARENT/ParentProxy-22 -
1549282836.300 13 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 -
FIRSTUP_PARENT/ParentProxy-22 -
1549282837.661 30 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 -
FIRSTUP_PARENT/ParentProxy-22 -
1549282837.710 19 192.168.3.11 TCP_MISS_ABORTED/503 4272 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?
- FIRSTUP_PARENT/ParentProxy-22 text/html
1549282837.797 4 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 -
HIER_NONE/- -1549282837.856 42 192.168.3.11 NONE/200 0 CONNECT
23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282840.277 15 192.168.3.7 TCP_MISS_ABORTED/503 4272 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?
- FIRSTUP_PARENT/ParentProxy-22 text/html
1549282840.300 17 192.168.3.7 TCP_MISS_ABORTED/503 4272 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?
- FIRSTUP_PARENT/ParentProxy-22 text/html
1549282848.695 19 192.168.3.17 TCP_MISS/200 2283 GET
http://ocsp.aramco.com.sa/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTcIwl9uZE4WwaD1jq3IdqcP3CI0wQUBCvyP4WY3ATuQXNOru2Zj%2B6W%2BfcCExkAABWDWqKqrUfWBR8AAAAAFYM%3D
-
ORIGINAL_DST/10.1.152.115 application/ocsp-response
1549282853.233 17 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 -
FIRSTUP_PARENT/ParentProxy-22 -
1549282853.266 14 192.168.3.10 TCP_MISS_ABORTED/503 4272 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?
- FIRSTUP_PARENT/ParentProxy-22 text/html
1549282853.299 17 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 -
FIRSTUP_PARENT/ParentProxy-22 -
1549282853.329 14 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 -
FIRSTUP_PARENT/ParentProxy-22 -
1549282865.527 13 192.168.3.10 NONE/200 0 CONNECT 52.138.216.83:443 -
HIER_NONE/- -
1549282865.552 13 192.168.3.10 TCP_MISS_ABORTED/503 4272 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?
-FIRSTUP_PARENT/ParentProxy-22 text/html
1549282865.615 57 192.168.3.10 TCP_MISS/503 4689 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?
-FIRSTUP_PARENT/ParentProxy-22 text/html
1549282875.690 38 192.168.3.17 TCP_MISS/503 4707 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?
-FIRSTUP_PARENT/ParentProxy-22 text/html
1549282875.711 14 192.168.3.17 TCP_MISS_ABORTED/503 4272 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?
- FIRSTUP_PARENT/ParentProxy-22 text/html
1549282876.012 28 10.8.101.53 NONE/200 0 CONNECT 111.221.29.254:443 -
FIRSTUP_PARENT/ParentProxy-22 -
1549282880.455 18 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 -
FIRSTUP_PARENT/ParentProxy-22 -
1549282880.544 42 192.168.3.10 TCP_MISS_ABORTED/500 4272 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?
- HIER_NONE/- text/html
1549282880.614 17 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 -
FIRSTUP_PARENT/ParentProxy-22 -
1549282880.644 13 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 -
FIRSTUP_PARENT/ParentProxy-22 -
1549282880.995 22 192.168.3.4 TCP_MISS_ABORTED/503 4272 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?
- FIRSTUP_PARENT/ParentProxy-22 text/html
1549282881.026 25 192.168.3.4 TCP_MISS_ABORTED/503 4272 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?
- FIRSTUP_PARENT/ParentProxy-22 text/html
1549282882.164 19 192.168.3.17 TCP_MISS/503 4689 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?
- FIRSTUP_PARENT/ParentProxy-22 text/html
==== squid version and build ===
[root at azproxy ~] $ squid -v
Squid Cache: Version 4.5
Service Name: squid
This binary uses OpenSSL 1.0.2k-fips 26 Jan 2017. For legal restrictions on
distribution see https://www.openssl.org/source/license.html configure
options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--disable-dependency-tracking' '--enable-follow-x-forwarded-for'
'--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake'
'--enable-auth-ntlm=fake' '--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-
helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,
file_userip,SQL_session,unix_group,session,time_quota'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-removal-policies=heap,lru' '--enable-snmp'
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi'
'--enable-security-cert-generators' '--enable-security-cert-validators'
'--enable-icmp' '--with-aio' '--with-default-user=squid'
'--with-filedescriptors=16384' '--with-dl' '--with-openssl'
'--enable-ssl-crtd' '--with-pthreads' '--with-included-ltdl'
'--disable-arch-native' '--without-nettle'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
--enable-ltdl-convenience
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20190204/07b00ae1/attachment-0001.html>
More information about the squid-users
mailing list