[squid-users] making proxy-int to talk to proxy-ext

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 27 13:35:22 UTC 2019


On 27/11/19 11:56 am, robert k Wild wrote:
> Hi Alex,
> 
> I have done some more troubleshooting and my external proxy is good, I
> get no errors and I have got one of my DMZ hosts connected to it and I
> can browse the web, but my internal proxy can't contact my external
> proxy. This is the error when I run it -
> 
> 2019/11/26 22:53:28| Error parsing SSL Server Hello Message on FD 15
> 2019/11/26 22:53:28| ERROR: negotiating TLS on FD 15: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol (1/-1/0)
> 2019/11/26 22:53:28| TCP connection to 172.16.55.21/3128 failed
> 2019/11/26 22:53:28| Detected DEAD Parent: 172.16.55.21
> 2019/11/26 22:53:28| Error negotiating SSL connection on FD 13: error:00000001:lib(0):func(0):reason(1) (1/0)
> 
> this is my config on my internal proxy -
> 
> #
> # Recommended minimum configuration:
> #
> 
> #SSL
> http_port 3128 ssl-bump \
> cert=/etc/squid/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> 
...
> #squid proxy in DMZ on internet
> cache_peer 172.16.55.21 parent 3128 0 default
...
> never_direct allow all
> 

So, all traffic MUST use the cache_peer which cannot handle TLS input.


You need to either configure TLS/SSL in the peer and set the cache_peer
line appropriately for that so this proxy can re-encrypt traffic going
there,

OR, upgrade to Squid-5 which has the ability to re-encrypt and send to a
regular peer proxy.


Amos
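The first option Amos describes (a TLS listener on the DMZ peer plus a cache_peer line that re-encrypts to it), written out as an added example that is not part of the original thread. It assumes Squid 4 option names on both proxies, a second listening port 3129 on the external proxy so the plain http_port 3128 stays available to the DMZ hosts, certificate/key paths for the external proxy that are made up for this example, and that the poster's myCA.pem is the CA that signed the external proxy's certificate.

```conf
# ---- external proxy in the DMZ (172.16.55.21) ----
# Keep the existing plain listener for DMZ clients.
http_port 3128

# Added TLS listener for the internal proxy to forward into.
# Certificate and key paths are assumptions for this example; the certificate
# must name 172.16.55.21 (or a hostname, see tls-domain= below) and be signed
# by the CA the internal proxy trusts.
https_port 3129 tls-cert=/etc/squid/ssl_cert/proxy-ext.crt tls-key=/etc/squid/ssl_cert/proxy-ext.key

# ---- internal proxy ----
# The http_port ... ssl-bump, sslcrtd_program and ssl_bump lines from the
# original config stay exactly as they were.

# Replace the plain cache_peer line: "tls" makes Squid speak TLS to the parent
# and tls-cafile= verifies the parent's certificate against the poster's CA.
# Add tls-domain=<name> (placeholder) if the peer certificate carries a
# hostname rather than the IP address used here.
cache_peer 172.16.55.21 parent 3129 0 default tls tls-cafile=/etc/squid/ssl_cert/myCA.pem
never_direct allow all
```

After editing, `squid -k parse` on each box reports option or path mistakes before a reload, and `openssl s_client -connect 172.16.55.21:3129` from the internal proxy should now show a certificate chain instead of the "unknown protocol" failure from the cache.log above; if the handshake works there but Squid still marks the parent dead, the certificate name or CA file is the next thing to check.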

