[squid-users] SSL termination problem - squid's requests using https
Sam Holden
sam.holden at steeprockinc.com
Tue Sep 17 21:02:55 UTC 2019
On Tue, Sep 17, 2019 at 4:07 PM Alex Rousskov
<rousskov at measurement-factory.com> wrote:
>
> On 9/17/19 2:07 PM, Sam Holden wrote:
>
> > https_port 4277 accel ... protocol=http
>
> > sees port 4227 act as an http port (no ssl)
>
> Assuming you meant "4277" when you said "4227" (or vice versa), your
> statement sounds like an indication of a Squid bug to me: The "protocol"
> option is documented to affect Squid-to-origin URL reconstruction. It
> should have no effect on client-to-Squid communication (and https_port,
> of course, expects TLS connections). In other words, the above
> configuration should do what you want in principle AFAICT.
>
> How does Squid report the above https_port at startup? Look for the
> "Accepting ... at ..." line early in your cache.log.
Yes, I made a typo on the port number in my text.
When I have protocol=http it reports:
2019/09/17 20:08:55| Accepting reverse-proxy HTTP Socket connections
at local=0.0.0.0:4277 remote=[::] FD 13 flags=9
When I don't set the protocol it reports:
2019/09/17 20:17:38| Accepting reverse-proxy HTTPS Socket connections
at local=0.0.0.0:4277 remote=[::] FD 13 flags=9
So it seems to be following the protocol= for the incoming protocol
rather than just the outgoing. I've tried compiling the 4.6 source
tarball and building the Debian source package (to add openssl) which
is a few minor versions older but with the normal Debian backporting.
I'm going to try the old stock Debian one again - I think it was
working with gnutls though I couldn't see a way to make the screen
long options list work with gnutls.
>
> What happens when you connect to the above https_port using a TLS
> connection?
When I have the protocol=http I get (443 is being mapped to 4277 elsewhere):
$ wget https://127.0.0.1:4277/ --no-check-certificate
--2019-09-17 20:53:04-- https://127.0.0.1:4277/
Connecting to 127.0.0.1:443... connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.
$ wget http://127.0.0.1:4277/
--2019-09-17 20:54:17-- http://127.0.0.1:4277/
Connecting to 127.0.0.1:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 61979 (61K) [text/html]
>
> Alex.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
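
An added example, not part of the original message and not Squid project code: a check that compares the https_port directives in squid.conf with the "Accepting ... at ..." startup lines in cache.log and flags any port declared as https_port that Squid reports as accepting plain HTTP, which is the symptom shown in this thread. The function names are hypothetical, and the sample inputs are constructed from the directive and log lines quoted above (the 3128 listener is an assumed extra entry).

```python
import re

# Constructed sample inputs. The "..." in the directive is kept as posted in
# the thread; the http_port 3128 entry and its log line are assumptions.
SAMPLE_CONF = """\
http_port 3128
https_port 4277 accel ... protocol=http
"""
SAMPLE_LOG = """\
2019/09/17 20:08:55| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
2019/09/17 20:08:55| Accepting reverse-proxy HTTP Socket connections at local=0.0.0.0:4277 remote=[::] FD 13 flags=9
"""

# Directive name and listening address; commented-out lines do not match.
PORT_RE = re.compile(r"^\s*(http_port|https_port)\s+(\S+)", re.M)
# Optional mode words (e.g. "reverse-proxy"), then the protocol Squid accepts.
# \s+ also tolerates a log line that an archive has wrapped before "at".
ACCEPT_RE = re.compile(
    r"Accepting\s+(?:[\w-]+\s+)*?(HTTPS?) Socket connections\s+at\s+local=(\S+)")


def _port(addr):
    """Port number from '4277', '0.0.0.0:4277' or '[::]:4277'."""
    return int(addr.rsplit(":", 1)[-1])


def configured_ports(conf_text):
    """Map port number -> directive name (http_port or https_port)."""
    return {_port(addr): name for name, addr in PORT_RE.findall(conf_text)}


def reported_listeners(log_text):
    """Map port number -> 'HTTP' or 'HTTPS' as reported at startup."""
    return {_port(local): proto for proto, local in ACCEPT_RE.findall(log_text)}


def plaintext_tls_ports(conf_text, log_text):
    """Ports declared with https_port that Squid accepts as plain HTTP."""
    reported = reported_listeners(log_text)
    return sorted(port for port, name in configured_ports(conf_text).items()
                  if name == "https_port" and reported.get(port) == "HTTP")


if __name__ == "__main__":
    for port in plaintext_tls_ports(SAMPLE_CONF, SAMPLE_LOG):
        print(f"https_port {port} is accepting plain HTTP (no TLS)")
```

Run against the real squid.conf and the current cache.log after each restart; an empty result means every https_port listener was reported as HTTPS.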