[squid-users] squid 5.0.4 cache_peer bug on https outgoing
sec
openwrt.jp at gmail.com
Sun Sep 27 16:07:45 UTC 2020
X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71
Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
### 0x01 squid version
squid -v
Squid Cache: Version 5.0.4
Service Name: squid
This binary uses OpenSSL 1.0.2g 1 Mar 2016. For legal restrictions on
distribution see https://www.openssl.org/source/license.html
configure options: '--prefix=/usr' '--exec-prefix=/usr'
'--includedir=/usr/include' '--datadir=/usr/share' '--libdir=/usr/lib64'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--sysconfdir=/etc/squid' '--sharedstatedir=/var/lib'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--with-default-user=squid' '--enable-silent-rules'
'--enable-dependency-tracking' '--with-openssl' '--enable-icmp'
'--enable-delay-pools' '--enable-useragent-log' '--enable-esi'
'--disable-ipv6' '--enable-ssl-crtd' '--enable-follow-x-forwarded-for'
'--enable-auth' --enable-ltdl-convenience
### 0x02 peers.conf
cache_peer 127.0.0.1 parent 3129 0 ssl weighted-round-robin login
=admin:squid name=crawler1
curl http://google.com -x https://admin:squid@localhost:3128 -v -k
< HTTP/1.1 503 Service Unavailable
< Server: squid/5.0.4
< Mime-Version: 1.0
< Date: Sun, 27 Sep 2020 15:55:05 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1647
< X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from example.com
< Connection: keep-alive
The upstream proxy itself is OK (3129 is glider); connecting to it directly works:
curl http://google.com -x https://admin:squid@localhost:3129 -v -k
<HTML><HEAD><meta http-equiv="content-type" content=
"text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
### 0x03 the possible solution: DONT_VERIFY_PEER
So, on Squid 4/5, the DONT_VERIFY_PEER flag is deprecated.
How do I get the same behaviour on Squid 5.0.4?
### 0x04 squid.conf
# ---- access control ----
# NOTE(review): Safe_ports spans every TCP port, so "http_access deny !Safe_ports"
# below can never match; the usual safe list is a handful of ports plus 443.
acl SSL_ports port 443
acl Safe_ports port 1-65535 # unregistered ports
acl CONNECT method CONNECT
acl HEAD method HEAD
http_access deny !Safe_ports
http_access deny manager
# NOTE(review): no proxy_auth ACL appears in this file, so "allow all" lets any client
# that can reach 3128 relay through the peer at the bottom using the login= credentials.
# The admin:squid that curl sends to 3128 in the transcript above is therefore not being
# checked by Squid itself -- restrict by source ACL or add proxy authentication.
http_access allow all
# Listener: TLS-to-proxy on 3128 with SSL-Bump. With generate-host-certificates=on this
# cert/key signs the per-host certificates minted for bumped sites, i.e. it acts as a CA
# for every client that trusts it; keep server.key readable by the Squid user only.
http_port 3128 ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=100MB \
cert=/etc/squid/server.crt key=/etc/squid/server.key
# NOTE(review): the commented "bump" form on the next line is the action-based syntax
# used by Squid 4/5; confirm that the allow/deny spelling is still accepted by 5.0.4.
ssl_bump allow all
#ssl_bump bump all
# Accepts any origin-server certificate error (expired, untrusted issuer, name mismatch).
# The same line is repeated after tls_outgoing_options below.
sslproxy_cert_error allow all
# NOTE(review): the build shown above was configured with --libexecdir=/usr/lib64/squid;
# confirm that this helper path and /usr/local/squid/ssl_db actually exist on this host.
# (The helper line is wrapped onto two lines as pasted.)
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/usr/local/squid/ssl_db -M 400MB
#sslproxy_flags DONT_VERIFY_PEER
# DONT_VERIFY_PEER + DONT_VERIFY_DOMAIN switch off certificate verification for Squid's
# outgoing TLS, so an on-path attacker between Squid and the upstream goes undetected;
# options=ALL presumably maps to OpenSSL's bug-workaround option set. Prefer supplying a
# CA that trusts the peer's certificate over disabling verification.
# NOTE(review): this directive governs Squid's own outgoing TLS; the cache_peer line at the
# end carries per-peer TLS settings -- check the 5.x cache_peer documentation for whether
# the peer's verification (or, better, its CA) must be configured there instead, since the
# 503 above reports ERR_SECURE_CONNECT_FAIL on the handshake to that peer.
tls_outgoing_options options=ALL flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
# Duplicate of the sslproxy_cert_error line above.
sslproxy_cert_error allow all
coredump_dir /var/spool/squid3
# ---- cache tuning ----
# NOTE(review): the URL on the line after "# based on" appears to be a wrapped continuation
# of that comment; as pasted it is not commented out. Several refresh_pattern rules below
# are likewise wrapped across two lines and must be single lines in the real file.
# based on
http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q=
#All File
# reload-into-ims turns client reload/no-cache requests for these objects into
# If-Modified-Since revalidations instead of full refetches.
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms)
1440 100% 129600 reload-into-ims
refresh_pattern -i \.
(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 1440 100% 129600
reload-into-ims
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)
1440 100% 129600 reload-into-ims
refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p))
1440 100% 129600 reload-into-ims
refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav)
1440 100% 129600 reload-into-ims
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t))
1440 100% 129600 reload-into-ims
refresh_pattern -i \.(doc|pdf)$ 1440 50% 43200 reload-into-ims
refresh_pattern -i \.(html|htm)$ 1440 50% 40320 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
# Catch-all rule; must stay last.
refresh_pattern . 0 20% 4320
# http options
# via off / forwarded_for off suppress the headers that would reveal this proxy to the
# upstream.
via off
forwarded_for off
vary_ignore_expire on
# memory cache options
cache_mem 512 MB
maximum_object_size_in_memory 256 KB
# NOTE(review): second forwarded_for setting; presumably the later one wins -- keep one.
forwarded_for delete
ipcache_size 4096
# Squid resolves names itself via this nameserver instead of the system resolver.
dns_nameservers 8.8.8.8
# error page
# NOTE: " at " in the address below is the mailing-list's obfuscation of "@".
# visible_hostname is what shows in the "X-Cache: MISS from ..." header of the 503 above.
cache_mgr admin at example.com
visible_hostname example.com
email_err_data off
err_page_stylesheet none
# ---- peers ----
# The peers.conf include is commented out; the same cache_peer line is inlined below.
#include /etc/squid/peers.conf
# use glider to build an http(s)/socks5 proxy on same port 3129
# https://github.com/nadoo/glider
# glider -listen admin:squid at 0.0.0.0:3129
# Parent peer over TLS ("ssl"; in Squid 4+ the option is spelled tls, with ssl as the
# legacy alias as far as I recall). login= sends these credentials to the peer on every
# request and stores them in clear text here: restrict this file's permissions and
# rotate them, since they also appear in the curl transcripts above.
# NOTE(review): the line is wrapped as pasted; "login=admin:squid" must be one token.
cache_peer 127.0.0.1 parent 3129 0 ssl weighted-round-robin login
=admin:squid name=crawler1
# never_direct: outgoing only by peers
# With no DIRECT fallback, a failed peer handshake surfaces to the client as the 503
# shown above rather than being retried directly.
never_direct allow all
# NOTE(review): the binary was built with --with-default-user=squid; this overrides it to
# "proxy" -- make sure the cert/key, ssl_db and log/cache directories are owned accordingly.
cache_effective_user proxy