[squid-users] site opens only without ssl bump
Alex Rousskov
rousskov at measurement-factory.com
Thu Nov 3 13:05:24 UTC 2022
On 11/3/22 05:43, Majed Zouhairy wrote:
> i have 2 proxies, one with ssl bump and one without, there is an internal
> site that opens only on the no ssl bump proxy.
>
> on the ssl bump proxy it displays:
What does Squid say in access.log for this problematic request? Please
configure Squid to log %err_code/%err_detail before answering this
question. For example:
logformat xsquid ...your regular %codes... %err_code/%err_detail
access_log ... xsquid
Does the site work if you temporarily replace your ssl_bump rules with:
ssl_bump peek all
ssl_bump splice all
Does the site work if you temporarily replace your ssl_bump rules with:
ssl_bump peek tls_s1_connect
ssl_bump splice all
Alex.
> Не удается получить доступ к сайту
> Веб-страница по адресу (i was unable to gain access to website:)
> https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback,
> возможно, временно недоступна или постоянно перемещена по новому адресу.
> (it is possible that it can not be reached or it has been permanently
> relocated to a new address)
> ERR_TUNNEL_CONNECTION_FAILED
>
> the site needs special configurations to run:
> it needs a local proxy to run, avtunproxy.nl
> in the internet explorer settings:
> the second box in the proxy settings needs to be checked called the "use
> the scenario for automatic configuration"
> in it, the proxy address is plugged
> http://127.0.0.1:10224/proxy.pac
>
> my bump settings are as follows:
>
>
> acl tls_s1_connect at_step SslBump1
> acl tls_s2_client_hello at_step SslBump2
> acl tls_s3_server_hello at_step SslBump3
>
> # define acls for sites that must not be actively bumped
>
> acl tls_allowed_hsts ssl::server_name .akamaihd.net
> acl tls_allowed_hsts ssl::server_name .proxy.ckko.nl
> acl tls_server_is_bank ssl::server_name "/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
> acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
>
> # TLS/SSL bumping steps
>
> ssl_bump peek tls_s1_connect     # peek at TLS/SSL connect data
> ssl_bump splice tls_to_splice    # splice some: no active bump
> ssl_bump stare all               # stare (peek) at server properties of the webserver
> ssl_bump bump
>
> contents of the
> /usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:
>
> .ckko.nl
> .ias.ckko.nl
> .test-auth.ias.ckko.nl
> .config.avtunproxy.nl
> .rand.avtunproxy.nl
> .avast.nl
> .dev.avast.nl
> .ncis.nl
> .cdn.nlpost.nl
>
> those are all the sites that are logged in on the non ssl bump proxy
> when ias.ckko.nl is accessed
>
> despite all this configuration, the site does not open. in ufdbguard
> every site from the user is a pass.
>
> in avtunproxy log :
>
> 2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching
> https://ckko.nl/upload/certificates/8.crl
> 2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e]
> [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
> 2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e]
> [addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT
> test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
> 2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf]
> [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read
> tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing connection
> was forcibly closed by the remote host.
> 2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf]
> [addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT
> test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
> 2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021]
> [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
> 2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021]
> [addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT
> test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
> 2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59]
> [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
> 2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59]
> [addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT
> test-oauth.ais.ckko.nl:443 -- 500 -- 12.000000 ms
> 2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a]
> [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
> 2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a]
> [addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT
> test-oauth.ais.ckko.nl:443 -- 500 -- 15.000000 ms
> 2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178]
> [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - read
> tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing connection
> was forcibly closed by the remote host.
> 2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178]
> [addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT
> test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
> 2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c]
> [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
> 2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c]
> [addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT
> test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
> 2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559]
> [addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
> 2022/11/03 12:28:42.190001 |INF| [rid=27a7baff0fe5d70e]
> [addr=127.0.0.1:10542] GET /static/bootstrap.js - HTTP 200 - OK
> 2022/11/03 12:28:42.192001 |INF| [rid=dbddaaa3f7759903]
> [addr=127.0.0.1:10459] GET /static/bootstrap.css - HTTP 200 - OK
> 2022/11/03 12:28:42.287001 |INF| [rid=7e81e98ea9c70d3f]
> [addr=127.0.0.1:10544] GET /api/v2/log
>
>
> what is the solution?
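Two things in this thread lend themselves to a small tool: Alex's request to log %err_code/%err_detail so the failing CONNECT can be classified from access.log, and the question of whether the splice list Majed posted actually covers the host that fails. The following is an added example written for this page, not code from the thread or from the Squid project. It assumes a logformat built from Squid's default `squid` format with `%err_code/%err_detail` appended (shown in the module docstring), and it models `ssl::server_name` list matching the way Squid documents dstdomain-style patterns: a leading dot matches the domain itself and all subdomains, no leading dot means an exact match. The access.log lines, error codes and error details in `SAMPLE_LOG` are constructed for illustration; only the client address, the failing host and the splice-list entries are taken from the thread.

```python
"""Classify Squid TLS/CONNECT failures from access.log and check splice-list coverage.

Added example for the squid-users thread, not code from the thread or from Squid.
Assumed logformat (Squid's default 'squid' format plus the two error fields):

    logformat xsquid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail
    access_log /var/log/squid/access.log xsquid
"""
from __future__ import annotations

from collections import Counter
from typing import Iterable, Optional

# Constructed sample lines in the xsquid format above. Error codes/details are
# illustrative values, not output captured from the thread's proxy.
SAMPLE_LOG = """\
1667478514.634     14 192.168.2.5 NONE_NONE/500 0 CONNECT test-oauth.ais.ckko.nl:443 - HIER_NONE/- - ERR_SECURE_CONNECT_FAIL/SQUID_ERR_SSL_HANDSHAKE
1667478515.723     19 192.168.2.5 NONE_NONE/500 0 CONNECT test-oauth.ais.ckko.nl:443 - HIER_NONE/- - ERR_SECURE_CONNECT_FAIL/SQUID_ERR_SSL_HANDSHAKE
1667478522.188    120 192.168.2.5 TCP_TUNNEL/200 3851 CONNECT cdn.nlpost.nl:443 - HIER_DIRECT/203.0.113.10 - -/-
1667478522.190     88 192.168.2.5 TCP_MISS/200 5123 GET https://www.example.com/ - HIER_DIRECT/203.0.113.20 text/html -/-
1667478525.001     30 192.168.2.5 NONE_NONE/500 0 CONNECT updates.example.org:443 - HIER_NONE/- - ERR_CONNECT_FAIL/SYSERR=111
"""

# Splice list as posted in the thread (domains.squidsplice).
SPLICE_LIST = [
    ".ckko.nl", ".ias.ckko.nl", ".test-auth.ias.ckko.nl",
    ".config.avtunproxy.nl", ".rand.avtunproxy.nl",
    ".avast.nl", ".dev.avast.nl", ".ncis.nl", ".cdn.nlpost.nl",
]

FIELDS = ("ts", "elapsed", "client", "status", "size", "method", "url",
          "user", "hier", "mime", "err")


def host_of(method: str, url: str) -> str:
    """Extract the server host: host:port for CONNECT, otherwise from the URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    rest = url.split("://", 1)[-1]          # drop scheme if present
    return rest.split("/", 1)[0].rsplit(":", 1)[0].lower()


def parse_xsquid(line: str) -> Optional[dict]:
    """Parse one xsquid line into a dict; None if the field count is wrong."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["err_code"], rec["err_detail"] = rec.pop("err").split("/", 1)
    rec["host"] = host_of(rec["method"], rec["url"])
    return rec


def tls_error_summary(lines: Iterable[str]) -> dict[tuple[str, str, str], int]:
    """Count requests with a non-empty err_code, keyed by (host, err_code, err_detail)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_xsquid(line)
        if rec and rec["err_code"] != "-":
            counts[(rec["host"], rec["err_code"], rec["err_detail"])] += 1
    return dict(counts)


def domain_matches(host: str, pattern: str) -> bool:
    """Squid-style domain pattern: '.example.nl' matches example.nl and every
    subdomain; 'example.nl' matches only that exact name (assumption, see lead-in)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def covered_by(host: str, patterns: Iterable[str]) -> list[str]:
    """All list entries that would match this host."""
    return [p for p in patterns if domain_matches(host, p)]


def redundant_entries(patterns: list[str]) -> dict[str, str]:
    """Entries already covered by a broader dotted entry in the same list."""
    out: dict[str, str] = {}
    for p in patterns:
        for q in patterns:
            if q != p and q.startswith(".") and domain_matches(p.lstrip("."), q):
                out[p] = q
                break
    return out


def failing_hosts_coverage(lines: Iterable[str], patterns: list[str]) -> dict[str, list[str]]:
    """For each host that produced an error, which splice-list entries cover it."""
    hosts = sorted({host for host, _, _ in tls_error_summary(lines)})
    return {h: covered_by(h, patterns) for h in hosts}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (host, code, detail), n in sorted(tls_error_summary(lines).items()):
        print(f"{n:4d}  {host:30s} {code}/{detail}")
    for host, hits in failing_hosts_coverage(lines, SPLICE_LIST).items():
        print(f"{host}: {'spliced by ' + ', '.join(hits) if hits else 'NOT in splice list'}")
    for entry, broader in redundant_entries(SPLICE_LIST).items():
        print(f"redundant: {entry} already covered by {broader}")
```

Run against the real access.log in place of `SAMPLE_LOG` once the xsquid logformat is active; a host that fails but is not covered by the splice list points at the ACL, while a host that is covered yet still fails points at the connection itself (the err_detail then says why), which is the distinction Alex's peek/splice experiments are meant to draw.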