[squid-users] squid-users Digest, Vol 97, Issue 20
Adiseshu Channasamudhram
csadi at hotmail.com
Mon Sep 12 12:39:59 UTC 2022
Hello Amos,
Thank you for looking into this. Below is the configuration ...
###########################
logformat squid %tl %6tr %>a %<a %dt %<rd %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt %<tt %<pt %{Nuance-Session-ID}>h
cache_access_log /var/log/squid/access.log squid
pid_filename /var/run/squid.pid
visible_hostname nuance-ak-client-test2
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT
cache deny all
dns_v4_first on
http_port 443 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/etc/squid/squidCA.pem cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem
# Below, a.b.c.d is the backend IP
cache_peer a.b.c.d parent 443 0 no-query proxy-only no-digest originserver ssl sslcert=/etc/certs/abc.crt sslkey=/etc/certs/key.pem sslcapath=/etc/certs/ sslflags=DONT_VERIFY_PEER name=dev
acl dev myport 443
acl dev myport 80
acl dev myport 3129
http_access allow all
cache_peer_access dev allow dev
#cache_peer_access dev deny all
#URL_REWRITE_PROGRAM /etc/squid/rewrite-http.pl
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
________________________________
From: squid-users <squid-users-bounces at lists.squid-cache.org> on behalf of squid-users-request at lists.squid-cache.org <squid-users-request at lists.squid-cache.org>
Sent: Sunday, September 11, 2022 8:00 AM
To: squid-users at lists.squid-cache.org <squid-users at lists.squid-cache.org>
Subject: squid-users Digest, Vol 97, Issue 20
Today's Topics:
1. https on frontend (Adiseshu Channasamudhram)
2. Re: https on frontend (Amos Jeffries)
----------------------------------------------------------------------
Message: 1
Date: Sat, 10 Sep 2022 18:19:23 +0000
From: Adiseshu Channasamudhram <csadi at hotmail.com>
To: "squid-users at lists.squid-cache.org"
<squid-users at lists.squid-cache.org>
Subject: [squid-users] https on frontend
Message-ID:
<PH0PR14MB530976D868BCFACDF5BF6F20B3429 at PH0PR14MB5309.namprd14.prod.outlook.com>
Content-Type: text/plain; charset="iso-8859-1"
Hello Squid experts
I'm running into an issue with the below setup
frontend -----------TLS-------------Squid-------------------------2WayTLS--------------------------Backend
When frontend is sending the http request, I see the TLS exchange is successful but then on the access log of squid, I see the below error
w.x.y.z is the IP of the frontend server.
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4016 %16%03%03 %A1%DFXl%A1%90yf%1C - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:37 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:37 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:38 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:38 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
On the squid interface listening to the frontend, I have pointed it to a self signed cert ...
Any help/suggestion would be greatly appreciated
Regards
Adi
------------------------------
Message: 2
Date: Sun, 11 Sep 2022 09:11:35 +1200
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] https on frontend
Message-ID: <ef33deaf-3c02-8cba-c8df-12a20fbfa258 at treenet.co.nz>
Content-Type: text/plain; charset=UTF-8; format=flowed
On 11/09/22 06:19, Adiseshu Channasamudhram wrote:
> Hello Squid experts
>
> I'm running into an issue with the below setup
>
> frontend
> -----------TLS-------------Squid-------------------------2WayTLS--------------------------Backend
>
> When frontend is sending the http request, I see the TLS exchange is
> successful but then on the access log of squid, I see the below error
>
> w.x.y.z is the IP of the frontend server.
>
> 10/Sep/2022:00:13:34 +0000      0 w.x.y.z - - - TAG_NONE/400 4476 NONE
> error:invalid-request - HIER_NONE/- text/html - - -
...
> On the squid interface listening to the frontend, I have pointed it to a
> self signed cert ...
>
> Any help/suggestion would be greatly appreciated
>
Either the HTTP request messages received from the frontend inside the
TLS are invalid, or your frontend<->Squid is misconfigured.
We will need to see your squid.conf details. Specifically these
directives, though all settings (no comments or empty lines) would be
useful for a full check:
http_port, https_port, cache_peer, tls_outgoing_options
Also a cache/log trace made with "debug_options ALL,0 11,2" will be helpful.
Amos
------------------------------
End of squid-users Digest, Vol 97, Issue 20
*******************************************
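The `%16%03%03` entry in the quoted access.log is the percent-encoded start of a TLS record (content type 0x16, handshake; record version 3.3) logged in the position where the request method belongs. As an added example (not code from the thread or from the Squid project), this Python script classifies lines written with the poster's logformat; the field positions, the label names and the third sample line are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# First two lines are copied from the thread; the third is constructed
# to show a request that parsed normally.
SAMPLE_LOG = """\
10/Sep/2022:00:13:34 +0000      0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:34 +0000      0 w.x.y.z - - - TAG_NONE/400 4016 %16%03%03 %A1%DFXl%A1%90yf%1C - HIER_NONE/- text/html - - -
10/Sep/2022:00:14:02 +0000     12 w.x.y.z a.b.c.d - - TCP_MISS/200 512 GET https://backend.example/status - FIRSTUP_PARENT/a.b.c.d text/plain - - -
"""

# TLS record content types (the first byte of every TLS record).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}

def tls_record_prefix(field):
    """Return (content_type, record_version) if the logged field starts
    with a TLS record header, else None."""
    raw = unquote_to_bytes(field)  # logged bytes appear percent-encoded, as in the thread
    if len(raw) >= 3 and raw[0] in TLS_CONTENT_TYPES and raw[1] == 3 and raw[2] <= 4:
        return TLS_CONTENT_TYPES[raw[0]], f"{raw[1]}.{raw[2]}"
    return None

def classify(line):
    """Label one access.log line written with the logformat from the thread."""
    tok = line.split()
    # %tl is two tokens, so %Ss/%>Hs is token 7, %rm token 9, %ru token 10.
    if len(tok) < 11 or not re.fullmatch(r"[A-Z_]+/\d{3}", tok[7]):
        return "unparsed"
    status, method, url = tok[7].split("/")[1], tok[9], tok[10]
    if tls_record_prefix(method):
        return "tls-bytes-as-http"
    if status == "400" and url == "error:invalid-request":
        return "invalid-request"
    return "ok"

def summarize(log_text):
    """Count labels over a whole log excerpt."""
    return dict(Counter(classify(l) for l in log_text.splitlines() if l.strip()))

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {label}")
```

A `tls-bytes-as-http` hit means the HTTP parser was handed a raw TLS record as a request line, which narrows Amos's two alternatives toward the listener settings he asks to see (`http_port`, `https_port`) rather than the requests themselves.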