[squid-users] Unable to access a device over port 4434
Piana, Josh
Josh.Piana at hexcel.com
Thu Oct 17 20:40:09 UTC 2024
Hey Amos,
Thanks for replying.
To clarify on the test, port 4434 is the port that was assigned to get access to that device, one of our firewalls.
I looked at the old Squid config that we have, and it seems this was setup in a way that internal networks were not being passed through the proxy. This was done be either an ACL, or the PAC file, is what we're thinking. The issue is, we don't exactly know how to implement the PAC file on our new Squid box.
With that said, I agree with your statement that its difficult to troubleshoot an issue as opposed to go around it. Unfortunately, that's how it was done before and that's the direction our current management is going again. So I need to reconfigure the squid.conf file to ignore internal traffic, networks, and IP's, and only web filter and proxy internet connections. We can't just copy the old config because it doesn't carry over 1:1, and its an old version from 2.5.
Is there additional testing I could do or anything I should know to make this happen?
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Wednesday, October 16, 2024 11:45 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Unable to access a device over port 4434
Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.
On 16/10/24 09:39, Piana, Josh wrote:
> Amos,
>
> Thank you for getting back to me and clarifying.
>
> I ran this command:
> #wget -Y off 172.27.46.253
>
> Response:
> --2024-10-15 16:36:15--
> http://172.0.0.2/
> 7.46.253%2F&data=05%7C02%7Cjosh.piana%40hexcel.com%7Cf595ea81629e4e5db
> 45f08dcee5e2c12%7C4248050df19546d5ac9c0c7c52b04cae%7C0%7C0%7C638647335
> 455212558%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIi
> LCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=ZfzWSAFz5VpiHcYtQy4p
> c%2BHj08G%2FvUSWdLaU2RckxlA%3D&reserved=0
> Connecting to 172.27.46.253:80... connected.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location:
> https://0.0.0.172/.
> 27.46.253%2F&data=05%7C02%7Cjosh.piana%40hexcel.com%7Cf595ea81629e4e5d
> b45f08dcee5e2c12%7C4248050df19546d5ac9c0c7c52b04cae%7C0%7C0%7C63864733
> 5458181374%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzI
> iLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=z%2F5YhuDe5d2cz6KUm
> TbGhMV6Dpgs3T%2B%2BrlqRewDCmCM%3D&reserved=0 [following]
> --2024-10-15 16:36:15--
> https://0.0.0.172/.
> 27.46.253%2F&data=05%7C02%7Cjosh.piana%40hexcel.com%7Cf595ea81629e4e5d
> b45f08dcee5e2c12%7C4248050df19546d5ac9c0c7c52b04cae%7C0%7C0%7C63864733
> 5458181374%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzI
> iLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=z%2F5YhuDe5d2cz6KUm
> TbGhMV6Dpgs3T%2B%2BrlqRewDCmCM%3D&reserved=0
> Connecting to 172.27.46.253:443... connected.
The TCP here is fully working, on both ports.
The followup hang you mentioned was likely due to a mistake in your followup test (that extra '4' typo?).
> ERROR: The certificate of '172.27.46.253' is not trusted.
> ERROR: The certificate of '172.27.46.253' doesn't have a known issuer.
> The certificate's owner does not match hostname '172.27.46.253'
>
There you go. Two problems to resolve.
First Problem; unknown "Issuer" (aka root or intermediate CA certificate).
Please use this to find out what details need to be retrieved:
wget -v --no-proxy https://172.27.46.253/
Find the public CA certificate for the missing "Issuer".
Further tests with wget should use:
wget -v --no-proxy \
--ca-certificate=/path/to/server.ca https://172.27.46.253/
When wget test shows trust of the server certificate working, Squid should be configured to use it for checking too:
tsl_outgoing_options ca=/path/to/server.ca or
cache_peer 172.27.46.253 443 0 originserver tls-ca=/path/to/server.ca
Second Problem; mismatch between "172.27.46.253" and "Owner" (or maybe"SubjectAltName" fields).
The wget output when troubleshooting for the first problem should give more hints about what this means.
> So with the errors given, would that stop us from connecting to it? Typically with sites with trust issues or certification issues, you can still bypass it. We'd like to do the same here if applicable.
One could, but your wget command does not.
FYI, It is also a bad idea to bypass unless you really have to.
Especially bad to bypass unknown amount of things when trying to identify reasons for failure.
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list