On 17/06/2014 10:30 a.m., Mike wrote:
> Running into another issue, not sure whats going on here.
>
> ALL HTTPS connections are being denied. Temporarily, selinux is disabled
> and firewall is off. We have it working on 2 other servers with same OS,
> same kernel, same settings but it is just this one that refuses to allow
> connections to HTTPS sites.
>
> We went with this version since none of the other rpms (3.4x and newer)
> we could find included the ssl_crtd without manually compiling the
> entire thing, which we wanted to stay away from if possible, due to ease
> of updating squid at some point down the road on many servers without
> having to recompile on dozens (or maybe hundreds by then) when it comes
> time.
>
> The cache.log shows no errors. "squid -k parse" shows no errors.
>
> [root_at_servername $]# yum info squid
> Loaded plugins: security
> Installed Packages
> Name : squid
> Arch : x86_64
> Epoch : 7
> Version : 3.5.0.001
> Release : 1.el6
> Size : 8.2 M
> Repo : installed
>
> [root_at_servername $]# squid -v
> Squid Cache: Version 3.HEAD-20140127-r13248
Hi Mike,
that package is several months old now and this sounds like one of the
bugs now fixed. I'm sending Eliezer a request to update the package, you
may want to do so as well.
I dont see any http_access lines at all in the below config file. Squid
security policy is "closed by default", so if you omit all access
permissions noting is permitted.
> From access.log:
> TCP_DENIED/403 3742 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
> TCP_DENIED/403 3733 CONNECT startpage.com:443 - HIER_NONE/- text/html
> TCP_DENIED/403 3736 CONNECT www.google.com:443 - HIER_NONE/- text/html
>
> Rules are same as previously mentioned:
>
> # Squid normally listens to port 3128
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
> cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
> sslcrtd_children 50 startup=5 idle=1
> ssl_bump server-first all
> ssl_bump none localhost
> always_direct allow all
>
> visible_hostname xxxxx.xx.net
> cache_mgr xxxx_at_xx.net
> dns_nameservers xx.xx.xx.xx yy.yy.yy.yy zz.zz.zz.zz
> hosts_file /etc/hosts
>
> #cache_access_log /dev/null
> #cache_store_log none
> #cache_log /dev/null
> # acl blacklist dstdomain -i "/etc/squid/domains"
> # http_access deny blacklist
>
>
> # Below line is for troubleshooting only, comment out when sys goes to
> production
> cache_access_log /var/log/squid/access.log
The above line should be:
access_log /var/log/squid/access.log
Also, the cache_log and debug_options lines shoud remain like this in
production if at all possible. You can start Squid with the -s command
line option to pipe the cache critical messages to syslog but Squid
should always have a cache.log for a backup troubleshooting information
source.
> cache_store_log /var/log/squid/store.log
> cache_log /var/log/squid/cache.log
> debug_options ALL,0
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/spool/squid 10000 32 512
> cache_effective_user squid
>
> The cache store (store.log) shows a lot of entries like this:
> RELEASE -1 FFFFFFFF 10808232E705173EC05BDDACC2C6F47F ? ?
> ? ? ?/? ?/? ? ?
Not to worry, temporary files used as disk-backing store for some
transactions. We have not yet fully removed the need for this type of
file from Squid.
HTH
Amos
Received on Tue Jun 17 2014 - 05:34:42 MDT
This archive was generated by hypermail 2.2.0 : Thu Jun 19 2014 - 12:00:05 MDT