Re: [squid-users] Issues with ssl-bump in 3.HEAD

From: Mike <mcsnv96_at_afo.net>
Date: Wed, 18 Jun 2014 16:59:54 -0500

I got it figured out... seemed that port 3128 was the problem... not
sure why this provider blocks that port but as soon as I changed the
squid.conf http_port to 8080, it worked right away.

Thanks for everyone's help!

Mike

On 6/18/2014 12:35 PM, Mike wrote:
> I compiled source 3.4.5 from squid-cache.org with all the needed rules
> and it is still refusing all connections.
> OS (on all 3 tested systems) is Scientific Linux 6.5, kernel is
> 2.6.32.431.17.1.el6. The latest squid version available in their repo
> is 3.1.10 which does not have the needed SSL related options.
>
> No unusual errors with configure, make or make install.
>
> So any suggestions or other items to check?
>
> Mike
>
> On 6/17/2014 12:34 AM, Amos Jeffries wrote:
>> On 17/06/2014 10:30 a.m., Mike wrote:
>>> Running into another issue, not sure what's going on here.
>>>
>>> ALL HTTPS connections are being denied. Temporarily, selinux is disabled
>>> and firewall is off. We have it working on 2 other servers with same OS,
>>> same kernel, same settings but it is just this one that refuses to allow
>>> connections to HTTPS sites.
>>>
>>> We went with this version since none of the other rpms (3.4x and newer)
>>> we could find included the ssl_crtd without manually compiling the
>>> entire thing, which we wanted to stay away from if possible, due to ease
>>> of updating squid at some point down the road on many servers without
>>> having to recompile on dozens (or maybe hundreds by then) when it comes
>>> time.
>>>
>>> The cache.log shows no errors. "squid -k parse" shows no errors.
>>>
>>> [root_at_servername $]# yum info squid
>>> Loaded plugins: security
>>> Installed Packages
>>> Name : squid
>>> Arch : x86_64
>>> Epoch : 7
>>> Version : 3.5.0.001
>>> Release : 1.el6
>>> Size : 8.2 M
>>> Repo : installed
>>>
>>> [root_at_servername $]# squid -v
>>> Squid Cache: Version 3.HEAD-20140127-r13248
>> Hi Mike,
>> that package is several months old now and this sounds like one of the
>> bugs now fixed. I'm sending Eliezer a request to update the package, you
>> may want to do so as well.
>>
>> I don't see any http_access lines at all in the below config file. Squid
>> security policy is "closed by default", so if you omit all access
>> permissions nothing is permitted.
>>
>>
>>> From access.log:
>>> TCP_DENIED/403 3742 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
>>> TCP_DENIED/403 3733 CONNECT startpage.com:443 - HIER_NONE/- text/html
>>> TCP_DENIED/403 3736 CONNECT www.google.com:443 - HIER_NONE/- text/html
>>>
>>> Rules are same as previously mentioned:
>>>
>>> # Squid normally listens to port 3128
>>> http_port 3128
>>> http_port 3129 intercept
>>> https_port 3130 intercept ssl-bump connection-auth=off
>>> generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
>>> cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
>>>
>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
>>> sslcrtd_children 50 startup=5 idle=1
>>> ssl_bump server-first all
>>> ssl_bump none localhost
>>> always_direct allow all
>>>
>>> visible_hostname xxxxx.xx.net
>>> cache_mgr xxxx_at_xx.net
>>> dns_nameservers xx.xx.xx.xx yy.yy.yy.yy zz.zz.zz.zz
>>> hosts_file /etc/hosts
>>>
>>> #cache_access_log /dev/null
>>> #cache_store_log none
>>> #cache_log /dev/null
>>> # acl blacklist dstdomain -i "/etc/squid/domains"
>>> # http_access deny blacklist
>>>
>>> # Below line is for troubleshooting only, comment out when sys goes to production
>>> cache_access_log /var/log/squid/access.log
>> The above line should be:
>> access_log /var/log/squid/access.log
>>
>> Also, the cache_log and debug_options lines should remain like this in
>> production if at all possible. You can start Squid with the -s command
>> line option to pipe the cache critical messages to syslog but Squid
>> should always have a cache.log for a backup troubleshooting information
>> source.
>>
>>> cache_store_log /var/log/squid/store.log
>>> cache_log /var/log/squid/cache.log
>>> debug_options ALL,0
>>>
>>> # Uncomment and adjust the following to add a disk cache directory.
>>> cache_dir ufs /var/spool/squid 10000 32 512
>>> cache_effective_user squid
>>>
>>> The cache store (store.log) shows a lot of entries like this:
>>> RELEASE -1 FFFFFFFF 10808232E705173EC05BDDACC2C6F47F ? ? ? ? ?/? ?/? ? ?
>> Not to worry, temporary files used as disk-backing store for some
>> transactions. We have not yet fully removed the need for this type of
>> file from Squid.
>>
>> HTH
>> Amos
>>
>
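As an added illustration (not part of this thread or of the Squid project's own files), the posted listener and ssl-bump section is shown again together with the http_access policy Amos points out is missing and the access_log correction he gives; the ACL names and the 10.0.0.0/8 client range are assumptions for the example, not values from the thread.

```conf
# Constructed example: the thread's listener/ssl-bump settings plus the
# access policy the posted squid.conf left out. Squid is closed by default,
# so with no http_access lines every request is logged TCP_DENIED/403, which
# is exactly what the quoted access.log entries show.

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
sslcrtd_children 50 startup=5 idle=1

# ssl_bump rules are first-match: the "none localhost" exemption must come
# before "server-first all" or it is never reached.
ssl_bump none localhost
ssl_bump server-first all
always_direct allow all

# --- Access policy (assumed client range; adjust to the network proxied) ---
acl localnet src 10.0.0.0/8          # assumption: the LAN behind the proxy
acl SSL_ports port 443
acl Safe_ports port 80               # http
acl Safe_ports port 443              # https
acl CONNECT method CONNECT

# Refuse requests to unsafe ports and CONNECT tunnels to anything but 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager reachable only from the proxy host itself
http_access allow localhost manager
http_access deny manager
# The actual allow list, followed by an explicit final deny
http_access allow localnet
http_access allow localhost
http_access deny all

# Directive name as corrected in the thread (access_log, not cache_access_log)
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
debug_options ALL,0
```

After changing the policy, run `squid -k parse` and then `squid -k reconfigure`; a CONNECT from a localnet client should now log TCP_TUNNEL instead of TCP_DENIED/403.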
Received on Wed Jun 18 2014 - 21:59:58 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 20 2014 - 12:00:05 MDT