[squid-users] https pages

From: Michael Johnston <mikej84_at_yahoo.com>
Date: Sun, 8 Jun 2008 10:38:23 -0700 (PDT)

I am using 2.6.STABLE20 for Windows. I am not using the transparent option, nor am I using accelerator mode. Based on what I have read, Squid should by default allow a client to access HTTPS pages.

This is not working with my setup, and I'm trying to figure out why. HTTP pages work fine when I use the proxy from a client machine, or when I try from the proxy server itself. HTTPS pages work fine from the proxy server, but from a client machine I am getting "page cannot be displayed."

I am including a section from cache.log, as well as pieces from my squid.conf that may or may not be relevant (using defaults for options I've not included here).

Thanks in advance for any help.

Mike

###

2008/06/03 15:57:02| fd_open FD 17 HTTP Request
2008/06/03 15:57:02| httpAccept: FD 17: accepted port 3128 client CLIENT.EXTERNAL.IP:53591
2008/06/03 15:57:02| cbdataLock: 015AAE40
2008/06/03 15:57:02| comm_add_close_handler: FD 17, handler=0041C529, data=01535D30
2008/06/03 15:57:02| cbdataLock: 01535D30
2008/06/03 15:57:02| commSetTimeout: FD 17 timeout 300
2008/06/03 15:57:02| aclCheckFast: list: 010973C8
2008/06/03 15:57:02| aclMatchAclList: checking all
2008/06/03 15:57:02| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/06/03 15:57:02| aclMatchIp: 'CLIENT.EXTERNAL.IP' found
2008/06/03 15:57:02| aclMatchAclList: returning 1
2008/06/03 15:57:02| commSetSelect: FD 17 type 1
2008/06/03 15:57:02| comm_accept: FD 11: (10035) WSAEWOULDBLOCK, Resource temporarily unavailable.
2008/06/03 15:57:02| comm_select: timeout 219
2008/06/03 15:57:02| comm_call_handlers(): got fd=17 read_event=1 write_event=0 F->read_handler=0041D180 F->write_handler=00000000
2008/06/03 15:57:02| comm_call_handlers(): Calling read handler on fd=17
2008/06/03 15:57:02| clientReadRequest: FD 17: reading request...
2008/06/03 15:57:02| cbdataLock: 01535D30
2008/06/03 15:57:02| parseHttpRequest: Client HTTP version 1.0.
2008/06/03 15:57:02| parseHttpRequest: Method is 'CONNECT'
2008/06/03 15:57:02| parseHttpRequest: URI is 'www.google.com:443'
2008/06/03 15:57:02| parseHttpRequest: req_hdr = {User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)Proxy-Connection: Keep-AliveContent-Length: 0Host: www.google.comPragma: no-cache}
2008/06/03 15:57:02| parseHttpRequest: end = {}
2008/06/03 15:57:02| parseHttpRequest: prefix_sz = 254, req_line_sz = 37
2008/06/03 15:57:02| parseHttpRequest: Request Header is
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)Proxy-Connection: Keep-AliveContent-Length: 0Host: www.google.comPragma: no-cache
2008/06/03 15:57:02| parseHttpRequest: Complete request received
2008/06/03 15:57:02| conn->in.offset = 0
2008/06/03 15:57:02| commSetTimeout: FD 17 timeout 86400
2008/06/03 15:57:02| init-ing hdr: 014D71C0 owner: 2
2008/06/03 15:57:02| parsing hdr: (014D71C0)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)Proxy-Connection: Keep-AliveContent-Length: 0Host: www.google.comPragma: no-cache
2008/06/03 15:57:02| creating entry 016E2590: near 'User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)'
2008/06/03 15:57:02| created entry 016E2590: 'User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)'
2008/06/03 15:57:02| 014D71C0 adding entry: 50 at 0
2008/06/03 15:57:02| creating entry 010F1BD8: near 'Proxy-Connection: Keep-Alive'
2008/06/03 15:57:02| created entry 010F1BD8: 'Proxy-Connection: Keep-Alive'
2008/06/03 15:57:02| 014D71C0 adding entry: 41 at 1
2008/06/03 15:57:02| creating entry 016F3250: near 'Content-Length: 0'
2008/06/03 15:57:02| created entry 016F3250: 'Content-Length: 0'
2008/06/03 15:57:02| 014D71C0 adding entry: 14 at 2
2008/06/03 15:57:02| creating entry 016EE018: near 'Host: www.google.com'
2008/06/03 15:57:02| created entry 016EE018: 'Host: www.google.com'
2008/06/03 15:57:02| 014D71C0 adding entry: 27 at 3
2008/06/03 15:57:02| creating entry 016D06F0: near 'Pragma: no-cache'
2008/06/03 15:57:02| created entry 016D06F0: 'Pragma: no-cache'
2008/06/03 15:57:02| 014D71C0 adding entry: 37 at 4
2008/06/03 15:57:02| 014D71C0 lookup for 20
2008/06/03 15:57:02| clientSetKeepaliveFlag: http_ver = 1.0
2008/06/03 15:57:02| clientSetKeepaliveFlag: method = CONNECT
2008/06/03 15:57:02| 014D71C0 lookup for 41
2008/06/03 15:57:02| 014D71C0: joining for id 41
2008/06/03 15:57:02| 014D71C0: joined for id 41: Keep-Alive
2008/06/03 15:57:02| 014D71C0 lookup for 52
2008/06/03 15:57:02| 014D71C0 lookup for 41
2008/06/03 15:57:02| 014D71C0: joining for id 41
2008/06/03 15:57:02| 014D71C0: joined for id 41: Keep-Alive
2008/06/03 15:57:02| commSetSelect: FD 17 type 1
2008/06/03 15:57:02| 014D71C0 lookup for 59
2008/06/03 15:57:02| cbdataLock: 01107388
2008/06/03 15:57:02| cbdataLock: 01535D30
2008/06/03 15:57:02| cbdataLock: 01511C80
2008/06/03 15:57:02| cbdataValid: 01107388
2008/06/03 15:57:02| aclCheck: checking 'http_access allow company_network'
2008/06/03 15:57:02| aclMatchAclList: checking company_network
2008/06/03 15:57:02| aclMatchAcl: checking 'acl company_network src 192.168.0.0/255.255.0.0'
2008/06/03 15:57:02| aclMatchIp: 'CLIENT.EXTERNAL.IP' NOT found
2008/06/03 15:57:02| aclMatchAclList: no match, returning 0
2008/06/03 15:57:02| cbdataLock: 011074A8
2008/06/03 15:57:02| cbdataUnlock: 01107388
2008/06/03 15:57:02| cbdataValid: 011074A8
2008/06/03 15:57:02| aclCheck: checking 'http_access allow server10'
2008/06/03 15:57:02| aclMatchAclList: checking server10
2008/06/03 15:57:02| aclMatchAcl: checking 'acl server10 src SERVER10.EXTERNAL.IP/255.255.255.255 192.168.10.35/255.255.255.255'
2008/06/03 15:57:02| aclMatchIp: 'CLIENT.EXTERNAL.IP' NOT found
2008/06/03 15:57:02| aclMatchAclList: no match, returning 0
2008/06/03 15:57:02| cbdataLock: 00C2B688
2008/06/03 15:57:02| cbdataUnlock: 011074A8
2008/06/03 15:57:02| cbdataValid: 00C2B688
2008/06/03 15:57:02| aclCheck: checking 'http_access allow allowed_hosts'
2008/06/03 15:57:02| aclMatchAclList: checking allowed_hosts
2008/06/03 15:57:02| aclMatchAcl: checking 'acl allowed_hosts src CLIENT.EXTERNAL.IP/255.255.255.255 192.168.2.79/255.255.255.255 SQUIDSERVER.EXTERNAL.IP/255.255.255.255'
2008/06/03 15:57:02| aclMatchIp: 'CLIENT.EXTERNAL.IP' found
2008/06/03 15:57:02| aclMatchAclList: returning 1
2008/06/03 15:57:02| aclCheck: match found, returning 1
2008/06/03 15:57:02| cbdataUnlock: 00C2B688
2008/06/03 15:57:02| aclCheckCallback: answer=1
2008/06/03 15:57:02| cbdataValid: 01511C80
2008/06/03 15:57:02| The request CONNECT www.google.com:443 is ALLOWED, because it matched 'allowed_hosts'
2008/06/03 15:57:02| clientRedirectStart: 'www.google.com:443'
2008/06/03 15:57:02| clientRedirectDone: 'www.google.com:443' result=NULL
2008/06/03 15:57:02| 014D71C0 lookup for 37
2008/06/03 15:57:02| 014D71C0: joining for id 37
2008/06/03 15:57:02| 014D71C0: joined for id 37: no-cache
2008/06/03 15:57:02| 014D71C0 lookup for 7
2008/06/03 15:57:02| 014D71C0 lookup for 7
2008/06/03 15:57:02| 014D71C0 lookup for 40
2008/06/03 15:57:02| 014D71C0 lookup for 52
2008/06/03 15:57:02| 014D71C0 lookup for 59
2008/06/03 15:57:02| clientInterpretRequestHeaders: REQ_NOCACHE = SET
2008/06/03 15:57:02| clientInterpretRequestHeaders: REQ_CACHABLE = NOT SET
2008/06/03 15:57:02| clientInterpretRequestHeaders: REQ_HIERARCHICAL = NOT SET
2008/06/03 15:57:02| clientProcessRequest: CONNECT 'www.google.com:443'
2008/06/03 15:57:02| aclCheckFast: list: 00000000
2008/06/03 15:57:02| aclCheckFast: no matches, returning: 1
2008/06/03 15:57:02| sslStart: 'CONNECT www.google.com:443'
2008/06/03 15:57:02| comm_open: FD 18 is a new socket
2008/06/03 15:57:02| fd_open FD 18 www.google.com:443
2008/06/03 15:57:02| comm_add_close_handler: FD 18, handler=004758DB, data=016153E8
2008/06/03 15:57:02| cbdataLock: 016153E8
2008/06/03 15:57:02| comm_add_close_handler: FD 17, handler=0047596A, data=016153E8
2008/06/03 15:57:02| cbdataLock: 016153E8
2008/06/03 15:57:02| commSetTimeout: FD 17 timeout 86400
2008/06/03 15:57:02| commSetSelect: FD 17 type 1
2008/06/03 15:57:02| peerSelect: CONNECT
2008/06/03 15:57:02| cbdataLock: 016153E8
2008/06/03 15:57:02| peerSelectFoo: 'CONNECT www.google.com'
2008/06/03 15:57:02| peerCheckNetdbDirect: MY RTT = 0 msec
2008/06/03 15:57:02| peerCheckNetdbDirect: minimum_direct_rtt = 400 msec
2008/06/03 15:57:02| peerCheckNetdbDirect: MY hops = 0
2008/06/03 15:57:02| peerCheckNetdbDirect: minimum_direct_hops = 4
2008/06/03 15:57:02| whichPeer: from 0.0.0.0 port 0
2008/06/03 15:57:02| peerSelectFoo: direct = DIRECT_MAYBE
2008/06/03 15:57:02| peerAddFwdServer: adding DIRECT DIRECT
2008/06/03 15:57:02| cbdataValid: 016153E8
2008/06/03 15:57:02| commSetTimeout: FD 18 timeout 60
2008/06/03 15:57:02| commConnectStart: FD 18, www.google.com:443
2008/06/03 15:57:02| cbdataLock: 016153E8
2008/06/03 15:57:02| comm_add_close_handler: FD 18, handler=00429BA1, data=0154A690
2008/06/03 15:57:02| cbdataLock: 0154A690
2008/06/03 15:57:02| ipcache_nbgethostbyname: Name 'www.google.com'.
2008/06/03 15:57:02| ipcache_nbgethostbyname: HIT for 'www.google.com'
2008/06/03 15:57:02| cbdataLock: 0154A690
2008/06/03 15:57:02| cbdataValid: 0154A690
2008/06/03 15:57:02| ipcacheCycleAddr: www.google.com now at 72.14.205.104
2008/06/03 15:57:02| connect FD 18: (10035) WSAEWOULDBLOCK, Resource temporarily unavailable.
2008/06/03 15:57:02| comm_connect_addr: FD 18 connection pending
2008/06/03 15:57:02| commConnectHandle: FD 18: COMM_INPROGRESS
2008/06/03 15:57:02| commSetSelect: FD 18 type 2
2008/06/03 15:57:02| cbdataUnlock: 0154A690
2008/06/03 15:57:02| cbdataUnlock: 016153E8
2008/06/03 15:57:02| cbdataFree: 015134E8
2008/06/03 15:57:02| cbdataFree: Freeing 015134E8
2008/06/03 15:57:02| cbdataUnlock: 01511C80
2008/06/03 15:57:02| cbdataUnlock: 01535D30
2008/06/03 15:57:02| cbdataFree: 01513090
2008/06/03 15:57:02| cbdataFree: Freeing 01513090
2008/06/03 15:57:02| cbdataValid: 01535D30
2008/06/03 15:57:02| cbdataUnlock: 01535D30
2008/06/03 15:57:02| commSetSelect: FD 17 type 1
2008/06/03 15:57:02| comm_select: timeout 219
2008/06/03 15:57:02| comm_call_handlers(): got fd=18 read_event=0 write_event=1 F->read_handler=00000000 F->write_handler=00429C41
2008/06/03 15:57:02| comm_connect_addr: FD 18 connected to 72.14.205.103:443
2008/06/03 15:57:02| comm_remove_close_handler: FD 18, handler=00429BA1, data=0154A690
2008/06/03 15:57:02| cbdataUnlock: 0154A690
2008/06/03 15:57:02| commSetTimeout: FD 18 timeout -1
2008/06/03 15:57:02| commConnectFree: FD 18
2008/06/03 15:57:02| cbdataFree: 0154A690
2008/06/03 15:57:02| cbdataFree: Freeing 0154A690
2008/06/03 15:57:02| cbdataValid: 016153E8
2008/06/03 15:57:02| sslConnected: FD 18 sslState=016153E8
2008/06/03 15:57:02| commSetSelect: FD 17 type 2
2008/06/03 15:57:02| commSetSelect: FD 17 type 1
2008/06/03 15:57:02| commSetSelect: FD 18 type 1
2008/06/03 15:57:02| commSetTimeout: FD 18 timeout 900
2008/06/03 15:57:02| cbdataUnlock: 016153E8
2008/06/03 15:57:02| comm_select: timeout 125
2008/06/03 15:57:02| comm_call_handlers(): got fd=17 read_event=0 write_event=1 F->read_handler=00475F0A F->write_handler=00476429
2008/06/03 15:57:02| sslWriteClient: FD 17, 39 bytes to write
2008/06/03 15:57:02| sslWriteClient: FD 17, 39 bytes written
2008/06/03 15:57:02| cbdataLock: 016153E8
2008/06/03 15:57:02| cbdataValid: 016153E8
2008/06/03 15:57:02| commSetSelect: FD 17 type 1
2008/06/03 15:57:02| commSetSelect: FD 18 type 1
2008/06/03 15:57:02| cbdataUnlock: 016153E8
2008/06/03 15:57:02| comm_select: timeout 125
2008/06/03 15:57:02| comm_call_handlers(): got fd=17 read_event=1 write_event=0 F->read_handler=00475F0A F->write_handler=00000000
2008/06/03 15:57:02| comm_call_handlers(): Calling read handler on fd=17
2008/06/03 15:57:02| sslReadClient: FD 17, reading 16384 bytes at offset 0
2008/06/03 15:57:02| sslReadClient: FD 17, read -1 bytes
2008/06/03 15:57:02| cbdataLock: 016153E8
2008/06/03 15:57:02| sslReadClient: FD 17: read failure: (10054) WSAECONNRESET, Connection reset by peer.
2008/06/03 15:57:02| sslAbort: FD 17/18
2008/06/03 15:57:02| cbdataLock: 016153E8
2008/06/03 15:57:02| comm_close: FD 17
2008/06/03 15:57:02| commCallCloseHandlers: FD 17
2008/06/03 15:57:02| commCallCloseHandlers: ch->handler=0047596A
2008/06/03 15:57:02| cbdataValid: 016153E8
2008/06/03 15:57:02| sslClientClosed: FD 17
2008/06/03 15:57:02| cbdataUnlock: 016153E8
2008/06/03 15:57:02| commCallCloseHandlers: ch->handler=0041C529
2008/06/03 15:57:02| cbdataValid: 01535D30
2008/06/03 15:57:02| connStateFree: FD 17
2008/06/03 15:57:02| httpRequestFree: [null_entry]
2008/06/03 15:57:02| httpRequestFree: al.url='www.google.com:443'
2008/06/03 15:57:02| cbdataLock: 01107388
2008/06/03 15:57:02| cbdataLock: 01535D30
2008/06/03 15:57:02| cbdataUnlock: 01535D30
2008/06/03 15:57:02| cbdataUnlock: 01107388
2008/06/03 15:57:02| cbdataFree: 01513090
2008/06/03 15:57:02| cbdataFree: Freeing 01513090
2008/06/03 15:57:02| cbdataFree: 01511C80
2008/06/03 15:57:02| cbdataFree: Freeing 01511C80
2008/06/03 15:57:02| cbdataFree: 01535D30
2008/06/03 15:57:02| cbdataFree: 01535D30 has 1 locks, not freeing
2008/06/03 15:57:02| cbdataUnlock: 01535D30
2008/06/03 15:57:02| cbdataUnlock: Freeing 01535D30
2008/06/03 15:57:02| fd_close FD 17 www.google.com:443
2008/06/03 15:57:02| comm_close: FD 18
2008/06/03 15:57:02| commCallCloseHandlers: FD 18
2008/06/03 15:57:02| commCallCloseHandlers: ch->handler=004758DB
2008/06/03 15:57:02| cbdataValid: 016153E8
2008/06/03 15:57:02| sslServerClosed: FD 18
2008/06/03 15:57:02| sslStateFree: sslState=016153E8
2008/06/03 15:57:02| cleaning hdr: 014D71C0 owner: 2
2008/06/03 15:57:02| destroying entry 016E2590: 'User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)'
2008/06/03 15:57:02| destroying entry 010F1BD8: 'Proxy-Connection: Keep-Alive'
2008/06/03 15:57:02| destroying entry 016F3250: 'Content-Length: 0'
2008/06/03 15:57:02| destroying entry 016EE018: 'Host: www.google.com'
2008/06/03 15:57:02| destroying entry 016D06F0: 'Pragma: no-cache'
2008/06/03 15:57:02| cbdataFree: 016153E8
2008/06/03 15:57:02| cbdataFree: 016153E8 has 3 locks, not freeing
2008/06/03 15:57:02| cbdataUnlock: 016153E8
2008/06/03 15:57:02| fd_close FD 18 www.google.com:443
2008/06/03 15:57:02| cbdataUnlock: 016153E8
2008/06/03 15:57:02| cbdataValid: 016153E8
2008/06/03 15:57:02| cbdataUnlock: 016153E8
2008/06/03 15:57:02| cbdataUnlock: Freeing 016153E8
2008/06/03 15:57:02| comm_select: timeout 79
2008/06/03 15:57:02| comm_select: time out

##############################################
# TAG: acl
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT

acl server10 src SERVER10.EXTERNAL.IP/255.255.255.255 192.168.10.35/255.255.255.255
acl allowed_hosts src CLIENT.EXTERNAL.IP/255.255.255.255 192.168.2.79/255.255.255.255 SQUIDSERVER.EXTERNAL.IP/255.255.255.255
acl company_network src 192.168.0.0/255.255.0.0
http_access allow company_network

# TAG: http_access
#Default:
# http_access deny all
#
#Recommended minimum configuration:
# Only allow cachemgr access from localhost

http_access allow server10
http_access allow allowed_hosts

http_access allow manager localhost
http_access deny manager
#only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

#Allow ICP queries from everyone
icp_access allow all

# Squid normally listens to port 3128
http_port 3128

# TAG: forwarded_for on|off
forwarded_for off

      
Received on Sun Jun 08 2008 - 17:38:30 MDT
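Added example, not code from the post or from Squid: a small first-match evaluator of the posted http_access order, reproducing the log's decision (the CONNECT from CLIENT.EXTERNAL.IP is allowed by `allowed_hosts` before the `!Safe_ports` and `CONNECT !SSL_ports` denies are ever reached) and showing what changes when those two denies are moved above the per-host allows. The TEST-NET-3 addresses standing in for the `*.EXTERNAL.IP` placeholders, the omission of the manager/purge/ICP lines, and the "hardened" ordering are my assumptions.

```python
import ipaddress

# Constructed TEST-NET-3 stand-ins for the *.EXTERNAL.IP placeholders in the post (assumption).
CLIENT_IP, SERVER10_IP, SQUID_IP = "203.0.113.10", "203.0.113.20", "203.0.113.30"

# ACLs from the posted squid.conf (manager, purge and ICP lines left out).
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591),
                            (777, 777), (631, 631), (873, 873), (901, 901)]),
    "CONNECT": ("method", ["CONNECT"]),
    "server10": ("src", [SERVER10_IP + "/32", "192.168.10.35/32"]),
    "allowed_hosts": ("src", [CLIENT_IP + "/32", "192.168.2.79/32", SQUID_IP + "/32"]),
    "company_network": ("src", ["192.168.0.0/16"]),
}

# http_access lines in the order the post shows them.
POSTED_ORDER = [
    ("allow", ["company_network"]), ("allow", ["server10"]), ("allow", ["allowed_hosts"]),
    ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]), ("deny", ["all"]),
]
# Assumed hardened order: the two port denies move above every per-host allow.
HARDENED_ORDER = POSTED_ORDER[3:5] + POSTED_ORDER[:3] + POSTED_ORDER[5:]


def acl_matches(name, src, method, port):
    """One ACL term; a leading '!' negates it, as in squid.conf."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        hit = any(ipaddress.ip_address(src) in ipaddress.ip_network(v) for v in values)
    elif kind == "port":
        hit = any(lo <= port <= hi for lo, hi in values)
    else:
        hit = method in values
    return hit != negate


def http_access(rules, src, port, method="CONNECT"):
    """Squid first-match semantics: the first line whose ACLs all match decides;
    with no match at all the result is the opposite of the last line's action."""
    for action, acls in rules:
        if all(acl_matches(a, src, method, port) for a in acls):
            return action, " ".join(acls)
    return ("deny" if rules[-1][0] == "allow" else "allow"), "<no match>"
```

Calling `http_access(POSTED_ORDER, CLIENT_IP, 443)` gives the same `allow` by `allowed_hosts` the cache.log records, so the proxy-side ACL path is not where the client's failure originates; the same call with port 25 or 80 is also allowed in the posted order, and only the hardened order returns the port denies.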
