Re: [squid-users] squid ssl-to-ssl reverse proxy issue

From: Angelo Höngens <a.hongens_at_netmatch.nl>
Date: Sun, 15 Nov 2009 12:21:11 +0100

On 13-11-2009 23:00, Angelo Höngens wrote:
> Hey guys and girls, I'm back on the list again to ask for your help with
> a really strange problem.
>
>
> I am having issues with ssl-to-ssl proxying with multiple applications,
> but the one I am describing below is bugging me the most. I hope you can
> help me debug and solve the issue.
>
>
> THE SETUP
>
> I have a setup where I have a web application (Microsoft Team Foundation
> Server Web Access) on an IIS6 machine, running on https port 8091
> running in my internal lan.
>
> I want to publish this to the internet, and our policy is to run
> everything through a Squid in our DMZ. This is a 32-bit ESX VM running
> FreeBSD 6.2 with Squid 3.0.STABLE20 , the latest 3.0 from the ports.
> (Next on my list is to upgrade this machine to FreeBSD 7.2).
>
> I've set up a NAT rule so external visitors go to
> https://externalname:8091, and they end up on the squid in the dmz. The
> squid, in the backend, connects to https://tfsserver:8091 in the
> internal lan.
>
> The reason I use https on the backend, is that the MS web application is
> buggy, and if I use http, the application sends absolute redirects to
> point clients to http on port 8090. I don't have this issue when I use
> https in the backend.
>
> THE PROBLEM
>
> External access does not work, I get strange timeouts. Will explain more
> below.
>
> TROUBLESHOOTING
>
> I've been able to reproduce the problem with a single http request. I
> make a specific request from an external machine:
>
> curl \
> --cookie-jar cookie.txt \
> --cookie cookie.txt \
> --basic --insecure \
> -o out.txt \
> -D - \
> --user username:password \
> "https://externalname:8091/index.aspx?pname=Project" \
>
> If I run the request, I get a status 200 and some nice response headers,
> and then comes the content.. after 18152 bytes of data (should be around
> 20478 bytes), it stalls most of the time for minutes (sometimes it
> completes though). This is the issue. Instead of completing in several
> milliseconds, it just hangs there, and I don't know what's hanging. The
> backend IIS server reports the page was successfully retrieved by squid
> within 0-30ms.
>
> After a while things time out (set read_timeout to 30 secs in the
> following example), and the curl prints the message: "curl: (18)
> transfer closed with 2327 bytes remaining to read", and in my access.log
> I see: "1258129110.004 29433 82.94.123.123 TCP_MISS/200 18534 GET
> https://externalname:8091/index.aspx?pname=Project -
> FIRST_UP_PARENT/tfsweb-https text/html", like nothing strange happened
> except the long time. Nothing in the cache.log.
>
> However, if I make the exact same request without the squid in between
> (so directly from external to the TFS server), the request always
> completes in a few milliseconds. If I make the exact same request from
> the squid machine to the TFS server it also completes in a few
> milliseconds. That leads me to believe network is not the problem.
>
> If I use the http backend (http://tfsserver:8090 instead of
> https://tfsserver:8091) it works fine as well (although the application
> gives other problems because of the absolute redirects). So this leads
> me to believe it's something in squid..
>
> Does anyone have any idea on how to troubleshoot this issue, for example
> what debug section and what level? I've spent a few hours debugging all
> on level 4, but I get thousands of lines in the logging, and can't find
> anything interesting.
>
>
> The interesting lines from my config (there are more sites there, but
> not interesting for now):
>
> https_port 8091 cert=/bla/externalname.pem key=/bla/externalname.pem
> vhost vport
> cache_peer tfsserver parent 8091 0 no-query originserver ssl
> sslcafile=/etc/ssl/tfsroot.pem name=tfsweb-https login=PASS
> cache_peer_access tfsweb-https deny port80
> cache_peer_access tfsweb-https deny port443
> cache_peer_access tfsweb-https allow port8091
> cache_peer_domain tfsweb-https dstdomain external name
>
> Thanks in advance for your time (replies to list please).
>

(Reply to myself) I have upgraded the machine to the latest FreeBSD 7.2
release to be sure its not some strange OS issue, but that hasn't solved
the problem.

Ideas anyone?

-- 
With kind regards,
Angelo Höngens
systems administrator
MCSE on Windows 2003
MCSE on Windows 2000
MS Small Business Specialist
------------------------------------------
NetMatch
tourism internet software solutions
Ringbaan Oost 2b
5013 CA Tilburg
+31 (0)13 5811088
+31 (0)13 5821239
A.Hongens_at_netmatch.nl
www.netmatch.nl
------------------------------------------
Received on Sun Nov 15 2009 - 11:21:27 MST

This archive was generated by hypermail 2.2.0 : Tue Nov 17 2009 - 12:00:04 MST