Edoardo COSTA SANSEVERINO wrote:
> On 05/22/2010 04:41 AM, Amos Jeffries wrote:
>> Edoardo COSTA SANSEVERINO wrote:
>>>
>>> Hi all,
>>>
>>> I had a look in the archives and the only similar problem I found was
>>> never answered
>>> (http://www.squid-cache.org/mail-archive/squid-users/200801/0152.html)
>>> so I hope someone can help me. I posted this request on
>>> linuxquestions.org but got no reply so I thought I'd be better off
>>> asking you guys ;)
>>>
>>> I tried to get reverse proxy working with apache mod_proxy but that
>>> failed so I'm giving squid3 a go but with not much more luck. All
>>> connections to non ssl websites work fine. The following error I
>>> [B]only get the second time[/B] I access the page, the first time the
>>> page is displayed properly! This does not make sense to me but maybe
>>> it will to one of you.
>>>
>>> ERROR
>>> The requested URL could not be retrieved
>>>
>>> While trying to retrieve the URL: https://deb01.example.com/
>>>
>>> The following error was encountered:
>>> Connection to 192.168.122.11 Failed
>>>
>>> The system returned:
>>> (71) Protocol error
>>>
>>> The remote host or network may be down. Please try the request again.
>>>
>>> Your cache administrator is webmaster.
>>> Generated Thu, 20 May 2010 18:58:28 GMT by localhost (squid/3.0.STABLE8)
>>>
>>> My setup
>>> --------
>>> +--> (deb02) vhosts running multile http
>>> |
>>> [WWW] -> KVM/SQUID ->+--> (deb01) vhost running a single https
>>> |
>>> +--> (deb03) vhosts running multile http and one
>>> https
>>>
>>> My squid.conf
>>> -------------
>>>
>>> https_port 443 accel cert=/etc/ssl/deb01.example.com.crt
>>> key=/etc/ssl/deb01.example.com.pem defaultsite=deb01.example.com
>>> vhost protocol=https
>>> http_port 80 accel defaultsite=deb02.example.com vhost
>>>
>>> cache_peer 192.168.122.11 parent 443 0 no-query originserver
>>> login=PASS ssl sslversion=3 sslflags=DONT_VERIFY_PEER
>>> front-end-https=on name=srv01
>>> cache_peer 192.168.122.2 parent 80 0 no-query originserver name=srv02
>>>
>>> acl https proto https
>>> acl sites_srv01 dstdomain deb01.example.com
>>> acl sites_srv02 dstdomain deb02.example.com second.example.com
>>>
>>> http_access allow sites_srv01
>>> http_access allow sites_srv02
>>> cache_peer_access srv01 allow sites_srv01
>>> cache_peer_access srv02 allow sites_srv02
>>>
>>> forwarded_for on
>>> ---
>>>
>>> The first 'successful' connection gives the following entries in the
>>> logs:
>>>
>>> -----BEGIN SSL SESSION PARAMETERS-----
>>> MIGIAgEBAgIDAQQCADUEIDrfJnfrcvWw15QVzrwAlKJYsrinM/X+Ge9aeTyO8Fkx
>>> BDBLAPhbkN6LTcdvHMF9YGm8ib5Qwjm05qP3rr7I+LBjpikfjzV5gJSXLfke83U0
>>> ggOhBgIES/WH8aIEAgIBLKQCBACmFQQTZGViMDEucHJlY29nbmV0LmNvbQ==
>>> -----END SSL SESSION PARAMETERS-----
>>> 2010/05/20 21:05:21| 192.168.122.11 digest requires version 17487;
>>> have: 5
>>> 2010/05/20 21:05:21| temporary disabling (invalid digest cblock)
>>> digest from 192.168.122.11
>>
>> Normal. Simply means the web server does not understand proxy cache
>> digest exchange. This can be silenced by adding no-digest option to
>> the web server cache_peer line.
>>
>>> 2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL
>>> connection on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad
>>> decompression (1/-1/0)
>>> 2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed
>>> [...]
>>
>> There is your HTTPS problem. Your SSL system libraries are producing
>> that error when they can't handle the settings.
>>
>> http://google.com/search?q=SSL3_GET_RECORD%3Abad+decompression
>>
>>
>>> 2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL
>>> connection on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad
>>> decompression (1/-1/0)
>>> 2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed
>>> 2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL
>>> connection on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad
>>> decompression (1/-1/0)
>>> 2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed
>>>
>> <snip storage log>
>>>
>>>
>>> The second 'failed' connection shows the following log events:
>>>
>>>
>>> ==> /var/log/squid3/cache.log <==
>>> 2010/05/20 21:06:11| fwdNegotiateSSL: Error negotiating SSL
>>> connection on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad
>>> decompression (1/-1/0)
>>> [...]
>>> 2010/05/20 21:06:12| fwdNegotiateSSL: Error negotiating SSL
>>> connection on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad
>>> decompression (1/-1/0)
>>> 2010/05/20 21:06:12| TCP connection to 192.168.122.11/443 failed
>>> 2010/05/20 21:06:12| fwdNegotiateSSL: Error negotiating SSL
>>> connection on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad
>>> decompression (1/-1/0)
>>> 2010/05/20 21:06:12| TCP connection to 192.168.122.11/443 failed
>>>
>> <snip storage log>
>>
>> store.log is irrelevant to most uses. You can safely set it to "none"
>> in your squid.conf file.
>>
>>>
>>> Any help would be greatly apreciated.
>>>
>>>
>>> As a side note. If anyone can tell me how to show the IP of the
>>> squid server rather than the internal IP of the webserver (as in the
>>> error) that would be a bonus ;)
>>
>> The error is correct.
>>
>> The link client->squid is not working perfectly.
>>
>> The link squid->server (via internal IPs) is failing.
>>
>> Thus you get a report telling you which link out of the two has
>> failed. Changing that will only make you look in the wrong place for some
>>
>> Amos
>
> Hi Amos,
>
> Thanks for your answer but I am a bit confused now.
>
> Are you saying it's an SSL problem?
> There is your HTTPS problem. Your SSL system libraries are producing
> that error when they can't handle the settings.
> http://google.com/search?q=SSL3_GET_RECORD%3Abad+decompression
Yes. That is the cause.
>
> Or are you saying that squid is unable to forward SSL to an internal IP?
> The link client->squid is not working perfectly.
> The link squid->server (via internal IPs) is failing.
>
Yes. That is the effective result.
> Is squid the tool for me if I want to implement the above setup? What
> would you recomend, Squid, mod_proxy, ...?
I'm not aware of any tools for debugging SSL myself. You may have to go
searching. A good place would be the reports by other people with the
same problem. Thus the google link I created for you.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.3Received on Sat May 22 2010 - 09:29:11 MDT
This archive was generated by hypermail 2.2.0 : Sat May 22 2010 - 12:00:06 MDT