Re: [squid-users] Trouble between Squid and SSL proxied host

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 15 Sep 2010 01:50:37 +0000

On Tue, 14 Sep 2010 17:40:53 -0700 (PDT), mikek <mike_at_verafex.com> wrote:
> Hi There
>
> I've just set up a Squid proxy hosted on EC2 between my users and a Google
> AppEngine application. (Google AppEngine currently doesn't support custom
> domain SSL, so this is the only way to do it.)
>
> (I was following the instructions here:
> http://blog.earlystageit.com/2010/07/10/gae-proxy/)
>
> The proxy seems to be working, except every now and then (about every 5-6
> page views) I receive an error in the browser:
>
> ERROR
> The requested URL could not be retrieved
> While trying to retrieve the URL: https://xxxxx.appspot.com/handlerName
> The following error was encountered:
> Connection to 74.125.53.141 Failed
> The system returned:
> (71) Protocol error
> The remote host or network may be down. Please try the request again.
>
> I also see this error in the cache.log:
>
> fwdNegotiateSSL: Error negotiating SSL connection on FD 16:
> error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> (1/-1/0)
>
> My squid config looks like this:
>
> cache_effective_user squid
> cache_effective_group squid
> retry_on_error on
> acl all src 0.0.0.0/0.0.0.0
> acl Safe_ports port 443
> acl gae dstdomain xxxxx.appspot.com
> visible_hostname secure.xxxxx.com
> https_port 443 cert=/path/to.crt key=/path/to.pem defaultsite=xxxxx.appspot.com
> cache_peer xxxxx.appspot.com parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=appspot
> cache_peer_access appspot allow gae
> always_direct allow gae
> http_access allow gae Safe_ports
> http_access deny all
> debug_options ALL,1
>
> My question is:
>
> a) What does the error mean? Is there a problem reaching the Google servers?
> Is there a problem with their certificate? Why does the problem happen
> sometimes but not others?
> b) Have I set this up correctly?

Close, there are some problems:
 https_port still needs accel and maybe vhost options to be a real accelerator.

 always_direct prevents the cache_peer config ever being used.

Is the public DNS that clients are connecting to xxxxx.appspot.com or secure.xxxxx.com?
 You may need to add the forcedomain=xxxxx.appspot.com option to cache_peer and remove the always_direct.

Some tuning:
 acl all src all

If you have squid-3.1+ add ignore-cc to the https_port line of accelerators to let the server Cache-Control override the client ones.

> c) Is there a better way to do it? (I've tried adding a connect_timeout, but
> that didn't seem to help...)

It will make the error appear faster maybe, so less time spent trying and
holding up network resources. But it will not resolve the underlying issue.

Amos
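A constructed squid.conf that applies the changes suggested in the reply above (accel/vhost on https_port, forcedomain on the peer, always_direct removed, ignore-cc for 3.1+). It is added here as an example and is not the poster's configuration or anything from the original thread; it goes one step beyond the reply by adding never_direct, and the sslcafile= remark in the comments is an assumption about the deployment, not something the thread discusses.

```conf
# Constructed example (squid-3.1 syntax), not the poster's working config.
# xxxxx.appspot.com, secure.xxxxx.com and the cert/key paths are the
# placeholders used in the thread.

cache_effective_user squid
cache_effective_group squid
retry_on_error on

# "acl all src all" is the form suggested in the reply; squid-3.x already
# defines "all" as a built-in ACL, so it is only required on older releases.
acl all src all
acl Safe_ports port 443
acl gae dstdomain xxxxx.appspot.com

visible_hostname secure.xxxxx.com

# accel makes the port a reverse proxy; vhost lets the Host: header select
# the site; ignore-cc (3.1+) lets the origin's Cache-Control override the
# client's; defaultsite covers requests that arrive without a Host: header.
https_port 443 accel vhost ignore-cc defaultsite=xxxxx.appspot.com cert=/path/to.crt key=/path/to.pem

# forcedomain rewrites the Host: header to the name AppEngine serves, which
# matters when clients connect to secure.xxxxx.com.
# sslflags=DONT_VERIFY_PEER is carried over from the original and disables
# validation of the upstream certificate; a deployment that needs to trust
# the origin should point sslcafile= at the issuing CA bundle instead
# (assumption: that path is site-specific and not given in the thread).
cache_peer xxxxx.appspot.com parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER forcedomain=xxxxx.appspot.com name=appspot
cache_peer_access appspot allow gae
cache_peer_access appspot deny all

# always_direct is removed; never_direct keeps requests for the site on the
# peer instead of letting Squid fall back to a direct connection.
never_direct allow gae

http_access allow gae Safe_ports
http_access deny all
debug_options ALL,1
```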
Received on Wed Sep 15 2010 - 01:50:41 MDT

This archive was generated by hypermail 2.2.0 : Thu Sep 16 2010 - 12:00:03 MDT