Re: [squid-users] Fw: Squid 504 issue when connecting to site with untrusted SSL certificate

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 30 Jun 2011 14:17:24 +1200

 On Thu, 30 Jun 2011 11:22:57 +1000, tony.carter_at_industry.nsw.gov.au
 wrote:
> Greetings,
>
> Squid Cache: Version 2.7.STABLE9
> Access URL: https://remote.phau.com.au:987/grains/default.aspx
>
> With no intervening proxy server, the above site returns an untrusted SSL
> certificate warning which, once accepted, takes me through to a login dialog.
> With the proxy server in the chain, squid returns a "Connection to
> 165.228.126.196 Failed " - the untrusted cert warning page is not returned.
> The squid logs display the following -
> 1309240053.271 60029 148.145.157.200 TCP_MISS/504 0 CONNECT remote.phau.com.au:987 - DIRECT/165.228.126.196 -
> There is nothing displayed in the cache log.
>
> The research I've done typically reports as follows (and also that there
> is little I can do about it save contacting the target server's admin):
> <snip> This server (squid) did not receive a timely response from an
> upstream server it accessed to deal with your HTTP request.
> This usually means that the upstream server is down (no response to the
> gateway/proxy), rather than that the upstream server and the gateway/proxy
> do not agree on the protocol for exchanging data. </snip>
>
> Could it be the certificate warning which is causing the timeout and, if so,
> are there ways to configure squid to deal with it?

 No. The problem is happening right down at the TCP level. Squid sends a
 TCP SYN packet and nothing comes back.

 Things to look at are firewall rules dropping packets to or from port
 987, or possibly packet routing differences, on any hardware between
 your squid box and the remote site which is not also between your
 working client machine and that same site.

 Amos
Received on Thu Jun 30 2011 - 02:17:35 MDT
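
The following is an added example, not part of the original messages and not Squid code: a small parser for the native access.log format that flags CONNECT requests matching the pattern in the reply above (504, zero bytes relayed, full timeout elapsed), which points at the TCP layer rather than at TLS or the certificate. The 60000 ms threshold and the constructed comparison lines are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    elapsed_ms: int
    client: str
    status: int
    size: int
    method: str
    target: str
    peer: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one line of Squid's native access.log format (10 fields)."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        status = int(f[3].split("/", 1)[1])       # TCP_MISS/504 -> 504
        peer = f[8].partition("/")[2]             # DIRECT/1.2.3.4 -> 1.2.3.4
        return Entry(int(f[1]), f[2], status, int(f[4]), f[5], f[6], peer)
    except (IndexError, ValueError):
        return None

def classify(e: Entry, timeout_ms: int = 60000) -> str:
    # timeout_ms is an assumption chosen to match the ~60 s elapsed time
    # in the logged line; set it to your proxy's connect timeout.
    if e.method != "CONNECT":
        return "not-a-tunnel"
    if e.status == 504 and e.size == 0 and e.elapsed_ms >= timeout_ms:
        # No bytes relayed and the full timeout elapsed: the TCP connect never
        # completed, so no TLS handshake (or certificate) was ever exchanged.
        return "tcp-connect-timeout"
    if e.status == 200:
        # Tunnel opened; any certificate warning happens end to end inside it.
        return "tunnel-established"
    return "other"

SAMPLE = [
    # Line quoted in the message above.
    "1309240053.271 60029 148.145.157.200 TCP_MISS/504 0 CONNECT remote.phau.com.au:987 - DIRECT/165.228.126.196 -",
    # Constructed lines for comparison.
    "1309240100.100 1520 192.0.2.10 TCP_MISS/200 4312 CONNECT www.example.com:443 - DIRECT/192.0.2.80 -",
    "1309240101.500 85 192.0.2.10 TCP_MISS/200 1024 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html",
]

def report(lines):
    entries = [e for e in map(parse_line, lines) if e]
    return [(e.target, e.peer, classify(e)) for e in entries]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```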
