Re: [squid-users] Squid 3.1.19 problem: TCP_MISS/503 0 CONNECT https:443 - NONE/- -

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 05 Feb 2014 22:56:58 +1300

On 5/02/2014 12:49 p.m., b0tm1nd wrote:
> I am trying to set up Squid as a proxy with HTTPS support.
> No matter what I try, I cannot get CONNECT methods to work (via both HTTP
> and HTTPS protocols).

Problem 1) CONNECT is not valid in HTTPS. It is a client->proxy method
and only expected to work in HTTP where proxies are defined to exist.
HTTPS is defined to be an end-to-end client->origin server connection.

>
> The problem seems to be very strange and unique, because the connection URL
> gets converted to something odd.
>
> When I have enabled *never_direct allow all* option, here is what I get:
>
> Requests:
> CONNECT https://google.com
> CONNECT http://google.com
> GET https://google.com

Problem 2) none of the above are valid HTTP requests.

This is what valid equivalent requests would look like:

 CONNECT google.com:443 HTTP/1.1
 CONNECT google.com:80 HTTP/1.1
 GET https://google.com/ HTTP/1.1

This might help
https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p1-messaging.html#request-target

> Log:
> TCP_MISS/503 0 CONNECT https:443 - NONE/- -
> TCP_MISS/503 0 CONNECT http:443 - NONE/- -
> TCP_HIT/301 647 GET https://google.com/ - NONE/- text/html
>
> Without this option, the logs turn into:
> TCP_MISS/404 0 CONNECT https:443 - DIRECT/- -
> TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
>
> Note, how "//google.com" turns into ":443".

Strange. Your Squid is assuming that anything using CONNECT is port 443.
I usually see text strings being converted to the value 0.

>
> Here is the part of detailed log, where this mysterious turn occurs:
>
>
>
> My configuration:
>
>
>
> This is the version output:
>
>
>

Email strangely missing any of your embedded details ... oh wait. Nabble
bites again. :-(

> When I use the one installed from Ubuntu 12.04 with the same configuration,
> I cannot even get to "GET https://google.com" to work.

Squid and OpenSSL licenses clash a little bit. The Debian and Ubuntu OS
distributors have chosen for legal policy reasons not to provide a Squid
binary with HTTPS support so long as that support requires OpenSSL to be
linked to Squid.

You will need to build your own Squid with --enable-ssl or somewhere
locate a Squid .deb package with SSL support enabled. I don't know where
one might be found, sorry.

Amos
Received on Wed Feb 05 2014 - 09:57:26 MST
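
The request-line forms discussed in the reply above, as an added example that is not part of the original message and not Squid's own parsing code: a small Python checker for request lines sent to a forward proxy, run over the six lines quoted in the thread. The function name, constants and problem strings are assumptions made for illustration.

```python
import re

# authority-form (CONNECT only): host ":" port, with no scheme and no path
AUTHORITY = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(\d{1,5})$")
# absolute-form (other methods, when talking to a proxy): scheme://host[/path]
ABSOLUTE = re.compile(r"^https?://[^/?#\s]+([/?]\S*)?$", re.I)
VERSION = re.compile(r"^HTTP/\d\.\d$")

MISSING_VERSION = "missing HTTP-version"
BAD_LINE = "not of the form: method SP request-target SP HTTP-version"
BAD_CONNECT = "CONNECT target must be authority-form host:port"
BAD_PORT = "port out of range"
BAD_ABSOLUTE = "request to a proxy must use an absolute-form target"

def check_request_line(line):
    """Return a list of problems with one request line; empty means valid."""
    problems = []
    parts = line.strip().split(" ")
    if len(parts) == 2:
        problems.append(MISSING_VERSION)
    elif len(parts) != 3 or not VERSION.match(parts[2]):
        return [BAD_LINE]
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        m = AUTHORITY.match(target)
        if not m:
            problems.append(BAD_CONNECT)
        elif not 1 <= int(m.group(2)) <= 65535:
            problems.append(BAD_PORT)
    elif not ABSOLUTE.match(target):
        # origin-form ("/path") and asterisk-form ("*") are not covered here
        problems.append(BAD_ABSOLUTE)
    return problems

# The three lines from the original question, then the three corrected ones.
SAMPLES = [
    "CONNECT https://google.com",
    "CONNECT http://google.com",
    "GET https://google.com",
    "CONNECT google.com:443 HTTP/1.1",
    "CONNECT google.com:80 HTTP/1.1",
    "GET https://google.com/ HTTP/1.1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-36s %s" % (sample, check_request_line(sample) or "ok"))
```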
