[squid-users] Cannot access google search results and other https sites through squid proxy.

From: Development Team <dev_at_hymes.name>
Date: Mon, 2 Jun 2014 14:10:52 -0700

Hi all, first post. I am a squid noob, but I’ve RTFM, and the FAQ, and
searched the archive and I can’t figure this out.

On my web clients, pages load crazy slowly, then fail with local error pages
such as:
“The connection was reset; The connection to the server was reset while the
page was loading.”

Squid 3.3.12, OS Fedora 20, Linux Kernel 3.14.4-200.fc20.x86_64.
Tested Windows clients Firefox 29.01; Google Chrome 35.0.1916.114 m, IE 11.

Squid cache.log contains no errors.
Squid access.log does not show expected requests, instead shows
TCP_MISS_ABORTED:
“1401736785.584 20020 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://www.google.com/url? - HIER_DIRECT/2607:f8b0:400f:801::1013
(I just noticed the unexpected ip6 type address. I do not know if that is
relevant. I will now try to disable ipv6.)

I did not previously need ssl_bump, but I am trying to get it to work now.
Here is my current squid.conf:
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
always_direct allow all
ssl_bump server-first all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 5
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow localnet manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/pki/certs/squid.crt key=/pki/private/squid.key
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Background: I had a Dansguardian+Squid transparent proxy that worked great
for two years on Fedora 17. I used the default Fedora Squid config (no
ssl_bump), and merely configured iptables to redirect port 80 traffic to
dansguardian, and dansguardian used Squid. However, Fedora forces
end-of-life upgrades every two years. After the latest upgrade Squid failed,
and I have not been able to restore functionality. I have tried installing
on a fresh Fedora 20 system but https requests still fail.
The box is an edge router. It has one external NIC, wan0, one internal NIC
lan0, two internal wifi NICs wifi[0,1] and one bridge interface br0. The box
uses the NAT feature of iptables to provide access to the internet. My
eventual goal is for a transparent proxy, but iptables is NOT currently
configured to try that yet. Current rules look like this:
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan0 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i lan0 -j ACCEPT
-A FORWARD -o wan0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I have been struggling with this for quite some time. I have read, and tried
to follow the FAQ, including
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy. I started with the
default squid config, and ended up trying the ssl_bump feature. I have
hacked iptables configuration, including dumping all firewall rules (except
nat). I have installed wireshark on client and squidbox. I am not skilled at
interpreting the output, but I see my requests going to the squidbox, and
nothing happening. I have tried downgrading to Squid 3.2.12, and upgrading
to 3.4.5.
Thanks for any help.

Dev
Received on Mon Jun 02 2014 - 21:10:59 MDT
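The post quotes a single access.log entry in Squid's native format and wonders whether the IPv6 HIER_DIRECT peer matters. A practical way to answer that is to parse the log and break the aborted requests down by peer address family and duration. The following is an added example, not code from the original post or from the Squid project; it assumes the default native log layout (time, duration, client, result/status, bytes, method, URL, user, hierarchy/peer, content type), and the sample lines are constructed to resemble the entry quoted above rather than taken from a real log.

```python
"""Parse Squid native access.log lines and summarise aborted requests.

Added example (not from the original post). Assumes the default Squid
native log format. The SAMPLE_LOG lines are constructed, modelled on the
TCP_MISS_ABORTED entry quoted in the post, and are not real captures.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines; the first mirrors the entry quoted in the post.
SAMPLE_LOG = """\
1401736785.584  20020 127.0.0.1 TCP_MISS_ABORTED/000 0 GET http://www.google.com/url? - HIER_DIRECT/2607:f8b0:400f:801::1013 -
1401736790.101    312 192.168.1.20 TCP_MISS/200 5120 GET http://example.test/index.html - HIER_DIRECT/93.184.216.34 text/html
1401736795.220  19988 192.168.1.20 TCP_MISS_ABORTED/000 0 CONNECT www.google.com:443 - HIER_DIRECT/2607:f8b0:400f:801::1013 -
1401736799.004     45 192.168.1.21 TCP_HIT/200 2048 GET http://example.test/logo.png - HIER_NONE/- image/png
"""

# One regex per native-format field; whitespace between fields is variable.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<duration_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def peer_family(peer):
    """Classify the peer part of HIER_*/peer as 'ipv4', 'ipv6', 'name' or 'none'."""
    if peer == "-":
        return "none"
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return "name"  # a hostname rather than a literal address
    return "ipv6" if addr.version == 6 else "ipv4"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["duration_ms"] = int(rec["duration_ms"])
    rec["bytes"] = int(rec["bytes"])
    rec["peer_family"] = peer_family(rec["peer"])
    return rec


def summarize(log_text, abort_threshold_ms=10000):
    """Count results and break aborted requests down by duration and peer family.

    A cluster of *_ABORTED entries that all sat near a client timeout and all
    went direct to one address family points at connectivity to that family
    rather than at the proxy's access rules.
    """
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    aborted = [r for r in records if r["result"].endswith("_ABORTED")]
    slow_aborted = [r for r in aborted if r["duration_ms"] >= abort_threshold_ms]
    return {
        "parsed": len(records),
        "by_result": dict(Counter(r["result"] for r in records)),
        "aborted": len(aborted),
        "slow_aborted": len(slow_aborted),
        "aborted_by_peer_family": dict(Counter(r["peer_family"] for r in aborted)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real log with `summarize(open("/var/log/squid/access.log").read())`; if every aborted entry has an IPv6 peer and a duration close to a client-side timeout while IPv4 fetches succeed, that supports the IPv6 reachability hypothesis raised in the post, and the cheap check is whether the proxy host itself can reach that IPv6 address.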
