Re: [squid-users] Issues with ssl-bump in 3.HEAD

From: Mike <mcsnv96_at_afo.net>
Date: Thu, 19 Jun 2014 13:06:01 -0500

I got it figured out... it was the acl rules at the top... since the
server IP was within the company network and I was testing and accessing
from outside, it was not working. So at least for testing I needed to
add my own IP as part of the "acl localnet"... after that it worked
perfectly.

Thanks to everyone for their help.

Mike

On 6/18/2014 4:59 PM, Mike wrote:
> I (think) got it figured out... seemed that port 3128 was the
> problem... not sure why this provider blocks that port but as soon as
> I changed the squid.conf http_port to 8080, it worked right away.
>
> Thanks for everyone's help!
>
> Mike
>
> On 6/18/2014 12:35 PM, Mike wrote:
>> I compiled source 3.4.5 from squid-cache.org with all the needed
>> rules and it is still refusing all connections.
>> OS (on all 3 tested systems) is Scientific Linux 6.5, kernel is
>> 2.6.32.431.17.1.el6. The latest squid version available in their repo
>> is 3.1.10 which does not have the needed SSL related options.
>>
>> No unusual errors with configure, make or make install.
>>
>> So any suggestions or other items to check?
>>
>> Mike
>>
>> On 6/17/2014 12:34 AM, Amos Jeffries wrote:
>>> On 17/06/2014 10:30 a.m., Mike wrote:
>>>> Running into another issue, not sure what's going on here.
>>>>
>>>> ALL HTTPS connections are being denied. Temporarily, selinux is disabled
>>>> and firewall is off. We have it working on 2 other servers with same OS,
>>>> same kernel, same settings but it is just this one that refuses to allow
>>>> connections to HTTPS sites.
>>>>
>>>> We went with this version since none of the other rpms (3.4x and newer)
>>>> we could find included the ssl_crtd without manually compiling the
>>>> entire thing, which we wanted to stay away from if possible, due to ease
>>>> of updating squid at some point down the road on many servers without
>>>> having to recompile on dozens (or maybe hundreds by then) when it comes
>>>> time.
>>>>
>>>> The cache.log shows no errors. "squid -k parse" shows no errors.
>>>>
>>>> [root_at_servername $]# yum info squid
>>>> Loaded plugins: security
>>>> Installed Packages
>>>> Name : squid
>>>> Arch : x86_64
>>>> Epoch : 7
>>>> Version : 3.5.0.001
>>>> Release : 1.el6
>>>> Size : 8.2 M
>>>> Repo : installed
>>>>
>>>> [root_at_servername $]# squid -v
>>>> Squid Cache: Version 3.HEAD-20140127-r13248
>>> Hi Mike,
>>> that package is several months old now and this sounds like one of the
>>> bugs now fixed. I'm sending Eliezer a request to update the package, you
>>> may want to do so as well.
>>>
>>> I don't see any http_access lines at all in the below config file. Squid
>>> security policy is "closed by default", so if you omit all access
>>> permissions nothing is permitted.
>>>
>>>> From access.log:
>>>> TCP_DENIED/403 3742 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
>>>> TCP_DENIED/403 3733 CONNECT startpage.com:443 - HIER_NONE/- text/html
>>>> TCP_DENIED/403 3736 CONNECT www.google.com:443 - HIER_NONE/- text/html
>>>>
>>>> Rules are same as previously mentioned:
>>>>
>>>> # Squid normally listens to port 3128
>>>> http_port 3128
>>>> http_port 3129 intercept
>>>> https_port 3130 intercept ssl-bump connection-auth=off
>>>> generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
>>>> cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
>>>>
>>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db
>>>> -M 16MB
>>>> sslcrtd_children 50 startup=5 idle=1
>>>> ssl_bump server-first all
>>>> ssl_bump none localhost
>>>> always_direct allow all
>>>>
>>>> visible_hostname xxxxx.xx.net
>>>> cache_mgr xxxx_at_xx.net
>>>> dns_nameservers xx.xx.xx.xx yy.yy.yy.yy zz.zz.zz.zz
>>>> hosts_file /etc/hosts
>>>>
>>>> #cache_access_log /dev/null
>>>> #cache_store_log none
>>>> #cache_log /dev/null
>>>> # acl blacklist dstdomain -i "/etc/squid/domains"
>>>> # http_access deny blacklist
>>>>
>>>>
>>>> # Below line is for troubleshooting only, comment out when sys goes to
>>>> # production
>>>> cache_access_log /var/log/squid/access.log
>>> The above line should be:
>>> access_log /var/log/squid/access.log
>>>
>>> Also, the cache_log and debug_options lines should remain like this in
>>> production if at all possible. You can start Squid with the -s command
>>> line option to pipe the cache critical messages to syslog but Squid
>>> should always have a cache.log for a backup troubleshooting information
>>> source.
>>>
>>>> cache_store_log /var/log/squid/store.log
>>>> cache_log /var/log/squid/cache.log
>>>> debug_options ALL,0
>>>>
>>>> # Uncomment and adjust the following to add a disk cache directory.
>>>> cache_dir ufs /var/spool/squid 10000 32 512
>>>> cache_effective_user squid
>>>>
>>>> The cache store (store.log) shows a lot of entries like this:
>>>> RELEASE -1 FFFFFFFF 10808232E705173EC05BDDACC2C6F47F ? ?
>>>> ? ? ?/? ?/? ? ?
>>> Not to worry, temporary files used as disk-backing store for some
>>> transactions. We have not yet fully removed the need for this type of
>>> file from Squid.
>>>
>>> HTH
>>> Amos
>>>
>>
>
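A small checker, added here as an illustration and not code from the thread or from the Squid project: it reads the `acl ... src` and `http_access` lines of a squid.conf fragment in order and applies Squid's first-match rule (with the "opposite of the last rule" default, and deny when there are no rules at all). The configs and network values are constructed; they reproduce the two situations in the thread, a config with no http_access lines and a tester whose IP is outside `localnet`.

```python
import ipaddress

def parse_squid_access(conf):
    """Collect 'acl NAME src ...' networks and http_access rules, in file order."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]}
    rules = []  # (allow?, [acl names]) in the order Squid evaluates them
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            nets = [ipaddress.ip_network(n, strict=False) for n in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules

def src_allowed(conf, client_ip):
    """Would Squid accept a request from client_ip under these http_access lines?"""
    acls, rules = parse_squid_access(conf)
    ip = ipaddress.ip_address(client_ip)

    def matches(name):
        negated = name.startswith("!")
        hit = any(ip in net for net in acls.get(name.lstrip("!"), []))
        return hit != negated

    for allow, names in rules:
        if all(matches(n) for n in names):   # every ACL on the line must match
            return allow
    # Nothing matched: Squid uses the opposite of the last rule's action;
    # with no http_access lines at all the proxy is closed by default.
    return (not rules[-1][0]) if rules else False

# Constructed config fragments (not Mike's full squid.conf).
CONF_NO_RULES = """
http_port 3128
https_port 3130 intercept ssl-bump connection-auth=off
ssl_bump server-first all
"""
CONF_LOCALNET = """
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
"""
# Same policy after adding the tester's (constructed) public IP to localnet.
CONF_LOCALNET_PLUS_TESTER = CONF_LOCALNET.replace(
    "acl localnet src 10.0.0.0/8", "acl localnet src 10.0.0.0/8 203.0.113.7")
```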
Received on Thu Jun 19 2014 - 18:06:06 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 20 2014 - 12:00:05 MDT