503 issue after accessing https svn

503 issue after accessing https svn

G~D~Lunatic
My Squid is a transparent proxy, and the problem is that I can't access the SVN server.
The access.log shows:
1512545348.844    380 192.168.51.15 TAG_NONE/200 0 CONNECT 192.168.52.6:443 - ORIGINAL_DST/192.168.52.6 -
1512545348.920      0 192.168.51.15 TAG_NONE/503 4324 OPTIONS https://192.168.52.6/svn/WATMdev/trunk/development/third_period/icapServer - HIER_NONE/- text/html

But when I use the splice step, access is normal. So I want to know what the problem is.

Here is my configuration:

https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem key=/usr/local/squid/ssl_cert/myCA.pem options=NO_SSLv3,NO_SSLv2


acl broken_sites ssl::server_name matchweb.sports.qq.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump splice broken_sites
#ssl_bump splice all
ssl_bump stare ssl_step1
ssl_bump bump ssl_step2
ssl_bump terminate ssl_step3
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: 503 issue after accessing https svn

Amos Jeffries
Administrator
On 06/12/17 21:07, G~D~Lunatic wrote:

> My Squid is a transparent proxy, and the problem is that I can't access
> the SVN server.
> The access.log shows:
> 1512545348.844    380 192.168.51.15 TAG_NONE/200 0 CONNECT
> 192.168.52.6:443 - ORIGINAL_DST/192.168.52.6 -
> 1512545348.920      0 192.168.51.15 TAG_NONE/503 4324 OPTIONS
> https://192.168.52.6/svn/WATMdev/trunk/development/third_period/icapServer 
> - HIER_NONE/- text/html
>
> But when I use the splice step, access is normal. So I want to know
> what the problem is.
>

You will have to check the 503 that Squid is delivering there.

There does not appear to be any server name known, which might have
something to do with it. It's not easy to generate a proper server
certificate without a server name.



> Here is my configuration:
>
> https_port 192.168.51.200:3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/usr/local/squid/ssl_cert/myCA.pem
> key=/usr/local/squid/ssl_cert/myCA.pem options=NO_SSLv3,NO_SSLv2
>

It may have something to do with these restrictions against SSLv2 and v3.

Do you have anything similar on the sslproxy_* options?

>
> acl broken_sites ssl::server_name matchweb.sports.qq.com
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump splice broken_sites
> #ssl_bump splice all
> ssl_bump stare ssl_step1

<https://wiki.squid-cache.org/Features/SslPeekAndSplice#Limitations>
The splice above is likely not possible with the step1 or step2 data
after this stare happens.
  Note that this is a *maybe*. You will have to check the traffic, the
error messages etc. to know for sure what is going on.

> ssl_bump bump ssl_step2
> ssl_bump terminate ssl_step3
>

Amos
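As an added illustration of the ordering point raised in the reply (this fragment is not from the thread and not Squid's own documentation), the posted ssl_bump rules are shown beside a reordering that peeks at step1 instead of staring, so a splice decision can still be taken once the SNI is known at step2. It assumes the same https_port and CA as in the original post, Squid 3.5 or later, and that the SVN server at 192.168.52.6 is reached by bare IP (as the CONNECT line in the access.log shows), so no SNI will ever be present for it; the "svn_server" acl name and the choice to exempt that host by destination IP are assumptions for the example.

```conf
# Added example (not from the thread). Same acls as the original post.
acl broken_sites ssl::server_name matchweb.sports.qq.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3

# Assumed for this example: the intercepted SVN host, matched by the
# ORIGINAL_DST address. "dst" is usable at step1, before any TLS data
# has been read, unlike ssl::server_name which needs the SNI.
acl svn_server dst 192.168.52.6

# --- Ordering from the original post (kept as comments for comparison) ---
# ssl_bump splice broken_sites   # evaluated at step1: for intercepted traffic
#                                # the only "server name" is the destination IP,
#                                # so an SNI-based rule cannot match here
# ssl_bump stare ssl_step1       # stare commits towards bumping; a later
#                                # splice is no longer possible
# ssl_bump bump ssl_step2
# ssl_bump terminate ssl_step3

# --- Reordered: keep the option to splice open until the SNI is known ---
ssl_bump splice svn_server       # step1: hand the SVN server straight through
ssl_bump peek ssl_step1          # step1: read the ClientHello, splice still allowed
ssl_bump splice broken_sites     # step2: server_name now carries the SNI
ssl_bump bump all                # step2: everything else is bumped with a
                                 # certificate generated from the SNI
```

Check the result with `squid -k parse` before reloading, then watch cache.log and the access.log tag (TAG_NONE/503 with HIER_NONE/- on the decrypted request is the symptom in the post) to confirm which rule each step actually took.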