ERROR The requested URL could not be retrieved


Uchenna Nebedum
Good Day All,
I have set up Squid 3.5 with MikroTik, and SSL bumping is enabled. After accepting the certificate on the browser prompt, Squid throws an error in the browser: "unable to forward this request at this time." It throws this error for HTTP sites as well. Please, what could be causing this error?

Please find attached my squid.conf:
#cache_log /var/log/squid/cache.log
cache_effective_user proxy
acl localnet src 10.0.0.0/24
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
never_direct allow all
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
visible_hostname localhost
http_port 3126 intercept
http_port 3128 ssl-bump  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
sslproxy_cert_error allow all
#sslproxy_cert_error allow ssl_error_domains
#sslproxy_cert_error allow ssl_error_ips
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump stare step2 all
ssl_bump bump step3 all
ssl_bump splice localhost
ssl_bump splice all
via off
forwarded_for on
request_header_access From deny all
request_header_access Cache-Control deny all
request_header_access Keep-Alive deny all
request_header_access Other deny all
reply_header_access Set-Cookie deny all
reply_header_access Set-Cookie2 deny all
reply_header_access Other deny all
adaptation_access greasyspoon allow all
dns_timeout 30 seconds
dns_v4_first on
#ecap_enable off
icap_enable on
icap_preview_enable off
icap_preview_size 2048
icap_persistent_connections on
adaptation_send_client_ip on
adaptation_send_username on
icap_service greasyspoon respmod_precache icap://127.0.0.1:1344/response bypass=0
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320
shutdown_lifetime 10 seconds



And my access.log:
1540823796.041      1 10.0.0.252 TAG_NONE/200 0 CONNECT 52.114.76.34:443 - HIER_NONE/- -
1540823796.041      1 10.0.0.252 TAG_NONE/200 0 CONNECT 52.114.76.34:443 - HIER_NONE/- -
1540823840.186      1 10.0.0.252 TAG_NONE/200 0 CONNECT 52.114.76.34:443 - HIER_NONE/- -
1540823864.291      1 10.0.0.252 TAG_NONE/200 0 CONNECT 191.239.240.49:443 - HIER_NONE/- -
1540823864.297      8 10.0.0.252 TAG_NONE/200 0 CONNECT 191.239.240.49:443 - HIER_NONE/- -
1540823864.342      1 10.0.0.252 TAG_NONE/200 0 CONNECT 191.239.240.49:443 - HIER_NONE/- -
1540823864.628      1 10.0.0.252 TAG_NONE/200 0 CONNECT 152.199.19.161:443 - HIER_NONE/- -
1540823864.628      1 10.0.0.252 TAG_NONE/200 0 CONNECT 152.199.19.161:443 - HIER_NONE/- -
1540823864.644      1 10.0.0.252 TAG_NONE/200 0 CONNECT 152.199.19.161:443 - HIER_NONE/- -
1540824133.725    117 10.0.0.253 TCP_MISS/500 4215 GET http://init-p01md.apple.com/bag - HIER_NONE/- text/html
1540824133.725    114 10.0.0.253 TCP_MISS/500 4215 GET http://init-p01md.apple.com/bag - HIER_NONE/- text/html
1540824133.729    112 10.0.0.253 TCP_MISS/500 4310 GET http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag? - HIER_NONE/- text/html
1540824133.729    109 10.0.0.253 TCP_MISS/500 4310 GET http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag? - HIER_NONE/- text/html
1540824133.850     14 10.0.0.253 TAG_NONE/200 0 CONNECT 95.101.216.92:443 - HIER_NONE/- -
1540824133.850     11 10.0.0.253 TAG_NONE/200 0 CONNECT 95.101.216.92:443 - HIER_NONE/- -
1540824133.854     12 10.0.0.253 TAG_NONE/200 0 CONNECT 95.101.216.92:443 - HIER_NONE/- -
1540824133.966    122 10.0.0.253 TCP_MISS/500 4205 GET http://init-p01st.push.apple.com/bag - HIER_NONE/- text/html
1540824133.987    164 10.0.0.253 TAG_NONE/200 0 CONNECT 95.101.188.60:443 - HIER_NONE/- -
1540824133.987    164 10.0.0.253 TAG_NONE/200 0 CONNECT 17.137.166.4:443 - HIER_NONE/- -
1540824134.251      4 10.0.0.253 TAG_NONE/200 0 CONNECT 95.101.188.60:443 - HIER_NONE/- -
1540824134.336      4 10.0.0.253 TAG_NONE/200 0 CONNECT 17.167.193.43:443 - HIER_NONE/- -
1540824136.162     17 10.0.0.253 TAG_NONE/200 0 CONNECT 192.12.31.78:443 - HIER_NONE/- -
1540824136.299      4 10.0.0.253 TAG_NONE/200 0 CONNECT 157.119.235.19:443 - HIER_NONE/- -
1540824150.357      4 10.0.0.253 TAG_NONE/200 0 CONNECT 17.167.192.128:443 - HIER_NONE/- -
1540824159.403      4 10.0.0.253 TAG_NONE/200 0 CONNECT 17.167.192.128:443 - HIER_NONE/- -
1540824769.945    601 10.0.0.253 TCP_MISS/500 4217 GET http://captive.apple.com/hotspot-detect.html - HIER_NONE/- text/html
1540824770.651    135 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.194:443 - HIER_NONE/- -
1540824770.654    136 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824771.204    351 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824771.451     10 10.0.0.253 TAG_NONE/200 0 CONNECT 17.120.225.140:443 - HIER_NONE/- -
1540824771.452      7 10.0.0.253 TAG_NONE/200 0 CONNECT 17.120.225.140:443 - HIER_NONE/- -
1540824771.680    827 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.202:443 - HIER_NONE/- -
1540824771.688    833 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.194:443 - HIER_NONE/- -
1540824771.688      1 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.202:443 - HIER_NONE/- -
1540824771.693      6 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.64.191:443 - HIER_NONE/- -
1540824771.847    159 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824771.882     30 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.202:443 - HIER_NONE/- -
1540824771.883     30 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.194:443 - HIER_NONE/- -
1540824771.887     36 10.0.0.253 TAG_NONE/200 0 CONNECT 17.248.146.179:443 - HIER_NONE/- -
1540824772.034     42 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.206:443 - HIER_NONE/- -
1540824772.036      6 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.194:443 - HIER_NONE/- -
1540824772.042      1 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824772.078      5 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.194:443 - HIER_NONE/- -
1540824772.146     15 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824772.150      4 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824772.172      5 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824772.243     90 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.194:443 - HIER_NONE/- -
1540824772.278      5 10.0.0.253 TAG_NONE/200 0 CONNECT 17.248.146.179:443 - HIER_NONE/- -
1540824772.296      4 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.194:443 - HIER_NONE/- -
1540824772.341      8 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.194:443 - HIER_NONE/- -
1540824772.719     10 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.202:443 - HIER_NONE/- -
1540824772.722      5 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824772.787      9 10.0.0.253 TAG_NONE/200 0 CONNECT 17.248.146.179:443 - HIER_NONE/- -
1540824772.868      4 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.202:443 - HIER_NONE/- -
1540824773.239      5 10.0.0.253 TAG_NONE/200 0 CONNECT 216.58.223.202:443 - HIER_NONE/- -
1540824773.810      8 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824773.868      4 10.0.0.253 TAG_NONE/200 0 CONNECT 17.248.146.179:443 - HIER_NONE/- -
1540824774.898      4 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824774.964      7 10.0.0.253 TAG_NONE/200 0 CONNECT 17.248.146.179:443 - HIER_NONE/- -
1540824776.218      4 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824956.204     56 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824956.374    110 10.0.0.253 TCP_MISS/500 4205 GET http://init-p01st.push.apple.com/bag - HIER_NONE/- text/html
1540824956.966      5 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824957.034      7 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824957.043      3 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824957.124     23 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824957.190     13 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824957.273      4 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824957.355      4 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824957.495      4 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824957.573      4 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824957.642      5 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824957.723      4 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824957.783      4 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824967.333      5 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824967.398      5 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824967.454      4 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540824970.474      4 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540824971.300      5 10.0.0.253 TAG_NONE/200 0 CONNECT 17.56.48.13:443 - HIER_NONE/- -
1540824971.625      9 10.0.0.253 TAG_NONE/200 0 CONNECT 92.122.44.112:443 - HIER_NONE/- -
1540825078.056      4 10.0.0.253 TAG_NONE/200 0 CONNECT 17.151.240.36:443 - HIER_NONE/- -
1540825078.058     14 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540825078.224      8 10.0.0.253 TAG_NONE/200 0 CONNECT 104.83.75.199:443 - HIER_NONE/- -
1540825584.867    258 10.0.0.253 TCP_MISS/500 4217 GET http://captive.apple.com/hotspot-detect.html - HIER_NONE/- text/html


Please, I'll provide any other information required. Please, I really need help. I noticed my last two questions weren't answered; I really need help. I've noticed Google and Facebook are reachable.

--
Nebedum Uchenna

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: ERROR The requested URL could not be retrieved

Stephen Borrill
On 29/10/2018 15:20, Uchenna Nebedum wrote:
> Good Day All,
> I have setup squid 3.5 with mikrotik, and ssl bumping is enabled. after
> accepting the certificate on the browser prompt, Squid throws an error
> on the browser, "*unable to forward this request at this time.*" it
> throws this error for http sites as well. please what could be causing
> this error.

never_direct allow all

How is your proxy meant to forward on requests? You have no cache peers,
but have told it never to go direct (i.e. always use a cache peer).


Re: ERROR The requested URL could not be retrieved

Amos Jeffries
Administrator
On 30/10/18 4:23 AM, Stephen Borrill wrote:

> On 29/10/2018 15:20, Uchenna Nebedum wrote:
>> Good Day All,
>> I have setup squid 3.5 with mikrotik, and ssl bumping is enabled. after
>> accepting the certificate on the browser prompt, Squid throws an error
>> on the browser, "*unable to forward this request at this time.*" it
>> throws this error for http sites as well. please what could be causing
>> this error.
>
> never_direct allow all
>
> How is your proxy meant to forward on requests? You have no cache peers,
> but have told it never to go direct (i.e. always use a cache peer).
>
>> *Please find attached my squid.conf*

There are some other issues I can already see which will be coming up
when you resolve the above problem:


>> visible_hostname localhost

Any other proxy calling itself "localhost" will cause forwarding loops.
Either let Squid locate the proxy machine's hostname automatically, or
configure a FQDN for the above. The name used should resolve to the
proxy IP when clients look it up in DNS.


>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> ssl_bump peek step1 all
>> ssl_bump stare step2 all
>> ssl_bump bump step3 all

The lines above contain other non-splice actions required to always
happen at every step of the SSL-Bumping process.

So these splice lines will never happen:

>> ssl_bump splice localhost
>> ssl_bump splice all


>> via off

Removal of via is only a bandaid to make those forwarding loops created
by visible_hostname not be visible anymore. They can still happen and
annoy other admins elsewhere on the networks your traffic goes to.


>> forwarded_for on
>> request_header_access From deny all
>> request_header_access Cache-Control deny all
>> request_header_access Keep-Alive deny all
>> request_header_access Other deny all

Er, the above *only* affect requests sent to upstream servers.

Removing Cache-Control in particular is definitely going to lead to
major problems for your clients.

"Other" is also tricky. It removes all HTTP headers which Squid has not
explicitly been coded to understand.

So removing headers with "Other" like this a) breaks any modern HTTP
features your Squid does not explicitly support, and b) lets through
many headers you probably don't want to just because Squid does "know" them.

Keep-Alive is unnecessary since Squid already removes that problematic
header on sight.


>> reply_header_access Set-Cookie deny all
>> reply_header_access Set-Cookie2 deny all
>> reply_header_access Other deny all

>> adaptation_access greasyspoon allow all
>> dns_timeout 30 seconds
>> dns_v4_first on
>> #ecap_enable off
>> icap_enable on
>> icap_preview_enable off
>> icap_preview_size 2048
>> icap_persistent_connections on
>> adaptation_send_client_ip on
>> adaptation_send_username on
>> icap_service greasyspoon respmod_precache icap://127.0.0.1:1344/response
>> bypass=0
>> refresh_pattern ^ftp:        1440    20%    10080
>> refresh_pattern ^gopher:    1440    0%    1440
>> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
>> refresh_pattern .        0    20%    4320
>> shutdown_lifetime 10 seconds/
>>
>>

>>
>> please i'll provide any other information required. please i really need
>> help. I noticed my last two questions weren't answered, i really need
>> help. I've noticed google and facebook are reachable.
>>

Meaning traffic to those does not go through the proxy or any of the
ports you are intercepting. Probably via QUIC or similar non-HTTP(S)
protocol.

If you are trying to do those weird header changes for privacy or
anonymity, their traffic working is a very bad sign.

Amos
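
The three problems raised in the replies above (never_direct with no cache_peer, visible_hostname localhost, and ssl_bump rules shadowed by earlier catch-all rules) can be checked mechanically. The following Python is an added example, not part of the original thread or of Squid: the function names are hypothetical, SAMPLE_CONF is constructed from directives posted in this thread, and the ssl_bump check assumes a simplified first-match model that ignores Squid's per-step restrictions on which actions are allowed.

```python
# Constructed sample: the relevant directives from the squid.conf posted in this thread.
SAMPLE_CONF = """\
never_direct allow all
visible_hostname localhost
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump stare step2 all
ssl_bump bump step3 all
ssl_bump splice localhost
ssl_bump splice all
"""

STEPS = ("SslBump1", "SslBump2", "SslBump3")


def parse(conf):
    """Return a list of (directive, [args]) with comments and blank lines dropped."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def step_acls(directives):
    """Map ACL name -> SslBump step for every 'acl NAME at_step SslBumpN' line."""
    return {a[0]: a[2] for d, a in directives
            if d == "acl" and len(a) >= 3 and a[1] == "at_step" and a[2] in STEPS}


def unreachable_ssl_bump(directives):
    """Return ssl_bump rules that earlier catch-all rules shadow at every step.

    Assumed model: at each step the first matching rule wins. A rule is a
    catch-all for a step when its only ACLs are 'all' and/or that step's
    at_step ACL. Any other ACL (or a negation) makes the rule conditional.
    """
    steps = step_acls(directives)
    covered = set()   # steps already claimed by a catch-all rule
    dead = []
    for d, args in directives:
        if d != "ssl_bump" or not args:
            continue
        acls = args[1:]
        named = {steps[a] for a in acls if a in steps}
        if len(named) > 1:
            continue  # ACLs are ANDed: two different steps can never match together
        # Steps at which this rule could match at all.
        possible = named if named else set(STEPS)
        if possible <= covered:
            dead.append("ssl_bump " + " ".join(args))
            continue
        if all(a == "all" or a in steps for a in acls):
            covered |= possible
    return dead


def never_direct_without_peer(directives):
    """True when 'never_direct allow all' is set but no cache_peer is defined."""
    forced = any(d == "never_direct" and a[:1] == ["allow"] and "all" in a[1:]
                 for d, a in directives)
    has_peer = any(d == "cache_peer" for d, _ in directives)
    return forced and not has_peer


def lint(conf):
    """Run the three checks and return human-readable findings."""
    directives = parse(conf)
    findings = []
    if never_direct_without_peer(directives):
        findings.append("never_direct allow all with no cache_peer: nothing to forward to")
    for d, a in directives:
        if d == "visible_hostname" and a[:1] == ["localhost"]:
            findings.append("visible_hostname localhost: risk of forwarding loops")
    for rule in unreachable_ssl_bump(directives):
        findings.append("unreachable: " + rule)
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```
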
Re: ERROR The requested URL could not be retrieved

Amos Jeffries
Administrator
On 31/10/18 1:45 AM, Uchenna Nebedum wrote:
> Thanks a lot it works now... I've added site bumping exceptions, and it
> still throws invalid certificate exceptions even though it uses the
> 'ssl_bump stare' configuration, is it possible to reduce the errors? 
>
> Uchenna Nebedum
>

Maybe, the above is a bit vague on details.

What exactly do you have configured now after those changes?

And what exact error(s) are you seeing now?


Amos

PS. please reply to the list instead of me personally.

PPS. If you want dedicated support I do provide it commercially, but you
started this on-list so I assume you are not wanting to receive an
invoice for responses.
Re: ERROR The requested URL could not be retrieved

Uchenna Nebedum
Thanks a lot Amos, I really didn't notice I had been sending private emails, really sorry about that.

About the config, the proxy works fine now, it bumps the traffic successfully.
I've added the sites I want to be bumped but the browser errors thrown are too much, and it's a scenario where I can't install the certificate on every device.

So I wanted to know if there was a way to reduce the privacy errors. Thanks a lot.

Uchenna Nebedum

Re: ERROR The requested URL could not be retrieved

Amos Jeffries
Administrator
On 1/11/18 4:08 AM, Uchenna Nebedum wrote:
> Thanks a lot Amos, I really didn't notice I had been sending private
> emails, Really sorry about that. 
>
> About the config, The proxy works fine now, it bumps the traffic
> successfully.
> I've added the sites i want to be bumped but the browser errors thrown
> are too much, and it's a scenario where I can't install the certificate
> on every device.

In that case you already have it going as well as it will ever do for
this setup. Having the certificate installed on the device is the only
way to prevent the warning messages. The whole point of TLS is to
generate those warnings when an unknown or untrusted CA is used.

Amos