SSL Accel Connection Reset


SSL Accel Connection Reset

Robert Gabriel
Hi,

I've tried to set up SSL accel, AKA reverse proxy. The HTTP accel part works, but no joy
for the SSL side. Maybe I've misunderstood or misconfigured something?

Thank you for the help.

[root@node03 tmp]# export https_proxy="https://192.168.122.130:443"

[root@node03 tmp]# curl -v --insecure https://data.ephemeric.local/test.tgz
* About to connect() to proxy 192.168.122.130 port 443 (#0)
*   Trying 192.168.122.130...
* Connected to 192.168.122.130 (192.168.122.130) port 443 (#0)
* Establish HTTP proxy tunnel to data.ephemeric.local:443
> CONNECT data.ephemeric.local:443 HTTP/1.1
> Host: data.ephemeric.local:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
* Recv failure: Connection reset by peer
* Received HTTP code 0 from proxy after CONNECT
* Connection #0 to host 192.168.122.130 left intact
curl: (56) Recv failure: Connection reset by peer

I have run "squid -NX" and nothing in stdout. I have enabled debug log too.
I have tailed access and cache logs, nothing.
This is so frustrating as the connection is reset and no logs to help.

I followed this example and generated the certs etc:
https://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate

debug_options rotate=1 ALL,9
prefer_direct on
forwarded_for on

acl localnet src 192.168.122.0/24
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

acl our_sites dstdomain download.fedoraproject.org centos mirror.centos.org artifacts.elastic.co data.ephemeric.local dl.google.com dl-ssl.google.com

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow our_sites
http_access deny all

cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel

cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

http_port 8000
http_port 3128 accel defaultsite=data.ephemeric.local
http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squid.crt key=/etc/squid/squid.key

https_port 443 accel defaultsite=data.ephemeric.local cert=/etc/squid/myCA.pem

maximum_object_size 4096 MB
cache_dir ufs /media/data/var/spool/squid 10000 16 256
coredump_dir /media/data/var/spool/squid
cache_replacement_policy heap LFUDA

[root@data squid]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)

[root@data squid]# uname -r
3.10.0-693.5.2.el7.x86_64

[root@data squid]# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: SSL Accel Connection Reset

Amos Jeffries
Administrator
On 21/11/17 02:24, Robert Gabriel wrote:

> Hi,
>
> I've tried to set up SSL accel, AKA reverse proxy. The HTTP accel part works, but no joy
> for the SSL side. Maybe I've misunderstood or misconfigured something?
>
> Thank you for the help.
>
> [root@node03 tmp]# export https_proxy="https://192.168.122.130:443"
>
> [root@node03 tmp]# curl -v --insecure https://data.ephemeric.local/test.tgz

As you can see from the below, curl is using a CONNECT tunnel, which is
only valid to a forward-proxy.

The https_port in Squid is expecting the TCP connection to immediately
start with TLS traffic, not a plain-text CONNECT message.


> * About to connect() to proxy 192.168.122.130 port 443 (#0)
> *   Trying 192.168.122.130...
> * Connected to 192.168.122.130 (192.168.122.130) port 443 (#0)
> * Establish HTTP proxy tunnel to data.ephemeric.local:443
>> CONNECT data.ephemeric.local:443 HTTP/1.1
>> Host: data.ephemeric.local:443
>> User-Agent: curl/7.29.0
>> Proxy-Connection: Keep-Alive
>>


Amos

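To make Amos's point concrete, here is an added example (not code from the thread or from the Squid project) that classifies the first bytes a listening socket receives: a reverse-proxy https_port only ever wants a TLS ClientHello, while curl driven by the https_proxy variable opens with a plain-text CONNECT, which such a port has no way to handle. The sample inputs are constructed from the request shown in the thread and a minimal TLS record header.

```python
"""Added example: why a plain-text CONNECT sent to a Squid https_port (accel mode)
gets dropped.  Not part of the original thread or of Squid; constructed samples only."""

TLS_HANDSHAKE = 0x16   # TLS record content type: Handshake
CLIENT_HELLO = 0x01    # Handshake message type: ClientHello
HTTP_METHODS = (b"CONNECT ", b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-client-hello', 'http-connect', 'http-plain' or 'unknown'
    based on the first bytes a client sends after the TCP handshake."""
    # TLS record: type 0x16, version 0x03xx, 2-byte length, then handshake type 0x01
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == CLIENT_HELLO):
        return "tls-client-hello"
    if data.startswith(b"CONNECT "):
        return "http-connect"
    if data.startswith(HTTP_METHODS):
        return "http-plain"
    return "unknown"


def accel_https_port_accepts(data: bytes) -> bool:
    """Model of a reverse-proxy https_port: the connection must begin with TLS.
    Anything else (such as the CONNECT from the thread) is dropped, which the
    client sees as 'Connection reset by peer' with no request ever logged."""
    return classify_first_bytes(data) == "tls-client-hello"


# Constructed sample: the start of what curl sent through https_proxy in the thread.
CONNECT_REQUEST = (b"CONNECT data.ephemeric.local:443 HTTP/1.1\r\n"
                   b"Host: data.ephemeric.local:443\r\n"
                   b"User-Agent: curl/7.29.0\r\n"
                   b"Proxy-Connection: Keep-Alive\r\n\r\n")

# Constructed sample: TLS 1.2 record header (type, version 0x0301, length 0x0040)
# followed by a ClientHello handshake header (type 0x01, length 0x00003c, version).
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x40, 0x01, 0x00, 0x00, 0x3c, 0x03, 0x03])

if __name__ == "__main__":
    for name, sample in (("curl via https_proxy", CONNECT_REQUEST),
                         ("direct TLS client", TLS_CLIENT_HELLO)):
        verdict = classify_first_bytes(sample)
        print(f"{name}: {verdict} -> accepted by https_port: {accel_https_port_accepts(sample)}")
```

To exercise an accelerator port, the client must speak TLS to it directly (for instance by pointing curl at the host with --resolve, or by setting DNS for the defaultsite name) instead of via the https_proxy variable, which turns curl into a forward-proxy client.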
Re: SSL Accel Connection Reset

Robert Gabriel
Hi Amos,

Oh man, I feel so stupid. Thank you for pointing that out.
I apologise for my ignorance to all on the list.

It's all working now, cheers!

On Tue 21 Nov, 05:31, Amos Jeffries wrote:

> On 21/11/17 02:24, Robert Gabriel wrote:
> >Hi,
> >
> >I've tried to set up SSL accel, AKA reverse proxy. The HTTP accel part works, but no joy
> >for the SSL side. Maybe I've misunderstood or misconfigured something?
> >
> >Thank you for the help.
> >
> >[root@node03 tmp]# export https_proxy="https://192.168.122.130:443"
> >
> >[root@node03 tmp]# curl -v --insecure https://data.ephemeric.local/test.tgz
>
> As you can see from the below, curl is using a CONNECT tunnel, which is only
> valid to a forward-proxy.
>
> The https_port in Squid is expecting the TCP connection to immediately start
> with TLS traffic, not a plain-text CONNECT message.
>
>
> >* About to connect() to proxy 192.168.122.130 port 443 (#0)
> >*   Trying 192.168.122.130...
> >* Connected to 192.168.122.130 (192.168.122.130) port 443 (#0)
> >* Establish HTTP proxy tunnel to data.ephemeric.local:443
> >>CONNECT data.ephemeric.local:443 HTTP/1.1
> >>Host: data.ephemeric.local:443
> >>User-Agent: curl/7.29.0
> >>Proxy-Connection: Keep-Alive
> >>
>
>
> Amos
>