SSL TAG_NONE/503 errors


SSL TAG_NONE/503 errors

Hugo Saavedra
Hi All,

We have the following setup of a transparent squid box:
OS: CentOS release 6.9 (Final)
Squid Cache: Version 3.5.26-20170625-r14174
Compile options:
   '--with-included-ltdl' '--enable-icap-client'
'--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
'--enable-icmp' '--enable-snmp' '--prefix=/usr'
'--includedir=/usr/include' '--datadir=/usr/share'
'--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
'--localstatedir=/var' '--sysconfdir=/etc/squid'
--enable-ltdl-convenience

Endpoints are redirected to the Squid box using a policy route for
TCP 80/443 on a Fortigate firewall. All http/80 traffic works well. We
are using SSL bump for HTTPS, but there is a strange behaviour: some
websites open fine, while others break and produce TAG_NONE/503
errors in the access log:

1512561423.930      1 192.168.1.108 TAG_NONE/503 31435 POST
https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/-
text/html
1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET
https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65?
- HIER_NONE/- text/html
1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET
https://service.weather.microsoft.com/appex/DesktopTile/Badge? -
HIER_NONE/- text/html
1512566858.355    186 192.168.1.104 TAG_NONE/503 31436 GET
https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp
- HIER_NONE/- text/html

In the same time range, other websites load well:

1512561134.548    306 192.168.1.112 TCP_MISS/302 572 GET
https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12
image/gif
1512561139.701    216 192.168.1.148 TCP_MISS/200 386 POST
https://cloud-ecs.gravityzone.bitdefender.com/hydra-
ORIGINAL_DST/107.20.215.8 application/json
1512561142.180     13 192.168.1.112 TCP_MISS/200 419 GET
https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
1512561142.410    243 192.168.1.112 TCP_MISS/200 286 GET
https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21
text/javascript


IPTABLES CONFIGURATION
=======================
# PREROUTING INTERCEPT PBR
# Transparent-interception ruleset for the Squid host. The Fortigate policy
# route delivers client TCP 80/443 traffic to eth0; the nat PREROUTING rules
# rewrite the destination port so the packets land on Squid's intercept
# listeners (3128 for HTTP, 3129 for HTTPS). Note: the mail client has
# wrapped several rules onto two lines (e.g. "-A INPUT ... -p tcp" followed
# by "--dport 80 -j ACCEPT"); in the real file each rule is a single line.

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port 8080 is treated as plain HTTP and sent to the same intercept listener.
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# HTTPS goes to the "https_port 3129 intercept ssl-bump" listener in squid.conf.
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

#WEB
# After REDIRECT the intercepted packets reach INPUT with dport 3128/3129,
# so these two rules only matter for services listening on 80/443 on the
# proxy host itself; if nothing listens there they are unnecessary.
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 80 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 443 -j ACCEPT

# Squid listeners: 3128/3129 intercept, 3130 plain forward proxy, 3131
# forward proxy with ssl-bump. None of these rules carry "-i eth0" or a
# "-s" source range, so the ports are reachable from any interface and any
# source that can route to this host; the only remaining gate is Squid's own
# "http_access allow localnet". Consider restricting them to eth0 and the
# client LAN, and the intercept ports (3128/3129) to REDIRECTed traffic only.
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 3128 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 3129 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 3130 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 3131 -j ACCEPT

#default
# Generic stateful accept, ICMP, loopback, then reject everything else.
# FORWARD is rejected outright: this host proxies, it does not route.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


SQUID CONFIGURATION
====================

#WHITE LIST
# squid.conf for the intercepting proxy. http_access lines are evaluated in
# order and the first match decides the request, so the order of the
# sections below is significant. Several long lines (the fe80::/10 acl
# comment, the refresh_pattern entries, the icap_service lines) have been
# wrapped by the mail client and are single lines in the real file.
#
# URL-regex whitelists. These "allow" lines sit before every other check, so
# a URL matching either file is admitted from ANY source address, skips the
# malicious/black lists below and also skips the Safe_ports / CONNECT /
# manager restrictions further down. url_regex is matched against the whole
# URL, so an unanchored pattern in these files can be satisfied by an
# attacker-chosen path or query string. NOTE(review): the regex files are not
# shown here - confirm they are anchored, and consider qualifying these
# allow lines with "localnet".
acl exclWL url_regex "/etc/squid/white_url.squid"
acl neoWL url_regex "/etc/squid/neowl.squid"
http_access allow exclWL
http_access allow neoWL
# Whitelisted URLs are never cached and are always fetched directly.
cache deny exclWL
cache deny neoWL
always_direct allow exclWL
always_direct allow neoWL

#Malicious URLs
# Known-bad URL patterns; denied for everyone except requests already
# admitted by a whitelist line above.
acl dom url_regex "/etc/squid/dom.squid"
acl cc url_regex "/etc/squid/cc.squid"
http_access deny dom
http_access deny cc

#BLACK LIST
acl exclBL url_regex "/etc/squid/black_url.squid"
acl neoBL url_regex "/etc/squid/neobl.squid"
http_access deny exclBL
http_access deny neoBL

#ACLS BASE
# Standard client-network and port definitions from the stock squid.conf.
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly
plugged) machines
# 3129 counts as an SSL port because intercepted HTTPS arrives there.
acl SSL_ports port 443
acl SSL_ports port 3129
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl HTTPS proto HTTPS

# Pulls in the GlobalWhitelist* ACLs and their "http_access allow" lines
# (acls_whitelist.conf); those allows also run before the Safe_ports and
# manager checks below.
include /etc/squid/acls_whitelist.conf
# "browser" ACLs match on the client-supplied User-Agent header. Everything
# keyed on this ACL (range_offset_limit, the delay pool and, below, which
# requests are sent to the ICAP scanner) can therefore be steered by the
# client simply by changing its User-Agent.
acl useragent browser "/etc/squid/useragent.squid"
range_offset_limit 0 !useragent
# These two are overridden by the identical directives in "#cache conf"
# below; the later value (20 MB) wins.
minimum_object_size 0 bytes
maximum_object_size 3 GB
quick_abort_min -1
# One class-1 (aggregate) pool, 128000 B/s, applied only to non-SSL traffic
# from clients whose User-Agent is NOT in the list.
delay_pools 1
delay_class 1 1
delay_parameters 1 128000/128000
delay_access 1 deny SSL_ports
delay_access 1 allow !useragent
delay_access 1 deny all

#cache conf
max_filedescriptors 24576
# No memory cache; everything cacheable goes to the ufs cache_dir below.
memory_cache_mode disk
cache_mem 0 MB
cache allow all
minimum_object_size 0 bytes
maximum_object_size 20 MB
# Disables verification of origin-server certificates for bumped
# connections (set again in ssl.conf). Bumped clients only ever see the
# certificate Squid generates, so a forged, expired or mis-issued origin
# certificate is invisible to them: the proxy is the single point of TLS
# trust for the whole network, and here it checks nothing. Prefer verifying
# and using sslproxy_cert_error for narrow, justified exceptions.
sslproxy_flags DONT_VERIFY_PEER
connect_timeout 8 seconds

# Stock safety rules. They are reached only for requests not already
# allowed by a whitelist line above.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Only RFC1918/link-local clients may use the proxy; this is the sole
# access control on the forward-proxy ports 3130/3131, which the firewall
# ruleset leaves open to any source.
http_access allow localnet
http_access allow localhost
http_access deny all
# Strips the Alternate-Protocol hint from replies, presumably so clients do
# not switch to SPDY/QUIC and slip past the bump.
reply_header_access Alternate-Protocol deny all

# 3130: explicit (forward) proxy, no bump. 3131: explicit proxy with
# ssl-bump. 3128/3129: intercept listeners fed by the iptables REDIRECT
# rules. All bumping ports sign with the same CA (SIC.pem).
http_port 3130
http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem

cache_dir ufs /var/cache/squid 9000 16 256
cache_store_log /var/log/squid/store.log
cache_effective_user squid
visible_hostname Proxy

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 2     20%     10
# Catch-all pattern: the ignore-no-store / ignore-private / ignore-auth /
# store-stale overrides make Squid cache responses the origin explicitly
# marked as not shareable, including replies to authenticated requests. On
# a shared intercepting proxy that can serve one user's private content to
# another; keep these overrides off the catch-all rule.
refresh_pattern .               2       20%     10      ignore-reload
override-expire ignore-no-cache ignore-no-store store-stale
ignore-private ignore-must-revalidate ignore-auth
# Aggressive caching of installer/archive downloads, limited to the
# listed file extensions.
refresh_pattern -i
\.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1
20% 4 override-expire ignore-no-cache ignore-no-store ignore-private
reload-into-ims


#SSL BUMP
include /etc/squid/ssl.conf

#LOGGING
access_log /var/log/squid/access.log
# Hits on the malicious-URL lists are also written to a second log.
access_log /var/log/squid/access_c2.log cc
access_log /var/log/squid/access_c2.log dom
# NOTE(review): the "excludeSSL" acl is not defined in any file shown
# here; confirm it exists, otherwise this line will not load.
access_log /var/log/squid/splc.log excludeSSL
# Discards Squid's own diagnostics. The TLS/bump errors behind the
# TAG_NONE/503 entries, and any certificate, ssl_crtd or ICAP failures, are
# written here and nowhere else; with default debug_options it is cheap,
# so re-enable it before debugging further.
cache_log /dev/null
coredump_dir /var/cache/squid

#ICAP
icap_enable on
# Client IP and username are forwarded to the scanner.
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
# bypass=1 makes the service fail-open: if squidclamav is down or errors,
# the request/response passes through unscanned. Use bypass=0 if a scanner
# outage should block traffic instead. (icap_service and its URL are one
# line in the real file.)
icap_service service_req reqmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
# Only requests whose User-Agent matches the "useragent" list are sent to
# the scanner, and the User-Agent is chosen by the client, so any client can
# opt out of scanning by sending a different User-Agent. If scanning is a
# control rather than a convenience, use "allow all" here.
adaptation_access service_req allow useragent
icap_service service_resp respmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow useragent

#X FORWARDED FOR
# Appends the client's (RFC1918) address to X-Forwarded-For on every
# upstream request, disclosing internal addressing to every origin site;
# "off" or "delete" is safer unless an upstream genuinely needs it.
forwarded_for on

SSL.conf
=======

# ssl.conf - SslBump policy for the bumping listeners (3129 intercept, 3131
# explicit). The sslproxy_cipher value is a single line in the real file.
#
# Intermediates sent towards origins and the CA file used to verify origins
# share one file. NOTE(review): sslproxy_cafile normally holds trust
# anchors, not intermediates - confirm this is intended; with
# DONT_VERIFY_PEER below it currently has no effect on verification anyway.
sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
sslproxy_cafile /etc/squid/intermediate_ca.pem
# Dynamic certificate generator and its on-disk cache.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
sslcrtd_children 16 startup=5 idle=1

# Despite the name, FakeCert is used to SPLICE (not bump) these domains,
# i.e. they are passed through untouched - presumably because their clients
# pin certificates. A name such as "PinnedDomains" would say what it does.
acl FakeCert ssl::server_name .apple.com
acl FakeCert ssl::server_name .icloud.com
acl FakeCert ssl::server_name .mzstatic.com
acl FakeCert ssl::server_name .dropbox.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
# ssl_step3 is defined but never referenced below.
acl ssl_step3 at_step SslBump3

# Step 1: peek (read the ClientHello/SNI, decide nothing). Step 2: splice
# the whitelists and pinned domains, otherwise bump everything; the trailing
# "splice all" is reached only when no earlier rule matched. NOTE(review):
# bumping at SslBump2 after a peek at SslBump1 means the client-facing
# certificate is generated from the client's SNI before the origin has been
# contacted, so origin-side problems surface only afterwards as errors such
# as the TAG_NONE/503 entries in access.log; the reason goes to cache.log.
ssl_bump peek ssl_step1
ssl_bump splice GlobalWhitelistDSTNet
ssl_bump splice GlobalWhitelistDomainsRx
ssl_bump splice GlobalWhitelistDomains
ssl_bump splice FakeCert
ssl_bump bump ssl_step2 all
ssl_bump splice all
# Origin-side TLS parameters. NOTE(review): Squid's option name is
# NO_COMPRESSION; "No_Compression" looks mis-cased - check cache.log for a
# parse warning once logging is re-enabled.
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher
ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
# Origin certificate verification is switched off here (and again in
# squid.conf), and the next line accepts every certificate error anyway, so
# the "deny all" that follows it is unreachable. Net effect: the proxy
# accepts any origin certificate and re-signs the name with the SIC CA, so
# bumped clients cannot detect a spoofed or invalid origin. Remove
# DONT_VERIFY_PEER and narrow "sslproxy_cert_error allow" to specific,
# justified acls.
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
sslproxy_cert_error deny all

acls_whitelist.conf
=============

# acls_whitelist.conf - included from squid.conf before the Safe_ports /
# manager / localnet checks, so every "http_access allow" below admits the
# request from any source address and skips those checks.
#
# WindowsUpdates is defined but not referenced in any file shown here
# (neither http_access nor ssl_bump); Windows Update hosts are only allowed
# or spliced if they also appear in the dstdomain file further down.
acl WindowsUpdates dstdomain officecdn.microsoft.com
acl WindowsUpdates dstdomain windowsupdate.microsoft.com
acl WindowsUpdates dstdomain ntservicepack.microsoft.com
acl WindowsUpdates dstdomain download.microsoft.com
acl WindowsUpdates dstdomain .windowsupdate.com
acl WindowsUpdates dstdomain .windowsupdate.net
acl WindowsUpdates dstdomain .update.microsoft.com
acl WindowsUpdates dstdomain .mp.microsoft.com
acl WindowsUpdates dstdomain .ws.microsoft.com
# Destination whitelists, used both for http_access and for ssl_bump splice
# in ssl.conf. The domain-based ones are matched on client-supplied data
# (SNI / Host header) for intercepted traffic, whereas "dst" matches the
# real destination address. (dstdom_regex and its file are one line in the
# real file.)
acl GlobalWhitelistDomains dstdomain "/etc/squid/acls_whitelist.dstdomain.conf"
acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
acl GlobalWhitelistDomainsRx dstdom_regex -i
"/etc/squid/acls_whitelist.dstdom_regex.conf"
# "browser" matches the User-Agent header, which the client sets freely:
# any request carrying a listed User-Agent string is allowed unconditionally
# and never reaches the localnet check. User-Agent is not an authorization
# criterion; drop this allow or qualify it with a source acl.
acl GlobalWhitelistBrowsers browser -i "/etc/squid/acls_whitelist.browser.conf"
http_access allow GlobalWhitelistDomains
# url_rewrite_access only matters if a url_rewrite_program is configured;
# none is visible in the files shown here.
url_rewrite_access deny GlobalWhitelistDomains
http_access allow GlobalWhitelistDSTNet
url_rewrite_access deny GlobalWhitelistDSTNet
http_access allow GlobalWhitelistDomainsRx
url_rewrite_access deny GlobalWhitelistDomainsRx
http_access allow GlobalWhitelistBrowsers


Has anyone seen the same TAG_NONE/503 error? Please help!

Regards,
Hugo
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL TAG_NONE/503 errors

Enrico Heine
Hi,

Can you confirm that Squid is able to resolve these hostnames? If not, try browsing to them without HTTPS and check whether Squid gives you an error message.

Did you check the cache.log as well?

Br Enrico

Am 6. Dezember 2017 17:38:24 MEZ schrieb Hugo Saavedra <[hidden email]>:
Hi All,

We have the following setup of a transparent squid box:
OS: CentOS release 6.9 (Final)
Squid Cache: Version 3.5.26-20170625-r14174
Compile options:
'--with-included-ltdl' '--enable-icap-client'
'--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
'--enable-icmp' '--enable-snmp' '--prefix=/usr'
'--includedir=/usr/include' '--datadir=/usr/share'
'--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
'--localstatedir=/var' '--sysconfdir=/etc/squid'
--enable-ltdl-convenience

Endpoints are redirected to the Squid box using a policy route for
TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We
are using ssl bump for ssl, but there is an strange behavior, some
websites opens well, but some ones breaks and getting TAG_NONE/503
errors in the access log:

1512561423.930 1 192.168.1.108 TAG_NONE/503 31435 POST
https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/-
text/html
1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET
https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65?
- HIER_NONE/- text/html
1512562220.870 1 192.168.1.158 TAG_NONE/503 12386 GET
https://service.weather.microsoft.com/appex/DesktopTile/Badge? -
HIER_NONE/- text/html
1512566858.355 186 192.168.1.104 TAG_NONE/503 31436 GET
https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp
- HIER_NONE/- text/html

In the same time-range, other websites loads well

1512561134.548 306 192.168.1.112 TCP_MISS/302 572 GET
https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12
image/gif
1512561139.701 216 192.168.1.148 TCP_MISS/200 386 POST
https://cloud-ecs.gravityzone.bitdefender.com/hydra-
ORIGINAL_DST/107.20.215.8 application/json
1512561142.180 13 192.168.1.112 TCP_MISS/200 419 GET
https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
1512561142.410 243 192.168.1.112 TCP_MISS/200 286 GET
https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21
text/javascript


IPTABLES CONFIGURATION
=======================
# PREROUTING INTERCEPT PBR

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

#WEB
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 80 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 443 -j ACCEPT

-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 3128 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 3129 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 3130 -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
--dport 3131 -j ACCEPT

#default
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


SQUID CONFIGURATION
====================

#WHITE LIST
acl exclWL url_regex "/etc/squid/white_url.squid"
acl neoWL url_regex "/etc/squid/neowl.squid"
http_access allow exclWL
http_access allow neoWL
cache deny exclWL
cache deny neoWL
always_direct allow exclWL
always_direct allow neoWL

#Malicious URLs
acl dom url_regex "/etc/squid/dom.squid"
acl cc url_regex "/etc/squid/cc.squid"
http_access deny dom
http_access deny cc

#BLACK LIST
acl exclBL url_regex "/etc/squid/black_url.squid"
acl neoBL url_regex "/etc/squid/neobl.squid"
http_access deny exclBL
http_access deny neoBL

#ACLS BASE
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines
acl SSL_ports port 443
acl SSL_ports port 3129
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl HTTPS proto HTTPS

include /etc/squid/acls_whitelist.conf
acl useragent browser "/etc/squid/useragent.squid"
range_offset_limit 0 !useragent
minimum_object_size 0 bytes
maximum_object_size 3 GB
quick_abort_min -1
delay_pools 1
delay_class 1 1
delay_parameters 1 128000/128000
delay_access 1 deny SSL_ports
delay_access 1 allow !useragent
delay_access 1 deny all

#cache conf
max_filedescriptors 24576
memory_cache_mode disk
cache_mem 0 MB
cache allow all
minimum_object_size 0 bytes
maximum_object_size 20 MB
sslproxy_flags DONT_VERIFY_PEER
connect_timeout 8 seconds

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
reply_header_access Alternate-Protocol deny all

http_port 3130
http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem

cache_dir ufs /var/cache/squid 9000 16 256
cache_store_log /var/log/squid/store.log
cache_effective_user squid
visible_hostname Proxy

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 2 20% 10
refresh_pattern . 2 20% 10 ignore-reload
override-expire ignore-no-cache ignore-no-store store-stale
ignore-private ignore-must-revalidate ignore-auth
refresh_pattern -i
\.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1
20% 4 override-expire ignore-no-cache ignore-no-store ignore-private
reload-into-ims


#SSL BUMP
include /etc/squid/ssl.conf

#LOGGING
access_log /var/log/squid/access.log
access_log /var/log/squid/access_c2.log cc
access_log /var/log/squid/access_c2.log dom
access_log /var/log/squid/splc.log excludeSSL
cache_log /dev/null
coredump_dir /var/cache/squid

#ICAP
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req reqmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow useragent
icap_service service_resp respmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow useragent

#X FORWARDED FOR
forwarded_for on

SSL.conf
=======

sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
sslproxy_cafile /etc/squid/intermediate_ca.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
sslcrtd_children 16 startup=5 idle=1

acl FakeCert ssl::server_name .apple.com
acl FakeCert ssl::server_name .icloud.com
acl FakeCert ssl::server_name .mzstatic.com
acl FakeCert ssl::server_name .dropbox.com
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3

ssl_bump peek ssl_step1
ssl_bump splice GlobalWhitelistDSTNet
ssl_bump splice GlobalWhitelistDomainsRx
ssl_bump splice GlobalWhitelistDomains
ssl_bump splice FakeCert
ssl_bump bump ssl_step2 all
ssl_bump splice all
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher
ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
sslproxy_cert_error deny all

acls_whitelist.conf
=============

acl WindowsUpdates dstdomain officecdn.microsoft.com
acl WindowsUpdates dstdomain windowsupdate.microsoft.com
acl WindowsUpdates dstdomain ntservicepack.microsoft.com
acl WindowsUpdates dstdomain download.microsoft.com
acl WindowsUpdates dstdomain .windowsupdate.com
acl WindowsUpdates dstdomain .windowsupdate.net
acl WindowsUpdates dstdomain .update.microsoft.com
acl WindowsUpdates dstdomain .mp.microsoft.com
acl WindowsUpdates dstdomain .ws.microsoft.com
acl GlobalWhitelistDomains dstdomain "/etc/squid/acls_whitelist.dstdomain.conf"
acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
acl GlobalWhitelistDomainsRx dstdom_regex -i
"/etc/squid/acls_whitelist.dstdom_regex.conf"
acl GlobalWhitelistBrowsers browser -i "/etc/squid/acls_whitelist.browser.conf"
http_access allow GlobalWhitelistDomains
url_rewrite_access deny GlobalWhitelistDomains
http_access allow GlobalWhitelistDSTNet
url_rewrite_access deny GlobalWhitelistDSTNet
http_access allow GlobalWhitelistDomainsRx
url_rewrite_access deny GlobalWhitelistDomainsRx
http_access allow GlobalWhitelistBrowsers


Any one with the same TAG_NONE/503 error, please help!?

Regards,
Hugo


squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

--
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL TAG_NONE/503 errors

Hugo Saavedra
Hi,
Yes, Squid is able to resolve those domains. Currently we have
cache.log disabled for performance. Any clues?

Regards,
Hugo

2017-12-06 14:51 GMT-03:00 Enrico Heine <[hidden email]>:

> Hi,
>
> Can you confirm that squid is able to resolve these hostnames? If not try
> browsing to them without https and check if squid gives you an error
> message.
>
> Did you check the cache.log as well?
>
> Br Enrico
>
> Am 6. Dezember 2017 17:38:24 MEZ schrieb Hugo Saavedra
> <[hidden email]>:
>>
>> Hi All,
>>
>> We have the following setup of a transparent squid box:
>> OS: CentOS release 6.9 (Final)
>> Squid Cache: Version 3.5.26-20170625-r14174
>> Compile options:
>>    '--with-included-ltdl' '--enable-icap-client'
>> '--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
>> '--enable-icmp' '--enable-snmp' '--prefix=/usr'
>> '--includedir=/usr/include' '--datadir=/usr/share'
>> '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
>> '--localstatedir=/var' '--sysconfdir=/etc/squid'
>> --enable-ltdl-convenience
>>
>> Endpoints are redirected to the Squid box using a policy route for
>> TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We
>> are using ssl bump for ssl, but there is an strange behavior, some
>> websites opens well, but some ones breaks and getting TAG_NONE/503
>> errors in the access log:
>>
>> 1512561423.930      1 192.168.1.108 TAG_NONE/503 31435 POST
>> https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/-
>> text/html
>> 1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET
>>
>> https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65?
>> - HIER_NONE/- text/html
>> 1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET
>> https://service.weather.microsoft.com/appex/DesktopTile/Badge? -
>> HIER_NONE/- text/html
>> 1512566858.355    186 192.168.1.104 TAG_NONE/503 31436 GET
>>
>> https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp
>> - HIER_NONE/- text/html
>>
>> In the same time-range, other websites loads well
>>
>> 1512561134.548    306 192.168.1.112 TCP_MISS/302 572 GET
>> https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12
>> image/gif
>> 1512561139.701    216 192.168.1.148 TCP_MISS/200 386 POST
>> https://cloud-ecs.gravityzone.bitdefender.com/hydra-
>> ORIGINAL_DST/107.20.215.8 application/json
>> 1512561142.180     13 192.168.1.112 TCP_MISS/200 419 GET
>> https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
>> 1512561142.410    243 192.168.1.112 TCP_MISS/200 286 GET
>> https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21
>> text/javascript
>>
>>
>> IPTABLES CONFIGURATION
>> =======================
>> # PREROUTING INTERCEPT PBR
>>
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports
>> 3128
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports
>> 3129
>> COMMIT
>>
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>>
>> #WEB
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>> --dport 80 -j ACCEPT
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>> --dport 443 -j ACCEPT
>>
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>> --dport 3128 -j ACCEPT
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>> --dport 3129 -j ACCEPT
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>> --dport 3130 -j ACCEPT
>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>> --dport 3131 -j ACCEPT
>>
>> #default
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>>
>> SQUID CONFIGURATION
>> ====================
>>
>> #WHITE LIST
>> acl exclWL url_regex "/etc/squid/white_url.squid"
>> acl neoWL url_regex "/etc/squid/neowl.squid"
>> http_access allow exclWL
>> http_access allow neoWL
>> cache deny exclWL
>> cache deny neoWL
>> always_direct allow exclWL
>> always_direct allow neoWL
>>
>> #Malicious URLs
>> acl dom url_regex "/etc/squid/dom.squid"
>> acl cc url_regex "/etc/squid/cc.squid"
>> http_access deny dom
>> http_access deny cc
>>
>> #BLACK LIST
>> acl exclBL url_regex "/etc/squid/black_url.squid"
>> acl neoBL url_regex "/etc/squid/neobl.squid"
>> http_access deny exclBL
>> http_access deny neoBL
>>
>> #ACLS BASE
>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl localnet src fc00::/7       # RFC 4193 local private network range
>> acl localnet src fe80::/10      # RFC 4291 link-local (directly
>> plugged) machines
>> acl SSL_ports port 443
>> acl SSL_ports port 3129
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl CONNECT method CONNECT
>> acl HTTPS proto HTTPS
>>
>> include /etc/squid/acls_whitelist.conf
>> acl useragent browser "/etc/squid/useragent.squid"
>> range_offset_limit 0 !useragent
>> minimum_object_size 0 bytes
>> maximum_object_size 3 GB
>> quick_abort_min -1
>> delay_pools 1
>> delay_class 1 1
>> delay_parameters 1 128000/128000
>> delay_access 1 deny SSL_ports
>> delay_access 1 allow !useragent
>> delay_access 1 deny all
>>
>> #cache conf
>> max_filedescriptors 24576
>> memory_cache_mode disk
>> cache_mem 0 MB
>> cache allow all
>> minimum_object_size 0 bytes
>> maximum_object_size 20 MB
>> sslproxy_flags DONT_VERIFY_PEER
>> connect_timeout 8 seconds
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> reply_header_access Alternate-Protocol deny all
>>
>> http_port 3130
>> http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> http_port 3128 intercept
>> https_port 3129 intercept ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem
>>
>> cache_dir ufs /var/cache/squid 9000 16 256
>> cache_store_log /var/log/squid/store.log
>> cache_effective_user squid
>> visible_hostname Proxy
>>
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 2     20%     10
>> refresh_pattern .               2       20%     10      ignore-reload
>> override-expire ignore-no-cache ignore-no-store store-stale
>> ignore-private ignore-must-revalidate ignore-auth
>> refresh_pattern -i
>> \.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1
>> 20% 4 override-expire ignore-no-cache ignore-no-store ignore-private
>> reload-into-ims
>>
>>
>> #SSL BUMP
>> include /etc/squid/ssl.conf
>>
>> #LOGGING
>> access_log /var/log/squid/access.log
>> access_log /var/log/squid/access_c2.log cc
>> access_log /var/log/squid/access_c2.log dom
>> access_log /var/log/squid/splc.log excludeSSL
>> cache_log /dev/null
>> coredump_dir /var/cache/squid
>>
>> #ICAP
>> icap_enable on
>> icap_send_client_ip on
>> icap_send_client_username on
>> icap_client_username_header X-Authenticated-User
>> icap_service service_req reqmod_precache bypass=1
>> icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_req allow useragent
>> icap_service service_resp respmod_precache bypass=1
>> icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_resp allow useragent
>>
>> #X FORWARDED FOR
>> forwarded_for on
>>
>> SSL.conf
>> =======
>>
>> sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
>> sslproxy_cafile /etc/squid/intermediate_ca.pem
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
>> sslcrtd_children 16 startup=5 idle=1
>>
>> acl FakeCert ssl::server_name .apple.com
>> acl FakeCert ssl::server_name .icloud.com
>> acl FakeCert ssl::server_name .mzstatic.com
>> acl FakeCert ssl::server_name .dropbox.com
>> acl ssl_step1 at_step SslBump1
>> acl ssl_step2 at_step SslBump2
>> acl ssl_step3 at_step SslBump3
>>
>> ssl_bump peek ssl_step1
>> ssl_bump splice GlobalWhitelistDSTNet
>> ssl_bump splice GlobalWhitelistDomainsRx
>> ssl_bump splice GlobalWhitelistDomains
>> ssl_bump splice FakeCert
>> ssl_bump bump ssl_step2 all
>> ssl_bump splice all
>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>> sslproxy_cipher
>>
>> ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>> sslproxy_flags DONT_VERIFY_PEER
>> sslproxy_cert_error allow all
>> sslproxy_cert_error deny all
>>
>> acls_whitelist.conf
>> =============
>>
>> acl WindowsUpdates dstdomain officecdn.microsoft.com
>> acl WindowsUpdates dstdomain windowsupdate.microsoft.com
>> acl WindowsUpdates dstdomain ntservicepack.microsoft.com
>> acl WindowsUpdates dstdomain download.microsoft.com
>> acl WindowsUpdates dstdomain .windowsupdate.com
>> acl WindowsUpdates dstdomain .windowsupdate.net
>> acl WindowsUpdates dstdomain .update.microsoft.com
>> acl WindowsUpdates dstdomain .mp.microsoft.com
>> acl WindowsUpdates dstdomain .ws.microsoft.com
>> acl GlobalWhitelistDomains dstdomain
>> "/etc/squid/acls_whitelist.dstdomain.conf"
>> acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
>> acl GlobalWhitelistDomainsRx dstdom_regex -i
>> "/etc/squid/acls_whitelist.dstdom_regex.conf"
>> acl GlobalWhitelistBrowsers browser -i
>> "/etc/squid/acls_whitelist.browser.conf"
>> http_access allow GlobalWhitelistDomains
>> url_rewrite_access deny GlobalWhitelistDomains
>> http_access allow GlobalWhitelistDSTNet
>> url_rewrite_access deny GlobalWhitelistDSTNet
>> http_access allow GlobalWhitelistDomainsRx
>> url_rewrite_access deny GlobalWhitelistDomainsRx
>> http_access allow GlobalWhitelistBrowsers
>>
>>
>> Any one with the same TAG_NONE/503 error, please help!?
>>
>> Regards,
>> Hugo
>> ________________________________
>>
>> squid-users mailing list
>> [hidden email]
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
> --
> Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.



--
Saludos,
Hugo Saavedra
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL TAG_NONE/503 errors

Alex Rousskov
On 12/06/2017 11:45 AM, Hugo Saavedra wrote:

> Currently we have cache.log disabled for performance.

With default debug_options, cache.log should not affect performance. If
it does in your setup, then there is probably a problem that you should
solve (without disabling cache.log).


> any clues?

You are probably not supplying enough information for others to guess
what the problem is. Enabling cache.log may be the best next step. You
can also try logging %err_code/%err_detail to access.log but not all
errors populate those two logformat %codes so YMMV.

Alex.


> 2017-12-06 14:51 GMT-03:00 Enrico Heine <[hidden email]>:
>> Hi,
>>
>> Can you confirm that squid is able to resolve these hostnames? If not try
>> browsing to them without https and check if squid gives you an error
>> message.
>>
>> Did you check the cache.log as well?
>>
>> Br Enrico
>>
>> Am 6. Dezember 2017 17:38:24 MEZ schrieb Hugo Saavedra
>> <[hidden email]>:
>>>
>>> Hi All,
>>>
>>> We have the following setup of a transparent squid box:
>>> OS: CentOS release 6.9 (Final)
>>> Squid Cache: Version 3.5.26-20170625-r14174
>>> Compile options:
>>>    '--with-included-ltdl' '--enable-icap-client'
>>> '--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
>>> '--enable-icmp' '--enable-snmp' '--prefix=/usr'
>>> '--includedir=/usr/include' '--datadir=/usr/share'
>>> '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
>>> '--localstatedir=/var' '--sysconfdir=/etc/squid'
>>> --enable-ltdl-convenience
>>>
>>> Endpoints are redirected to the Squid box using a policy route for
>>> TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We
>>> are using ssl bump for ssl, but there is an strange behavior, some
>>> websites opens well, but some ones breaks and getting TAG_NONE/503
>>> errors in the access log:
>>>
>>> 1512561423.930      1 192.168.1.108 TAG_NONE/503 31435 POST
>>> https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/-
>>> text/html
>>> 1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET
>>>
>>> https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65?
>>> - HIER_NONE/- text/html
>>> 1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET
>>> https://service.weather.microsoft.com/appex/DesktopTile/Badge? -
>>> HIER_NONE/- text/html
>>> 1512566858.355    186 192.168.1.104 TAG_NONE/503 31436 GET
>>>
>>> https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp
>>> - HIER_NONE/- text/html
>>>
>>> In the same time-range, other websites loads well
>>>
>>> 1512561134.548    306 192.168.1.112 TCP_MISS/302 572 GET
>>> https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12
>>> image/gif
>>> 1512561139.701    216 192.168.1.148 TCP_MISS/200 386 POST
>>> https://cloud-ecs.gravityzone.bitdefender.com/hydra-
>>> ORIGINAL_DST/107.20.215.8 application/json
>>> 1512561142.180     13 192.168.1.112 TCP_MISS/200 419 GET
>>> https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
>>> 1512561142.410    243 192.168.1.112 TCP_MISS/200 286 GET
>>> https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21
>>> text/javascript
>>>
>>>
>>> IPTABLES CONFIGURATION
>>> =======================
>>> # PREROUTING INTERCEPT PBR
>>>
>>> *nat
>>> :PREROUTING ACCEPT [0:0]
>>> :POSTROUTING ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports
>>> 3128
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports
>>> 3129
>>> COMMIT
>>>
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>>
>>> #WEB
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>> --dport 80 -j ACCEPT
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>> --dport 443 -j ACCEPT
>>>
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>> --dport 3128 -j ACCEPT
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>> --dport 3129 -j ACCEPT
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>> --dport 3130 -j ACCEPT
>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>> --dport 3131 -j ACCEPT
>>>
>>> #default
>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> -A INPUT -p icmp -j ACCEPT
>>> -A INPUT -i lo -j ACCEPT
>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>> COMMIT
>>>
>>>
>>> SQUID CONFIGURATION
>>> ====================
>>>
>>> #WHITE LIST
>>> acl exclWL url_regex "/etc/squid/white_url.squid"
>>> acl neoWL url_regex "/etc/squid/neowl.squid"
>>> http_access allow exclWL
>>> http_access allow neoWL
>>> cache deny exclWL
>>> cache deny neoWL
>>> always_direct allow exclWL
>>> always_direct allow neoWL
>>>
>>> #Malicious URLs
>>> acl dom url_regex "/etc/squid/dom.squid"
>>> acl cc url_regex "/etc/squid/cc.squid"
>>> http_access deny dom
>>> http_access deny cc
>>>
>>> #BLACK LIST
>>> acl exclBL url_regex "/etc/squid/black_url.squid"
>>> acl neoBL url_regex "/etc/squid/neobl.squid"
>>> http_access deny exclBL
>>> http_access deny neoBL
>>>
>>> #ACLS BASE
>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl localnet src fc00::/7       # RFC 4193 local private network range
>>> acl localnet src fe80::/10      # RFC 4291 link-local (directly
>>> plugged) machines
>>> acl SSL_ports port 443
>>> acl SSL_ports port 3129
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl CONNECT method CONNECT
>>> acl HTTPS proto HTTPS
>>>
>>> include /etc/squid/acls_whitelist.conf
>>> acl useragent browser "/etc/squid/useragent.squid"
>>> range_offset_limit 0 !useragent
>>> minimum_object_size 0 bytes
>>> maximum_object_size 3 GB
>>> quick_abort_min -1
>>> delay_pools 1
>>> delay_class 1 1
>>> delay_parameters 1 128000/128000
>>> delay_access 1 deny SSL_ports
>>> delay_access 1 allow !useragent
>>> delay_access 1 deny all
>>>
>>> #cache conf
>>> max_filedescriptors 24576
>>> memory_cache_mode disk
>>> cache_mem 0 MB
>>> cache allow all
>>> minimum_object_size 0 bytes
>>> maximum_object_size 20 MB
>>> sslproxy_flags DONT_VERIFY_PEER
>>> connect_timeout 8 seconds
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost manager
>>> http_access deny manager
>>> http_access allow localnet
>>> http_access allow localhost
>>> http_access deny all
>>> reply_header_access Alternate-Protocol deny all
>>>
>>> http_port 3130
>>> http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem
>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> http_port 3128 intercept
>>> https_port 3129 intercept ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem
>>>
>>> cache_dir ufs /var/cache/squid 9000 16 256
>>> cache_store_log /var/log/squid/store.log
>>> cache_effective_user squid
>>> visible_hostname Proxy
>>>
>>> refresh_pattern ^ftp:           1440    20%     10080
>>> refresh_pattern ^gopher:        1440    0%      1440
>>> refresh_pattern -i (/cgi-bin/|\?) 2     20%     10
>>> refresh_pattern .               2       20%     10      ignore-reload
>>> override-expire ignore-no-cache ignore-no-store store-stale
>>> ignore-private ignore-must-revalidate ignore-auth
>>> refresh_pattern -i
>>> \.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1
>>> 20% 4 override-expire ignore-no-cache ignore-no-store ignore-private
>>> reload-into-ims
>>>
>>>
>>> #SSL BUMP
>>> include /etc/squid/ssl.conf
>>>
>>> #LOGGING
>>> access_log /var/log/squid/access.log
>>> access_log /var/log/squid/access_c2.log cc
>>> access_log /var/log/squid/access_c2.log dom
>>> access_log /var/log/squid/splc.log excludeSSL
>>> cache_log /dev/null
>>> coredump_dir /var/cache/squid
>>>
>>> #ICAP
>>> icap_enable on
>>> icap_send_client_ip on
>>> icap_send_client_username on
>>> icap_client_username_header X-Authenticated-User
>>> icap_service service_req reqmod_precache bypass=1
>>> icap://127.0.0.1:1344/squidclamav
>>> adaptation_access service_req allow useragent
>>> icap_service service_resp respmod_precache bypass=1
>>> icap://127.0.0.1:1344/squidclamav
>>> adaptation_access service_resp allow useragent
>>>
>>> #X FORWARDED FOR
>>> forwarded_for on
>>>
>>> SSL.conf
>>> =======
>>>
>>> sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
>>> sslproxy_cafile /etc/squid/intermediate_ca.pem
>>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
>>> sslcrtd_children 16 startup=5 idle=1
>>>
>>> acl FakeCert ssl::server_name .apple.com
>>> acl FakeCert ssl::server_name .icloud.com
>>> acl FakeCert ssl::server_name .mzstatic.com
>>> acl FakeCert ssl::server_name .dropbox.com
>>> acl ssl_step1 at_step SslBump1
>>> acl ssl_step2 at_step SslBump2
>>> acl ssl_step3 at_step SslBump3
>>>
>>> ssl_bump peek ssl_step1
>>> ssl_bump splice GlobalWhitelistDSTNet
>>> ssl_bump splice GlobalWhitelistDomainsRx
>>> ssl_bump splice GlobalWhitelistDomains
>>> ssl_bump splice FakeCert
>>> ssl_bump bump ssl_step2 all
>>> ssl_bump splice all
>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>>> sslproxy_cipher
>>>
>>> ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>>> sslproxy_flags DONT_VERIFY_PEER
>>> sslproxy_cert_error allow all
>>> sslproxy_cert_error deny all
>>>
>>> acls_whitelist.conf
>>> =============
>>>
>>> acl WindowsUpdates dstdomain officecdn.microsoft.com
>>> acl WindowsUpdates dstdomain windowsupdate.microsoft.com
>>> acl WindowsUpdates dstdomain ntservicepack.microsoft.com
>>> acl WindowsUpdates dstdomain download.microsoft.com
>>> acl WindowsUpdates dstdomain .windowsupdate.com
>>> acl WindowsUpdates dstdomain .windowsupdate.net
>>> acl WindowsUpdates dstdomain .update.microsoft.com
>>> acl WindowsUpdates dstdomain .mp.microsoft.com
>>> acl WindowsUpdates dstdomain .ws.microsoft.com
>>> acl GlobalWhitelistDomains dstdomain
>>> "/etc/squid/acls_whitelist.dstdomain.conf"
>>> acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
>>> acl GlobalWhitelistDomainsRx dstdom_regex -i
>>> "/etc/squid/acls_whitelist.dstdom_regex.conf"
>>> acl GlobalWhitelistBrowsers browser -i
>>> "/etc/squid/acls_whitelist.browser.conf"
>>> http_access allow GlobalWhitelistDomains
>>> url_rewrite_access deny GlobalWhitelistDomains
>>> http_access allow GlobalWhitelistDSTNet
>>> url_rewrite_access deny GlobalWhitelistDSTNet
>>> http_access allow GlobalWhitelistDomainsRx
>>> url_rewrite_access deny GlobalWhitelistDomainsRx
>>> http_access allow GlobalWhitelistBrowsers
>>>
>>>
>>> Any one with the same TAG_NONE/503 error, please help!?
>>>
>>> Regards,
>>> Hugo
>>> ________________________________
>>>
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>>
>> --
>> Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.
>
>
>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL TAG_NONE/503 errors

Hugo Saavedra
ok,
Alex, these are the errors in cache.log (from 2 different tests):

2017/12/06 16:01:52 kid1| Error negotiating SSL on FD 18:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure (1/-1/0)
2017/12/06 16:01:52 kid1| Error negotiating SSL on FD 25:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure (1/-1/0)
2017/12/06 16:01:52 kid1| Error negotiating SSL on FD 26:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure (1/-1/0)
2017/12/06 16:02:10 kid1| send: (111) Connection refused
2017/12/06 16:02:10 kid1| Closing Pinger socket on FD 36
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 67:
error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 68:
error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 70:
error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 69:
error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 75:
error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Error negotiating SSL on FD 74:
error:00000000:lib(0): func(0):reason(0) (5/0/0)
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:23 kid1| Starting new ssl_crtd helpers...
2017/12/06 16:02:23 kid1| helperOpenServers: Starting 1/16 'ssl_crtd' processes
2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
(1/0)

Best,
Hugo

2017-12-06 15:54 GMT-03:00 Alex Rousskov <[hidden email]>:

> On 12/06/2017 11:45 AM, Hugo Saavedra wrote:
>
>> Currently we have cache.log disabled for performance.
>
> With default debug_options, cache.log should not affect performance. If
> it does in your setup, then there is probably a problem that you should
> solve (without disabling cache.log).
>
>
>> any clues?
>
> You are probably not supplying enough information for others to guess
> what the problem is. Enabling cache.log may be the best next step. You
> can also try logging %err_code/%err_detail to access.log but not all
> errors populate those two logformat %codes so YMMV.
>
> Alex.
>
>
>> 2017-12-06 14:51 GMT-03:00 Enrico Heine <[hidden email]>:
>>> Hi,
>>>
>>> Can you confirm that squid is able to resolve these hostnames? If not try
>>> browsing to them without https and check if squid gives you an error
>>> message.
>>>
>>> Did you check the cache.log as well?
>>>
>>> Br Enrico
>>>
>>> Am 6. Dezember 2017 17:38:24 MEZ schrieb Hugo Saavedra
>>> <[hidden email]>:
>>>>
>>>> Hi All,
>>>>
>>>> We have the following setup of a transparent squid box:
>>>> OS: CentOS release 6.9 (Final)
>>>> Squid Cache: Version 3.5.26-20170625-r14174
>>>> Compile options:
>>>>    '--with-included-ltdl' '--enable-icap-client'
>>>> '--enable-delay-pools' '--with-openssl' '--enable-ssl-crtd'
>>>> '--enable-icmp' '--enable-snmp' '--prefix=/usr'
>>>> '--includedir=/usr/include' '--datadir=/usr/share'
>>>> '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
>>>> '--localstatedir=/var' '--sysconfdir=/etc/squid'
>>>> --enable-ltdl-convenience
>>>>
>>>> Endpoints are redirected to the Squid box using a policy route for
>>>> TCP80/443 on a Fortigate firewall. All http/80 traffic works well. We
>>>> are using ssl bump for ssl, but there is an strange behavior, some
>>>> websites opens well, but some ones breaks and getting TAG_NONE/503
>>>> errors in the access log:
>>>>
>>>> 1512561423.930      1 192.168.1.108 TAG_NONE/503 31435 POST
>>>> https://api.chatlio.com/v1/p/visitor/session/new - HIER_NONE/-
>>>> text/html
>>>> 1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET
>>>>
>>>> https://tile-service.weather.microsoft.com/es-CL/livetile/front/-33.44,-70.65?
>>>> - HIER_NONE/- text/html
>>>> 1512562220.870      1 192.168.1.158 TAG_NONE/503 12386 GET
>>>> https://service.weather.microsoft.com/appex/DesktopTile/Badge? -
>>>> HIER_NONE/- text/html
>>>> 1512566858.355    186 192.168.1.104 TAG_NONE/503 31436 GET
>>>>
>>>> https://www.mercantil.com/empresa/reac-importadora-spa/estaci%C3%B3n-central/300469639/esp
>>>> - HIER_NONE/- text/html
>>>>
>>>> In the same time-range, other websites loads well
>>>>
>>>> 1512561134.548    306 192.168.1.112 TCP_MISS/302 572 GET
>>>> https://loadm.exelator.com/load/? - ORIGINAL_DST/63.251.252.12
>>>> image/gif
>>>> 1512561139.701    216 192.168.1.148 TCP_MISS/200 386 POST
>>>> https://cloud-ecs.gravityzone.bitdefender.com/hydra-
>>>> ORIGINAL_DST/107.20.215.8 application/json
>>>> 1512561142.180     13 192.168.1.112 TCP_MISS/200 419 GET
>>>> https://www.facebook.com/tr/? - ORIGINAL_DST/179.60.193.35 image/gif
>>>> 1512561142.410    243 192.168.1.112 TCP_MISS/200 286 GET
>>>> https://bam.nr-data.net/1/ef1706da28? - ORIGINAL_DST/162.247.242.21
>>>> text/javascript
>>>>
>>>>
>>>> IPTABLES CONFIGURATION
>>>> =======================
>>>> # PREROUTING INTERCEPT PBR
>>>>
>>>> *nat
>>>> :PREROUTING ACCEPT [0:0]
>>>> :POSTROUTING ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [0:0]
>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports
>>>> 3128
>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports
>>>> 3129
>>>> COMMIT
>>>>
>>>> *filter
>>>> :INPUT ACCEPT [0:0]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [0:0]
>>>>
>>>> #WEB
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>>> --dport 80 -j ACCEPT
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>>> --dport 443 -j ACCEPT
>>>>
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>>> --dport 3128 -j ACCEPT
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>>> --dport 3129 -j ACCEPT
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>>> --dport 3130 -j ACCEPT
>>>> -A INPUT -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp
>>>> --dport 3131 -j ACCEPT
>>>>
>>>> #default
>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>> -A INPUT -p icmp -j ACCEPT
>>>> -A INPUT -i lo -j ACCEPT
>>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>>> COMMIT
>>>>
>>>>
>>>> SQUID CONFIGURATION
>>>> ====================
>>>>
>>>> #WHITE LIST
>>>> acl exclWL url_regex "/etc/squid/white_url.squid"
>>>> acl neoWL url_regex "/etc/squid/neowl.squid"
>>>> http_access allow exclWL
>>>> http_access allow neoWL
>>>> cache deny exclWL
>>>> cache deny neoWL
>>>> always_direct allow exclWL
>>>> always_direct allow neoWL
>>>>
>>>> #Malicious URLs
>>>> acl dom url_regex "/etc/squid/dom.squid"
>>>> acl cc url_regex "/etc/squid/cc.squid"
>>>> http_access deny dom
>>>> http_access deny cc
>>>>
>>>> #BLACK LIST
>>>> acl exclBL url_regex "/etc/squid/black_url.squid"
>>>> acl neoBL url_regex "/etc/squid/neobl.squid"
>>>> http_access deny exclBL
>>>> http_access deny neoBL
>>>>
>>>> #ACLS BASE
>>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>> acl localnet src fc00::/7       # RFC 4193 local private network range
>>>> acl localnet src fe80::/10      # RFC 4291 link-local (directly
>>>> plugged) machines
>>>> acl SSL_ports port 443
>>>> acl SSL_ports port 3129
>>>> acl Safe_ports port 80          # http
>>>> acl Safe_ports port 21          # ftp
>>>> acl Safe_ports port 443         # https
>>>> acl Safe_ports port 70          # gopher
>>>> acl Safe_ports port 210         # wais
>>>> acl Safe_ports port 1025-65535  # unregistered ports
>>>> acl Safe_ports port 280         # http-mgmt
>>>> acl Safe_ports port 488         # gss-http
>>>> acl Safe_ports port 591         # filemaker
>>>> acl Safe_ports port 777         # multiling http
>>>> acl CONNECT method CONNECT
>>>> acl HTTPS proto HTTPS
>>>>
>>>> include /etc/squid/acls_whitelist.conf
>>>> acl useragent browser "/etc/squid/useragent.squid"
>>>> range_offset_limit 0 !useragent
>>>> minimum_object_size 0 bytes
>>>> maximum_object_size 3 GB
>>>> quick_abort_min -1
>>>> delay_pools 1
>>>> delay_class 1 1
>>>> delay_parameters 1 128000/128000
>>>> delay_access 1 deny SSL_ports
>>>> delay_access 1 allow !useragent
>>>> delay_access 1 deny all
>>>>
>>>> #cache conf
>>>> max_filedescriptors 24576
>>>> memory_cache_mode disk
>>>> cache_mem 0 MB
>>>> cache allow all
>>>> minimum_object_size 0 bytes
>>>> maximum_object_size 20 MB
>>>> sslproxy_flags DONT_VERIFY_PEER
>>>> connect_timeout 8 seconds
>>>>
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localhost manager
>>>> http_access deny manager
>>>> http_access allow localnet
>>>> http_access allow localhost
>>>> http_access deny all
>>>> reply_header_access Alternate-Protocol deny all
>>>>
>>>> http_port 3130
>>>> http_port 3131 ssl-bump cert=/etc/squid/ssl_cert/SIC.pem
>>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>>> http_port 3128 intercept
>>>> https_port 3129 intercept ssl-bump generate-host-certificates=on
>>>> dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/SIC.pem
>>>>
>>>> cache_dir ufs /var/cache/squid 9000 16 256
>>>> cache_store_log /var/log/squid/store.log
>>>> cache_effective_user squid
>>>> visible_hostname Proxy
>>>>
>>>> refresh_pattern ^ftp:           1440    20%     10080
>>>> refresh_pattern ^gopher:        1440    0%      1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 2     20%     10
>>>> refresh_pattern .               2       20%     10      ignore-reload
>>>> override-expire ignore-no-cache ignore-no-store store-stale
>>>> ignore-private ignore-must-revalidate ignore-auth
>>>> refresh_pattern -i
>>>> \.(dmg|msi|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 1
>>>> 20% 4 override-expire ignore-no-cache ignore-no-store ignore-private
>>>> reload-into-ims
>>>>
>>>>
>>>> #SSL BUMP
>>>> include /etc/squid/ssl.conf
>>>>
>>>> #LOGGING
>>>> access_log /var/log/squid/access.log
>>>> access_log /var/log/squid/access_c2.log cc
>>>> access_log /var/log/squid/access_c2.log dom
>>>> access_log /var/log/squid/splc.log excludeSSL
>>>> cache_log /dev/null
>>>> coredump_dir /var/cache/squid
>>>>
>>>> #ICAP
>>>> icap_enable on
>>>> icap_send_client_ip on
>>>> icap_send_client_username on
>>>> icap_client_username_header X-Authenticated-User
>>>> icap_service service_req reqmod_precache bypass=1
>>>> icap://127.0.0.1:1344/squidclamav
>>>> adaptation_access service_req allow useragent
>>>> icap_service service_resp respmod_precache bypass=1
>>>> icap://127.0.0.1:1344/squidclamav
>>>> adaptation_access service_resp allow useragent
>>>>
>>>> #X FORWARDED FOR
>>>> forwarded_for on
>>>>
>>>> SSL.conf
>>>> =======
>>>>
>>>> sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem
>>>> sslproxy_cafile /etc/squid/intermediate_ca.pem
>>>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
>>>> sslcrtd_children 16 startup=5 idle=1
>>>>
>>>> acl FakeCert ssl::server_name .apple.com
>>>> acl FakeCert ssl::server_name .icloud.com
>>>> acl FakeCert ssl::server_name .mzstatic.com
>>>> acl FakeCert ssl::server_name .dropbox.com
>>>> acl ssl_step1 at_step SslBump1
>>>> acl ssl_step2 at_step SslBump2
>>>> acl ssl_step3 at_step SslBump3
>>>>
>>>> ssl_bump peek ssl_step1
>>>> ssl_bump splice GlobalWhitelistDSTNet
>>>> ssl_bump splice GlobalWhitelistDomainsRx
>>>> ssl_bump splice GlobalWhitelistDomains
>>>> ssl_bump splice FakeCert
>>>> ssl_bump bump ssl_step2 all
>>>> ssl_bump splice all
>>>> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>>>> sslproxy_cipher
>>>>
>>>> ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>>>> sslproxy_flags DONT_VERIFY_PEER
>>>> sslproxy_cert_error allow all
>>>> sslproxy_cert_error deny all
>>>>
>>>> acls_whitelist.conf
>>>> =============
>>>>
>>>> acl WindowsUpdates dstdomain officecdn.microsoft.com
>>>> acl WindowsUpdates dstdomain windowsupdate.microsoft.com
>>>> acl WindowsUpdates dstdomain ntservicepack.microsoft.com
>>>> acl WindowsUpdates dstdomain download.microsoft.com
>>>> acl WindowsUpdates dstdomain .windowsupdate.com
>>>> acl WindowsUpdates dstdomain .windowsupdate.net
>>>> acl WindowsUpdates dstdomain .update.microsoft.com
>>>> acl WindowsUpdates dstdomain .mp.microsoft.com
>>>> acl WindowsUpdates dstdomain .ws.microsoft.com
>>>> acl GlobalWhitelistDomains dstdomain
>>>> "/etc/squid/acls_whitelist.dstdomain.conf"
>>>> acl GlobalWhitelistDSTNet dst "/etc/squid/acls_whitelist.dst.conf"
>>>> acl GlobalWhitelistDomainsRx dstdom_regex -i
>>>> "/etc/squid/acls_whitelist.dstdom_regex.conf"
>>>> acl GlobalWhitelistBrowsers browser -i
>>>> "/etc/squid/acls_whitelist.browser.conf"
>>>> http_access allow GlobalWhitelistDomains
>>>> url_rewrite_access deny GlobalWhitelistDomains
>>>> http_access allow GlobalWhitelistDSTNet
>>>> url_rewrite_access deny GlobalWhitelistDSTNet
>>>> http_access allow GlobalWhitelistDomainsRx
>>>> url_rewrite_access deny GlobalWhitelistDomainsRx
>>>> http_access allow GlobalWhitelistBrowsers
>>>>
>>>>
>>>> Any one with the same TAG_NONE/503 error, please help!?
>>>>
>>>> Regards,
>>>> Hugo
>>>> ________________________________
>>>>
>>>> squid-users mailing list
>>>> [hidden email]
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>>
>>> --
>>> Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.
>>
>>
>>
>



--
Saludos,
Hugo Saavedra
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL TAG_NONE/503 errors

Alex Rousskov
On 12/06/2017 12:06 PM, Hugo Saavedra wrote:
> 2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> (1/0)

You may be able to fix this problem by updating your collection of
public CA certificates. Squid uses CA certificates to validate
certificates presented by origin servers. You may be able to confirm
that your collection is stale and know more (e.g., which CA certificate
is unknown) if you can map the above error to an access.log entry that
would give you the origin server name to interrogate.

Similar reasoning applies to other SSL-related cache.log errors as well,
but troubleshooting them may require more efforts (e.g., starting with a
higher debugging levels and/or packet captures).

Alex.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL TAG_NONE/503 errors

Yuri Voinov
Not necessarily a stale CA bundle. The same `alert unknown ca` is produced when the *client* rejects the certificate Squid generated — for example an application that pins its server certificate, or a client that does not trust the bumping CA. Two details in your own logs point that way: Squid 3.5 appears to log `Error negotiating SSL connection on FD ... (1/0)` for the client-facing handshake (the origin-facing one is the `Error negotiating SSL on FD ... (1/-1/0)` form seen earlier), and the quoted config sets `sslproxy_flags DONT_VERIFY_PEER`, so Squid itself would not have rejected the origin certificate here.


07.12.2017 1:21, Alex Rousskov пишет:

> On 12/06/2017 12:06 PM, Hugo Saavedra wrote:
>> 2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61:
>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>> (1/0)
> You may be able to fix this problem by updating your collection of
> public CA certificates. Squid uses CA certificates to validate
> certificates presented by origin servers. You may be able to confirm
> that your collection is stale and know more (e.g., which CA certificate
> is unknown) if you can map the above error to an access.log entry that
> would give you the origin server name to interrogate.
>
> Similar reasoning applies to other SSL-related cache.log errors as well,
> but troubleshooting them may require more efforts (e.g., starting with a
> higher debugging levels and/or packet captures).
>
> Alex.
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
--
"Some people, when confronted with a problem, think «I know, I'll use regular expressions.» Now they have two problems."
--Jamie Zawinsk

**************************
* C++: Bug to the future *
**************************



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


Re: SSL TAG_NONE/503 errors

Hugo Saavedra
Solution found: we commented out the sslproxy_cipher line and now it works!
Are there any security issues if we leave this directive at its default value?

thanks
Hugo

2017-12-06 16:21 GMT-03:00 Alex Rousskov <[hidden email]>:

> On 12/06/2017 12:06 PM, Hugo Saavedra wrote:
>> 2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61:
>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>> (1/0)
>
> You may be able to fix this problem by updating your collection of
> public CA certificates. Squid uses CA certificates to validate
> certificates presented by origin servers. You may be able to confirm
> that your collection is stale and know more (e.g., which CA certificate
> is unknown) if you can map the above error to an access.log entry that
> would give you the origin server name to interrogate.
>
> Similar reasoning applies to other SSL-related cache.log errors as well,
> but troubleshooting them may require more efforts (e.g., starting with a
> higher debugging levels and/or packet captures).
>
> Alex.



--
Saludos,
Hugo Saavedra
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL TAG_NONE/503 errors

Yuri Voinov
RC4, maybe.

In practice an overly restrictive cipher string leads to assorted breakage, even with big vendors such as Microsoft (some of their sites AFAIK still use RC4).

Also worth checking in the quoted string: in OpenSSL cipher-list syntax the `!SSLv3` token removes every suite whose minimum version is SSLv3 — on OpenSSL 1.0.x that is nearly every TLS 1.0/1.1 suite (AES128-SHA, ECDHE-RSA-AES128-SHA, ...), not just the SSLv3 protocol. The protocol itself is already disabled by `sslproxy_options NO_SSLv3`, so that token is most likely what left some origins with no common cipher, which matches the `sslv3 alert handshake failure` entries in your cache.log.

To your question: yes, in theory falling back to the default list can expose weaker suites, but judging that needs a proper review. If you are concerned, compare the default OpenSSL cipher list against a current recommended profile and remove only the suites you can justify removing. Note, however, that the larger exposure in the quoted config is not the cipher list but `sslproxy_flags DONT_VERIFY_PEER` together with `sslproxy_cert_error allow all` (the following `deny all` is never reached): with those, Squid accepts any origin certificate — expired, self-signed, wrong host name — and re-signs it with your CA, so clients behind the proxy see a "valid" certificate regardless of what the origin actually presented.

07.12.2017 1:56, Hugo Saavedra пишет:

> solution finded: we commented the sslproxy_cipher line and it works!
> is there any security issues if we left the default options for this variable?
>
> thanks
> Hugo
>
> 2017-12-06 16:21 GMT-03:00 Alex Rousskov <[hidden email]>:
>> On 12/06/2017 12:06 PM, Hugo Saavedra wrote:
>>> 2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61:
>>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>> (1/0)
>> You may be able to fix this problem by updating your collection of
>> public CA certificates. Squid uses CA certificates to validate
>> certificates presented by origin servers. You may be able to confirm
>> that your collection is stale and know more (e.g., which CA certificate
>> is unknown) if you can map the above error to an access.log entry that
>> would give you the origin server name to interrogate.
>>
>> Similar reasoning applies to other SSL-related cache.log errors as well,
>> but troubleshooting them may require more efforts (e.g., starting with a
>> higher debugging levels and/or packet captures).
>>
>> Alex.
>
>
--
"Some people, when confronted with a problem, think «I know, I'll use regular expressions.» Now they have two problems."
--Jamie Zawinsk

**************************
* C++: Bug to the future *
**************************



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


Re: SSL TAG_NONE/503 errors

Hugo Saavedra
Oops! We have another problem here — does anyone know what this is?

2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:23 kid1| SECURITY ALERT: Host header forgery detected
on local=131.253.61.100:443 remote=192.168.10.2:59041 FD 126 flags=33
(local IP does not match any domain IP)
2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected
on local=131.253.61.100:443 remote=192.168.10.2:59042 FD 106 flags=33
(local IP does not match any domain IP)
2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected
on local=131.253.61.100:443 remote=192.168.10.2:59043 FD 107 flags=33
(local IP does not match any domain IP)
2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443

Thanks

2017-12-06 16:56 GMT-03:00 Hugo Saavedra <[hidden email]>:

> solution finded: we commented the sslproxy_cipher line and it works!
> is there any security issues if we left the default options for this variable?
>
> thanks
> Hugo
>
> 2017-12-06 16:21 GMT-03:00 Alex Rousskov <[hidden email]>:
>> On 12/06/2017 12:06 PM, Hugo Saavedra wrote:
>>> 2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61:
>>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>> (1/0)
>>
>> You may be able to fix this problem by updating your collection of
>> public CA certificates. Squid uses CA certificates to validate
>> certificates presented by origin servers. You may be able to confirm
>> that your collection is stale and know more (e.g., which CA certificate
>> is unknown) if you can map the above error to an access.log entry that
>> would give you the origin server name to interrogate.
>>
>> Similar reasoning applies to other SSL-related cache.log errors as well,
>> but troubleshooting them may require more efforts (e.g., starting with a
>> higher debugging levels and/or packet captures).
>>
>> Alex.
>
>
>
> --
> Saludos,
> Hugo Saavedra



--
Saludos,
Hugo Saavedra
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL TAG_NONE/503 errors

Yuri Voinov
https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery


07.12.2017 5:40, Hugo Saavedra пишет:

> ooops!, we have another problem here, anyone knows what is this?
>
> 2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
> 2017/12/06 19:30:23 kid1| SECURITY ALERT: Host header forgery detected
> on local=131.253.61.100:443 remote=192.168.10.2:59041 FD 126 flags=33
> (local IP does not match any domain IP)
> 2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
> 2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected
> on local=131.253.61.100:443 remote=192.168.10.2:59042 FD 106 flags=33
> (local IP does not match any domain IP)
> 2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
> 2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected
> on local=131.253.61.100:443 remote=192.168.10.2:59043 FD 107 flags=33
> (local IP does not match any domain IP)
> 2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
>
> Thanks
>
> 2017-12-06 16:56 GMT-03:00 Hugo Saavedra <[hidden email]>:
>> solution finded: we commented the sslproxy_cipher line and it works!
>> is there any security issues if we left the default options for this variable?
>>
>> thanks
>> Hugo
>>
>> 2017-12-06 16:21 GMT-03:00 Alex Rousskov <[hidden email]>:
>>> On 12/06/2017 12:06 PM, Hugo Saavedra wrote:
>>>> 2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61:
>>>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>>> (1/0)
>>> You may be able to fix this problem by updating your collection of
>>> public CA certificates. Squid uses CA certificates to validate
>>> certificates presented by origin servers. You may be able to confirm
>>> that your collection is stale and know more (e.g., which CA certificate
>>> is unknown) if you can map the above error to an access.log entry that
>>> would give you the origin server name to interrogate.
>>>
>>> Similar reasoning applies to other SSL-related cache.log errors as well,
>>> but troubleshooting them may require more efforts (e.g., starting with a
>>> higher debugging levels and/or packet captures).
>>>
>>> Alex.
>>
>>
>> --
>> Saludos,
>> Hugo Saavedra
>
>
--
"Some people, when confronted with a problem, think «I know, I'll use regular expressions.» Now they have two problems."
--Jamie Zawinski

**************************
* C++: Bug to the future *
**************************



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
