Squid 3.1.19 problem: TCP_MISS/503 0 CONNECT https:443 - NONE/- -

b0tm1nd
I am trying to set up Squid as a proxy with HTTPS support.
No matter what I try, I cannot get CONNECT methods to work (via both HTTP and HTTPS protocols).

The problem seems to be very strange and unique, because the connection URL gets converted to something odd.

When I have the never_direct allow all option enabled, here is what I get:

Requests:
CONNECT https://google.com
CONNECT http://google.com
GET https://google.com
Log:
TCP_MISS/503 0 CONNECT https:443 - NONE/- -
TCP_MISS/503 0 CONNECT http:443 - NONE/- -
TCP_HIT/301 647 GET https://google.com/ - NONE/- text/html

Without this option, the logs turn into:
TCP_MISS/404 0 CONNECT https:443 - DIRECT/- -
TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -

Note how "//google.com" turns into ":443".

Here is the part of detailed log, where this mysterious turn occurs:

2014/02/04 22:29:38.958| The request CONNECT https://google.com is ALLOWED, because it matched 'all'
2014/02/04 22:29:38.958| cbdataReferenceValid: 0x9e468a8
2014/02/04 22:29:38.958| cbdataReferenceValid: 0x9e468a8
2014/02/04 22:29:38.958| AccessCheck.cc(31) Start: adaptation off, skipping
2014/02/04 22:29:38.958| client_side_request.cc(1351) doCallouts: Doing calloutContext->clientAccessCheck2()
2014/02/04 22:29:38.958| client_side_request.cc(556) clientAccessCheck2: No adapted_http_access configuration.
2014/02/04 22:29:38.958| The request CONNECT https:443 is ALLOWED, because it matched 'all'

My configuration:

acl all src
acl localnet src 10.0.0.0/8
acl localnet src 192.168.1.0/24 # Your network here
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 1025-65535
acl sslports port 443 563 81 2087 10000
acl manager proto cache_object
acl purge method PURGE
http_access allow manager localhost
http_access allow purge localhost
http_access allow localhost
http_access allow localnet
http_access allow sslports

acl SSL method CONNECT
acl POST method POST

http_access allow all
never_direct allow all

http_port 3128

cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /home/precise/cache 1024 16 256
maximum_object_size 128000 KB
cache_swap_low 95
cache_swap_high 99

access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
debug_options ALL,9
cache_store_log none
logfile_rotate 5
log_icp_queries off

quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 13 KB

vary_ignore_expire on
#
# ANONIMITY OPTIONS
# ===============
#
request_header_access From deny all
request_header_access Server deny all
request_header_access Link deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
#
# TIMEOUTS
# =======
#
forward_timeout 240 second
connect_timeout 30 second
peer_connect_timeout 5 second
read_timeout 600 second
request_timeout 60 second
shutdown_lifetime 10 second

cache_mgr vps
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string on
visible_hostname vps

ftp_list_width 32
ftp_passive on
ftp_sanitycheck on

dns_timeout 10 seconds
dns_nameservers 192.168.1.1 8.8.8.8 8.8.4.4 # DNS Server

memory_pools off

client_db off
reload_into_ims on
coredump_dir /cache
pipeline_prefetch on
offline_mode off
error_default_language en-us

This is the version output:

# /usr/local/squid/sbin/squid -v
Squid Cache: Version 3.1.19
configure options:  '--enable-ecap' '--enable-removal-policies=lru heap' '--with-default-user=proxy' '--enable-ssl' '--enable-storeio=ufs aufs' '--with-large-files' '--enable-icap-client' --with-squid=/root/squid-3.1.19 --enable-ltdl-convenience

When I use the one installed from Ubuntu 12.04 with the same configuration, I cannot even get "GET https://google.com" to work.
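
An added contrast example from the editor (not the poster's file and not a Squid project file): the http_access list above never denies anything. Every rule is an allow and `http_access allow all` comes last, so any client that can reach port 3128, not only localnet, may use the proxy; `acl sslports` is defined but never enforced; and CONNECT is accepted to every port in safeports, including the whole 1025-65535 range. The hardened version below follows the rule order of the stock squid.conf of this era: deny unsafe ports and non-TLS CONNECT targets first, then allow the named networks, then deny everything else. The port lists are an assumption to be trimmed to what is actually needed. Two more points a practitioner would check in the posted file: `acl all src` is missing its address argument (the hardened version does not redefine `all` and relies on the built-in ACL; if this Squid build complains that `all` is undefined, add `acl all src all`), and `never_direct allow all` forbids DIRECT fetches, so it only makes sense with a `cache_peer` to forward to; no peer is defined above, and `NONE/-` in the 503 log lines is the hierarchy field recording that the request was not forwarded anywhere.

```conf
# --- as posted: allow-only list, open to any source that can reach the port ---
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 1025-65535
acl sslports port 443 563 81 2087 10000      # defined, never used in a deny
http_access allow localhost
http_access allow localnet
http_access allow sslports                   # any client, if the port is in the list
http_access allow all                        # everything else, from anywhere
never_direct allow all                       # forbids DIRECT, yet no cache_peer exists

# --- hardened equivalent (editor's example; port lists are an assumption) ---
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/8
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

http_access deny !Safe_ports                 # reject odd destination ports outright
http_access deny CONNECT !SSL_ports          # tunnels only to TLS ports
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all                         # default deny for every other source

http_port 3128
# never_direct is omitted: without a cache_peer, DIRECT is the only route.
```

After reloading, a quick check is to issue a CONNECT to port 25 from a localnet host and confirm the access.log shows TCP_DENIED/403 rather than a tunnel.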

Re: Squid 3.1.19 problem: TCP_MISS/503 0 CONNECT https:443 - NONE/- -

Amos Jeffries
Administrator
On 5/02/2014 12:49 p.m., b0tm1nd wrote:
> I am trying to set up Squid as a proxy with HTTPS support.
> No matter what I try, I cannot get CONNECT methods to work (via both HTTP
> and HTTPS protocols).

Problem 1) CONNECT is not valid in HTTPS. It is a client->proxy method
and only expected to work in HTTP where proxies are defined to exist.
HTTPS is defined to be an end-to-end client->origin server connection.

>
> The problem seems to be very strange and unique, because the connection URL
> get's converted to something odd.
>
> When I have enabled *never_direct allow all* option, here is what I get:
>
> Requests:
> CONNECT https://google.com
> CONNECT http://google.com
> GET https://google.com

Problem 2) none of the above are valid HTTP requests.

This is what valid equivalent requests would look like:

 CONNECT google.com:443 HTTP/1.1
 CONNECT google.com:80 HTTP/1.1
 GET https://google.com/ HTTP/1.1

This might help
https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p1-messaging.html#request-target

> Log:
> TCP_MISS/503 0 CONNECT https:443 - NONE/- -
> TCP_MISS/503 0 CONNECT http:443 - NONE/- -
> TCP_HIT/301 647 GET https://google.com/ - NONE/- text/html
>
> Without this option, the logs turns into:
> TCP_MISS/404 0 CONNECT https:443 - DIRECT/- -
> TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
>
> Note, how "//google.com" turns into ":443".

Strange. Your Squid is assuming that anything using CONNECT is port 443.
I usually see text strings being converted to the value 0.

>
> Here is the part of detailed log, where this mysterious turn occurs:
>
>
>
> My configuraion:
>
>
>
> This is the version output:
>
>
>

Email strangely missing any of your embedded details ... oh wait. Nabble
bites again. :-(


> When I use the one installed from Ubuntu 12.04 with the same configuration,
> I cannot even get to "GET https://google.com" to work.


Squid and OpenSSL licenses clash a little bit. The Debian and Ubuntu OS
distributors have chosen for legal policy reasons not to provide a Squid
binary with HTTPS support so long as that support requires OpenSSL to be
linked to Squid.

You will need to build your own Squid with --enable-ssl or somewhere
locate a Squid .deb package with SSL support enabled. I don't know where
one might be found, sorry.

Amos
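
Amos's point about request-target forms, worked through as an added example from the editor (not code from the thread or the Squid project). CONNECT takes an authority-form target (host:port) and a proxied GET an absolute-form target (a full URL); the helpers below classify a target, rewrite the three hand-typed requests from the first post into what a proxy actually expects, serialize them, and parse the status line a proxy answers with. The proxy address in connect_via_proxy() and the example hostnames are assumptions.

```python
"""Editor's example: build and check HTTP proxy request lines.

RFC 7230 section 5.3: CONNECT uses authority-form (host:port), a proxied
GET uses absolute-form (full URL).  Sample inputs are constructed from the
three hand-typed requests in the thread; the proxy address is an assumption.
"""
import re
import socket
from urllib.parse import urlsplit

# authority-form: host:port, host being a name, IPv4 literal or [IPv6] literal
AUTHORITY_RE = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
    r":(?P<port>[0-9]{1,5})$"
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def classify_target(method, target):
    """Name the request-target form, or 'malformed' if a proxy cannot use it."""
    if method.upper() == "CONNECT":
        m = AUTHORITY_RE.match(target)
        if m and 0 < int(m.group("port")) < 65536:
            return "authority-form"
        return "malformed"
    parts = urlsplit(target)
    if parts.scheme in DEFAULT_PORTS and parts.hostname:
        return "absolute-form"
    return "malformed"


def normalize(method, target):
    """Rewrite a sloppy hand-typed request into (method, request_target, host_header).

    CONNECT https://google.com -> CONNECT google.com:443
    CONNECT http://google.com  -> CONNECT google.com:80
    GET https://google.com     -> GET https://google.com/
    """
    method = method.upper()
    if method == "CONNECT" and classify_target(method, target) == "authority-form":
        return method, target, target
    parts = urlsplit(target if "://" in target else "https://" + target)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"cannot derive a host from {target!r}")
    host = parts.hostname
    if ":" in host:                     # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    authority = f"{host}:{port}"
    if method == "CONNECT":
        return method, authority, authority
    netloc = host if port == DEFAULT_PORTS[parts.scheme] else authority
    path = parts.path or "/"
    if parts.query:
        path = f"{path}?{parts.query}"
    return method, f"{parts.scheme}://{netloc}{path}", netloc


def request_bytes(method, target):
    """Serialize a complete HTTP/1.1 request that a proxy will accept."""
    method, request_target, host_header = normalize(method, target)
    return f"{method} {request_target} HTTP/1.1\r\nHost: {host_header}\r\n\r\n".encode("ascii")


def parse_status(head):
    """Return the integer status code from the raw bytes of a response head."""
    m = re.match(rb"HTTP/1\.[01] (\d{3})(?:[ \r]|$)", head)
    if not m:
        raise ValueError("not an HTTP/1.x status line")
    return int(m.group(1))


def connect_via_proxy(host, port, proxy=("127.0.0.1", 3128), timeout=10):
    """Ask the proxy for a CONNECT tunnel; return (status, socket-or-None).

    Network call, not exercised offline.  On 200 the socket is the raw tunnel,
    ready for ssl.SSLContext.wrap_socket(..., server_hostname=host).
    """
    sock = socket.create_connection(proxy, timeout=timeout)
    authority = f"[{host}]:{port}" if ":" in host else f"{host}:{port}"
    sock.sendall(request_bytes("CONNECT", authority))
    head = b""
    while b"\r\n\r\n" not in head:      # read only the proxy's response head
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection before replying")
        head += chunk
    status = parse_status(head)
    if status != 200:
        sock.close()
        return status, None
    return status, sock


SAMPLE_REQUESTS = [  # constructed from the three hand-typed requests in the thread
    ("CONNECT", "https://google.com"),
    ("CONNECT", "http://google.com"),
    ("GET", "https://google.com"),
]

if __name__ == "__main__":
    for method, target in SAMPLE_REQUESTS:
        first_line = request_bytes(method, target).split(b"\r\n", 1)[0].decode()
        print(f"{method} {target:<20} {classify_target(method, target):<14} -> {first_line}")
```

Running the script prints the corrected request line next to each of the original inputs; the same bytes can be pasted into telnet or passed to connect_via_proxy() once a Squid with CONNECT permitted is listening on the assumed address.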



RE: Squid 3.1.19 problem: TCP_MISS/503 0 CONNECT https:443 - NONE/- -

Rafael Akchurin
Hi all,

> Squid and OpenSSL licenses clash a little bit. The Debian and Ubuntu OS
> distributors have chosen for legal policy reasons not to provide a Squid
> binary with HTTPS support so long as that support requires OpenSSL to be
> linked to Squid.

> You will need to build your own Squid with --enable-ssl or somewhere
> locate a Squid .deb package with SSL support enabled. I don't know where
> one might be found, sorry.

The following HOWTO shows how to rebuild stock Squid in Ubuntu 13.10 *with* all flags required for HTTPS filtering.
http://www.howtoforge.com/filtering-https-traffic-with-squid

Raf

RE: Squid 3.1.19 problem: TCP_MISS/503 0 CONNECT https:443 - NONE/- -

b0tm1nd
Thanks for the replies everyone!

In fact, I had figured out by myself that the stock Ubuntu 12.04 Squid (at least) does not provide SSL/HTTPS support, so I compiled it myself. After this, "GET https://..." requests started working, but none of the CONNECT requests did.

It is also correct that, when I was testing the proxy via telnet, I used the wrong syntax for the CONNECT method.
Here is the result from access.log produced by the Firefox:
TCP_MISS/503 0 CONNECT www.google.com:443 - NONE/- -

The host is now shown correctly, but it still throws a 503 error.

I thought the best thing I could get now was a guide on how to compile Squid with SSL (probably --enable-ssl was not enough).
And thanks to Rafael Akchurin, it seems I've just received it!
I will now try to compile again using the guide and see if anything changes.