never_direct allow all causing 'ERROR 500: Internal Server Error'


Lei Wen
Hi,

I am setting up a transparent HTTP/HTTPS proxy cluster with whitelist only, and am stuck on the issue 'ERROR 500: Internal Server Error'. After a couple of days of tuning and digging, I narrowed the problem down to the directive 'never_direct'.

After removing this line, the error message is gone. But it seems the sibling cache will only work for HTTP; HTTPS will not go to the sibling.

Here is my squid.conf snapshot.


http_port 3130

http_port 3128 intercept
acl allowed_http_sites dstdomain "/etc/squid3/whitelist.txt"
http_access allow allowed_http_sites

https_port 3129 cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name "/etc/squid3/ssl_sites.txt"

http_access deny all

sslcrtd_program /lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump stare step2 allowed_https_sites
ssl_bump bump step3
ssl_bump terminate step2 all

acl container_net src 172.18.0.0/24
tcp_outgoing_address 10.0.8.41 container_net
udp_outgoing_address 10.0.8.41 container_net
http_access allow container_net
cache_peer 10.0.8.48 sibling 3130 3131 ssl sslcafile=/etc/ca.pem sslflags=NO_DEFAULT_CA ssloptions=NO_SSLv3
icp_port 3131
icp_access allow all
never_direct allow all

# Uncomment and adjust the following to add a disk cache directory.
hosts_file /etc/hosts
cache_replacement_policy heap LFUDA

cache_dir aufs /var/spool/squid3 40000 16 256
maximum_object_size 32 MB
log_icp_queries off

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3



Thanks,
Lei

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
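
An added example (not from the thread or the Squid project): a small Python check over the forwarding-related directives posted above. It reports whether `never_direct allow all` is paired with any `cache_peer` of type `parent`, and which `http_access` rules sit after a catch-all rule and so are never evaluated under Squid's first-match ordering. The function name and the embedded excerpt are constructed for illustration.

```python
# Constructed excerpt: only the forwarding-related lines of the squid.conf above.
POSTED_CONF = """\
http_access allow allowed_http_sites
http_access allow SSL_port
http_access deny all
http_access allow container_net
cache_peer 10.0.8.48 sibling 3130 3131 ssl sslcafile=/etc/ca.pem
never_direct allow all
"""


def review_forwarding(conf_text):
    """Return (peers_by_type, findings) for squid.conf text (hypothetical helper)."""
    peers = {"parent": [], "sibling": [], "multicast": []}
    never_direct_all = False
    catch_all_line = None  # line number of the first 'http_access <action> all'
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive == "cache_peer" and len(args) >= 2:
            # cache_peer <host> <type> <http-port> <icp-port> [options]
            peers.setdefault(args[1], []).append(args[0])
        elif directive == "never_direct" and args == ["allow", "all"]:
            never_direct_all = True
        elif directive == "http_access":
            # http_access rules are checked top-down; the first match decides.
            if catch_all_line is not None:
                findings.append(
                    f"line {lineno}: '{line}' follows the catch-all on "
                    f"line {catch_all_line} and is never evaluated"
                )
            elif len(args) == 2 and args[1] == "all":
                catch_all_line = lineno
    if never_direct_all and not peers["parent"]:
        findings.append(
            "never_direct allow all is set but no cache_peer of type parent "
            f"is defined (siblings: {', '.join(peers['sibling']) or 'none'})"
        )
    return peers, findings


if __name__ == "__main__":
    for finding in review_forwarding(POSTED_CONF)[1]:
        print(finding)
```
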
Re: never_direct allow all causing 'ERROR 500: Internal Server Error'

Amos Jeffries
Administrator
On 03/08/17 07:49, Lei Wen wrote:

> Hi,
>
> I am setting up a transparent HTTP/HTTPS proxy cluster with whitelist
> only, and am stuck on the issue 'ERROR 500: Internal Server Error'.
> After a couple of days of tuning and digging, I narrowed the problem
> down to the directive 'never_direct'.
>
> After removing this line, the error message is gone. But it seems the
> sibling cache will only work for HTTP; HTTPS will not go to the sibling.
>

Since the cache_peer config I gave you earlier did not help, I'm afraid
there is nothing else just involving config that will work either for
that Squid version.

Your options are now to try a more recent Squid, up to and including the
latest Squid-5 development code.

If none of the newer code works, either right away or with the config I
gave, then your options are further decreased to hacking around on the
code to figure out what is going on. Christos Tsantilas
(<https://wiki.squid-cache.org/ChristosTsantilas>) is the main developer
working on SSL-Bump; for assistance with code-level stuff, a mail to the
squid-dev mailing list would be best.


Sorry that I cannot be of more help on this. I'm very interested in
finding out what is going wrong for your use-case though - it should be
working for sibling proxies.

Amos