[squid-users] ssl negotiation error

2019-12-02 Thread robert k Wild
Hi all,

Managed to get Squid to work at last and I can browse all websites when my
browser is going through the proxy, but when I run Squid I see a bunch of
errors and I haven't got a clue what it's about -

Error negotiating SSL connection on FD 46:
error:0001:lib(0):func(0):reason(1) (1/0)

It's weird, as it's still allowing me to browse the websites while it's showing
this error.

Any help please would be much appreciated.

thanks,
rob

-- 
Regards,

Robert K Wild.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] reverse proxy and HTTP redirects

2019-12-02 Thread Vieri Di Paola
Hi,

I configured a reverse proxy with something like this:

https_port 10.215.145.81:50443 accel cert=/etc/ssl/whatever.cer
key=/etc/ssl/whatever_key_nopassphrase.pem
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE,No_Compression
cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
tls-dh=/etc/ssl/whatever/dh2048.pem defaultsite=whatever.org

cache_peer 10.215.248.40 parent 8080 0 no-query originserver
login=PASS front-end-https=on name=httpsServer

[etc]

I can load the web portal just fine from a web client connecting to
10.215.145.81:50443. However, the web server then sends an HTTP
redirection to an HTTP URL which is something like
http://10.215.248.40:8080/whatever (in other words, the page is hosted
on the same server). That breaks the browsing experience (connection
reset).

If I can't modify the server code at 10.215.248.40, is there a
workaround for this?

Thanks,

Vieri


[squid-users] debug headers between squid --> website

2019-12-02 Thread Ahmad Alzaeem
Hello Team,

How can I debug the headers of a request made between squid --> website?

Say we have this simple topology:

pc -- squid -- website


As an example, if I run curl for some website from my device, connecting to the
squid proxy:


$ curl -x  x.x.8.187:xx433 -U abc:abc ifconfig.io/ip  -vv
*   Trying 108.61.8.187...
* TCP_NODELAY set
* Connected to x.x.8.187 (x.x.8.187) port xx433 (#0)
* Proxy auth using Basic with user 'ben'
> GET http://ifconfig.io/ip HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Mon, 02 Dec 2019 17:30:42 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Set-Cookie: __cfduid=d639c4bd01a9f8c32f0de7cb09f40671575307842; expires=Wed, 
01-Jan-20 17:30:42 GMT; path=/; domain=.ifconfig.io; HttpOnly
< CF-Cache-Status: DYNAMIC
< Alt-Svc: h3-23=":443"; ma=86400
< Server: cloudflare
< CF-RAY: 53ef07bd8d28efed-EWR
< X-Cache: MISS from squid
< Via: 1.1 xyz (squid)
< Connection: keep-alive
< 
11.22.33.44
* Connection #0 to host x.x.8.187 left intact


I believe the negotiation above is from pc <--> squid.


How can I see this kind of debug output or headers at the squid -- website level?

I need to see what headers squid sends to the website
and what the website replies to squid.


Thanks



Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread Antony Stone
On Monday 02 December 2019 at 18:34:31, Ahmad Alzaeem wrote:

> Hello Team,
> 
> How can I debug the headers of a request made between squid --> website?

Run a packet sniffer (tcpdump, wireshark, tshark...) on the Squid server, 
looking at the external interface (ie: the one pointing to the website/s).

> I need to see what headers squid sends to the website
> and what the website replies to squid.

So long as you're doing HTTP (as per your example) and not HTTPS, any packet 
sniffer and protocol analyser (wireshark is *very* good at this) will show you 
this quite easily.


Antony.

-- 
Atheism is a non-prophet-making organisation.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread Ahmad Alzaeem
Thank you for that.

Is it possible to run it from squid?

Thanks



Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread Antony Stone
On Monday 02 December 2019 at 19:31:43, Ahmad Alzaeem wrote:

> Thank you for that.
> 
> Is it possible to run it from squid?

I don't understand that question.

You start Squid; it listens for incoming connections and sends them on to the 
external servers (and gets the responses etc, etc...)

At the same time, you run the packet sniffer on the machine where Squid is 
running, and it collects all the traffic passing between Squid and the rest of 
the Internet.

Then you make your request/s with a browser (or wget, curl, as you wish), and 
let Squid do its thing, and let the packet sniffer capture what happened.

After it's all over, you then have a packet capture which you can analyse (eg: 
using wireshark) to find out what Squid sent to the server/s, and what came 
back again.


Antony.

-- 
"It wouldn't be a good idea to talk about him behind his back in front of 
him."

 - murble

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread Alex Rousskov
On 12/2/19 1:31 PM, Ahmad Alzaeem wrote:

> Is it possible to run it from squid?

Packet capture is usually better, especially for plain HTTP traffic, but
you can also get raw HTTP headers in cache.log if you set debug_options
in squid.conf to ALL,2

Alex.




Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread Ahmad Alzaeem
Can I do the same thing for https?

Thanks 



Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread Alex Rousskov
On 12/2/19 2:19 PM, Ahmad Alzaeem wrote:
> Can I do the same thing for https?

Yes, you can. Squid logs CONNECT headers and also HTTP headers of
incoming and outgoing decrypted HTTPS requests. Squid does not see (and
cannot log) HTTP headers of encrypted traffic inside CONNECT tunnels
that are not bumped using the SslBump feature, of course.

Wireshark is often a better tool for header analysis because it makes it
easier to associate headers with connections and HTTP request-reply
exchanges. Wireshark can even handle encrypted-by-Squid traffic, but
that requires connection master keys that are not trivial to obtain.

Alex.
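
An added example, not from the thread or the Squid project: with debug_options ALL,2, cache.log carries the header dumps for both sides of Squid, including credential headers such as the Proxy-Authorization line in the curl trace earlier in the thread. The sketch below extracts the Squid-to-server dumps and masks credential headers before the log is shared; the marker text, the dashed rules and the sample log are assumptions modelled on typical cache.log output, so check them against your own log.

```python
import re

# Marker Squid writes before a level-2 header dump (assumed log format).
MARKER = re.compile(r"HTTP (Client|Server) (REQUEST|REPLY):\s*$")
RULE = re.compile(r"^-{5,}\s*$")  # dashed rule that opens and closes a dump
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

def redact(line):
    """Mask the value of credential-bearing headers; keep other lines as-is."""
    name, sep, _ = line.partition(":")
    if sep and name.strip().lower() in SENSITIVE:
        return f"{name}: [REDACTED]"
    return line

def header_blocks(log_text, side=None):
    """Return [(side, kind, [lines])]; side="Server" keeps Squid<->origin only."""
    blocks, current, pending = [], None, None
    for line in log_text.splitlines():
        if current is not None:
            if RULE.match(line):              # closing rule ends the dump
                if side in (None, current[0]):
                    blocks.append(current)
                current = None
            elif line.strip():                # skip the blank end-of-headers line
                current[2].append(redact(line))
        elif pending and RULE.match(line):    # opening rule right after a marker
            current, pending = (*pending, []), None
        else:
            found = MARKER.search(line)
            pending = found.groups() if found else None
    return blocks

# Constructed sample (file names, line numbers and values are made up).
SAMPLE_LOG = """\
2019/12/02 17:30:42.101 kid1| 11,2| client_side.cc(1357) parseHttpRequest: HTTP Client REQUEST:
---------
GET http://ifconfig.io/ip HTTP/1.1
Proxy-Authorization: Basic Y29uc3RydWN0ZWQ6c2FtcGxl

----------
2019/12/02 17:30:42.105 kid1| 11,2| http.cc(2260) sendRequest: HTTP Server REQUEST:
---------
GET /ip HTTP/1.1
Host: ifconfig.io
Via: 1.1 xyz (squid)

----------
2019/12/02 17:30:42.230 kid1| 11,2| http.cc(720) processReplyHeader: HTTP Server REPLY:
---------
HTTP/1.1 200 OK
Set-Cookie: id=constructed; HttpOnly

----------
"""

if __name__ == "__main__":
    print(header_blocks(SAMPLE_LOG, side="Server"))
```

For HTTPS the same dumps appear only for CONNECT requests and for traffic Squid has decrypted, as described in the reply above.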




Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread --Ahmad--
Hi Alex,

Thank you for your precious info.

You said:

"Yes, you can. Squid logs CONNECT headers and also HTTP headers of
incoming and outgoing decrypted HTTPS requests. Squid does not see (and
cannot log) HTTP headers of encrypted traffic inside CONNECT tunnels
that are not bumped using the SslBump feature, of course."

Can you give me an example of "CONNECT headers" and of headers inside a
"CONNECT tunnel"?





Re: [squid-users] icap result caching in squid

2019-12-02 Thread Darren Breeze
Thanks Alex.

That has given me the perspective I need.

I can modulate the response header Expires value via icap to get the job done 
when squid goes to cache it.


Darren B.

Darren Breeze
Director
KSN Systems NZ Limited
E: dar...@ksn-systems.com
M: +64 274 666 017
S: dbinhk

On Sun, Dec 1, 2019, at 6:22 AM, Alex Rousskov wrote:
> On 11/29/19 12:20 PM, Darren Breeze wrote:
> 
> > Some quick question about icap result caching in squid.
> > 
> > Does the returned Expires header control how long squid will cache the
> > result (for both a req and resp mod)?
> > 
> > Are the values that are cached keyed to the queried URL or is it cached
> > per user / url?
> 
> Squid only supports pre-cache vectoring points. Thus, bugs
> notwithstanding, post-ICAP headers should be treated (for caching
> purposes) as if Squid received the same adjusted HTTP message directly
> from an HTTP agent, and there were no ICAP modifications at all.
> 
> The above statement does not answer your question, but it changes that
> question from "How ICAP-set X affects caching?" to "How X affects
> caching?" -- a question that you may already know the answer to or, if
> you do not, a question that others on the list may be able to answer
> better or faster than I currently can.
> 
> 
> HTH,
> 
> Alex.


Re: [squid-users] icap result caching in squid

2019-12-02 Thread Amos Jeffries
On 3/12/19 12:17 pm, Darren Breeze wrote:
> Thanks Alex.
> 
> That has given me the perspective I need.
> 
> I can modulate the response header Expires value via icap to get the job done 
> when squid goes to cache it.
> 

Why are you needing to do this at all?

NP: please be aware that the changes you make to the HTTP headers affect
*all* downstream caches, not just your Squid.

Amos


Re: [squid-users] reverse proxy and HTTP redirects

2019-12-02 Thread Amos Jeffries
On 3/12/19 3:46 am, Vieri Di Paola wrote:
> Hi,
> 
> I configured a reverse proxy with something like this:
> 
> https_port 10.215.145.81:50443 accel cert=/etc/ssl/whatever.cer
> key=/etc/ssl/whatever_key_nopassphrase.pem
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE,No_Compression
> cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
> tls-dh=/etc/ssl/whatever/dh2048.pem defaultsite=whatever.org


NP: you have not configured any Elliptic Curve to be used, so all those
EC ciphers will not be usable. Also you configured some DES based
ciphers and then disable DES.


> 
> cache_peer 10.215.248.40 parent 8080 0 no-query originserver
> login=PASS front-end-https=on name=httpsServer
> 
> [etc]
> 
> I can load the web portal just fine from a web client connecting to
> 10.215.145.81:50443. However, the web server then sends an HTTP
> redirection to an HTTP URL which is something like
> http://10.215.248.40:8080/whatever (in other words, the page is hosted
> on the same server). That breaks the browsing experience (connection
> reset).
> 
> If I can't modify the server code at 10.215.248.40, is there a
> workaround for this?

You do not need to modify code anywhere.

The problem is that the client is talking to port 50443 and the service
is expecting port 8080 in URLs.

The best solution is to have the server and Squid using the same port
number. Preferably 443 for HTTPS services.

Alternatively you might be able to use the vport= option on https_port
to set the URL port to 8080. However, this affects *all* inbound traffic
at that port and any embedded URLs the service sends the client will
remain broken (contain port 8080).


Amos
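
An added example, not part of the reply above or of Squid: a check to run over response headers captured on the client side of the reverse proxy, flagging any Location that leaves the origin the client connected to, as the http://10.215.248.40:8080/whatever redirect does. The function names and messages are made up for illustration; the addresses are the ones given in the thread.

```python
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def is_private_ip(host):
    """True for an IP literal in a private range, False for DNS names."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return False

def redirect_problems(public_url, location):
    """List the ways a Location header leaves the origin the client used."""
    target = urljoin(public_url, location)   # resolves relative redirects
    p_scheme, p_host, p_port = origin(public_url)
    t_scheme, t_host, t_port = origin(target)
    problems = []
    if p_scheme == "https" and t_scheme == "http":
        problems.append("downgrade from https to http")
    if t_host != p_host:
        kind = "private backend address" if is_private_ip(t_host) else "different host"
        problems.append(f"{kind} {t_host}")
    if t_port != p_port:
        problems.append(f"port {t_port} instead of {p_port}")
    return problems

# The client connects to the https_port listener from the thread.
PUBLIC = "https://10.215.145.81:50443/"

if __name__ == "__main__":
    for loc in ("http://10.215.248.40:8080/whatever", "/whatever"):
        print(loc, "->", redirect_problems(PUBLIC, loc) or "ok")
```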


Re: [squid-users] ssl negotiation error

2019-12-02 Thread Amos Jeffries
On 3/12/19 12:19 am, robert k Wild wrote:
> hi all,
> 
> managed to get squid to work at last and i can browse all website when
> my browser is going through the proxy but when i run squid i see a bunch
> of errors and i havnt got a clue what its about -
> 

You will need a packet trace on the Squid to server connections to see
what is going on there.

Amos