Re: [squid-users] Getting SSL Connection Errors (Eliezer Croitoru)

2022-02-26 Thread Eliezer Croitoru
Hey Usama,

I took the time to make sure that the script will work on amzn linux 2:

https://github.com/elico/squid-suppsave

It's a Makefile and a tiny hardware data collection tool.

You can clone the git repo and then, in the directory of the repo, you can enter the next command:

make amzn2-install-suppsave-deps support-save

And also, how did you install squid on the amazon linux machine? Using:

amazon-linux-extras install squid4

??

And also, just so you would know, I am compiling squid for amzn linux 2 and the files/repo are at:

https://www.ngtech.co.il/repo/amzn/2/x86_64/

It is not compiled with ecap support and it works for most use cases I have seen until now.

The support script will create a file at /etc/support….tar.gz

Please note that if you are using ssl bump you will need to remove the ssl bump root CA details.

If you still wish to send the full file to me as is, just make sure you will send it to me only and not to the public list.

(Unless it's a testing machine..)

All The Bests,

Eliezer


Eliezer Croitoru

NgTech, Tech Support

Mobile: +972-5-28704261

Email: ngtech1...@gmail.com
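Eliezer's point above about removing the ssl-bump root CA details from the support bundle before it leaves the machine is the kind of step that is easy to forget, so here is an added example of how to automate it. This is illustrative code written for this page; it is not part of the thread and not part of the squid-suppsave project. It assumes the bundle is a .tar.gz and that the CA material is stored as PEM text (the `cert=/etc/squid/ssl/squid.pem` line in the posted squid.conf suggests exactly that); the file tree and PEM bodies in `SAMPLE_FILES` are constructed for the demo, and the function names (`redact_pem`, `sanitize_bundle`, `bundle_members`, `build_sample_bundle`) are hypothetical.

```python
"""Strip PEM key/certificate material from a support-save style tarball.

Hypothetical helper (not squid-suppsave code): every PEM block in every
regular file is replaced with a marker naming its type, and the caller gets
a report of which members were touched so the bundle can be reviewed before
it is sent anywhere.
"""
from __future__ import annotations

import io
import re
import tarfile

# Matches one PEM block of any type (CERTIFICATE, RSA PRIVATE KEY, ...).
# DOTALL lets the base64 body span lines; \1 ties END to the same type as BEGIN.
PEM_BLOCK_RE = re.compile(
    rb"-----BEGIN ([A-Z ]+?)-----\r?\n.*?-----END \1-----",
    re.DOTALL,
)


def redact_pem(data: bytes) -> tuple[bytes, list[str]]:
    """Replace each PEM block with a marker; return (cleaned bytes, block types found)."""
    kinds: list[str] = []

    def _sub(m: re.Match) -> bytes:
        kinds.append(m.group(1).decode("ascii"))
        return b"[REDACTED " + m.group(1) + b"]"

    return PEM_BLOCK_RE.sub(_sub, data), kinds


def sanitize_bundle(bundle: bytes) -> tuple[bytes, dict[str, list[str]]]:
    """Return a new .tar.gz with PEM material redacted, plus {member: [kinds]}."""
    report: dict[str, list[str]] = {}
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as src, \
         tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src.getmembers():
            if not member.isfile():
                dst.addfile(member)  # directories and links carry no content to scan
                continue
            cleaned, kinds = redact_pem(src.extractfile(member).read())
            if kinds:
                report[member.name] = kinds
            info = tarfile.TarInfo(member.name)
            info.size = len(cleaned)  # size changes when blocks are replaced
            info.mtime = member.mtime
            info.mode = member.mode
            dst.addfile(info, io.BytesIO(cleaned))
    return out.getvalue(), report


def bundle_members(bundle: bytes) -> dict[str, bytes]:
    """Read a .tar.gz back into {name: content} for inspection."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


# Constructed sample bundle; the PEM bodies are placeholders, not real key material.
SAMPLE_FILES = {
    "support/etc/squid/squid.conf": (
        b"visible_hostname squid\n"
        b"https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept\n"
    ),
    "support/etc/squid/ssl/squid.pem": (
        b"-----BEGIN CERTIFICATE-----\nMIIBsampleCertBodyNotReal==\n-----END CERTIFICATE-----\n"
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIEsampleKeyBodyNotReal==\n-----END RSA PRIVATE KEY-----\n"
    ),
    "support/var/log/squid/cache.log": (
        b"PeerConnector.cc(639) handleNegotiateError: Error (error:04091068:rsa "
        b"routines:INT_RSA_VERIFY:bad signature) but, hold write on SSL connection on FD 109\n"
    ),
}


def build_sample_bundle(files: dict[str, bytes] = SAMPLE_FILES) -> bytes:
    """Pack the constructed files into an in-memory .tar.gz."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return out.getvalue()


if __name__ == "__main__":
    clean, report = sanitize_bundle(build_sample_bundle())
    for name, kinds in report.items():
        print(f"{name}: redacted {', '.join(kinds)}")
    print(bundle_members(clean)["support/etc/squid/ssl/squid.pem"].decode())
```

The certificate is redacted as well as the key, since a combined squid.pem usually holds both and the root CA certificate alone still identifies the deployment; the report is what you check before deciding the bundle is safe to share, and a member that unexpectedly shows up in it (a key copied somewhere under /etc, say) is a reason to look closer rather than to send.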

 

From: squid-users On Behalf Of Usama Mehboob
Sent: Saturday, February 26, 2022 07:58
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Getting SSL Connection Errors (Eliezer Croitoru)

I think in the previous mailing list message I pasted the whole content, so I am again sending my reply in a sort of confined way. :)

Eliezer, I am running on amazon linux 2 ami which I suppose is based on centos.
I ran the uname -a command and this is what I get:

```
Linux ip-172-24-9-143.us-east-2.compute.internal 4.14.256-197.484.amzn2.x86_64 #1 SMP Tue Nov 30 00:17:50 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

[ec2-user@ip-172-24-9-143 ~]$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
```

Thanks so much, and let me know the script and I can run it on this machine.
Usama


Message: 1
Date: Fri, 25 Feb 2022 07:01:12 +0200
From: "Eliezer Croitoru" <ngtech1...@gmail.com>
To: "'Usama Mehboob'" <musamamehb...@gmail.com>, <squid-users@lists.squid-cache.org>
Subject: Re: [squid-users] Getting SSL Connection Errors
Message-ID: <006f01d82a04$b678b770$236a2650$@gmail.com>
Content-Type: text/plain; charset="utf-8"

Hey Usama,



There are more missing details on the system.

If you provide the OS and squid details I might be able to provide a script 
that will pull most of the relevant details on the system.

I don't know about this specific issue yet, and it seems like there is an SSL related issue which might not even be related to Squid.

(@Alex or @Christos might know better than me)



All The Bests,





Eliezer Croitoru

NgTech, Tech Support

Mobile: +972-5-28704261

Email: ngtech1...@gmail.com



From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Usama Mehboob
Sent: Thursday, February 24, 2022 23:45
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Getting SSL Connection Errors



Hi, I have a squid running on a linux box (about 16GB RAM and 4 CPUs) -- it runs fine for the most part, but when I am launching multiple jobs that are connecting with the Salesforce BulkAPI, sometimes connections are dropped. It's not predictable and happens only when there is so much load on squid. Can anyone shed some light on this? What can I do? Is it a file descriptor issue?

I see only these error messages from the cache logs:
```
PeerConnector.cc(639) handleNegotiateError: Error (error:04091068:rsa routines:INT_RSA_VERIFY:bad signature) but, hold write on SSL connection on FD 109
```

Config file:
visible_hostname squid

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
###acl Safe_ports port 21 # ftp testing after blocking itp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_

Re: [squid-users] Getting SSL Connection Errors (Eliezer Croitoru)

2022-02-25 Thread Usama Mehboob
I think in the previous mailing list message I pasted the whole content, so I am again sending my reply in a sort of confined way. :)

Eliezer, I am running on amazon linux 2 ami which I suppose is based on centos.
I ran the uname -a command and this is what I get:

```
Linux ip-172-24-9-143.us-east-2.compute.internal 4.14.256-197.484.amzn2.x86_64 #1 SMP Tue Nov 30 00:17:50 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

[ec2-user@ip-172-24-9-143 ~]$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
```

Thanks so much, and let me know the script and I can run it on this machine.
Usama

>
> Message: 1
> Date: Fri, 25 Feb 2022 07:01:12 +0200
> From: "Eliezer Croitoru" 
> To: "'Usama Mehboob'" ,
> 
> Subject: Re: [squid-users] Getting SSL Connection Errors
> Message-ID: <006f01d82a04$b678b770$236a2650$@gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hey Usama,
>
>
>
> There are more missing details on the system.
>
> If you provide the OS and squid details I might be able to provide a
> script that will pull most of the relevant details on the system.
>
> I don't know about this specific issue yet, and it seems like there is an
> SSL related issue which might not even be related to Squid.
>
> (@Alex or @Christos might know better than me)
>
>
>
> All The Bests,
>
>
>
> 
>
> Eliezer Croitoru
>
> NgTech, Tech Support
>
> Mobile: +972-5-28704261
>
> Email: ngtech1...@gmail.com 
>
>
>
> From: squid-users  On Behalf
> Of Usama Mehboob
> Sent: Thursday, February 24, 2022 23:45
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Getting SSL Connection Errors
>
>
>
> Hi, I have a squid running on a linux box (about 16GB RAM and 4 CPUs) -- it
> runs fine for the most part, but when I am launching multiple jobs that are
> connecting with the Salesforce BulkAPI, sometimes connections are dropped.
> It's not predictable and happens only when there is so much load on squid.
> Can anyone shed some light on this? What can I do? Is it a file descriptor
> issue?
>
> I see only these error messages from the cache logs:
> ```
> PeerConnector.cc(639) handleNegotiateError: Error (error:04091068:rsa routines:INT_RSA_VERIFY:bad signature) but, hold write on SSL connection on FD 109
> ```
>
> Config file 
> visible_hostname squid
>
> #
> # Recommended minimum configuration:
> #
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> ###acl Safe_ports port 21 # ftp testing after blocking itp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> #http_access allow CONNECT SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
>
> # And finally deny all other access to this proxy
>
> # Squid normally listens to port 3128
> #http_port 3128
> http_port 3129 intercept
> https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
> http_access allow SSL_ports #-- this allows every https website
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1 all
>
> # Deny requests to proxy instance metadata
> acl instance_metadata dst 169.254.169.254
> http_access deny instance_metadata
>
> # Filter HTTP Only requests based on the whitelist
> #acl allowed_http_only dstdomain .veevasourcedev.com .google.com .pypi.org .