[squid-users] SSL Bump and "protocol not available"
Hello to everybody,

we use Squid for HTTP transparent proxying and everything is all right.
I followed some howtos and we added SSL Bump transparent interception.

In squid.conf I have:

    https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
    acl broken_sites dstdomain .example.com
    ssl_bump none localhost
    ssl_bump none broken_sites
    ssl_bump server-first all
    sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 4MB
    sslcrtd_children 30

and in iptables I added this directive:

    -A PREROUTING -p tcp -s 192.168.10.8 --dport 443 -j DNAT --to-destination 192.168.10.254:3127

HTTP surfing is still right, but when I connect, for example, to https://www.google.com the browser returns an error page and I have these logs:

    2014/04/16 16:08:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.10.254:3127 remote=192.168.10.8:58831 FD 15 flags=33: (92) Protocol not available
    2014/04/16 16:08:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.10.254:3127 remote=192.168.10.8:58832 FD 15 flags=33: (92) Protocol not available
    2014/04/16 16:08:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.10.254:3127 remote=192.168.10.8:58833 FD 15 flags=33: (92) Protocol not available

I read some similar posts but I did not find, and apply, the solution.

Thank you a lot and best regards!
Francesco
Re: [squid-users] Squid 3.4.4 and SSL Bump not working (error (92) Protocol not available)
Hello,

I have the problem with both Explorer and Firefox; I do not think I have configured spdy...

Thank you!
Francesco

2014-04-17 19:59 GMT+02:00 Eliezer Croitoru :
> I will try to test the issue later.
> Notice that in the case of the Chrome browser and spdy the issue might be really
> "protocol not available" and you will maybe need to disable the usage of
> spdy.
>
> Try to disable anything related to prefetch.
> What browser, what OS?
>
> Eliezer
>
>
> On 04/17/2014 12:01 PM, Ict Security wrote:
>>
>> Hello, after changing http to https it still gives "protocol not
>> available"...
>>
>> 2014-04-17 11:00 GMT+02:00 Ict Security :
>>>
>>> Oh.. excuse me! I was wrong!
>>>
>>>
>>> 2014-04-17 10:26 GMT+02:00 Amm :
>>>>
>>>> Please ask in mailing list not personally. Everybody there will help
>>>> you.
>>>>
>>>> I did whatever I knew.
>>>>
>>>> Thanks
>>>>
>>>> Amm.
>>>>
>>>>
>>>> From: Ict Security
>>>> To: Amm
>>>> Sent: Thursday, 17 April 2014 1:51 PM
>>>> Subject: Re: [squid-users] Squid 3.4.4 and SSL Bump not working (error
>>>> (92) Protocol not available)
>>>>
>>>> It still says "protocol not available..". Thank you
>>>> Francesco
>>>>
Re: [squid-users] Squid 3.4.4 and SSL Bump not working (error (92) Protocol not available)
Hello,

after changing http to https it still gives "protocol not available"...

2014-04-17 11:00 GMT+02:00 Ict Security :
> Oh.. excuse me! I was wrong!
>
>
> 2014-04-17 10:26 GMT+02:00 Amm :
>> Please ask in mailing list not personally. Everybody there will help you.
>>
>> I did whatever I knew.
>>
>> Thanks
>>
>> Amm.
>>
>>
>> From: Ict Security
>> To: Amm
>> Sent: Thursday, 17 April 2014 1:51 PM
>> Subject: Re: [squid-users] Squid 3.4.4 and SSL Bump not working (error (92)
>> Protocol not available)
>>
>> It still says "protocol not available..". Thank you
>> Francesco
>>
[squid-users] Squid 3.4.4 and SSL Bump not working (error (92) Protocol not available)
Hello to everybody,

we use Squid for HTTP transparent proxying and everything is all right.
I followed some howtos and we added SSL Bump transparent interception.

In squid.conf I have:

    http_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
    acl broken_sites dstdomain .example.com
    ssl_bump none localhost
    ssl_bump none broken_sites
    ssl_bump server-first all
    sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 4MB
    sslcrtd_children 30

and in iptables I added this directive:

    -A PREROUTING -p tcp -s 192.168.10.8 --dport 443 -j DNAT --to-destination 192.168.10.254:3127

HTTP surfing is still right, but when I connect, for example, to https://www.google.com the browser returns an error page and I have these logs:

    2014/04/16 16:08:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.10.254:3127 remote=192.168.10.8:58831 FD 15 flags=33: (92) Protocol not available
    2014/04/16 16:08:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.10.254:3127 remote=192.168.10.8:58832 FD 15 flags=33: (92) Protocol not available
    2014/04/16 16:08:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.10.254:3127 remote=192.168.10.8:58833 FD 15 flags=33: (92) Protocol not available

I read some similar posts but I did not find, and apply, the solution.

Thank you a lot and best regards!
Francesco
Re: [squid-users] Fwd: failure notice
Hello Nuno!

I think you are great; by removing forwarding_for off it works, and I think other sites with problems can be resolved!
I experienced, with some users, some of these problems that, to be solved, had to be natted without proxy.
Now I can work around other cases, and then I will let you know!

Thank you again, for the moment, very very much!
Francesco

2013/6/7 Nuno Fernandes :
>
> On Friday, June 7, 2013 10:26 WEST, Ict Security wrote:
>
>> Hello,
>>
>> I notice, in Squid 3.1.1 and previous versions, some problems when
>> accessing some websites.
>>
>> It happens both in transparent and explicit proxy mode.
>>
>> As an example, this site cannot be opened behind Squid 3.1.1:
>> http://www.prefettura.it
>>
>> It is an Italian government site.
>> Like this one, there are some other sites that manifest problems in Squid...
>>
>> Thank you,
>> Francesco Collini
>
>
> Do you have "forwarded_for off" in your configuration? If so remove it. That
> site requires valid forward_for:
>
> wget --header='X-Forwarded-For: 192.168.1.1' -S -O /dev/null www.prefettura.it # WORKS
> wget -S -O /dev/null www.prefettura.it # WORKS
> wget --header='X-Forwarded-For: unknown' -S -O /dev/null www.prefettura.it # NOT WORKING
>
> Maybe they are checking that value. Better yet is to use header acl to
> remove that header to that specific site...
>
> Best regards,
> Nuno Fernandes
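
Added example (not part of the original messages, and not Nuno's or the Squid project's own configuration): the squid.conf settings the reply above discusses, with the failing one shown beside two working alternatives. The ACL name xff_strip_sites is hypothetical; the domain is the one named in the thread.

```conf
# Setting that broke the site in this thread. With "off" Squid does not
# drop the header; it sends the literal placeholder value instead:
#     X-Forwarded-For: unknown
# which matches the third wget test in the reply (NOT WORKING).
# forwarded_for off

# Option 1: keep the default. Squid appends the client address, which
# matches the first wget test (WORKS), but it also discloses internal
# client addresses to every origin server.
forwarded_for on

# Option 2, the per-site header ACL suggested in the reply: strip the
# header only for the site that rejects it, which matches the second
# wget test (no header at all, WORKS).
acl xff_strip_sites dstdomain .prefettura.it
request_header_access X-Forwarded-For deny xff_strip_sites

# Option 3 (Squid 3.1 and later): never send the header to any site,
# so no client address leaves the proxy and no "unknown" value is sent.
# Use instead of "forwarded_for on" above:
# forwarded_for delete
```

After changing the setting, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` applies it.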
[squid-users] Fwd: failure notice
Hello,

I notice, in Squid 3.1.1 and previous versions, some problems when accessing some websites.

It happens both in transparent and explicit proxy mode.

As an example, this site cannot be opened behind Squid 3.1.1:
http://www.prefettura.it

It is an Italian government site.
Like this one, there are some other sites that manifest problems in Squid...

Thank you,
Francesco Collini