[squid-users] HTTPS problem
Hi Everybody,

I'm new to Squid and I recently installed 3.1.10 as transparent in my office. All works fine, I just have this problem: I need to block Facebook and I really made it, but when the user uses https://www.facebook.com the website works... I read this is a problem of Squid already fixed but I dunno how.

I just tried this:

- Block facebook.com using iptables (does not work for me)
- Create a fake certificate (works for me but when I go to a bank https website the browser is showing me a wrong certificate)

Any ideas?

Best Regards,
Gustavo
Re: [squid-users] HTTPS Problem
> There is no problem with firewall because our client can access all HTTPS
> sites directly.
>

Please don't reply in a new thread. Keep the discussion in the thread which you created.

>...
>...

What's in access.log for the failing https sites on the problem squid box ?
Any further error info in cache.log ?

M.
RE: [squid-users] HTTPS Problem
There is no problem with firewall because our client can access all HTTPS sites directly.

Lazuardi Nasution
Laboratorium Sistem Kendali & Komputer
LABTEK 8 Lantai 2
Institut Teknologi Bandung
Ganesha 10 Bandung
+622291230584
+628122142597

-Original Message-
From: Mark Elsen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 07, 2005 4:40 AM
To: [EMAIL PROTECTED]
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] HTTPS Problem

> Dear all,
>
> I have problem with HTTPS connection. When our clients access HTTPS
> server of all sites directly without proxy no problem happen. When I
> set our Squid for using parent proxy for all types of connection and
> our clients access HTTPS server of all sites via our Squid no problem
> happen too. But when I set our Squid to connect directly without
> parent proxy for HTTPS CONNECT (Port 443) connection, our clients have
> problem to access HTTPS server of some sites, not all sites. What happen here ?
>

- Check the squid FAQ on using sq behind a Firewall.

M.
Re: [squid-users] HTTPS Problem
> Dear all,
>
> I have problem with HTTPS connection. When our clients access HTTPS server
> of all sites directly without proxy no problem happen. When I set our Squid
> for using parent proxy for all types of connection and our clients access
> HTTPS server of all sites via our Squid no problem happen too. But when I
> set our Squid to connect directly without parent proxy for HTTPS CONNECT
> (Port 443) connection, our clients have problem to access HTTPS server of
> some sites, not all sites. What happen here ?
>

- Check the squid FAQ on using sq behind a Firewall.

M.
[squid-users] HTTPS Problem
Dear all,

I have problem with HTTPS connection. When our clients access HTTPS server of all sites directly without proxy no problem happen. When I set our Squid for using parent proxy for all types of connection and our clients access HTTPS server of all sites via our Squid no problem happen too. But when I set our Squid to connect directly without parent proxy for HTTPS CONNECT (Port 443) connection, our clients have problem to access HTTPS server of some sites, not all sites. What happen here ?

Thank you.

Lazuardi Nasution
Laboratorium Sistem Kendali & Komputer
LABTEK 8 Lantai 2
Institut Teknologi Bandung
Ganesha 10 Bandung
+622291230584
+628122142597
RE: [squid-users] https problem with squid 2.5.STABLE6
On Wed, 10 Nov 2004, Brad Larden wrote:

> Is there a way I can manually craft an https request to the proxy to see if I
> can find where it's failing ?

The best test is to attempt using another browser such as Mozilla, Firefox or Opera. If one of the browsers show the symptoms it is most likely a browser issue, possibly caused by a recent OS or browser patch, if all of them shows the problem then it is a proxy issue.

https requests are just CONNECT requests

  CONNECT marasystems.com:443 HTTP/1.0
  [blank line]

and the proxy should respond with

  HTTP/1.0 200 Connected

Regards
Henrik
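The manual test Henrik describes, as a script (an added example, not part of the original thread): it sends a CONNECT request with a host:port target to the proxy and classifies the first reply. The function names, the result labels and the example.com target are assumptions of this example.

```python
import socket

def build_connect(host, port=443):
    """CONNECT takes a host:port target; the blank line ends the request."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("ascii")

def classify_reply(raw):
    """Turn the first bytes the proxy sent back into a diagnosis label."""
    if not raw:
        return "no-reply"            # TCP connection accepted, nothing answered
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"            # something other than a proxy answered
    code = int(parts[1])
    if 200 <= code < 300:
        return "tunnel-open"         # e.g. "HTTP/1.0 200 Connected"
    if code in (403, 407):
        return "denied-by-proxy"     # ACL or proxy authentication
    return "proxy-error"             # the proxy could not reach the origin, etc.

def probe(proxy_host, proxy_port, host, port=443, timeout=5.0):
    """Send the CONNECT to the proxy and classify what comes back."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_connect(host, port))
            try:
                raw = s.recv(4096)
            except (socket.timeout, ConnectionError):
                raw = b""            # accepted the connection, then silence
    except OSError:
        return "proxy-unreachable"
    return classify_reply(raw)

if __name__ == "__main__":
    # Constructed replies, so the classifier can be checked without a proxy.
    for sample in (b"HTTP/1.0 200 Connected\r\n\r\n",
                   b"HTTP/1.0 403 Forbidden\r\n\r\n",
                   b""):
        print(repr(sample[:24]), "->", classify_reply(sample))
    # Against a real proxy (address is a placeholder):
    # print(probe("proxy.example.net", 3128, "example.com"))
```

A "no-reply" result with nothing in access.log matches the symptom reported in this thread; any HTTP status line means the request did reach the proxy.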
RE: [squid-users] https problem with squid 2.5.STABLE6
-Original Message-
From: Tim Neto [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 10 November 2004 3:02 AM
To: Henrik Nordstrom
Cc: Brad Larden; Elsen Marc; [EMAIL PROTECTED]
Subject: Re: [squid-users] https problem with squid 2.5.STABLE6

This issue has been discussed many times in the Squid mailing list. The problem is not with Squid, but with IE's use of a broken WININET.DLL library. The library first sends a HTTPS request, then switches to HTTP. Many secure web sites require a continued stream of HTTPS.

The WININET.DLL of Windows 2003 Enterprise Edition is not broken, but Windows 2000, and Windows XP (non-SP2) is not. I have yet to confirm whether Windows XP SP2 is broken or not.

Note, any other Microsoft based application (Visual Studio type of application) that uses the broken WININET.DLL will have the same problem.

If the HTTPS site being accessed is required by your organization, allow the site direct access through your Squid with appropriate ACL and Access rules. This diminishes the problem.

Tim
---
Timothy E. Neto Computer Systems Engineer Komatsu Canada Limited Ph#: 905-625-6292 x2651725B Sismet Road Fax: 905-625-6348 Mississauga, Canada E-Mail: [EMAIL PROTECTED] L4W 1P9
---

G'Day Tim,

I understand what you're saying but my problem only occurred some time yesterday on 2 proxy servers in the same location. Using alternate proxy servers with the same client machines works correctly.

So, as far as I can tell, this does not point to an issue with the broken Microsoft browser, rather, it points to something broken on these two proxy servers.

Even after grabbing the latest 2.5.STABLE release and compiling fresh it still does not work, so it appears to me that the problem is perhaps not squid per-se but an associated library or some hack has been applied to my servers which only affects https requests.

Regards,
Brad.

Henrik Nordstrom wrote:

> On Tue, 9 Nov 2004, Brad Larden wrote:
>
>> I understand what you're saying but I can 'see' the request hit the
>> proxy server from the client.
>
>
> In your trace I can only see a new TCP connection, but no request sent
> by the browser on this connection.
>
> Regards
> Henrik
>
RE: [squid-users] https problem with squid 2.5.STABLE6
-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 10 November 2004 2:25 AM
To: Brad Larden
Cc: Elsen Marc; [EMAIL PROTECTED]
Subject: RE: [squid-users] https problem with squid 2.5.STABLE6

On Tue, 9 Nov 2004, Brad Larden wrote:

> I understand what you're saying but I can 'see' the request hit the proxy
> server from the client.

In your trace I can only see a new TCP connection, but no request sent by the browser on this connection.

Regards
Henrik

G'Day Henrik,

Thanks for deciphering that for me. What I now can't figure out is where the actual request is going then. So the browser client pc sends a tcp connection request, the proxy answers it but there is no data within that connection. That doesn't make sense to me.

Is there a way I can manually craft an https request to the proxy to see if I can find where it's failing ?

Regards,
Brad.
RE: [squid-users] https problem with squid 2.5.STABLE6
On Tue, 9 Nov 2004, Brad Larden wrote:

> When a client requests ANY https:// URL the proxy server fails to respond.
> There is nothing in cache.log and nothing in access.log and the browser (IE)
> returns a 404 type error.
> - cannot find server or DNS error.

Is the browser configured to use the proxy for https requests?

Regards
Henrik

G'Day Henrik,

yes, the browser is configured to use the proxy for https requests. The setup was working for over a year without problems, then some time yesterday the 2 proxy servers stopped processing https requests.

On my pc here, if I switch to my local test squid proxy https works fine.

Regards,
Brad.
Re: [squid-users] https problem with squid 2.5.STABLE6
This issue has been discussed many times in the Squid mailing list. The problem is not with Squid, but with IE's use of a broken WININET.DLL library. The library first sends a HTTPS request, then switches to HTTP. Many secure web sites require a continued stream of HTTPS.

The WININET.DLL of Windows 2003 Enterprise Edition is not broken, but Windows 2000, and Windows XP (non-SP2) is not. I have yet to confirm whether Windows XP SP2 is broken or not.

Note, any other Microsoft based application (Visual Studio type of application) that uses the broken WININET.DLL will have the same problem.

If the HTTPS site being accessed is required by your organization, allow the site direct access through your Squid with appropriate ACL and Access rules. This diminishes the problem.

Tim
---
Timothy E. Neto Computer Systems Engineer Komatsu Canada Limited Ph#: 905-625-6292 x2651725B Sismet Road Fax: 905-625-6348 Mississauga, Canada E-Mail: [EMAIL PROTECTED] L4W 1P9
---

Henrik Nordstrom wrote:

> On Tue, 9 Nov 2004, Brad Larden wrote:
>
>> I understand what you're saying but I can 'see' the request hit the
>> proxy server from the client.
>
> In your trace I can only see a new TCP connection, but no request sent
> by the browser on this connection.
>
> Regards
> Henrik
RE: [squid-users] https problem with squid 2.5.STABLE6
On Tue, 9 Nov 2004, Brad Larden wrote:

> I understand what you're saying but I can 'see' the request hit the proxy
> server from the client.

In your trace I can only see a new TCP connection, but no request sent by the browser on this connection.

Regards
Henrik
Re: [squid-users] https problem with squid 2.5.STABLE6
On Tue, 9 Nov 2004, Brad Larden wrote:

> When a client requests ANY https:// URL the proxy server fails to respond.
> There is nothing in cache.log and nothing in access.log and the browser (IE)
> returns a 404 type error.
> - cannot find server or DNS error.

Is the browser configured to use the proxy for https requests?

Regards
Henrik
RE: [squid-users] https problem with squid 2.5.STABLE6
> G'day,
>
> no, nothing in access.log.
> I can see the traffic (using snoop) come in to the proxy and
> a return packet but nothing is logged at all.
>
> As in the subject - Squid-2.5.STABLE6
> OS is Solaris9 on Ultra-60
>
> It is like the request packet comes in, is presented to the
> squid process and the squid process just quenches the request.
>

The thing is that if the browser returns its own error (can not find server or DNS error), then it is as if the request did not reach squid. If squid can not access the site then a squid error message should appear in the browser. In the absence of that, it seems that your browser tries to go direct.

M.

I understand what you're saying but I can 'see' the request hit the proxy server from the client.

Sorry, I neglected to answer your other question - the client is manually configured to use the same proxy for all protocols.

For those with a techo bent, here's a truss of the 'session'. The first section is an http:// connection to an internal host which internally redirects the http:// request to an https:// request. The point at which the connection changes is (I think) where I have put the word "BREAK" in the following.
4299: accept(8, 0xFFBBE510, 0xFFBBE4F8, 1)= 13
4299: getsockname(13, 0xFFBBE500, 0xFFBBE4F8, 1) = 0
4299: fcntl(13, F_GETFL, 0x) = 130
4299: fstat64(13, 0xFFBBE320) = 0
4299: getsockopt(13, SOL_SOCKET, 0x2000, 0xFFBBE420, 0xFFBBE418, 0) = 0
4299: fcntl(13, F_SETFD, 0x0083) = 0
4299: fcntl(13, F_GETFL, 0x) = 130
4299: fstat64(13, 0xFFBBE320) = 0
4299: getsockopt(13, SOL_SOCKET, 0x2000, 0xFFBBE420, 0xFFBBE418, 0) = 0
4299: fstat64(13, 0xFFBBE320) = 0
4299: getsockopt(13, SOL_SOCKET, 0x2000, 0xFFBBE420, 0xFFBBE41C, 0) = 0
4299: setsockopt(13, SOL_SOCKET, 0x2000, 0xFFBBE420, 4, 0) = 0
4299: fcntl(13, F_SETFL, 0x0082) = 0
4299: accept(8, 0xFFBBE510, 0xFFBBE4F8, 1)Err#11 EAGAIN
4299: poll(0xFFBBFD38, 4, 1000) = 1
4299: read(13, " G E T h t t p : / / x".., 4095)= 391
4299: so_socket(PF_INET, SOCK_STREAM, IPPROTO_IP, "", 1) = 14
4299: fcntl(14, F_GETFL, 0x) = 2
4299: fstat64(14, 0xFFBBE3A8) = 0
4299: getsockopt(14, SOL_SOCKET, 0x2000, 0xFFBBE4A8, 0xFFBBE4A0, 0) = 0
4299: fcntl(14, F_SETFD, 0x0003) = 0
4299: bind(14, 0xFFBBE500, 16, 3) = 0
4299: fcntl(14, F_GETFL, 0x) = 2
4299: fstat64(14, 0xFFBBE3A8) = 0
4299: getsockopt(14, SOL_SOCKET, 0x2000, 0xFFBBE4A8, 0xFFBBE4A0, 0) = 0
4299: fstat64(14, 0xFFBBE3A8) = 0
4299: getsockopt(14, SOL_SOCKET, 0x2000, 0xFFBBE4A8, 0xFFBBE4A4, 0) = 0
4299: setsockopt(14, SOL_SOCKET, 0x2000, 0xFFBBE4A8, 4, 0) = 0
4299: fcntl(14, F_SETFL, 0x0082) = 0
4299: setsockopt(14, tcp, TCP_NODELAY, 0xFFBBE50C, 4, 1) = 0
4299: connect(14, 0x00A394F0, 16, 1) Err#150 EINPROGRESS
4299: poll(0xFFBBFD38, 5, 978)= 1
4299: getsockopt(14, SOL_SOCKET, SO_ERROR, 0xFFBBEC28, 0xFFBBEC24, 1) = 0
4299: poll(0xFFBBFD38, 5, 902)= 1
4299: write(14, " G E T / H T T P / 1".., 480)= 480
4299: poll(0xFFBBFD38, 5, 902)= 1
4299: read(14, " H T T P / 1 . 1 3 0 2".., 49152) = 453
4299: poll(0xFFBBFD38, 5, 806)= 1
4299: write(13, " H T T P / 1 . 0 3 0 2".., 488)= 488
4299: write(5, " 1 0 9 9 9 8 9 4 7 8 . 5".., 117) = 117
BREAK
4299: read(13, 0x00A06CE8, 4095) Err#11 EAGAIN
4299: poll(0xFFBBFD38, 5, 805)= 1
4299: poll(0xFFBBE628, 1, 0) = 1
4299: accept(8, 0xFFBBE510, 0xFFBBE4F8, 1)= 15
4299: getsockname(15, 0xFFBBE500, 0xFFBBE4F8, 1) = 0
4299: fcntl(15, F_GETFL, 0x) = 130
4299: fstat64(15, 0xFFBBE320) = 0
4299: getsockopt(15, SOL_SOCKET, 0x2000, 0xFFBBE420, 0xFFBBE418, 0) = 0
4299: fcntl(15, F_SETFD, 0x0083) = 0
4299: fcntl(15, F_GETFL, 0x) = 130
4299: fstat64(15, 0xFFBBE320) = 0
4299: getsockopt(15, SOL_SOCKET, 0x2000, 0xFFBBE420, 0xFFBBE418, 0) = 0
4299: fstat64(15, 0xFFBBE320) = 0
4299: getsockopt(15, SOL_SOCKET, 0x2000, 0xFFBBE420, 0xFFBBE41C, 0) = 0
4299: setsockopt(15, SOL_SOCKET, 0x2000, 0xFFBBE420, 4, 0) = 0
4299: fcntl(15, F_SETFL, 0x0082) = 0
4299: accept(8, 0xFFBBE510, 0xFFBBE4F8, 1)Err#11 EAGAIN
4299: poll(0xFFBBFD38, 6, 627)= 1
4299: poll(0xFFBBE628, 1, 0) = 1
4299: accept
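The reading Henrik gives of this trace elsewhere in the thread (a new TCP connection, but no request on it) can be checked mechanically. The script below is an added example, not part of the original posts: it pairs each accept() with the bytes later read from that descriptor. The function names are assumptions, and TRACE holds lines copied from the truss output above, trimmed to the relevant calls.

```python
import re

# Lines copied from the truss output posted above, trimmed to the socket calls
# that matter: fd 13 is the first client connection, fd 14 the connection to
# the origin server, fd 15 the client connection accepted after BREAK.
TRACE = """\
4299: accept(8, 0xFFBBE510, 0xFFBBE4F8, 1)= 13
4299: read(13, " G E T h t t p : / / x".., 4095)= 391
4299: write(14, " G E T / H T T P / 1".., 480)= 480
4299: read(14, " H T T P / 1 . 1 3 0 2".., 49152) = 453
4299: write(13, " H T T P / 1 . 0 3 0 2".., 488)= 488
4299: read(13, 0x00A06CE8, 4095) Err#11 EAGAIN
4299: accept(8, 0xFFBBE510, 0xFFBBE4F8, 1)= 15
4299: fcntl(15, F_SETFL, 0x0082) = 0
4299: accept(8, 0xFFBBE510, 0xFFBBE4F8, 1)Err#11 EAGAIN
4299: poll(0xFFBBFD38, 6, 627)= 1
"""

# "<pid>: name(args) = N"  or  "<pid>: name(args) Err#N NAME"
CALL = re.compile(r"^\d+:\s+(\w+)\((.*)\)\s*(?:=\s*(-?\d+)|Err#\d+\s+\w+)\s*$")

def parse(trace):
    """Yield (syscall, args, return value or None on error) per truss line."""
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if m:
            name, args, ret = m.groups()
            yield name, args, None if ret is None else int(ret)

def client_connections(trace):
    """One record per successful accept(), counting bytes later read from that fd."""
    conns, live = [], {}
    for name, args, ret in parse(trace):
        if name == "accept" and ret is not None:
            live[ret] = {"fd": ret, "request_bytes": 0}  # a reused fd starts a new record
            conns.append(live[ret])
        elif name == "read" and ret:
            fd = int(args.split(",", 1)[0])
            if fd in live:                               # server-side fds are ignored
                live[fd]["request_bytes"] += ret
    return conns

def silent_fds(trace):
    """Accepted connections on which no request bytes were ever read."""
    return [c["fd"] for c in client_connections(trace) if c["request_bytes"] == 0]

if __name__ == "__main__":
    for conn in client_connections(TRACE):
        print(conn)
    print("accepted but no request read on fd:", silent_fds(TRACE))
```

A descriptor is also reported as silent when the trace simply ends before the read, as the posted trace does, so the capture has to run long enough for the client to have sent its request.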
RE: [squid-users] https problem with squid 2.5.STABLE6
> G'day,
>
> no, nothing in access.log.
> I can see the traffic (using snoop) come in to the proxy and
> a return packet but nothing is logged at all.
>
> As in the subject - Squid-2.5.STABLE6
> OS is Solaris9 on Ultra-60
>
> It is like the request packet comes in, is presented to the
> squid process and the squid process just quenches the request.
>

The thing is that if the browser returns its own error (can not find server or DNS error), then it is as if the request did not reach squid. If squid can not access the site then a squid error message should appear in the browser. In the absence of that, it seems that your browser tries to go direct.

M.
RE: [squid-users] https problem with squid 2.5.STABLE6
G'day,

no, nothing in access.log.
I can see the traffic (using snoop) come in to the proxy and a return packet but nothing is logged at all.

As in the subject - Squid-2.5.STABLE6
OS is Solaris9 on Ultra-60

It is like the request packet comes in, is presented to the squid process and the squid process just quenches the request.

Regards,
Brad.

Network Administrator
Alphawest Services Pty Ltd
Tel: (61 2) 9682 4992
Fax: (61 2) 9682 5449
<http://www.alphawest.com.au>

-Original Message-
From: Elsen Marc [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 November 2004 6:36 PM
To: Brad Larden; [EMAIL PROTECTED]
Subject: RE: [squid-users] https problem with squid 2.5.STABLE6

> Afternoon all,
>
> I have a problem with two squid proxy server that occurred today.
> They have previously been operating without fault for over a year.
>
> When a client requests ANY https:// URL the proxy server
> fails to respond.
> There is nothing in cache.log and nothing in access.log and
> the browser (IE) returns a 404 type error.
> - cannot find server or DNS error.

There must at least be something in access.log if the request reached SQUID.
Is the browser's proxy config correct in the sense that https requests are reaching squid ?
And or are you using transp. proxying and for instance https is tried direct ?

It is always useful to include :

- squid version
- os/platform/version

M.

>
> I am not (as far as I know) doing anything fancy on the proxy
> servers and they both failed at the same time whilst my test
> proxy is still fine as are other proxy's around our company.
>
> Can anyone shed any light on this issue please ?
> The proxy servers are running on Sun Ultra-60's under Solaris9.
> No changes have been made to the OS or squid config for some
> time, unless the machines have both been hacked. I can't
> find any evidence of this though.
>
> I've also recompiled and installed squid, same issue and
> tried a fresh cache directory, same issue.
>
> Anyone got any ideas please ?
>
> Regards,
> Brad.
>
>
> Network Administrator
> Alphawest Services Pty Ltd
> Tel: (61 2) 9682 4992
> Fax: (61 2) 9682 5449
>
RE: [squid-users] https problem with squid 2.5.STABLE6
> Afternoon all,
>
> I have a problem with two squid proxy server that occurred today.
> They have previously been operating without fault for over a year.
>
> When a client requests ANY https:// URL the proxy server
> fails to respond.
> There is nothing in cache.log and nothing in access.log and
> the browser (IE) returns a 404 type error.
> - cannot find server or DNS error.

There must at least be something in access.log if the request reached SQUID.
Is the browser's proxy config correct in the sense that https requests are reaching squid ?
And or are you using transp. proxying and for instance https is tried direct ?

It is always useful to include :

- squid version
- os/platform/version

M.

>
> I am not (as far as I know) doing anything fancy on the proxy
> servers and they both failed at the same time whilst my test
> proxy is still fine as are other proxy's around our company.
>
> Can anyone shed any light on this issue please ?
> The proxy servers are running on Sun Ultra-60's under Solaris9.
> No changes have been made to the OS or squid config for some
> time, unless the machines have both been hacked. I can't
> find any evidence of this though.
>
> I've also recompiled and installed squid, same issue and
> tried a fresh cache directory, same issue.
>
> Anyone got any ideas please ?
>
> Regards,
> Brad.
>
>
> Network Administrator
> Alphawest Services Pty Ltd
> Tel: (61 2) 9682 4992
> Fax: (61 2) 9682 5449
>
[squid-users] https problem with squid 2.5.STABLE6
Afternoon all,

I have a problem with two squid proxy server that occurred today. They have previously been operating without fault for over a year.

When a client requests ANY https:// URL the proxy server fails to respond. There is nothing in cache.log and nothing in access.log and the browser (IE) returns a 404 type error.
- cannot find server or DNS error.

I am not (as far as I know) doing anything fancy on the proxy servers and they both failed at the same time whilst my test proxy is still fine as are other proxy's around our company.

Can anyone shed any light on this issue please ?
The proxy servers are running on Sun Ultra-60's under Solaris9. No changes have been made to the OS or squid config for some time, unless the machines have both been hacked. I can't find any evidence of this though.

I've also recompiled and installed squid, same issue and tried a fresh cache directory, same issue.

Anyone got any ideas please ?

Regards,
Brad.

Network Administrator
Alphawest Services Pty Ltd
Tel: (61 2) 9682 4992
Fax: (61 2) 9682 5449