[squid-users] HTTPS site access problem
Hello,

I am using SQUID 2.7.STABLE2 on an Arch Linux server. Everything seems OK so far, except I am unable to connect to an SSL site, https://evas.tcmb.gov.tr/

Normally when I connect to this site it should ask me to select my user certificate, but no.

Here are my tails from access.log:

1219155728.992  10845 10.0.0.95 TCP_MISS/200 117 CONNECT evas.tcmb.gov.tr:443 - DIRECT/212.174.145.17 -
1219155747.294  18302 10.0.0.95 TCP_MISS/200 117 CONNECT evas.tcmb.gov.tr:443 - DIRECT/212.174.145.17 -
1219156647.386 900091 10.0.0.95 TCP_MISS/200 117 CONNECT evas.tcmb.gov.tr:443 - DIRECT/212.174.145.17 -

and with mime_hdrs on:

1219157421.509  10505 10.0.0.95 TCP_MISS/200 117 CONNECT evas.tcmb.gov.tr:443 - DIRECT/212.174.145.17 - [User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)\r\nProxy-Connection: Keep-Alive\r\nContent-Length: 0\r\nHost: evas.tcmb.gov.tr\r\nPragma: no-cache\r\n] []

No answer is coming from the server. Also, I can successfully connect directly or using SQUID 2.0 maintained in CentOS 4.X.

Using my archlinux setup mentioned above, I can successfully connect to bank websites, Gmail, etc. through SSL without a problem.

I am using a basic squid.conf with http_port 8080 and some acl entries.

Are there any more options/tweaks you may offer?

Best Regards,
Evren
Re: [squid-users] HTTPS site access problem
Evren Demirkan wrote:
> Hello,
>
> I am using SQUID 2.7.STABLE2 on an Arch Linux server. Everything seems OK so far, except I am unable to connect to an SSL site, https://evas.tcmb.gov.tr/
>
> Normally when I connect to this site it should ask me to select my user certificate, but no.
>
> Here are my tails from access.log:
>
> 1219155728.992  10845 10.0.0.95 TCP_MISS/200 117 CONNECT evas.tcmb.gov.tr:443 - DIRECT/212.174.145.17 -
> 1219155747.294  18302 10.0.0.95 TCP_MISS/200 117 CONNECT evas.tcmb.gov.tr:443 - DIRECT/212.174.145.17 -
> 1219156647.386 900091 10.0.0.95 TCP_MISS/200 117 CONNECT evas.tcmb.gov.tr:443 - DIRECT/212.174.145.17 -
>
> and with mime_hdrs on:
>
> 1219157421.509  10505 10.0.0.95 TCP_MISS/200 117 CONNECT evas.tcmb.gov.tr:443 - DIRECT/212.174.145.17 - [User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)\r\nProxy-Connection: Keep-Alive\r\nContent-Length: 0\r\nHost: evas.tcmb.gov.tr\r\nPragma: no-cache\r\n] []
>
> No answer is coming from the server. Also, I can successfully connect directly or using SQUID 2.0 maintained in CentOS 4.X.

Heh... Squid 2.0? That would be something to see, as it's almost ten years old (http://www.squid-cache.org/Versions/v2/2.0/).

> Using my archlinux setup mentioned above, I can successfully connect to bank websites, Gmail, etc. through SSL without a problem.
>
> I am using a basic squid.conf with http_port 8080 and some acl entries.
>
> Are there any more options/tweaks you may offer?

See the FAQ entry at http://wiki.squid-cache.org/SquidFaq/SystemWeirdnesses#head-699d810035c099c8b4bff21e12bb365438a21027 for one possibility.

> Best Regards,
> Evren

Chris
Re: [squid-users] https site access problem!!!
Thanks for the reply. The problem has been resolved. It was exactly the problem outside squid. The problem was with the redirector_program in validating the SSL site.

Regards
Shiva Raman

On 7/4/08, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> On fre, 2008-07-04 at 17:33 +0530, Shiva Raman wrote:
> > Thanks for the reply. Following are the logs generated while trying to access secure.icicidirect.com
> >
> > [EMAIL PROTECTED] logs]# tail -f access.log |grep secure.icicidirect.com
> > 1215164529.907    641 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -
> > 1215164529.943     31 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -
>
> Which matches your openssl results. Squid succeeded in connecting, but the connection was closed after only a couple of bytes had been exchanged.
>
> I think the evidence is pretty hard that the problem is somewhere outside Squid.
>
> - Firewall
> - Server may have blacklisted your server IP
> - Other networking issue
> - Some device trying to intercept port 443.
>
> Regards
> Henrik
Re: [squid-users] https site access problem!!!
On fre, 2008-07-04 at 09:56 +0530, Shiva Raman wrote:
> I am not able to open all SSL websites through this squid, but am able to access a few SSL sites through it using the lynx command line browser.

What's said in access.log?

> When I try to access the above webserver through the squid proxy, it is unable to open the website. When I try the links it's showing as only SSL ERROR

Works for me..

> I tried to check the openssl connectivity through the command prompt and get the following error.
>
> [EMAIL PROTECTED] openssl s_client -connect secure.icicidirect.com:443 -showcerts

That too works for me..

Regards
Henrik
Re: [squid-users] https site access problem!!!
Thanks for the reply. Following are the logs generated while trying to access secure.icicidirect.com

[EMAIL PROTECTED] logs]# tail -f access.log |grep secure.icicidirect.com
1215164529.907    641 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -
1215164529.943     31 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -

Regds
Shiva Raman

On 7/4/08, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> On fre, 2008-07-04 at 09:56 +0530, Shiva Raman wrote:
> > I am not able to open all SSL websites through this squid, but am able to access a few SSL sites through it using the lynx command line browser.
>
> What's said in access.log?
>
> > When I try to access the above webserver through the squid proxy, it is unable to open the website. When I try the links it's showing as only SSL ERROR
>
> Works for me..
>
> > I tried to check the openssl connectivity through the command prompt and get the following error.
> >
> > [EMAIL PROTECTED] openssl s_client -connect secure.icicidirect.com:443 -showcerts
>
> That too works for me..
>
> Regards
> Henrik
Re: [squid-users] https site access problem!!!
Shiva Raman wrote:
> Thanks for the reply. Following are the logs generated while trying to access secure.icicidirect.com
>
> [EMAIL PROTECTED] logs]# tail -f access.log |grep secure.icicidirect.com
> 1215164529.907    641 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -
> 1215164529.943     31 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -

That looks like a successful (200) tunneling of some data (39 bytes).
Whatever the problem is, it's something inside the tunnel between the client and server directly.

Amos

> Regds
> Shiva Raman
>
> On 7/4/08, Henrik Nordstrom [EMAIL PROTECTED] wrote:
> > On fre, 2008-07-04 at 09:56 +0530, Shiva Raman wrote:
> > > I am not able to open all SSL websites through this squid, but am able to access a few SSL sites through it using the lynx command line browser.
> >
> > What's said in access.log?
> >
> > > When I try to access the above webserver through the squid proxy, it is unable to open the website. When I try the links it's showing as only SSL ERROR
> >
> > Works for me..
> >
> > > I tried to check the openssl connectivity through the command prompt and get the following error.
> > >
> > > [EMAIL PROTECTED] openssl s_client -connect secure.icicidirect.com:443 -showcerts
> >
> > That too works for me..
> >
> > Regards
> > Henrik

--
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Re: [squid-users] https site access problem!!!
On fre, 2008-07-04 at 17:33 +0530, Shiva Raman wrote:
> Thanks for the reply. Following are the logs generated while trying to access secure.icicidirect.com
>
> [EMAIL PROTECTED] logs]# tail -f access.log |grep secure.icicidirect.com
> 1215164529.907    641 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -
> 1215164529.943     31 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -

Which matches your openssl results. Squid succeeded in connecting, but the connection was closed after only a couple of bytes had been exchanged.

I think the evidence is pretty hard that the problem is somewhere outside Squid.

- Firewall
- Server may have blacklisted your server IP
- Other networking issue
- Some device trying to intercept port 443.

Regards
Henrik
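
The reading of access.log given in this thread (a CONNECT logged as 200 with only a few bytes means Squid built the tunnel and the failure lies inside or beyond it) can be applied to a whole log. The following is an added example, not part of the thread or of Squid; the SMALL_BYTES and FAST_MS thresholds, the verdict names, and the two example.com/example.net entries are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Squid native access.log: time elapsed_ms client code/status bytes method
# URL ident hierarchy/peer content-type
LINE_RE = re.compile(
    r"^\d+\.\d{3}\s+(?P<elapsed>\d+)\s+\S+\s+[A-Z_]+/(?P<status>\d{3})\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+[A-Z_]+/\S+"
)

# Assumed thresholds, to be tuned per site: a completed TLS handshake moves
# more than SMALL_BYTES; a tunnel torn down within FAST_MS was cut off.
SMALL_BYTES = 1024
FAST_MS = 2000

def classify(line):
    """Return (target, verdict) for a CONNECT entry, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m["method"] != "CONNECT":
        return None
    if m["status"] != "200":
        return m["url"], "not_tunneled"  # the proxy never set the tunnel up
    if int(m["size"]) >= SMALL_BYTES:
        return m["url"], "ok"
    # 200 plus a tiny byte count: Squid connected, the TLS exchange did not finish
    verdict = "closed_early" if int(m["elapsed"]) < FAST_MS else "stalled"
    return m["url"], verdict

def summarize(lines):
    """Count verdicts per CONNECT target."""
    return Counter(r for r in map(classify, lines) if r)

SAMPLE = [
    # Entries quoted in the thread
    "1219155728.992  10845 10.0.0.95 TCP_MISS/200 117 CONNECT evas.tcmb.gov.tr:443 - DIRECT/212.174.145.17 -",
    "1219155747.294  18302 10.0.0.95 TCP_MISS/200 117 CONNECT evas.tcmb.gov.tr:443 - DIRECT/212.174.145.17 -",
    "1219156647.386 900091 10.0.0.95 TCP_MISS/200 117 CONNECT evas.tcmb.gov.tr:443 - DIRECT/212.174.145.17 -",
    "1215164529.907    641 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -",
    "1215164529.943     31 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -",
    # Constructed entries: a healthy tunnel and a denial by the proxy itself
    "1219160000.123   5321 10.0.0.95 TCP_MISS/200 48213 CONNECT mail.example.com:443 - DIRECT/192.0.2.10 -",
    "1219160001.456      0 10.0.0.96 TCP_DENIED/403 1420 CONNECT host.example.net:8443 - NONE/- text/html",
]

if __name__ == "__main__":
    for (target, verdict), n in sorted(summarize(SAMPLE).items()):
        print(f"{target:30} {verdict:18} {n}")
```

Targets that only ever show `closed_early` or `stalled` while others are `ok` are the ones to check against the list above (firewall, blacklisting, interception on port 443).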
[squid-users] https site access problem!!!
Dear All,

I got a squidIcap installation running with the following squid.conf:

http_port 80
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
cache_dir ufs /usr/local/squidICAP/var/cache 500 16 256
cache_access_log /usr/local/squidICAP/var/logs/access.log
cache_log /usr/local/squidICAP/var/logs/cache.log
cache_store_log /usr/local/squidICAP/var/logs/store.log
redirect_program /opt/Websense/bin/WsRedtor
redirect_children 30
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl squidICAP dstdomain /usr/local/squidICAP/bad_domains
header_access Accept-Encoding deny squidICAP
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_Ports port 81 # non-standard port
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl GET method GET
http_access allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
visible_hostname squidproxy
coredump_dir /usr/local/squidICAP/var/cache
redirector_bypass off

I am not able to open all SSL websites through this squid, but am able to access a few SSL sites through it using the lynx command line browser.

Following is one of the sites tested:

https://secure.icicidirect.com

I am not sure whether it's a squid or linux ssl issue.

When I try to access the above webserver through the squid proxy, it is unable to open the website. When I try the links it's showing as only SSL ERROR

I tried to check the openssl connectivity through the command prompt and get the following error.

[EMAIL PROTECTED] openssl s_client -connect secure.icicidirect.com:443 -showcerts
CONNECTED(0003)
write:errno=104

Any suggestions / workarounds for this problem, please let me know.

Regards
Shiva Raman