----- Original Message -----
From: Amos Jeffries <squ...@treenet.co.nz>
>
> You could try with a newer Squid version since the bio.cc code might be
> making something else happen in 3.5.23. If that still fails the 4.0 beta
> has different logic and far better debug info in this area.

Hi again,

I'm still struggling with my reverse proxy setup. As stated in my previous 
post, after upgrading to Squid 3.5.23, I successfully connected with a web 
browser FROM an external location (internet) to the Squid proxy, which in turn 
connected via HTTPS on port 443 to an internal MS Exchange OWA server.
Apparently, all I was missing was sslcafile in cache_peer.

However, I'm now trying (but failing) to do the same thing locally. I'm 
connecting from a web browser in the local network to the Squid reverse proxy 
and that, in turn, is trying to connect to the OWA server on the same LAN.
I set up the client's hosts file to point webmail2.mydomain.org to Squid's IP 
address.

Here's squid.conf:

https_port 0.0.0.0:443 accel cert=/etc/ssl/squid/accel_cert.cer key=/etc/ssl/squid/accel_key.pem defaultsite=webmail2.mydomain.org

cache_peer 10.215.144.21 parent 443 0 no-query originserver login=PASS ssl sslcert=/etc/ssl/squid/client_cert.cer sslkey=/etc/ssl/squid/client_key.pem sslcafile=/etc/ssl/CA/cacert.pem front-end-https=on name=owaServer

acl OWA dstdomain webmail2.mydomain.org
cache_peer_access owaServer allow OWA
never_direct allow OWA

http_access allow OWA
http_access deny all

Since it didn't work with Squid 3, I updated to the latest Squid 4 version.

I get this in the log when trying to connect: 

2017/01/24 07:58:57.075 kid1| 83,5| bio.cc(116) write: FD 18 wrote 312 <= 312
2017/01/24 07:58:57.075 kid1| 83,5| bio.cc(139) read: FD 18 read -1 <= 65535
2017/01/24 07:58:57.076 kid1| 83,5| bio.cc(144) read: error: 11 ignored: 1
2017/01/24 07:58:57.076 kid1| 5,3| comm.cc(559) commSetConnTimeout: local=10.215.144.92:56236 remote=10.215.144.21:443 FD 18 flags=1 timeout 30
2017/01/24 07:58:57.076 kid1| 5,5| ModEpoll.cc(117) SetSelect: FD 18, type=1, handler=1, client_data=0xb7cf8be8, timeout=0
2017/01/24 07:58:57.076 kid1| 93,5| AsyncJob.cc(154) callEnd: Security::BlindPeerConnector status out: [ FD 18 job60]
2017/01/24 07:58:57.076 kid1| 93,5| AsyncCallQueue.cc(57) fireNext: leaving AsyncJob::start()
2017/01/24 07:58:57.076 kid1| 83,5| bio.cc(139) read: FD 18 read 0 <= 65535
2017/01/24 07:58:57.076 kid1| 83,5| NegotiationHistory.cc(83) retrieveNegotiatedInfo: SSL connection info on FD 18 SSL version NONE/0.0 negotiated cipher
2017/01/24 07:58:57.076 kid1| Error negotiating SSL on FD 18: error:00000000:lib(0):func(0):reason(0) (5/0/0)
2017/01/24 07:58:57.076 kid1| TCP connection to 10.215.144.21/443 failed
2017/01/24 07:58:57.077 kid1| 15,2| neighbors.cc(1246) peerConnectFailedSilent: TCP connection to 10.215.144.21/443 dead

# squid -v
Squid Cache: Version 4.0.17-20170122-r14968
Service Name: squid
configure options:  '--prefix=/usr' '--build=i686-pc-linux-gnu' 
'--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' 
'--localstatedir=/var/lib' '--disable-dependency-tracking' 
'--disable-silent-rules' 
'--docdir=/usr/share/doc/squid-4.0.17_beta_p2017012214968' 
'--htmldir=/usr/share/doc/squid-4.0.17_beta_p2017012214968/html' 
'--libdir=/usr/lib' '--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid' 
'--localstatedir=/var' '--with-pidfile=/run/squid.pid' 
'--datadir=/usr/share/squid' '--with-logdir=/var/log/squid' 
'--with-default-user=squid' '--enable-removal-policies=lru,heap' 
'--enable-storeio=aufs,diskd,rock,ufs' '--enable-disk-io' 
'--enable-auth-basic=NCSA,POP3,getpwnam,SMB,LDAP,PAM,RADIUS' 
'--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-ntlm=SMB_LM' 
'--enable-auth-negotiate=kerberos,wrapper' 
'--enable-external-acl-helpers=file_userip,session,unix_group,wbinfo_group,LDAP_group,eDirectory_userip,kerberos_ldap_group'
 '--enable-log-daemon-helpers' '--enable-url-rewrite-helpers' 
'--enable-cache-digests' '--enable-delay-pools' '--enable-eui' '--enable-icmp' 
'--enable-follow-x-forwarded-for' '--with-large-files' 
'--disable-strict-error-checking' '--disable-arch-native' 
'--with-ltdl-includedir=/usr/include' '--with-ltdl-libdir=/usr/lib' 
'--with-libcap' '--enable-ipv6' '--disable-snmp' '--with-openssl' 
'--with-nettle' '--with-gnutls' '--disable-ssl-crtd' '--disable-ecap' 
'--disable-esi' '--enable-htcp' '--enable-wccp' '--enable-wccpv2' 
'--enable-linux-netfilter' '--with-mit-krb5' '--without-heimdal-krb5' 
'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 
'CC=i686-pc-linux-gnu-gcc' 'CFLAGS=-O2 -march=i686 -pipe' 'LDFLAGS=-Wl,-O1 
-Wl,--as-needed' 'CXXFLAGS=-O2 -march=i686 -pipe' 
'PKG_CONFIG_PATH=/usr/lib/pkgconfig'

# openssl version
OpenSSL 1.0.2j  26 Sep 2016

Unfortunately, Squid's and OpenSSL's log messages aren't too informative, even in 
Squid 4.
Also, I'm not sure why the SSL version isn't picked up (NONE/0.0), but I don't 
think it changes anything.

What else can I try?

Thanks,

Vieri
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
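The failing handshake above, worked through as an added diagnostic example (this is not part of the original post and not Squid's own code). What the trace actually records is: Squid wrote 312 bytes (the ClientHello), the next read returned EAGAIN (errno 11, ignored), then read returned 0 (EOF). OpenSSL's error queue is empty and the "(5/0/0)" triple starts with 5 = SSL_ERROR_SYSCALL with a return value of 0, which in OpenSSL 1.0.2 means an EOF was observed in the middle of the handshake. So the origin closed the TCP connection without sending a ServerHello or a TLS alert, and "NONE/0.0" is just the consequence: nothing was negotiated. The script below reproduces the cache_peer handshake by hand with openssl s_client (same client cert, key and CA file as the posted squid.conf; run it on the Squid host, once with and once without an SNI name) and classifies a cache.log excerpt so the "origin hung up" case can be told apart from an explicit TLS alert. The certificate paths are taken from the post; SAMPLE_LOG is copied from the post, ALERT_LOG and OK_LOG are constructed here for contrast.

```shell
#!/bin/sh
# Added example (not from the original post or from the Squid project).
#   probe_origin  reproduce the cache_peer TLS handshake with openssl s_client
#   classify_ssl  read a cache.log excerpt (debug_options 83,5) on stdin and
#                 print what the OpenSSL side saw
# Assumed paths are the ones in the posted squid.conf.

# Same materials Squid uses: sslcert/sslkey -> -cert/-key, sslcafile -> -CAfile.
# $3 (optional) is the SNI name; try both with and without it, since the two
# ClientHellos differ. </dev/null makes s_client exit after the handshake.
probe_origin() {
    host=$1; port=${2:-443}; sni=${3:-}
    set -- -connect "$host:$port" \
           -cert /etc/ssl/squid/client_cert.cer \
           -key /etc/ssl/squid/client_key.pem \
           -CAfile /etc/ssl/CA/cacert.pem
    if [ -n "$sni" ]; then set -- "$@" -servername "$sni"; fi
    openssl s_client "$@" </dev/null 2>&1
}

# grep helper over the log text held in $log
has() { printf '%s\n' "$log" | grep -q -e "$1"; }

# Prints one of:
#   origin-closed-during-handshake  ClientHello written, then "read 0" (EOF),
#        version NONE/0.0, empty error queue, ssl_error 5 = SSL_ERROR_SYSCALL:
#        the peer closed the TCP connection before any ServerHello or alert.
#   tls-alert      the error queue names an "SSL routines" reason, i.e. the
#                  origin answered and rejected the handshake explicitly.
#   handshake-ok   a real protocol version / cipher was negotiated.
#   unknown        none of the signatures above.
classify_ssl() {
    log=$(cat)
    if has 'SSL version NONE/0.0' && has 'read: FD [0-9][0-9]* read 0 <=' \
       && has 'error:00000000:lib(0):func(0):reason(0) (5/'; then
        echo origin-closed-during-handshake
    elif has 'Error negotiating SSL on FD [0-9]*: error:[0-9A-Fa-f]*:SSL routines'; then
        echo tls-alert
    elif has 'negotiated cipher' && ! has 'SSL version NONE/0.0'; then
        echo handshake-ok
    else
        echo unknown
    fi
}

# Lines copied from the post (the failing handshake), trimmed to the ones the
# classifier looks at.
SAMPLE_LOG='2017/01/24 07:58:57.075 kid1| 83,5| bio.cc(116) write: FD 18 wrote 312 <= 312
2017/01/24 07:58:57.076 kid1| 83,5| bio.cc(139) read: FD 18 read 0 <= 65535
2017/01/24 07:58:57.076 kid1| 83,5| NegotiationHistory.cc(83) retrieveNegotiatedInfo: SSL connection info on FD 18 SSL version NONE/0.0 negotiated cipher
2017/01/24 07:58:57.076 kid1| Error negotiating SSL on FD 18: error:00000000:lib(0):func(0):reason(0) (5/0/0)'

# Constructed counter-examples (not from the post): an explicit rejection by the
# origin (ssl_error 1 = SSL_ERROR_SSL, OpenSSL alert string), and a successful
# negotiation.
ALERT_LOG='2017/01/24 08:00:00.000 kid1| Error negotiating SSL on FD 20: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure (1/-1/0)'
OK_LOG='2017/01/24 08:00:01.000 kid1| 83,5| NegotiationHistory.cc(83) retrieveNegotiatedInfo: SSL connection info on FD 21 SSL version TLSv1.2/1.2 negotiated cipher ECDHE-RSA-AES256-GCM-SHA384'

# Usage:
#   sh tlsdiag.sh probe 10.215.144.21 443 webmail2.mydomain.org
#   sh tlsdiag.sh probe 10.215.144.21 443
#   grep 'FD 18' /var/log/squid/cache.log | sh tlsdiag.sh classify
case "${1:-}" in
    probe)    probe_origin "$2" "${3:-443}" "${4:-}" ;;
    classify) classify_ssl ;;
    *)        ;;   # no arguments: only define the functions
esac
```

If the s_client probe from the Squid host succeeds with the same cert, key and CA file, compare the two ClientHellos (with and without -servername, and the protocol versions s_client offers versus what Squid's build of OpenSSL offers); if the probe fails the same way, the rejection is on the origin side and its own logs are the next place to look.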