Hi Eliezer, I am running on amazon linux 2 ami which I suppose is based on centos. I ran the uname -a command and this is what I get;; Linux ip-172-24-9-143.us-east-2.compute.internal 4.14.256-197.484.amzn2.x86_64 #1 SMP Tue Nov 30 00:17:50 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[ec2-user@ip-172-24-9-143 ~]$ openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 thanks so much and let me know the script and I can run on this machine. Usama On Fri, Feb 25, 2022 at 5:34 AM <squid-users-requ...@lists.squid-cache.org> wrote: > Send squid-users mailing list submissions to > squid-users@lists.squid-cache.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.squid-cache.org/listinfo/squid-users > or, via email, send a message with subject or body 'help' to > squid-users-requ...@lists.squid-cache.org > > You can reach the person managing the list at > squid-users-ow...@lists.squid-cache.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of squid-users digest..." > > > Today's Topics: > > 1. Re: Getting SSL Connection Errors (Eliezer Croitoru) > 2. Random trouble with image downloads (Dave Blanchard) > 3. slow down response to broken clients ? (Dieter Bloms) > 4. Re: getsockopt failures, although direct access to intercept > ports is blocked (Amos Jeffries) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 25 Feb 2022 07:01:12 +0200 > From: "Eliezer Croitoru" <ngtech1...@gmail.com> > To: "'Usama Mehboob'" <musamamehb...@gmail.com>, > <squid-users@lists.squid-cache.org> > Subject: Re: [squid-users] Getting SSL Connection Errors > Message-ID: <006f01d82a04$b678b770$236a2650$@gmail.com> > Content-Type: text/plain; charset="utf-8" > > Hey Usama, > > > > There are more missing details on the system. > > If you provide the OS and squid details I might be able to provide a > script that will pull most of the relevant details on the system. > > I don?t know about this specific issue yet and it seems like there is a > SSL related issue and it might not be even related to Squid. > > (@Alex Or @Chrisots might know better then me) > > > > All The Bests, > > > > ---- > > Eliezer Croitoru > > NgTech, Tech Support > > Mobile: +972-5-28704261 > > Email: ngtech1...@gmail.com <mailto:ngtech1...@gmail.com> > > > > From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf > Of Usama Mehboob > Sent: Thursday, February 24, 2022 23:45 > To: squid-users@lists.squid-cache.org > Subject: [squid-users] Getting SSL Connection Errors > > > > Hi I have a squid running on a linux box ( about 16GB ram and 4 cpu ) -- > it runs fine for the most part but when I am launching multiple jobs that > are connecting with salesforce BulkAPI, sometimes connections are dropped. > its not predictable and happens only when there is so much load on squid. > Can anyone shed some light on this? what can I do? is it a file descriptor > issue? > > I see only these error messages from the cache logs > ``` > PeerConnector.cc(639) handleNegotiateError: Error (error:04091068:rsa > routines:INT_RSA_VERIFY:bad signature) but, hold write on SSL connection on > FD 109 > ``` > > ----------------Config file ---------------- > visible_hostname squid > > # > # Recommended minimum configuration: > # > > # Example rule allowing access from your local networks. > # Adapt to list your (internal) IP networks from where browsing > # should be allowed > acl localnet src 10.0.0.0/8 <http://10.0.0.0/8> # RFC1918 possible > internal network > acl localnet src 172.16.0.0/12 <http://172.16.0.0/12> # RFC1918 possible > internal network > acl localnet src 192.168.0.0/16 <http://192.168.0.0/16> # RFC1918 > possible internal network > acl localnet src fc00::/7 # RFC 4193 local private network range > acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) > machines > > acl SSL_ports port 443 > acl Safe_ports port 80 # http > ###acl Safe_ports port 21 # ftp testing after blocking itp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl CONNECT method CONNECT > > # > # Recommended minimum Access Permission configuration: > # > # Deny requests to certain unsafe ports > http_access deny !Safe_ports > > # Deny CONNECT to other than secure SSL ports > http_access deny CONNECT !SSL_ports > #http_access allow CONNECT SSL_ports > > # Only allow cachemgr access from localhost > http_access allow localhost manager > http_access deny manager > > # We strongly recommend the following be uncommented to protect innocent > # web applications running on the proxy server who think the only > # one who can access services on "localhost" is a local user > #http_access deny to_localhost > > # > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS > # > > # Example rule allowing access from your local networks. > # Adapt localnet in the ACL section to list your (internal) IP networks > # from where browsing should be allowed > > # And finally deny all other access to this proxy > > # Squid normally listens to port 3128 > #http_port 3128 > http_port 3129 intercept > https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept > http_access allow SSL_ports #-- this allows every https website > acl step1 at_step SslBump1 > acl step2 at_step SslBump2 > acl step3 at_step SslBump3 > ssl_bump peek step1 all > > # Deny requests to proxy instance metadata > acl instance_metadata dst 169.254.169.254 > http_access deny instance_metadata > > # Filter HTTP Only requests based on the whitelist > #acl allowed_http_only dstdomain .veevasourcedev.com < > http://veevasourcedev.com> .google.com <http://google.com> .pypi.org < > http://pypi.org> .youtube.com <http://youtube.com> > #acl allowed_http_only dstdomain .amazonaws.com <http://amazonaws.com> > #acl allowed_http_only dstdomain .veevanetwork.com < > http://veevanetwork.com> .veevacrm.com <http://veevacrm.com> . > veevacrmdi.com <http://veevacrmdi.com> .veeva.com <http://veeva.com> . > veevavault.com <http://veevavault.com> .vaultdev.com <http://vaultdev.com> > .veevacrmqa.com <http://veevacrmqa.com> > #acl allowed_http_only dstdomain .documentforce.com < > http://documentforce.com> .sforce.com <http://sforce.com> .force.com < > http://force.com> .forceusercontent.com <http://forceusercontent.com> . > force-user-content.com <http://force-user-content.com> .lightning.com < > http://lightning.com> .salesforce.com <http://salesforce.com> . > salesforceliveagent.com <http://salesforceliveagent.com> . > salesforce-communities.com <http://salesforce-communities.com> . > salesforce-experience.com <http://salesforce-experience.com> . > salesforce-hub.com <http://salesforce-hub.com> .salesforce-scrt.com < > http://salesforce-scrt.com> .salesforce-sites.com < > http://salesforce-sites.com> .site.com <http://site.com> .sfdcopens.com > <http://sfdcopens.com> .sfdc.sh .trailblazer.me <http://trailblazer.me> > .trailhead.com <http://trailhead.com> .visualforce.com < > http://visualforce.com> > > > # Filter HTTPS requests based on the whitelist > acl allowed_https_sites ssl::server_name .pypi.org <http://pypi.org> . > pythonhosted.org <http://pythonhosted.org> .tfhub.dev <http://tfhub.dev> > .gstatic.com <http://gstatic.com> .googleapis.com <http://googleapis.com> > > acl allowed_https_sites ssl::server_name .amazonaws.com < > http://amazonaws.com> > acl allowed_https_sites ssl::server_name .documentforce.com < > http://documentforce.com> .sforce.com <http://sforce.com> .force.com < > http://force.com> .forceusercontent.com <http://forceusercontent.com> . > force-user-content.com <http://force-user-content.com> .lightning.com < > http://lightning.com> .salesforce.com <http://salesforce.com> . > salesforceliveagent.com <http://salesforceliveagent.com> . > salesforce-communities.com <http://salesforce-communities.com> . > salesforce-experience.com <http://salesforce-experience.com> . > salesforce-hub.com <http://salesforce-hub.com> .salesforce-scrt.com < > http://salesforce-scrt.com> .salesforce-sites.com < > http://salesforce-sites.com> .site.com <http://site.com> .sfdcopens.com > <http://sfdcopens.com> .sfdc.sh .trailblazer.me <http://trailblazer.me> > .trailhead.com <http://trailhead.com> .visualforce.com < > http://visualforce.com> > ssl_bump peek step2 allowed_https_sites > ssl_bump splice step3 allowed_https_sites > ssl_bump terminate step2 all > > > connect_timeout 60 minute > read_timeout 60 minute > write_timeout 60 minute > request_timeout 60 minute > > ## http filtering ### > #http_access allow localnet allowed_http_only > #http_access allow localhost allowed_http_only > http_access allow localnet allowed_https_sites > http_access allow localhost allowed_https_sites > # And finally deny all other access to this proxy > http_access deny all > > # Uncomment and adjust the following to add a disk cache directory. > #cache_dir ufs /var/spool/squid 100 16 256 > > # Leave coredumps in the first cache dir > coredump_dir /var/spool/squid > > # > # Add any of your own refresh_pattern entries above these. > # > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 > refresh_pattern . 0 20% 4320 > > > > thanks > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://lists.squid-cache.org/pipermail/squid-users/attachments/20220225/9f94f144/attachment-0001.htm > > > > ------------------------------ > > Message: 2 > Date: Thu, 24 Feb 2022 23:14:30 -0600 > From: Dave Blanchard <d...@killthe.net> > To: squid-users@lists.squid-cache.org > Subject: [squid-users] Random trouble with image downloads > Message-ID: <20220224231430.f046b84f7c376ed796c5f...@killthe.net> > Content-Type: text/plain; charset=US-ASCII > > OK, I've got Squid mostly working fine, but have noticed a problem with > certain image downloads, which in at least one case are coming from > storage.googleapis.com. (Profile images for a forum.) It's as if Squid > sometimes randomly fails to download and correctly cache a given image, and > instead caches a broken or zero'd file. If I try to open that image in a > new browser tab, sometimes it will just be blank, and other times the > browser reports ERR_EMPTY_RESPONSE "The server didn't send any data." In > the former case the image access shows up in the Squid access log as > TCP_REFRESH_UNMODIFIED, and in the latter case it doesn't show up at all. > If I download it manually using wget with no proxy, it downloads fine. What > could possibly be happening here? > > -- > Dave Blanchard <d...@killthe.net> > > > ------------------------------ > > Message: 3 > Date: Fri, 25 Feb 2022 08:47:40 +0100 > From: Dieter Bloms <squid....@bloms.de> > To: squid-users@lists.squid-cache.org > Subject: [squid-users] slow down response to broken clients ? > Message-ID: <20220225074740.pclldvx4rtrpi...@bloms.de> > Content-Type: text/plain; charset=us-ascii > > Hello, > > Sometimes a client tries to reach a destination that is blocked at the > proxy. The proxy responds with a 403 and the client then immediately > tries again and again, making hundreds of requests per second. Is it > possible to add an artificial delay here so that the proxy answers > the client later? > Best combined with a rate limit, so that the delays only become active > when a certain limit of 403 answers is exceeded? > > > -- > Regards > > Dieter > > -- > I do not get viruses because I do not use MS software. > If you use Outlook then please do not put my email address in your > address-book so that WHEN you get a virus it won't use my address in the > >From field. > > > ------------------------------ > > Message: 4 > Date: Fri, 25 Feb 2022 23:30:47 +1300 > From: Amos Jeffries <squ...@treenet.co.nz> > To: squid-users@lists.squid-cache.org > Subject: Re: [squid-users] getsockopt failures, although direct access > to intercept ports is blocked > Message-ID: <b75703c5-3be1-a645-7e05-3b557b5b1...@treenet.co.nz> > Content-Type: text/plain; charset=UTF-8; format=flowed > > On 24/02/22 12:05, Andreas Weigel wrote: > > Hi everyone, > > > > I had the following issue with Squid in Transparent Mode (and SSL > > Interception in mode splice). It is working as expected, however after > > multiple long-running (talking about several seconds) anti-virus > > ecap-Processes have finished, I *sometimes* get the following in the log: > > > > 2022/02/23 14:56:40.668 kid1| 5,2| src/comm/TcpAcceptor.cc(224) > > doAccept: New connection on FD 21 > > 2022/02/23 14:56:40.668 kid1| 5,2| src/comm/TcpAcceptor.cc(312) > > acceptNext: connection on local=[::]:2412 remote=[::] FD 21 flags=41 > > 2022/02/23 14:56:40.668 kid1| 89,5| src/ip/Intercept.cc(405) Lookup: > > address BEGIN: me/client= 192.168.180.1:2412, destination/me= > > 192.168.180.10:48582 > > 2022/02/23 14:56:40.668 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed > > on local=192.168.180.1:2412 remote=192.168.180.10:48582 FD 37 flags=33: > > (2) No such file or directory > > 2022/02/23 14:56:40.669 kid1| 89,9| src/ip/Intercept.cc(151) > > NetfilterInterception: address: local=192.168.180.1:2412 > > remote=192.168.180.10:48582 FD 37 flags=33 > > 2022/02/23 14:56:40.669 kid1| ERROR: NAT/TPROXY lookup failed to locate > > original IPs on local=192.168.180.1:2412 remote=192.168.180.10:48582 FD > > 37 flags=33 > > > These can happen if the NAT table entries expire or otherwise get > dropped by conntrack between the client initiating TCP SYN and Squid > accept(2) receiving the connection. > > Your config looks good to me and the lack of regularity indicates the > issue is likely this type of transient state situation. > Is this happening at times of unusually high client connections > through the NAT? > Is eCAP processing blocking the Squid worker for all those seconds? > > > > 2022/02/23 14:56:40.669 kid1| 5,5| src/comm/TcpAcceptor.cc(287) > > acceptOne: non-recoverable error: FD 21, [::] [ job2] handler > > Subscription: 0x55edac3d08d0*1 > > > > Sometimes, this only appears on on of the two interception ports, > > sometimes on both. After that, the squid worker does not poll the > > intercept listen port any longer, i.e. stops working. > > That part is likely to be the issue recently worked around by > < > http://www.squid-cache.org/Versions/v6/changesets/squid-6-9fd3e68c3d0dfd6035db98ce142cf425be6c5fc1.patch > > > > > Amos > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users > > > ------------------------------ > > End of squid-users Digest, Vol 90, Issue 38 > ******************************************* >
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users