On Jun 12, 2014, at 1:01 PM, Mike <mcsn...@afo.net> wrote:

> I have been racking my brain trying to get this working and each time, it
> refuses to connect to secure sites. In the end we need a working squid proxy
> for SSL connections within the company network which will serve over 1000
> users (thus the larger 8MB cert cache size). We already have the insecure
> HTTP proxy working fine (thus the use of port 3129 below).
> Since it will be SSL based, I know it needs https_port (not http_port),
> ssl-bump, and intercept (required by ssl-bump). The https_port and ssl-bump
> documentation also mentioned the preference for sslflags (which may or may
> not be working in 3.HEAD) and cipher.
>
> OS is Scientific Linux 6.5 (based on CentOS) fully up to date with yum.
> Server is quad core 3.4GHz, 8GB DDR3 with no other uses (like web server,
> etc).
> SELinux has been set to permissive mode so it only reports, doesn't block the
> needed connections (although I also tested with it disabled and made no
> difference).
> [root@localhost ~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: permissive
> Policy version: 24
> Policy from config file: targeted
>
> Essential squid.conf lines (I have tested it with and without the "sslflags",
> does not impact it working or not working):
>
> https_port 3129 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
> cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
> sslflags=DELAYED_AUTH
> cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 8MB
> sslcrtd_children 50 startup=5 idle=1
> ssl_bump server-first all
> ssl_bump none localhost
>
> Local certs have been created and self signed, and the .der cert has been
> imported into the test browser (Firefox 30.0).
>
> Squid info (includes the needed '--enable-ssl' '--enable-ssl-crtd'
> '--with-openssl'):
>
> [root@localhost ~]# squid -v
> Squid Cache: Version 3.HEAD-20140127-r13248
> Service Name: squid
> configure options: '--build=x86_64-redhat-linux-gnu'
> '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
> '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
> '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
> '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--exec_prefix=/usr'
> '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
> '--with-logdir=$(localstatedir)/log/squid'
> '--with-pidfile=$(localstatedir)/run/squid.pid'
> '--disable-dependency-tracking' '--enable-eui'
> '--enable-follow-x-forwarded-for' '--enable-auth'
> '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
> '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory'
> '--enable-auth-negotiate=kerberos,wrapper'
> '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group'
> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
> '--enable-ident-lookups' '--enable-linux-netfilter'
> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
> '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2'
> '--enable-esi' '--with-aio' '--with-default-user=squid'
> '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads'
> '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
> 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
> 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC'
> 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>
>
> In the end testing with only the SSL proxy set to this server via port 3129,
> it tries loading the secure website for 2-3 minutes and then times out.
> Checking "top", it shows squid running at 12.1g VIRT, 2.0g RES, 54.5% of MEM
> (server has 8GB) and using 100% of CPU2. The ../squid/access.log and
> cache_access.log show no new entries at all. We had to disable the cache.log
> (cache_log /dev/null) as it continuously recorded everything and quickly took
> up all the space on the 80GB hard drive.
>
> So the question is what is going wrong that it is refusing to let ANY secure
> site load and how can we get this resolved?
> We greatly appreciate any help on this.
>
> Mike
If I understand correctly, you are attempting to use port 3129 as a forward proxy. If so, you shouldn’t need the “intercept” option on 3129, and you should change it to http_port since squid will be directly receiving HTTP “CONNECT” requests, not SSL connections.

Regards,
Guy
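An added check that is not part of this thread and not Squid's own code: it classifies a Squid listener directive by the way clients are expected to reach it, and flags the mismatch Guy describes. An explicit (forward) proxy receives plain-text HTTP CONNECT requests from the browser, so it must be an `http_port` with `ssl-bump`; a transparent interceptor receives redirected raw TLS, so it must be an `https_port` with `intercept` (or `tproxy`). The two listener lines embedded below are constructed sample input derived from the post (port 3129, the original `https_port ... intercept` line and the corrected `http_port` form); the `forward`/`intercept` mode names and the `classify_listener`/`check_listener` helpers are this example's own.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): lint a Squid listener
# directive against the intended client access mode.

# classify_listener LINE -> prints the listener kind:
#   forward-bump    http_port with ssl-bump: explicit proxy, bumps CONNECT tunnels
#   forward-plain   http_port without ssl-bump: explicit proxy, CONNECT passed through
#   intercept-bump  https_port with intercept/tproxy and ssl-bump: redirected TLS, bumped
#   intercept-http  http_port with intercept/tproxy: redirected plain HTTP
#   tls-to-proxy    https_port without intercept/tproxy: the client itself must
#                   speak TLS to the proxy, which a browser given a plain HTTP
#                   proxy setting will not do
classify_listener() {
    line="$1"
    directive=${line%% *}
    case " $line " in
        *" intercept "*|*" tproxy "*) transparent=1 ;;
        *) transparent=0 ;;
    esac
    case " $line " in
        *" ssl-bump "*) bump=1 ;;
        *) bump=0 ;;
    esac
    case "$directive:$transparent:$bump" in
        http_port:0:1)  echo "forward-bump" ;;
        http_port:0:0)  echo "forward-plain" ;;
        https_port:1:1) echo "intercept-bump" ;;
        http_port:1:*)  echo "intercept-http" ;;
        https_port:0:*) echo "tls-to-proxy" ;;
        *)              echo "unknown" ;;
    esac
}

# check_listener MODE LINE -> exit 0 when LINE suits MODE (forward|intercept),
# exit 1 with a one-line explanation otherwise
check_listener() {
    mode="$1"
    kind=$(classify_listener "$2")
    case "$mode:$kind" in
        forward:forward-bump|forward:forward-plain|intercept:intercept-bump|intercept:intercept-http)
            echo "ok: $kind"
            return 0 ;;
        forward:intercept-*)
            echo "mismatch: explicit-proxy clients send HTTP CONNECT, but an intercept listener expects redirected traffic; use http_port ... ssl-bump"
            return 1 ;;
        forward:tls-to-proxy)
            echo "mismatch: https_port without intercept expects TLS from the client; use http_port ... ssl-bump"
            return 1 ;;
        *)
            echo "mismatch: listener kind '$kind' does not fit mode '$mode'"
            return 1 ;;
    esac
}

# Constructed sample: the listener from the post, intended as an explicit
# proxy but declared as a TLS interceptor.
ORIGINAL='https_port 3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key'

# Constructed sample: the same listener rewritten for explicit-proxy use,
# as the reply suggests (http_port, no intercept, ssl-bump kept).
CORRECTED='http_port 3129 ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key'

# Stand-alone run: report both listeners for forward-proxy use.
check_listener forward "$ORIGINAL" || true
check_listener forward "$CORRECTED" || true
```

Run against a real squid.conf by feeding each `http_port`/`https_port` line to `check_listener` with the mode the browsers are actually configured for; the original line reports a mismatch and the corrected one reports `ok: forward-bump`.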