Actually, now that I am using 3.15 it seems I get the error for port 80 -> 3128 intercepts again
TCP_MISS/503 4274 GET http://www.whereIwantToVisit.net/ - ORIGINAL_DST/ 162.220.244.7 text/html

On Fri, Mar 4, 2016 at 10:35 AM, Ali Jawad <alijaw...@gmail.com> wrote:

> Hi Amos
>
> Thanks for your input, I did recompile
>
> See :
>
> Squid Cache: Version 3.5.15-20160302-r14000
>
> Service Name: squid
>
> configure options: '--prefix=/squid' '--includedir=/squid/usr/include'
> '--enable-ssl-crtd' '--datadir=/squid/usr/share' '--bindir=/squid/usr/sbin'
> '--libexecdir=/squid/usr/lib/squid' '--localstatedir=/squid/var'
> '--sysconfdir=/squid/etc/squid' '--enable-arp-acl'
> '--enable-follow-x-forwarded-for' '--enable-auth'
> '--enable-auth-basic=DB,LDAP,NCSA,PAM,RADIUS,SASL,SMB,getpwnam'
> '--enable-auth-ntlm=smb_lm,fake'
> '--enable-auth-digest=file,LDAP,eDirectory'
> '--enable-auth-negotiate=kerberos'
> '--enable-external-acl-helpers=file_userip,LDAP_group,session,unix_group,wbinfo_group'
> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
> '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-referer-log'
> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
> '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log'
> '--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid'
> '--with-filedescriptors=64000' '--with-dl' '--with-openssl'
> '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
> 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
> 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
> 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
> '--enable-ltdl-convenience' '--disable-ipv6'
>
>
> Yes the IP in question is my squid IP, I am still getting the same error,
> it is as if squid sends traffic to itself
>
> Only difference is that I see this in access log now
>
> 1457080684.426 0 84.208.223.203 TAG_NONE/200 0 CONNECT
> 162.220.xx.xx:443 - ORIGINAL_DST/162.220.xx.xx -
>
> Not sure if this means anything.
>
>
> Regards
>
> On Fri, Mar 4, 2016 at 6:39 AM, Amos Jeffries <squ...@treenet.co.nz>
> wrote:
>
>> On 4/03/2016 11:57 a.m., Ali Jawad wrote:
>> > Hi
>> > I am using Squid
>> >
>> > [root@kgoDcyTx9 squid]# /squid/sbin/squid -v
>> >
>> > Squid Cache: Version 3.4.9
>>
>>
>> When using SSL-Bump functionality first port of call is to ensure you
>> are using the latest release.
>>
>> Today that is 3.5.15 (though I recommend the snapshot tarball instead of
>> the main one). Or 4.0.7 beta.
>>
>>
>> >
>> > Config Options
>> >
>> >
>> > https_port 3129 intercept ssl-bump generate-host-certificates=on
>> > dynamic_cert_mem_cache_size=4MB cert=/squid/etc/squid/ssl_cert/myca.pem
>> > key=/squid/etc/squid/ssl_cert/myca.pem
>> >
>> >
>> <snip outdated settings>
>>
>> >
>> > Iptables Rule
>> >
>> > iptables -t nat -A PREROUTING -p tcp --dport 443 --destination
>> > 162.220.xx.xx -j REDIRECT --to-ports 3129
>> >
>>
>> So what happens to the Squid traffic going to port 443 ?
>>
>> >
>> > The problem :
>> >
>> > There are no certificate errors in the cache log and access log appears to
>> > log the requested URL, the problem is that Squid shows the error below,
>> > from the looks of it Squid is trying to send the request to itself on its
>> > own IP, my assumption is that Squid is not able to detect the proper
>> > destination during bump "through a config fault of my own" or a missing
>>
>> The machine NAT system tells Squid what the destination is supposed to be.
>>
>> > step. Please advise :
>> >
>> > The following error was encountered while trying to retrieve the URL:
>> > ://162.220.xx.xx:443
>> > <https://ipv6_1.lagg0.c052.lhr004.ix.nflxvideo.net/://162.220.244.7:443
>> >
>> >
>> > *Connection to 162.220.244.7 failed.*
>> >
>>
>> Is "162.220.244.7" your Squid IP?
>>
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
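
The check raised in the thread (is the ORIGINAL_DST address in access.log the Squid box's own IP?) can be run over a whole log. This is an added example, not code from the thread or from the Squid project; it assumes Squid's native access.log layout, the function names are hypothetical, and the sample lines and addresses are constructed.

```python
import ipaddress

# Constructed sample in Squid's native access.log layout (documentation IPs):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1457080684.426 0 198.51.100.23 TAG_NONE/200 0 CONNECT 192.0.2.10:443 - ORIGINAL_DST/192.0.2.10 -
1457080684.901 112 198.51.100.23 TCP_MISS/503 4274 GET http://www.example.net/ - ORIGINAL_DST/192.0.2.10 text/html
1457080685.310 87 198.51.100.24 TCP_MISS/200 5120 GET http://www.example.org/ - ORIGINAL_DST/203.0.113.80 text/html
1457080686.002 15 198.51.100.25 TCP_MISS/200 900 GET http://www.example.com/ - HIER_DIRECT/203.0.113.81 text/html
garbage line
"""

def parse_line(line):
    """Split one native-format line; return None if it does not fit."""
    fields = line.split()
    if len(fields) != 10 or "/" not in fields[8]:
        return None
    hierarchy, _, peer = fields[8].partition("/")
    return {"client": fields[2], "result": fields[3], "method": fields[5],
            "url": fields[6], "hierarchy": hierarchy, "peer": peer}

def find_self_directed(log_text, proxy_ips):
    """Return entries whose ORIGINAL_DST peer is one of the proxy's own IPs."""
    own = {ipaddress.ip_address(ip) for ip in proxy_ips}
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["hierarchy"] != "ORIGINAL_DST":
            continue
        try:
            peer = ipaddress.ip_address(entry["peer"].strip("[]"))
        except ValueError:
            continue  # "-" or a hostname: nothing to compare
        if peer in own:
            hits.append(entry)
    return hits

if __name__ == "__main__":
    # 192.0.2.10 stands in for the address the proxy host itself listens on.
    for hit in find_self_directed(SAMPLE_LOG, ["192.0.2.10"]):
        print("{client} {method} {url} -> {result}, "
              "ORIGINAL_DST is the proxy itself ({peer})".format(**hit))
```

Entries it reports are requests where the NAT layer handed Squid its own address as the original destination, which is the situation described in the messages above.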