I'm sure that the issue is not related to firewall rules, because if I pass traffic from the client IP (using NAT, browser is not configured to use the proxy) it works. I think it is related to some SSL/TLS lib in the system, because today I tried a CLI browser, links. Launching it directly from the gateway (which has direct access to the web), I was able to browse any site in text mode, except YouTube. So I guess it is related to some missing SSL lib. Could you please suggest how I can find all the required libs for my Squid?

# squid -v
Squid Cache: Version 3.5.28
Service Name: squid

This binary uses OpenSSL 1.0.2p 14 Aug 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--with-included-ltdl' '--enable-auth' '--enable-zph-qos' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--disable-eui' '--enable-cache-digests' '--disable-delay-pools' '--disable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--without-heimdal-krb5' '--without-mit-krb5' '--without-gss' '--disable-htcp' '--disable-icap-client' '--disable-icmp' '--disable-ident-lookups' '--disable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--disable-snmp' '--enable-ssl' '--with-openssl=/usr/local' 'LIBOPENSSL_CFLAGS=-I/usr/local/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--disable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--disable-pf-transparent' '--without-nat-devpf' '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group' '--enable-auth-negotiate=none' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs ufs' '--enable-disk-io=DiskThreads AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.2' 'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe -fstack-protector -fno-strict-aliasing ' 'LDFLAGS= -pthread -L/usr/local/lib -lpcreposix -lpcre -Wl,-rpath,/usr/local/lib -fstack-protector ' 'LIBS=' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector -fno-strict-aliasing -Wno-unknown-warning-option -Wno-undefined-bool-conversion -Wno-tautological-undefined-compare -Wno-dynamic-class-memaccess ' 'CPP=cpp' --enable-ltdl-convenience

# uname -a
FreeBSD gate.xxxxxx.local 11.2-RELEASE-p4 FreeBSD 11.2-RELEASE-p4 #0: Thu Sep 27 08:16:24 UTC 2018 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64

Wed, 17 Oct 2018 at 8:48, Amos Jeffries <[email protected]>:

> On 17/10/18 6:22 AM, Bruno de Paula Larini wrote:
> >
> > On 16/10/2018 02:46, Timur Lagutenko wrote:
> >> Hello friends,
> >>
> >> recently I've updated my freebsd gateway.
> >> from 11.1 to 11.2.
> >> also I've updated squid from 3.5 to 4.1
> >> I have no transparency, no ssl-bump/splice etc..
> >> simple installation.
> >> browser is configured to use proxy.
> >> squid configuration is default.
>
> Then Squid interaction with this traffic is a simple test of whether the
> client IP address is within your LAN and then blindly shovel the HTTPS
> traffic through.
>
> Problems are limited to routing, MTU/MSS misconfiguration somewhere
> (network VPN tunnel?), and problems with the endpoints TLS negotiation
> (browser or upstream server).
>
> >
> >> everything works fine except youtube.com <http://youtube.com/>
> >> Browser freezes on "trying to set secure connection", and after gives
> >> time-out error.
> >> I've also tried to downgrade squid back to 3,5
> >> no success.
>
> That downgrade not resolving the issue indicates that it is not Squid
> related.
>
> As Bruno suggested, probably a change to the routing or firewall systems
> that traffic is going through that appeared with the OS version bump. It
> is pretty rare to see on small bumps, but can happen.
>
> Amos
> _______________________________________________
> squid-users mailing list
> [email protected]
> http://lists.squid-cache.org/listinfo/squid-users
>
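
An added example, not code from any poster in this thread: a Python probe that walks the same steps a proxy-configured browser takes (TCP to the proxy, CONNECT, then TLS end to end through the tunnel) and reports the first step that fails, which separates a proxy refusal from the handshake time-out described above. The function name, stage labels and command-line arguments are assumptions made for illustration.

```python
import socket
import ssl
import sys


def probe_connect_tunnel(proxy_host, proxy_port, target_host, target_port=443, timeout=10.0):
    """Return (stage, detail): the first step that failed, or ("ok", ...)."""
    try:
        sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    except OSError as exc:
        return ("proxy_tcp", str(exc))
    try:
        authority = "%s:%d" % (target_host, target_port)
        request = "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (authority, authority)
        sock.sendall(request.encode("ascii"))
        reply = b""
        while b"\r\n\r\n" not in reply:  # read the proxy's reply headers
            chunk = sock.recv(4096)
            if not chunk:
                return ("proxy_connect", "proxy closed the connection")
            reply += chunk
        status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
        fields = status_line.split()
        if len(fields) < 2 or fields[1] != "200":
            return ("proxy_connect", status_line)  # e.g. denied by a proxy ACL
        # From here the proxy only relays bytes; TLS is negotiated with the origin.
        context = ssl.create_default_context()
        try:
            tls = context.wrap_socket(sock, server_hostname=target_host)
        except socket.timeout:
            return ("tls_handshake_timeout", "no handshake reply within %.0fs" % timeout)
        except (ssl.SSLError, OSError) as exc:
            return ("tls_handshake_error", str(exc))
        detail = "%s %s" % (tls.version(), tls.cipher()[0])
        tls.close()
        return ("ok", detail)
    except socket.timeout:
        return ("proxy_connect", "no reply to CONNECT within %.0fs" % timeout)
    except OSError as exc:
        return ("proxy_connect", str(exc))
    finally:
        sock.close()


if __name__ == "__main__":
    # Assumed usage: python3 probe.py PROXY_HOST PROXY_PORT TARGET_HOST
    print(probe_connect_tunnel(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

A `200` from the proxy followed by `tls_handshake_timeout` means the proxy accepted the tunnel and the stall is on the path or at the endpoints, not in the proxy's access rules.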
