Hello, I have a Squid proxy and am trying to configure it to force traffic from a private cloud appliance (Azure Stack) to go through the corporate proxy. The traffic is mostly HTTPS. I see the errors below; note that ParentProxy-22 is the parent proxy, listening on port 9090. Also, why do I have some entries in the access log that do not go to the parent proxy (e.g. 1549282865.527 13 192.168.3.10 NONE/200 0 CONNECT 52.138.216.83:443 - HIER_NONE/- -)?
### error logs ###

Feb 4 15:26:38 azproxy squid[192272]: TCP connection to ParentProxy-22/9090 failed
Feb 4 15:26:38 azproxy squid[192272]: Error parsing SSL Server Hello Message on FD 20
Feb 4 15:26:38 azproxy squid[192272]: ERROR: negotiating TLS on FD 20: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
Feb 4 15:26:38 azproxy squid[192272]: TCP connection to ParentProxy-22/9090 failed
Feb 4 15:26:38 azproxy squid[192272]: Detected DEAD Parent: ParentProxy-22
Feb 4 15:26:38 azproxy squid[192272]: Detected REVIVED Parent: ParentProxy-22
Feb 4 15:26:38 azproxy squid[192272]: Error parsing SSL Server Hello Message on FD 24
Feb 4 15:26:38 azproxy squid[192272]: ERROR: negotiating TLS on FD 24: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
Feb 4 15:26:38 azproxy squid[192272]: TCP connection to ParentProxy-22/9090 failed

The Squid configuration is as follows:

### iptables setup ###

[root@azproxy ~] $ iptables -L -t nat -n -v
Chain PREROUTING (policy ACCEPT 6089 packets, 376K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5029  261K REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
21742 1130K REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8090

### squid.conf ###

dns_v4_first on
cache_peer ParentProxy-22 parent 9090 0 no-query sslcapath=/etc/pki/ca-trust/source/anchors/
acl local-network dstdomain .azcompany.com
acl everything src 10.0.0.0/8
http_access allow everything
never_direct deny local-network
never_direct allow all
http_port 8080 intercept
https_port 8090 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_certs/azproxyCA.pem dynamic_cert_mem_cache_size=16MB #connection-auth=off
http_port 8100 #forward port not used.
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
tls_outgoing_options /etc/pki/ca-trust/source/anchors/ca.crt
debug_options ALL,9

### excerpts from access log ###

1549282836.118 44 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282836.150 14 192.168.3.11 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282836.271 38 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282836.300 13 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282837.661 30 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282837.710 19 192.168.3.11 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282837.797 4 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - HIER_NONE/- -
1549282837.856 42 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282840.277 15 192.168.3.7 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282840.300 17 192.168.3.7 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282848.695 19 192.168.3.17 TCP_MISS/200 2283 GET http://ocsp.aramco.com.sa/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTcIwl9uZE4WwaD1jq3IdqcP3CI0wQUBCvyP4WY3ATuQXNOru2Zj%2B6W%2BfcCExkAABWDWqKqrUfWBR8AAAAAFYM%3D - ORIGINAL_DST/10.1.152.115 application/ocsp-response
1549282853.233 17 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282853.266 14 192.168.3.10 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282853.299 17 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282853.329 14 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282865.527 13 192.168.3.10 NONE/200 0 CONNECT 52.138.216.83:443 - HIER_NONE/- -
1549282865.552 13 192.168.3.10 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282865.615 57 192.168.3.10 TCP_MISS/503 4689 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282875.690 38 192.168.3.17 TCP_MISS/503 4707 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282875.711 14 192.168.3.17 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282876.012 28 10.8.101.53 NONE/200 0 CONNECT 111.221.29.254:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.455 18 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.544 42 192.168.3.10 TCP_MISS_ABORTED/500 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_NONE/- text/html
1549282880.614 17 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.644 13 192.168.3.10 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282880.995 22 192.168.3.4 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282881.026 25 192.168.3.4 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282882.164 19 192.168.3.17 TCP_MISS/503 4689 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html

==== squid version and build ===

[root@azproxy ~] $ squid -v
Squid Cache: Version 4.5
Service Name: squid
This binary uses OpenSSL 1.0.2k-fips 26 Jan 2017. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-security-cert-generators' '--enable-security-cert-validators' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--enable-ssl-crtd' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
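Added example, not part of the post above or of Squid itself: a small Python script that parses access.log lines in Squid's default "squid" logformat (time, elapsed ms, client, code/status, bytes, method, URL, user, hierarchy/peer, content type) and separates the entries that went through the parent from those that did not. In the hierarchy field, FIRSTUP_PARENT means the request was sent to the first available cache_peer, ORIGINAL_DST means it went to the intercepted destination, and HIER_NONE means no server or peer was contacted for that entry, so with "never_direct allow all" the non-FIRSTUP_PARENT rows are exactly the ones the poster is asking about. The parent name ParentProxy-22 is taken from the cache_peer line; the sample lines are copied from the excerpt in the post.

```python
"""Summarise Squid access.log entries by hierarchy code.

Added example for the post above; not Squid's own code.  Default logformat:
  time elapsed client code/status bytes method URL user hierarchy/peer type
"""
from collections import Counter
from urllib.parse import urlsplit

# Sample input: six lines copied from the access log excerpt in the post.
SAMPLE_LOG = """\
1549282836.118 44 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - FIRSTUP_PARENT/ParentProxy-22 -
1549282836.150 14 192.168.3.11 TCP_MISS_ABORTED/503 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - FIRSTUP_PARENT/ParentProxy-22 text/html
1549282837.797 4 192.168.3.11 NONE/200 0 CONNECT 23.50.187.199:443 - HIER_NONE/- -
1549282848.695 19 192.168.3.17 TCP_MISS/200 2283 GET http://ocsp.aramco.com.sa/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTcIwl9uZE4WwaD1jq3IdqcP3CI0wQUBCvyP4WY3ATuQXNOru2Zj%2B6W%2BfcCExkAABWDWqKqrUfWBR8AAAAAFYM%3D - ORIGINAL_DST/10.1.152.115 application/ocsp-response
1549282865.527 13 192.168.3.10 NONE/200 0 CONNECT 52.138.216.83:443 - HIER_NONE/- -
1549282880.544 42 192.168.3.10 TCP_MISS_ABORTED/500 4272 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - HIER_NONE/- text/html
"""

FIELDS = ("time", "elapsed", "client", "code_status", "bytes",
          "method", "url", "user", "hier_peer", "type")


def parse_line(line):
    """Split one native-format line into a dict; raise on malformed input."""
    fields = line.split()
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(fields)}: {line!r}")
    entry = dict(zip(FIELDS, fields))
    entry["code"], status = entry.pop("code_status").split("/", 1)
    entry["hierarchy"], entry["peer"] = entry.pop("hier_peer").split("/", 1)
    entry["status"] = int(status)
    entry["elapsed"] = int(entry["elapsed"])
    entry["bytes"] = int(entry["bytes"])
    return entry


def dest_host(entry):
    """Destination host: CONNECT logs host:port, other methods a full URL."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    return urlsplit(entry["url"]).hostname


def summarize(lines, parent="ParentProxy-22"):
    """Count entries per hierarchy code and list those that did not use the
    parent, plus those the parent answered with a 5xx (its own error page)."""
    by_hierarchy = Counter()
    not_via_parent = []
    parent_errors = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        by_hierarchy[e["hierarchy"]] += 1
        row = (e["client"], e["method"], dest_host(e), e["hierarchy"], e["status"])
        if e["peer"] != parent:
            not_via_parent.append(row)
        elif e["status"] >= 500:
            parent_errors.append(row)
    return {
        "by_hierarchy": dict(by_hierarchy),
        "not_via_parent": not_via_parent,
        "parent_errors": parent_errors,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print("entries per hierarchy code:", report["by_hierarchy"])
    for row in report["not_via_parent"]:
        print("not via parent:", row)
    for row in report["parent_errors"]:
        print("5xx from parent:", row)
```

Run it against the real file with `summarize(open("/var/log/squid/access.log"))`; the "parent_errors" list is worth watching separately, because a 503 logged with FIRSTUP_PARENT is a request that did reach the parent selection but came back with an error page rather than the origin's response.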