X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71 Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
### 0x01 squid version

```
squid -v
Squid Cache: Version 5.0.4
Service Name: squid
This binary uses OpenSSL 1.0.2g 1 Mar 2016. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--prefix=/usr' '--exec-prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--libdir=/usr/lib64' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--sharedstatedir=/var/lib' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-default-user=squid' '--enable-silent-rules' '--enable-dependency-tracking' '--with-openssl' '--enable-icmp' '--enable-delay-pools' '--enable-useragent-log' '--enable-esi' '--disable-ipv6' '--enable-ssl-crtd' '--enable-follow-x-forwarded-for' '--enable-auth' --enable-ltdl-convenience
```

### 0x02 peers.conf

```
cache_peer 127.0.0.1 parent 3129 0 ssl weighted-round-robin login=admin:squid name=crawler1
```

```
curl http://google.com -x https://admin:squid@localhost:3128 -v -k
< HTTP/1.1 503 Service Unavailable
< Server: squid/5.0.4
< Mime-Version: 1.0
< Date: Sun, 27 Sep 2020 15:55:05 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1647
< X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from example.com
< Connection: keep-alive
```

The proxy is OK. 3129 is glider:

```
curl http://google.com -x https://admin:squid@localhost:3129 -v -k
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
```

### 0x03 the possible solution: DONT_VERIFY_PEER

So, on squid 4/5, the DONT_VERIFY_PEER flag is deprecated. How to get the function on squid 5.0.4?
### 0x04 squid.conf

```
acl SSL_ports port 443
acl Safe_ports port 1-65535 # unregistered ports
acl CONNECT method CONNECT
acl HEAD method HEAD
http_access deny !Safe_ports
http_access deny manager
http_access allow all
http_port 3128 ssl-bump generate-host-certificates=on \
  dynamic_cert_mem_cache_size=100MB \
  cert=/etc/squid/server.crt key=/etc/squid/server.key
ssl_bump allow all
#ssl_bump bump all
sslproxy_cert_error allow all
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/ssl_db -M 400MB
#sslproxy_flags DONT_VERIFY_PEER
tls_outgoing_options options=ALL flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
sslproxy_cert_error allow all
coredump_dir /var/spool/squid3
# based on http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q=
#All File
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)) 1440 100% 129600 reload-into-ims
refresh_pattern -i \.(doc|pdf)$ 1440 50% 43200 reload-into-ims
refresh_pattern -i \.(html|htm)$ 1440 50% 40320 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
# http options
via off
forwarded_for off
vary_ignore_expire on
# memory cache options
cache_mem 512 MB
maximum_object_size_in_memory 256 KB
forwarded_for delete
ipcache_size 4096
dns_nameservers 8.8.8.8
# error page
cache_mgr ad...@example.com
visible_hostname example.com
email_err_data off
err_page_stylesheet none
#include /etc/squid/peers.conf
# use glider to build an http(s)/socks5 proxy on same port 3129
# https://github.com/nadoo/glider
# glider -listen admin:squid@0.0.0.0:3129
cache_peer 127.0.0.1 parent 3129 0 ssl weighted-round-robin login=admin:squid name=crawler1
# never_direct: outgoing only by peers
never_direct allow all
cache_effective_user proxy
```
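As an added check, not part of the original post or of Squid itself, the following Python audit reads a squid.conf like the one above, joins backslash continuations, strips comments, and flags the directives that switch off outbound certificate verification or leave the proxy open. The embedded config is a constructed excerpt modelled on the post's configuration; the directive names and flag values are Squid's own.

```python
import re

# Constructed excerpt of a squid.conf, modelled on the one in the post.
SAMPLE_CONF = """\
acl Safe_ports port 1-65535 # unregistered ports
http_access deny !Safe_ports
http_access allow all
http_port 3128 ssl-bump generate-host-certificates=on \\
  cert=/etc/squid/server.crt key=/etc/squid/server.key
ssl_bump allow all
sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
tls_outgoing_options options=ALL flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
cache_peer 127.0.0.1 parent 3129 0 ssl weighted-round-robin login=admin:squid name=crawler1
never_direct allow all
"""

def logical_lines(text):
    """Yield (directive, args) per logical line: joins backslash
    continuations, strips comments and collapses whitespace."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):            # continuation: keep collecting
            buf += raw.rstrip()[:-1] + " "
            continue
        line = re.sub(r"(^|\s)#.*$", "", buf + raw)  # '#' at start or after blank
        buf = ""
        parts = line.split()
        if parts:
            yield parts[0], " ".join(parts[1:])

# Each check: (directive, predicate on its arguments, finding text)
CHECKS = [
    ("tls_outgoing_options", lambda a: re.search(r"DONT_VERIFY_(PEER|DOMAIN)", a),
     "outbound certificate or hostname verification disabled"),
    ("sslproxy_cert_error", lambda a: a == "allow all",
     "every server certificate error is ignored"),
    ("http_access", lambda a: a == "allow all",
     "proxy accepts requests from any client"),
    ("acl", lambda a: re.fullmatch(r"\S+ port 1-65535", a) is not None,
     "Safe_ports covers every port, so 'deny !Safe_ports' never triggers"),
]

def audit(text):
    """Return [(directive, finding)] for every risky logical line, in file order."""
    findings = []
    for directive, args in logical_lines(text):
        for name, pred, msg in CHECKS:
            if directive == name and pred(args):
                findings.append((directive, msg))
    return findings

if __name__ == "__main__":
    for directive, msg in audit(SAMPLE_CONF):
        print(f"{directive}: {msg}")
```

Run against the real file (`audit(open("/etc/squid/squid.conf").read())`) to see which of the four settings survive a cleanup; an empty result means none of them remain.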
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users