I configured Squid6.3 as a MITM proxy and used Chrome to browse web pages
through this Squid proxy, such as twitter.com. However, I noticed these
error messages in the cache.log:
...
2023/11/22 01:33:38 kid1| ERROR: system call failure while accepting a TLS
connection on conn8925690 local=10.0.0.5:3128 remote=171.221.64.188:33454
FD 12 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=104
current master transaction: master128
2023/11/22 01:33:50 kid1| ERROR: system call failure while accepting a TLS
connection on conn8925909 local=10.0.0.5:3128 remote=171.221.64.188:33481
FD 42 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=104
current master transaction: master128
2023/11/22 01:33:50 kid1| ERROR: system call failure while accepting a TLS
connection on conn8925915 local=10.0.0.5:3128 remote=171.221.64.188:33484
FD 45 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=104
current master transaction: master128
2023/11/22 01:33:51 kid1| ERROR: system call failure while accepting a TLS
connection on conn8925931 local=10.0.0.5:3128 remote=171.221.64.188:33488
FD 43 flags=1: SQUID_TLS_ERR_ACCEPT+TLS_IO_ERR=5+errno=104
current master transaction: master128
...
At the same time, the web pages are not displayed correctly. This error
does not occur when browsing all websites, only for a certain subset of
websites. I haven't found any obvious patterns regarding which websites
have issues and which do not.
And here is my squid.conf:
> debug_options ALL,1
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
> acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged)
> machines
> acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
> acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
> machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> acl bump_exclude_domains ssl::server_name
> "/opt/squid/var/bump_exclude_domains.conf"
> acl bump_exclude_ips dst "/opt/squid/var/bump_exclude_ips.conf"
>
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow localhost
>
> http_access deny to_localhost
>
> http_access deny to_linklocal
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128 ssl-bump tls-cert=/opt/squid/var/localCA/myCA.crt
> tls-key=/opt/squid/var/localCA/myCA.key generate-host-certificates=on
> dynamic_cert_mem_cache_size=8MB
> tls-dh=prime256v1:/opt/squid/var/localCA/dhparam.pem
> sslpassword_program /opt/squid/var/localCA/keypass.sh
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir aufs /opt/squid/var/cache/squid 10240 256 256 max-size=5242880
>
> # Leave coredumps in the first cache dir
> coredump_dir /opt/squid/var/cache/squid
>
> sslcrtd_program /opt/squid/libexec/security_file_certgen -s
> /opt/squid/var/localCA/ssl_db -M 5120MB
> sslcrtd_children 32 startup=5 idle=1
>
> # at step 1 we're peeking at client TLS-request in order to find the "SNI"
> ssl_bump peek step1 all
> # peeking of bump_excludes at step2, leading to splice at step3 for them
> ssl_bump peek step2 bump_exclude_domains
> ssl_bump peek step2 bump_exclude_ips
> ssl_bump splice step3 bump_exclude_domains
> ssl_bump splice step3 bump_exclude_ips
> # staring for others, leading to bump at step3
> ssl_bump stare step2 all
> ssl_bump bump step3 all
>
>
> sslproxy_cert_error allow all
> tls_outgoing_options options=ALL flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
>
>
> forwarded_for transparent
>
> via off
>
> on_unsupported_protocol respond all
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
Does anyone know what could be causing this problem, and how may I get rid
of it? thanks!
--
Regards.
Wen Yue
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
