Hello Amos
Thank you for looking into this. Below is the configuration ...
###########################
logformat squid %tl %6tr %>a %<a %dt %<rd %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt %<tt %<pt %{Nuance-Session-ID}>h
cache_access_log /var/log/squid/access.log squid
pid_filename /var/run/squid.pid
visible_hostname nuance-ak-client-test2
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT
cache deny all
dns_v4_first on
http_port 443 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/etc/squid/squidCA.pem cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem
# Below, a.b.c.d is the backend IP
cache_peer a.b.c.d parent 443 0 no-query proxy-only no-digest originserver ssl sslcert=/etc/certs/abc.crt sslkey=/etc/certs/key.pem sslcapath=/etc/certs/ sslflags=DONT_VERIFY_PEER name=dev
acl dev myport 443
acl dev myport 80
acl dev myport 3129
http_access allow all
cache_peer_access dev allow dev
#cache_peer_access dev deny all
#URL_REWRITE_PROGRAM /etc/squid/rewrite-http.pl
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
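Two points in the configuration above that a security reviewer would raise, shown as an added example by the editor (not from the thread or from the Squid project). On an `http_port` without `intercept`/`tproxy`, Squid parses the bytes it receives as plaintext HTTP, and `ssl-bump` there only engages on CONNECT tunnels; a reverse proxy that terminates the frontend's TLS itself listens on `https_port ... accel`. Separately, `sslflags=DONT_VERIFY_PEER` on the peer, together with `sslproxy_flags DONT_VERIFY_PEER` and `sslproxy_cert_error allow all`, means the backend's certificate is never validated, so the "two-way TLS" hop authenticates Squid to the backend but not the backend to Squid, and `http_access allow all` admits any client that can reach port 443. Assumed names: `/etc/certs/backend-ca.pem` is the CA that issued the backend certificate, `backend.example` is the name in that certificate, `/etc/squid/frontend-server.pem` is a server certificate the frontend trusts, and `w.x.y.z` is the frontend as in the thread. Option names follow the Squid 3.5 spelling used in the posted config; Squid 4 and later spell the peer options `tls`, `tls-cafile=` and friends.

```conf
# Added example (editor's), not the configuration posted in the thread.

## As posted: backend certificate never verified, any client admitted
#cache_peer a.b.c.d parent 443 0 no-query proxy-only no-digest originserver ssl sslcert=/etc/certs/abc.crt sslkey=/etc/certs/key.pem sslcapath=/etc/certs/ sslflags=DONT_VERIFY_PEER name=dev
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
#http_access allow all

## Hardened
# Terminate the frontend's TLS as a reverse proxy (assumed server cert path).
# Same cipher/options/DH settings as the posted http_port line.
https_port 443 accel vhost cert=/etc/squid/frontend-server.pem cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem

# Only the frontend may use this proxy.
acl frontend src w.x.y.z/32
http_access allow frontend
http_access deny all

# Mutual TLS to the backend with its certificate actually verified: chain to
# the assumed CA file and, because the peer is addressed by IP, name the
# expected certificate subject with ssldomain=. No DONT_VERIFY_PEER anywhere.
cache_peer a.b.c.d parent 443 0 no-query proxy-only no-digest originserver name=dev ssl sslcert=/etc/certs/abc.crt sslkey=/etc/certs/key.pem sslcafile=/etc/certs/backend-ca.pem ssldomain=backend.example
cache_peer_access dev allow all

# Never fall back to contacting origins directly if the peer is unavailable.
never_direct allow all
```

With `https_port accel` doing the termination, the `ssl_bump`, `sslcrtd_program` and `sslcrtd_children` lines have nothing to act on and can be dropped. If the backend CA cannot be obtained and verification must stay off temporarily, `sslproxy_cert_error` with a narrow ACL is a smaller hole than `allow all`.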
________________________________
From: squid-users <[email protected]> on behalf of
[email protected]
<[email protected]>
Sent: Sunday, September 11, 2022 8:00 AM
To: [email protected] <[email protected]>
Subject: squid-users Digest, Vol 97, Issue 20
Send squid-users mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.squid-cache.org/listinfo/squid-users
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of squid-users digest..."
Today's Topics:
1. https on frontend (Adiseshu Channasamudhram)
2. Re: https on frontend (Amos Jeffries)
----------------------------------------------------------------------
Message: 1
Date: Sat, 10 Sep 2022 18:19:23 +0000
From: Adiseshu Channasamudhram <[email protected]>
To: "[email protected]"
<[email protected]>
Subject: [squid-users] https on frontend
Message-ID:
<ph0pr14mb530976d868bcfacdf5bf6f20b3...@ph0pr14mb5309.namprd14.prod.outlook.com>
Content-Type: text/plain; charset="iso-8859-1"
Hello Squid experts
I'm running into an issue with the setup below
frontend
-----------TLS-------------Squid-------------------------2WayTLS--------------------------Backend
When the frontend sends the HTTP request, I see the TLS exchange is successful,
but then in the access log of Squid I see the error below
w.x.y.z is the IP of the frontend server.
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4016 %16%03%03 %A1%DFXl%A1%90yf%1C - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:37 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:37 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:38 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:38 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
On the Squid interface listening to the frontend, I have pointed it to a self-signed cert ...
Any help/suggestion would be greatly appreciated
Regards
Adi
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.squid-cache.org/pipermail/squid-users/attachments/20220910/a27bfffa/attachment-0001.htm>
------------------------------
Message: 2
Date: Sun, 11 Sep 2022 09:11:35 +1200
From: Amos Jeffries <[email protected]>
To: [email protected]
Subject: Re: [squid-users] https on frontend
Message-ID: <[email protected]>
Content-Type: text/plain; charset=UTF-8; format=flowed
On 11/09/22 06:19, Adiseshu Channasamudhram wrote:
> Hello Squid experts
>
> I'm running into an issue with the setup below
>
> frontend
> -----------TLS-------------Squid-------------------------2WayTLS--------------------------Backend
>
> When the frontend sends the HTTP request, I see the TLS exchange is
> successful, but then in the access log of Squid I see the error below
>
> w.x.y.z is the IP of the frontend server.
>
> 10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
...
> On the Squid interface listening to the frontend, I have pointed it to a
> self-signed cert ...
>
> Any help/suggestion would be greatly appreciated
>
Either the HTTP request messages received from the frontend inside the
TLS are invalid, or your frontend<->Squid is misconfigured.
We will need to see your squid.conf details. Specifically these
directives, though all settings (no comments or empty lines) would be
useful for a full check:
http_port, https_port, cache_peer, tls_outgoing_options
Also a cache/log trace made with "debug_options ALL,0 11,2" will be helpful.
Amos
------------------------------
Subject: Digest Footer
_______________________________________________
squid-users mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-users
------------------------------
End of squid-users Digest, Vol 97, Issue 20
*******************************************
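One of the access.log records quoted in the digest above carries `%16%03%03` where the HTTP method should be. Decoded, those bytes are 0x16 0x03 0x03: the TLS record header for a handshake record with record-layer version TLS 1.2, so on that connection Squid read raw TLS bytes and tried to parse them as an HTTP request line. The script below is an added example by the editor, not code from the thread or from Squid. It parses lines in the posted logformat, percent-decodes the method field the way Squid escapes non-printable bytes, and separates three cases: a TLS record logged as an HTTP method, a request Squid could not parse at all (`NONE error:invalid-request`), and healthy traffic. The first three sample lines are the ones quoted in the thread; the fourth is constructed to show a request that must not be flagged. The field indices are specific to the posted `logformat squid` line.

```python
"""Triage Squid access.log lines for TLS-sent-to-a-plaintext-port symptoms.

Added example (editor's), not from the thread or the Squid project.
"""
from urllib.parse import unquote_to_bytes

# First three records are quoted in the thread (rejoined after mail wrapping);
# the fourth is constructed here as a healthy request for contrast.
SAMPLE_LOG = """\
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:34 +0000 0 w.x.y.z - - - TAG_NONE/400 4016 %16%03%03 %A1%DFXl%A1%90yf%1C - HIER_NONE/- text/html - - -
10/Sep/2022:00:13:37 +0000 0 w.x.y.z - - - TAG_NONE/400 4476 NONE error:invalid-request - HIER_NONE/- text/html - - -
10/Sep/2022:00:20:01 +0000 12 w.x.y.z a.b.c.d - - TCP_MISS/200 512 GET https://nuance-ak-client-test2/health - FIRSTUP_PARENT/dev application/json - - -
"""

# Token positions for the posted logformat
# (%tl %6tr %>a %<a %dt %<rd %Ss/%>Hs %<st %rm %ru ...) after splitting on
# whitespace: %tl occupies two tokens, so the client address is index 3.
IDX_CLIENT, IDX_STATUS, IDX_METHOD, IDX_URL = 3, 7, 9, 10

# Second byte of a TLS record version; the first is always 0x03.
TLS_RECORD_VERSIONS = {
    0x00: "SSL 3.0",
    0x01: "TLS 1.0",
    0x02: "TLS 1.1",
    0x03: "TLS 1.2 (record-layer version also used by TLS 1.3)",
}
TLS_HANDSHAKE_CONTENT_TYPE = 0x16


def classify(line):
    """Return (client, http_status, verdict, detail) for one access.log line."""
    f = line.split()
    if len(f) <= IDX_URL:
        return None, None, "malformed-log-line", line
    client = f[IDX_CLIENT]
    status = int(f[IDX_STATUS].split("/")[1])
    if status != 400:
        return client, status, "ok", f[IDX_METHOD]
    # Squid %-escapes non-printable bytes in %rm/%ru; undo that before looking.
    method = unquote_to_bytes(f[IDX_METHOD])
    # A TLS record begins with content type 0x16 (handshake) and version 0x03 0x0N.
    # Those bytes where a method should be mean the peer spoke TLS on a
    # connection Squid was parsing as plaintext HTTP.
    if (len(method) >= 3 and method[0] == TLS_HANDSHAKE_CONTENT_TYPE
            and method[1] == 0x03 and method[2] in TLS_RECORD_VERSIONS):
        return client, status, "tls-record-as-http", TLS_RECORD_VERSIONS[method[2]]
    if f[IDX_METHOD] == "NONE" and f[IDX_URL].startswith("error:"):
        return client, status, "unparseable-request", f[IDX_URL]
    return client, status, "other-400", f[IDX_METHOD]


def summarize(log_text):
    """Count verdicts per client, a quick triage before pulling a debug trace."""
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _, verdict, _ = classify(line)
        key = (client, verdict)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for record in SAMPLE_LOG.splitlines():
        print(classify(record))
    print(summarize(SAMPLE_LOG))
```

A single `tls-record-as-http` hit next to a burst of `unparseable-request` lines from the same client is the pattern to look for: Squid logs the raw bytes only when they happen to tokenise into something it can print, so most TLS-on-a-plaintext-port records show up as plain `NONE error:invalid-request`.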