My Squid version is 6, running on Amazon Linux 2023.

```
root@ip-172-24-9-245:/var/log/squid# squid --version
Squid Cache: Version 6.13
Service Name: squid

This binary uses OpenSSL 3.2.2 4 Jun 2024. configure options:
 '--build=x86_64-amazon-linux-gnu' '--host=x86_64-amazon-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--localstatedir=/var'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--libexecdir=/usr/lib64/squid'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid'
'--disable-dependency-tracking' '--enable-eui'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM'
'--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP'
'--enable-auth-negotiate=kerberos'
'--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group'
'--enable-storeid-rewrite-helpers=file' '--enable-cache-digests'
'--enable-cachemgr-hostname=localhost' '--enable-delay-pools'
'--enable-epoll' '--enable-icap-client' '--enable-ident-lookups'
'--enable-linux-netfilter' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl' '--enable-ssl-crtd'
'--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' '--enable-wccpv2'
'--disable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid'
'--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native'
'--disable-security-cert-validators' '--disable-strict-error-checking'
'--with-swapdir=/var/spool/squid' '--enable-translation'
'build_alias=x86_64-amazon-linux-gnu' 'host_alias=x86_64-amazon-linux-gnu'
'CC=gcc' 'CFLAGS=-O2 -ftree-vectorize -flto=auto -ffat-lto-objects
-fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2
-mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
-fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -Wl,--build-id=sha1
-Wl,-dT,/builddir/build/BUILD/squid-6.13/.package_note-squid-6.13-1.amzn2023.0.1.x86_64.ld'
'CXX=g++' 'CXXFLAGS=-O2 -ftree-vectorize -flto=auto -ffat-lto-objects
-fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2
-mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
-fcf-protection'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
'LT_SYS_LIBRARY_PATH=/usr/lib64:'
```


I am seeing this error in my cache.log:
=============================
```
2025/09/14 09:46:34 kid1| ERROR: failure while accepting a TLS connection
on conn122766 local=3.225.139.255:443 remote=172.25.239.18:59114 FD 11
flags=33: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
    current master transaction: master73677
2025/09/14 09:47:04 kid1| ERROR: failure while accepting a TLS connection
on conn122771 local=3.225.139.255:443 remote=172.25.239.18:46344 FD 11
flags=33: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
```


OpenSSL version
+++++++++++++
OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)


My squid.conf file is this
====================
```
visible_hostname squid
cache deny all

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_port 3128
http_port 3129 intercept
https_port 3130 cert=/path/to/squid.pem ssl-bump intercept
# http_access is first-match. This rule matches every request to port 443 from
# any client source (on the intercept port it is what lets the SslBump1 fake
# CONNECT to dst-IP:443 through), and it is evaluated before the
# instance_metadata deny and the localnet checks further down.
http_access allow SSL_ports

acl instance_metadata dst 169.254.169.254
http_access deny instance_metadata

acl allowed_https_sites ssl::server_name .domain1.com .domain2.com .domain3.com

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# peek at step1 (client hello) and step2 (server hello) for allowed sites, then
# splice; anything else is terminated once the SNI is known at step2.
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 8MB
sslcrtd_children 5

server_idle_pconn_timeout 60 minute
connect_timeout 60 minute
read_timeout 60 minute
write_timeout 60 minute
request_timeout 60 minute

# For requests to port 443 these two rules are not reached ("allow SSL_ports"
# above already matched), so the site restriction on intercepted TLS is
# enforced by the ssl_bump terminate rule, not by http_access.
http_access allow localnet allowed_https_sites
http_access allow localhost allowed_https_sites
http_access deny all

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

logformat fqdn_log %tg:UTC %6tr client:%>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<A %mt %ssl::>sni
access_log /var/log/squid/access.log fqdn_log

logfile_rotate 10
debug_options ALL,1 rotate=1
```


Can somebody please recommend some changes to try out? Also, it sometimes drops
the connection when trying to connect to the Salesforce Bulk API, and upon
contacting Salesforce, their team mentioned that it happens if the client
(Squid) closes the connection before the Salesforce server does. I will
appreciate the help. Thanks.

Usama
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users

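The `TLS_LIB_ERR=A000418` field in the posted cache.log lines is an OpenSSL packed error code and can be decoded offline. The decoder below is an added example written for this page; it is not code from the post, from Squid or from OpenSSL. It relies only on conventions from OpenSSL's public headers: `ERR_PACK()` stores the library number above bit 23 and the reason in the low 23 bits, `ERR_LIB_SSL` is 20, and when libssl receives a fatal alert from the peer it records reason `1000 + alert description`. So A000418 is library 20 (SSL routines), reason 1048, i.e. alert 48, `unknown_ca`: the client at 172.25.239.18 aborted the handshake because it did not trust the certificate it was presented during Squid's accept on the intercepted https_port. `openssl errstr 0A000418` prints the same reason. The third sample record is constructed (not from the post), and reading `TLS_IO_ERR` as the `SSL_get_error()` result is an assumption about Squid's field naming.

```python
"""Decode Squid's TLS_LIB_ERR / TLS_IO_ERR cache.log fields (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

ERR_LIB_OFFSET = 23                      # ERR_PACK(): lib << 23 | reason
ERR_REASON_MASK = (1 << ERR_LIB_OFFSET) - 1
ERR_SYSTEM_FLAG = 1 << 31                # bit 31 set: reason is an errno value
ERR_LIB_SYS = 2
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000              # libssl: peer alert N -> reason 1000 + N

# Subset of OpenSSL library numbers commonly seen in handshake failures.
ERR_LIBS = {2: "system library", 9: "PEM routines", 11: "X509 routines",
            13: "ASN1 routines", 20: "SSL routines", 32: "BIO routines"}

# TLS AlertDescription values (RFC 5246 / RFC 8446).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled", 100: "no_renegotiation",
    109: "missing_extension", 110: "unsupported_extension", 112: "unrecognized_name",
    115: "unknown_psk_identity", 116: "certificate_required",
    120: "no_application_protocol",
}

# Assumption: Squid's TLS_IO_ERR is the SSL_get_error() result.
SSL_GET_ERROR = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
                 3: "SSL_ERROR_WANT_WRITE", 5: "SSL_ERROR_SYSCALL",
                 6: "SSL_ERROR_ZERO_RETURN"}

LINE_RE = re.compile(
    r"failure while accepting a TLS connection on (?P<conn>\S+) "
    r"local=(?P<local>\S+) remote=(?P<remote>\S+) FD \d+ flags=\d+: (?P<detail>\S+)")


def unpack_err(code_hex: str):
    """Split an OpenSSL packed error code into (library, reason)."""
    code = int(code_hex, 16)
    if code & ERR_SYSTEM_FLAG:           # ERR_SYSTEM_ERROR(): low bits hold errno
        return ERR_LIB_SYS, code & (ERR_SYSTEM_FLAG - 1)
    return code >> ERR_LIB_OFFSET, code & ERR_REASON_MASK


@dataclass
class TlsAcceptFailure:
    conn: str
    local: str
    remote: str
    lib: int
    reason: int
    io_err: int

    @property
    def alert(self) -> Optional[int]:
        """Alert description number if the reason encodes an alert sent by the peer."""
        if self.lib == ERR_LIB_SSL and \
                SSL_AD_REASON_OFFSET <= self.reason <= SSL_AD_REASON_OFFSET + 255:
            return self.reason - SSL_AD_REASON_OFFSET
        return None

    def describe(self) -> str:
        lib = ERR_LIBS.get(self.lib, f"lib {self.lib}")
        io = SSL_GET_ERROR.get(self.io_err, f"SSL_get_error()={self.io_err}")
        if self.alert is not None:
            name = TLS_ALERTS.get(self.alert, "unknown alert")
            return (f"{self.conn}: {lib}: client {self.remote} aborted the handshake "
                    f"with TLS alert {self.alert} ({name}); {io}")
        return f"{self.conn}: {lib}: reason {self.reason}; {io}"


def parse_cache_log(text: str) -> List[TlsAcceptFailure]:
    """Extract every 'failure while accepting a TLS connection' record."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # detail looks like SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
        fields = dict(kv.split("=", 1) for kv in m["detail"].split("+") if "=" in kv)
        lib, reason = unpack_err(fields["TLS_LIB_ERR"])
        found.append(TlsAcceptFailure(m["conn"], m["local"], m["remote"], lib, reason,
                                      int(fields.get("TLS_IO_ERR", "0"))))
    return found


# Constructed sample: the post's two records re-joined onto one line each (the
# mail client wrapped them), plus one made-up record carrying a different alert.
SAMPLE_LOG = """\
2025/09/14 09:46:34 kid1| ERROR: failure while accepting a TLS connection on conn122766 local=3.225.139.255:443 remote=172.25.239.18:59114 FD 11 flags=33: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
    current master transaction: master73677
2025/09/14 09:47:04 kid1| ERROR: failure while accepting a TLS connection on conn122771 local=3.225.139.255:443 remote=172.25.239.18:46344 FD 11 flags=33: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1
2025/09/14 09:50:00 kid1| ERROR: failure while accepting a TLS connection on conn999999 local=10.0.0.5:443 remote=10.0.0.9:40000 FD 12 flags=33: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000410+TLS_IO_ERR=1
"""

if __name__ == "__main__":
    for failure in parse_cache_log(SAMPLE_LOG):
        print(failure.describe())
```

Run it against a real cache.log with `parse_cache_log(open("/var/log/squid/cache.log").read())`; grouping the results by `remote` and `alert` separates clients that reject Squid's certificate (`unknown_ca`, `bad_certificate`) from clients that fail for protocol reasons (`handshake_failure`, `protocol_version`), which is the first split a practitioner wants before touching the configuration.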