Answer the question
In order to leave comments, you need to log in
X
X
xcuube2021-05-21 09:38:11
xcuube, 2021-05-21 09:38:11
How to cache https from cache_peer squid?
Hello! I can't figure out how squid can cache data that comes with cache_peer via https.
Squid is configured with ssl support, if you make requests immediately from the server on which it is installed (comment out never_direct allow all in the config ), then everything works fine, traffic (both http and https) is cached, but as soon as I start traffic through cache_peer, I get this error from squid:
At the same time, http works and is cached, only https does not work
And in the logs:
Logs
2021/05/20 12:24:59.036 kid1| Error parsing SSL Server Hello Message on FD 14
2021/05/20 12:24:59.036 kid1| ERROR: negotiating TLS on FD 14: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (1/-1/0)
2021/05/20 12:24:59.036 kid1| TCP connection to my_cache_peer_ip/8888 failed
2021/05/20 12:24:59.036 kid1| Error parsing SSL Server Hello Message on FD 14
2021/05/20 12:24:59.036 kid1| ERROR: negotiating TLS on FD 14: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (1/-1/0)
2021/05/20 12:24:59.036 kid1| TCP connection to my_cache_peer_ip/8888 failed
Squid config:
It is not complete, cut out acl, which are responsible for accessing the squid from the outside
spoiler
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
max_filedesc 65535
request_header_access X-Forwarded-For deny all
request_header_access X-Cache deny all
request_header_access Cache-Control deny all
via off
http_port 8024 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/etc/squid/bump.crt key=/etc/squid/bump.key
cache_peer my_cache_peer_ip parent 8888 0 no-query no-digest round-robin
never_direct allow all
# Настройки кэша в ОЗУ
cache_mem 16024 MB
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
# Настройки дискового кэша
cache_replacement_policy heap LFUDA
cache_dir ufs /var/spool/squid 20000 48 256
maximum_object_size 20024 KB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 60
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
sslproxy_cert_error allow all
ssl_bump bump allsquid -v
Squid Cache: Version 4.6
Service Name: squid
Debian linux
This binary uses OpenSSL 1.1.1d 10 Sep 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/tmp/squid_build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'BUILDCXX=x86_64-linux-gnu-g++' '--with-build-environment=default' '--enable-build-info=Debian linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-gnutls' '--enable-ssl-crtd' '--with-openssl' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CC=x86_64-linux-gnu-gcc' 'CFLAGS=-g -O2 -fdebug-prefix-map=/tmp/squid_build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXX=x86_64-linux-gnu-g++' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/tmp/squid_build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security'
Squid Cache: Version 4.6
Service Name: squid
Debian linux
This binary uses OpenSSL 1.1.1d 10 Sep 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/tmp/squid_build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'BUILDCXX=x86_64-linux-gnu-g++' '--with-build-environment=default' '--enable-build-info=Debian linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-gnutls' '--enable-ssl-crtd' '--with-openssl' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CC=x86_64-linux-gnu-gcc' 'CFLAGS=-g -O2 -fdebug-prefix-map=/tmp/squid_build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXX=x86_64-linux-gnu-g++' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/tmp/squid_build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security'
I can not understand on which side I have an error and where to dig ..
Similar questions
L
S
U
V
N
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question