0
I'm using a Linode and Squid3 as proxy, but can't get it to work with https sites. It's working over http, but when I try to visit a site that has https, say https://google.com/, I just get a:
The connection was reset
The connection to the server was reset while the page was loading.
Update: It appears that I'm only having these issues on my home network. Trying by sharing to my phone and on another network (on a different ISP) it works. Not really sure how to debug that. Check the router? Can the ISP block proxy traffic? (Seems nuts)
I'm using Ubuntu 12.10
, and was initially using the squid3 installed with apt-get install squid3
. squid -v
showed:
Squid Cache: Version 3.1.20
configure options: '--build=i686-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' --with-squid=/build/buildd/squid3-3.1.20
In my attempts at solving these issues I noted that squid3 wasn't compiled with --enable-ssl
. So I built from source with --enable-ssl
, and now squid3 -v
shows:
Squid Cache: Version 3.1.20
configure options: '--build=i686-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--enable-ssl' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-open-ssl=/etc/ssl/openssl.cnf' '--enable-linux-netfilter' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' --with-squid=/root/squid3-3.1.20
And I still get the same error. My config file looks like this:
via off
forwarded_for delete
follow_x_forwarded_for deny all
acl SSL method CONNECT
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
acl theUser proxy_auth myuser
http_access allow theUser
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 1153
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy
https_port 1153 cert=/etc/squid3/ssl/squid.crt key=/etc/squid3/ssl/squid.key vhost
I have played around with the https_port number, and all ports are open, as I can telnet <IP> 1153
, and get a connection.
I'm not really sure what to try or do. I just want to be able to visit https/ssl sites with the proxy. Do I need other modules or is this a config issue? I don't need any caching or anything, as this is just a plain browser proxy setup.
Here are the proxy settings in firefox:
Does it work if you comment out the line beginning
https_port 1153
(this is for accessing squid over ssl rather than accessing ssl sites, so can be disabled for this test), and use http in the browser proxy settings? – Paul – 2013-01-05T13:05:29.007I removed the https_port line and I'm still getting the same issue. I have updated the post with a screenshot of Firefox proxy settings. – ErikPerik – 2013-01-05T13:31:14.923
Perhaps switch off the user auth? It looks like it should work, do you have any clues in the squid logs? – Paul – 2013-01-06T02:43:42.263
@Paul I switched off the user auth - nothing different happened. I have checked the access.log and cache.log for squid, and nothing is logged when visiting https sites (which fail). If I visit any other http site lines are added to the access.log. Are there any other logs I can check? – ErikPerik – 2013-01-06T09:48:12.323
Hang on, do you have openssl installed? – Paul – 2013-01-06T10:36:26.940
which openssl
returns/usr/bin/openssl
. Is that what you mean? – ErikPerik – 2013-01-06T11:02:35.690Yeah, well I wanted to confirm /etc/ssl/openssl.cnf existed like in the
squid -v
. Could you try addingdebug_options ALL,9
to the conf? – Paul – 2013-01-06T11:13:09.573I added the
– ErikPerik – 2013-01-06T11:53:30.430debug_options ALL,9
and instantly got more output in cache.log when trying to visit an https site. This is some output I captured from when trying a https site. It was really shooting out output, so it's a lot. https://gist.github.com/742b7320b7055f18304cYeah, but nothing related to SSL I can see. Lets just confirm ssl is working in general:
openssl s_client -connect google.com:443
will do the cert negotiation, and thenGET / HTTP/1.0
to get the first page. – Paul – 2013-01-06T20:43:20.863Running that returned the HTML for google.com. I noticed today that I'm only having problems when I'm on my home network. Trying the proxy from my phone internet, and it works, and trying from another apartment and it works. So it has to be something with my router or ISP. Have updated post with info. – ErikPerik – 2013-01-06T20:50:11.210