Re: Squid / ssl / behind firewall

From: Stephan Sachweh <sns@dont-contact.us>
Date: Mon, 18 May 1998 09:14:22 +0200

I am using squid 1.1.20 on Solaris 2.6 x86.
I tried to connect to an https site outside my local network via a Netscape
Proxy Server 2.5. The Netscape proxy server has authentication enabled!

After a long period of time I got the message "proxy authentification
failed" and was not able to get the requested pages via https.

I think I have found two bugs in squid 1.1.20.

1. Squid performs DNS tests for https servers outside the firewall, which
causes the long delay.
2. Squid does not forward the Basic authentication data to the parent
proxy when accessing SSL sites.

Perhaps there is something wrong with my configuration, but otherwise I
would like to know when these bugs will be fixed, or whether they are fixed
in later versions of squid.

Best regards,

Stephan

Here is the relevant part from the configuration file squid.conf:
-----------------------------------------------------------------
cache_host firewall.intern parent 8080 0 no-query default
inside_firewall intern
single_parent_bypass off
#hierarchy_stoplist cgi-bin ?
cache_stoplist cgi-bin ?
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0

acl SSL_ports port 443 563
acl Dangerous_ports port 7 9 19
acl CONNECT method CONNECT

acl SISWEST src 18.0.0.0/255.0.0.0 17.0.0.0/255.0.0.0 127.0.0.1/255.255.255.255

http_access deny manager !SISWEST
http_access deny CONNECT !SSL_ports
http_access deny Dangerous_ports

http_access allow SISWEST
icp_access allow all
ssl_proxy firewall.intern
#http_anonymizer off

DNS tests are disabled via the start option -D.

Here is part of the logfile generated using debug_options ALL,9:
----------------------------------------------------------------
1998/05/14 16:08:42| dnsOpenServers: FD 6 connected to
/usr/local/squid/bin/dnsserver #1.
1998/05/14 16:08:42| dnsOpenServers: 'dns_server' 0 started
1998/05/14 16:08:42| ipcache_nbgethostbyname: FD 183935: Name
'firewall.intern'.
1998/05/14 16:08:42| ipcache_nbgethostbyname: HIT for 'firewall.intern'
1998/05/14 16:08:42| Configuring Parent firewall.intern/8080/0
1998/05/14 16:08:42| --> IP address #0: 18.121.6.1
1998/05/14 16:08:42| clientReadRequest: FD 17: reading request...
1998/05/14 16:08:42| clientReadRequest: len = 4095
1998/05/14 16:08:42| parseHttpRequest: Method is 'CONNECT'
1998/05/14 16:08:42| parseHttpRequest: Request is 'banking.sonline.de:443'
1998/05/14 16:08:42| parseHttpRequest: HTTP version is 'HTTP/1.0
Proxy-authorization: B'
1998/05/14 16:08:42| parseHttpRequest: Request Header is
Proxy-authorization: Basic c3liMzY6c293aWVzbw== User-Agent: Mozilla/4.05
[en] (WinNT; I)
1998/05/14 16:08:42| parseHttpRequest: Complete request received
1998/05/14 16:08:42| mime_get_header: looking for 'User-Agent'
1998/05/14 16:08:42| mime_get_header: checking 'User-Agent: Mozilla/4.05
[en] (WinNT; I)'
1998/05/14 16:08:42| mime_get_header: returning 'Mozilla/4.05 [en] (WinNT;
I)'
1998/05/14 16:08:42| aclCheck: checking 'http_access deny manager !SISWEST'
1998/05/14 16:08:42| aclMatchAclList: checking manager
1998/05/14 16:08:42| aclMatchAcl: checking 'acl manager proto cache_object'
1998/05/14 16:08:42| aclMatchAclList: returning 0
1998/05/14 16:08:42| aclCheck: checking 'http_access deny CONNECT
!SSL_ports'
1998/05/14 16:08:42| aclMatchAclList: checking CONNECT
1998/05/14 16:08:42| aclMatchAcl: checking 'acl CONNECT method CONNECT'
1998/05/14 16:08:42| aclMatchAclList: checking !SSL_ports
1998/05/14 16:08:42| aclMatchAcl: checking 'acl SSL_ports port 443 563'
1998/05/14 16:08:42| aclMatchAclList: returning 0
1998/05/14 16:08:42| aclCheck: checking 'http_access deny Dangerous_ports'
1998/05/14 16:08:42| aclMatchAclList: checking Dangerous_ports
1998/05/14 16:08:42| aclMatchAcl: checking 'acl Dangerous_ports port 7 9
19'
1998/05/14 16:08:42| aclMatchAclList: returning 0
1998/05/14 16:08:42| aclCheck: checking 'http_access allow SISWEST '
1998/05/14 16:08:42| aclMatchAclList: checking SISWEST
1998/05/14 16:08:42| aclMatchAcl: checking 'acl SISWEST src
18.0.0.0/255.0.0.0 17.0.0.0/255.0.0.0 127.0.0.1/255.255.255.255'
1998/05/14 16:08:42| aclMatchIp: h = 18.0.0.0
1998/05/14 16:08:42| aclMatchIp: addr1 = 18.0.0.0
1998/05/14 16:08:42| aclMatchIp: addr2 = 0.0.0.0
1998/05/14 16:08:42| aclMatchIp: returning 1
1998/05/14 16:08:42| aclMatchAclList: returning 1
1998/05/14 16:08:42| aclCheck: match found, returning 1
1998/05/14 16:08:42| clientAccessCheckDone: 'banking.sonline.de:443'
answer=1
1998/05/14 16:08:42| redirectStart: 'banking.sonline.de:443'
1998/05/14 16:08:42| clientRedirectDone: 'banking.sonline.de:443'
result=NULL
1998/05/14 16:08:42| mime_get_header: looking for 'If-Modified-Since'
1998/05/14 16:08:42| mime_get_header: looking for 'Pragma'
1998/05/14 16:08:42| mime_get_header: looking for 'Range'
1998/05/14 16:08:42| mime_get_header: looking for 'Request-Range'
1998/05/14 16:08:42| mime_get_header: looking for 'Authorization'
1998/05/14 16:08:42| mime_get_header: looking for 'Via'
1998/05/14 16:08:42| mime_get_header: looking for 'Cache-control'
1998/05/14 16:08:42| icpProcessRequest: CONNECT 'banking.sonline.de:443'
1998/05/14 16:08:42| sslStart: 'CONNECT banking.sonline.de:443'
1998/05/14 16:08:42| comm_add_close_handler: FD 20, handler=8075740,
data=9424108
1998/05/14 16:08:42| comm_add_close_handler: FD 17, handler=80756f0,
data=9424108
1998/05/14 16:08:42| ipcache_nbgethostbyname: FD 20: Name
'banking.sonline.de'.
1998/05/14 16:08:42| ipcache_nbgethostbyname: MISS for 'banking.sonline.de'
1998/05/14 16:08:42| ipcache_add_to_hash: name <banking.sonline.de>
1998/05/14 16:08:42| comm_write: FD 6: sz 19: tout 0: hndl 0: data 0.
1998/05/14 16:08:42| ipcache_dnsDispatch: Request sent to DNS server #1.

1998/05/14 16:09:34| ipcache_dnsHandleRead: Result from DNS ID 1 (99 bytes)
1998/05/14 16:09:34| ipcache_parsebuffer: parsing:
$fail banking.sonline.de
$message Name Server for domain 'banking.sonline.de' is unavailable.
$end
1998/05/14 16:09:34| ipcache_nbgethostbyname: FD 20: Name
'firewall.intern'.
1998/05/14 16:09:34| ipcache_nbgethostbyname: HIT for 'firewall.intern'
1998/05/14 16:09:34| sslConnect: client=17 server=20
1998/05/14 16:09:34| sslProxyConnected: FD 20 sslState=9424108
1998/05/14 16:09:34| sslProxyConnected: Sending 'CONNECT
banking.sonline.de:443 HTTP/1.0'
1998/05/14 16:09:34| comm_set_fd_lifetime: FD 20 lft 86400
1998/05/14 16:09:34| comm_select: 1 sockets ready at 895158574
1998/05/14 16:09:34| comm_select: FD 20 ready for writing
1998/05/14 16:09:34| sslWriteServer FD 20, wrote 43 bytes
1998/05/14 16:09:34| comm_select: 1 sockets ready at 895158574
1998/05/14 16:09:34| comm_select: FD 20 ready for reading
1998/05/14 16:09:34| sslReadServer FD 20, read 217 bytes
1998/05/14 16:09:34| comm_select: 1 sockets ready at 895158574
1998/05/14 16:09:34| comm_select: FD 17 ready for writing
1998/05/14 16:09:34| sslWriteClient FD 17 len=217 offset=0
1998/05/14 16:09:34| sslWriteClient FD 17, wrote 217 bytes
1998/05/14 16:09:34| comm_select: 1 sockets ready at 895158574
1998/05/14 16:09:34| comm_select: FD 20 ready for reading
1998/05/14 16:09:34| sslReadServer FD 20, read 271 bytes
1998/05/14 16:09:34| comm_select: 1 sockets ready at 895158574
1998/05/14 16:09:34| comm_select: FD 17 ready for writing
1998/05/14 16:09:34| sslWriteClient FD 17 len=271 offset=0
1998/05/14 16:09:34| sslWriteClient FD 17, wrote 271 bytes
1998/05/14 16:09:34| comm_select: 1 sockets ready at 895158574
1998/05/14 16:09:34| comm_select: FD 20 ready for reading
1998/05/14 16:09:34| sslReadServer FD 20, read 0 bytes
1998/05/14 16:09:34| comm_close: FD 17
1998/05/14 16:09:34| commCallCloseHandlers: FD 17
1998/05/14 16:09:34| comm_close: FD 20
1998/05/14 16:09:34| commCallCloseHandlers: FD 20
1998/05/14 16:09:34| sslStateFree: FD 20, sslState=9424108

---------------------------------------------------------------
Stephan Sachweh, Dipl.-Inform. Tel: +49 231 9704 221
ExperTeam GmbH Fax: +49 231 9704 299
Emil-Figge-Str. 85, 44227 Dortmund Mobile: +49 171 4632098
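The two behaviours reported above can be modelled in a few lines. The following is an added example, not Squid's code and not part of Stephan's message: a toy forwarding proxy that routes a CONNECT either directly (hosts under the `inside_firewall` domain) or via the `ssl_proxy` parent, and a toy authenticating parent that answers 407 unless a matching Basic `Proxy-Authorization` header arrives. The hostnames `firewall.intern`, `banking.sonline.de` and the `intern` domain are taken from the posted config and log; the credential, the `intranet.intern` host, the routing rule and the parent's behaviour are constructed assumptions. `forward_proxy_auth=False` reproduces the reported symptom (the client's header is dropped on the upstream CONNECT); `True` shows the corrected exchange.

```python
import base64

# Sample values: the two hostnames and the domain come from the posted
# squid.conf / log; everything else in this file is constructed.
SSL_PROXY = "firewall.intern"        # from 'ssl_proxy firewall.intern'
INSIDE_DOMAINS = ("intern",)         # from 'inside_firewall intern'


def parse_request_head(raw: bytes):
    """Parse the request line and headers of an HTTP/1.0 request head.
    Header names are folded to lower case because they are case-insensitive
    (Netscape sent 'Proxy-authorization'; the RFC spelling is
    'Proxy-Authorization')."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def route_connect(target: str):
    """Decide whether a CONNECT target is reached directly or via the SSL parent.
    Only the direct path needs a local DNS lookup; a tunnel through the parent
    should skip it (the posted log shows a ~52 s lookup that was not skipped).
    Assumed routing rule: hosts under an inside_firewall domain are 'inside'."""
    host = target.rsplit(":", 1)[0]
    if any(host == d or host.endswith("." + d) for d in INSIDE_DOMAINS):
        return ("direct", host, True)      # resolve locally
    return ("parent", SSL_PROXY, False)    # parent resolves it; no local lookup


def build_parent_connect(target, client_headers, forward_proxy_auth):
    """Build the CONNECT sent to the parent. forward_proxy_auth=False models the
    reported behaviour (client's Proxy-Authorization dropped); True is the fix."""
    lines = [f"CONNECT {target} HTTP/1.0"]
    if forward_proxy_auth and "proxy-authorization" in client_headers:
        lines.append("Proxy-Authorization: " + client_headers["proxy-authorization"])
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def parent_proxy_response(raw_request: bytes, expected_credentials: str) -> str:
    """Toy authenticating parent: 200 only if Basic credentials match."""
    method, _, _, headers = parse_request_head(raw_request)
    if method != "CONNECT":
        return "HTTP/1.0 405 Method Not Allowed"
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            presented = base64.b64decode(token, validate=True).decode("iso-8859-1")
        except (ValueError, UnicodeDecodeError):   # malformed base64 -> no match
            presented = None
        if presented == expected_credentials:
            return "HTTP/1.0 200 Connection established"
    return "HTTP/1.0 407 Proxy Authentication Required"


def simulate(target: str, forward_proxy_auth: bool):
    """Run one client CONNECT through the model; returns (route, needs_dns, status)."""
    creds = "user:constructed-password"           # constructed, not the log's credential
    token = base64.b64encode(creds.encode()).decode()
    client_request = (
        f"CONNECT {target} HTTP/1.0\r\n"
        f"Proxy-authorization: Basic {token}\r\n"
        "User-Agent: Mozilla/4.05 [en] (WinNT; I)\r\n\r\n"
    ).encode("iso-8859-1")
    _, tgt, _, headers = parse_request_head(client_request)
    route, _next_hop, needs_dns = route_connect(tgt)
    if route == "direct":
        return route, needs_dns, "HTTP/1.0 200 Connection established"
    upstream = build_parent_connect(tgt, headers, forward_proxy_auth)
    return route, needs_dns, parent_proxy_response(upstream, creds)


if __name__ == "__main__":
    print(simulate("banking.sonline.de:443", forward_proxy_auth=False))  # 407, as reported
    print(simulate("banking.sonline.de:443", forward_proxy_auth=True))   # 200 with header forwarded
    print(simulate("intranet.intern:443", forward_proxy_auth=False))     # direct, local DNS only here
```

One practical note for anyone reproducing this with `debug_options ALL,9`: the `Proxy-authorization` value that appears in the trace is Basic authentication, i.e. base64-encoded rather than encrypted, so the log captures the password in recoverable form. Scrub that header before posting a debug trace.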
Received on Mon May 18 1998 - 00:24:56 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:40:13 MST