[squid-users] Trouble between Squid and SSL proxied host

From: mikek <mike_at_verafex.com>
Date: Tue, 14 Sep 2010 17:40:53 -0700 (PDT)

Hi There

I've just set up a Squid proxy hosted on EC2 between my users and a Google
AppEngine application. (Google AppEngine currently doesn't support custom
domain SSL, so this is the only way to do it.)

(I was following the instructions here:
http://blog.earlystageit.com/2010/07/10/gae-proxy/)

The proxy seems to be working, except every now and then (about every 5 - 6
page views) I receive an error in the browser:

    ERROR
    The requested URL could not be retrieved
    While trying to retrieve the URL: https://xxxxx.appspot.com/handlerName
    The following error was encountered:
    Connection to 74.125.53.141 Failed
    The system returned:
      (71) Protocol error
    The remote host or network may be down. Please try the request again.

I also see this error in the cache.log:

    fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)

My squid config looks like this:

     cache_effective_user squid
     cache_effective_group squid
     retry_on_error on
     acl all src 0.0.0.0/0.0.0.0
     acl Safe_ports port 443
     acl gae dstdomain xxxxx.appspot.com
     visible_hostname secure.xxxxx.com
     https_port 443 cert=/path/to.crt key=/path/to.pem defaultsite=xxxxx.appspot.com
     cache_peer xxxxx.appspot.com parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=appspot
     cache_peer_access appspot allow gae
     always_direct allow gae
     http_access allow gae Safe_ports
     http_access deny all
     debug_options ALL,1

My questions are:

a) What does the error mean? Is there a problem reaching the Google servers?
Is there a problem with their certificate? Why does the problem happen
sometimes but not others?
b) Have I set this up correctly?
c) Is there a better way to do it? (I've tried adding a connect_timeout, but
that didn't seem to help...)

Thanks so much for your help!

Cheers
Mike

Received on Wed Sep 15 2010 - 00:40:56 MDT
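
Added example, not part of the original post: a small parser for the cache.log line quoted above that unpacks the OpenSSL error code `140770FC` into its library, function and reason numbers and tallies failures by cause. It assumes the pre-3.0 OpenSSL code packing (8 bits library, 12 bits function, 12 bits reason) and that the trailing `(1/-1/0)` is Squid's SSL error class, handshake return value and errno; all function and field names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the cache.log line from the post (unwrapped) plus an unrelated line.
SAMPLE_LOG = (
    "fwdNegotiateSSL: Error negotiating SSL connection on FD 16: "
    "error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)\n"
    "Starting Squid Cache\n"
)

LINE_RE = re.compile(
    r"fwdNegotiateSSL: Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*?) "
    r"\((?P<ssl_error>-?\d+)/(?P<ret>-?\d+)/(?P<errno>-?\d+)\)\s*$"
)

def unpack_openssl_error(code_hex):
    """Split a pre-3.0 OpenSSL packed error code into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_line(line):
    """Return a dict for a fwdNegotiateSSL failure line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    lib_no, func_no, reason_no = unpack_openssl_error(m["code"])
    return {
        "fd": int(m["fd"]),
        "lib_no": lib_no, "func_no": func_no, "reason_no": reason_no,
        "func": m["func"], "reason": m["reason"],
        # Assumption: Squid prints SSL error class / handshake return value / errno.
        "ssl_error": int(m["ssl_error"]), "ret": int(m["ret"]), "errno": int(m["errno"]),
    }

def summarize(log_text):
    """Count handshake failures per (function, reason) so recurring causes stand out."""
    hits = (parse_line(line) for line in log_text.splitlines())
    return Counter((h["func"], h["reason"]) for h in hits if h)

if __name__ == "__main__":
    for (func, reason), n in summarize(SAMPLE_LOG).items():
        print(f"{n} x {func}: {reason}")
```

A reason of `unknown protocol` raised in `SSL23_GET_SERVER_HELLO` means the first bytes of the peer's reply did not parse as an SSL/TLS record, so the tally separates this class of failure from certificate or timeout errors.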