My issues are as follows:
Issue 1: When I view a page from my website that is https, from the time I
first hit it, my access.log file gets hit with repeated TCP_MISS/200 for
the page and all the images. I have squid 2.6 STABLE9 running on a Red Hat
Linux Enterprise 4 box.
Issue 2: I get periodic fwdNegotiateSSL: Error negotiating SSL connection
on FD 23: error:140940F6:SSL routines:SSL3_READ_BYTES:unknown alert type
(1/-1/0) errors when I have squid started via command line and can see its
console.
My squid.conf file is below:
# Run Squid in virtual host mode
http_port 80 vhost
# company 1 reverse proxy config
https_port 172.16.0.107:443 protocol=https vhost
cert=/usr/local/squid/etc/devstore.pem
key=/usr/local/squid/etc/devstore.key
cache_peer 192.168.0.7 parent 80 0 no-query originserver
name=store.company1.com
acl company1 dstdomain store.company1.com
http_access allow company1
cache_peer_access store.company1.com allow company1
# company 2 Change reverse proxy config
https_port 172.16.0.111:443 protocol=https
cert=/usr/local/squid/etc/devstore.pem
key=/usr/local/squid/etc/devstore.key vhost
cache_peer 192.168.0.11 parent 80 0 no-query originserver
name=store.company2.com
acl company2 dstdomain store.company2.com
http_access allow company2
cache_peer_access store.company2.com allow company2
# company 3 reverse proxy config
https_port 172.16.0.105:443 protocol=https
cert=/usr/local/squid/etc/devstore.pem
key=/usr/local/squid/etc/devstore.key vhost
cache_peer 192.168.0.05 parent 80 0 no-query originserver
name=tradewins.company3.com
acl company3 dstdomain tradewins.company3.com
http_access allow company3
cache_peer_access tradewins.company3.com allow company3
# company 4 reverse proxy config
https_port 172.16.0.106:443 protocol=https
cert=/usr/local/squid/etc/mycert.pem key=/usr/local/squid/etc/mycert.key
vhost
cache_peer 192.168.0.06 parent 80 0 no-query originserver
name=store.company4.com
acl company4 dstdomain store.company4.com
http_access allow company4
cache_peer_access store.company4.com allow company4
# company 5 reverse proxy config
https_port 172.16.0.120:443 protocol=https
cert=/usr/local/squid/etc/opcert.pem key=/usr/local/squid/etc/opcert.key
vhost
cache_peer 192.168.0.20 parent 443 0 no-query originserver ssl
name=opaccess.company5.com
acl company5 dstdomain opaccess.company5.com
http_access allow company5
cache_peer_access opaccess.company5.com allow company5
# --- Begin default config options --- #
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# And finally deny all other access to this proxy
http_access deny all
# and finally allow by default
http_reply_access allow all
#Allow ICP queries from everyone
icp_access allow all
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache
***************************************************************************
Privilege and Confidentiality Notice
THIS MESSAGE IS INTENDED ONLY FOR THE USE OF THE INDIVIDUAL OR ENTITY TO WHICH IT IS ADDRESSED AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, CONFIDENTIAL AND EXEMPT FROM DISCLOSURE UNDER THE APPLICABLE LAW.
If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any use of, disclosure, dissemination, distribution, forwarding, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by email or telephone, and delete the original message immediately.
***************************************************************************
Received on Tue Feb 20 2007 - 06:29:34 MST
This archive was generated by hypermail pre-2.1.9 : Thu Mar 01 2007 - 12:00:01 MST