[squid-users] Squid 2.7+SSL on Windows will not proxy SSL requests

From: Jake Hawkes <jakehawkes_at_computer.org>
Date: Thu, 30 Sep 2010 11:09:05 +0200

Hello,

I am running Squid 2.7.STABLE8 on Windows XP.  I am primarily doing
this for convenience for myself, since I often change from the
locked-down work environment to home, and having to change the proxy
config every time is a bother.

The idea is that Squid is configured to be the proxy in all the places
where this is needed, and then it will contact the parent at work, or
the internet at home.

This all works great.  I have even managed to allow my iPad to access
the internet while at work, which is great because the iPad can't
authenticate with the proxy at work.

It all falls down with HTTPS however.

I honestly can't remember if this has ever worked, (I seem to think it
did) but now I am completely stumped.
I have checked the Windows firewall, and it is off.
I have downloaded the SSL package from acme, and there is no
difference in the behaviour.

The SSL connections from the browser time out.  Chrome reports "Waiting
for proxy tunnel" in the status bar, and then fails with this error:
Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.

I've tried to enable SSL debugging, but that seems to result in no
logging at all.  This seems to be a bug separate to my problem.

Here's hoping someone out there can help =)

Regards,

 - Jake

squid.conf
========================================================================
http_port 8082
# work settings
acl INTERNAL src 172.28.0.0/255.255.0.0
cache_peer 172.25.x.y parent 8080 0      no-query default proxy-only login=<user>:<pass> no-digest
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl NAUGHTY_STUFF dstdom_regex -i "c:\squid\etc\domain_blacklist"
acl PollingAPIs   dstdom_regex -i "c:\squid\etc\pollingAPIs"
acl BLOCKED    dstdom_regex -i "c:\squid\etc\abg_blocked"
http_access deny NAUGHTY_STUFF
http_access allow PollingAPIs
http_access allow manager localhost
http_access deny manager
http_access deny BLOCKED
http_access allow localhost
http_access allow INTERNAL
http_access deny all
#never_direct allow all
icp_access deny all
# debug ACL matching
# debug_options 28,3
# debug SSL
# debug_options 83, 3
# debug URL parsing
# debug_options 23,3
cache_effective_user squid
cache_effective_group wheel
httpd_suppress_version_string on
snmp_access deny all
visible_hostname a_computer
cachemgr_passwd 5432 all
#seconds.ms responsetime clientIP squidReqStat/HTTPStat replySize reqMethod
# reqUrl username squidHierarchyStatus/serverOrPeerIP mime
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
# localtime, clientIP, reqURL, squidReqStat/HTTPStat, replySize,
logformat accessFormat %{%d/%b/%Y:%H:%M:%S}tl,%>a, %ru, %Ss/%03Hs, %<st
#access_log stdio:c:/squid/var/logs/localhost.access.log accessFormat localhost
#access_log stdio:c:/squid/var/logs/internal.access.log accessFormat INTERNAL
#access_log stdio:c:/squid/var/logs/pollingAPIs.access.log accessFormat PollingAPIs
access_log stdio:c:/squid/var/logs/access.log accessFormat
cache_log c:/squid/var/logs/cache.log
cache_store_log none
log_mime_hdrs none
useragent_log none
referer_log none
pid_filename c:/squid/var/logs/squid.pid
strip_query_terms off

cache.log
========================================================================
2010/09/30 10:44:50| Starting Squid Cache version 2.7.STABLE8 for i686-pc-winnt...
2010/09/30 10:44:50| Running on Windows XP
2010/09/30 10:44:50| Process ID 5072
2010/09/30 10:44:50| With 2048 file descriptors available
2010/09/30 10:44:50| With 512 CRT stdio descriptors available
2010/09/30 10:44:50| Windows sockets initialized
2010/09/30 10:44:50| Using select for the IO loop
2010/09/30 10:44:50| Performing DNS Tests...
2010/09/30 10:44:50| Successful DNS name lookup tests...
2010/09/30 10:44:50| DNS Socket created at 0.0.0.0, port 4787, FD 4
2010/09/30 10:44:50| Adding DHCP nameserver x.x.x.x from Registry
2010/09/30 10:44:50| Adding DHCP nameserver x.x.x.x from Registry
2010/09/30 10:44:50| Adding DHCP nameserver x.x.x.x from Registry
2010/09/30 10:44:50| Adding DHCP nameserver x.x.x.x from Registry
2010/09/30 10:44:50| Adding DHCP nameserver x.x.x.x from Registry
2010/09/30 10:44:50| Adding DHCP nameserver x.x.x.x from Registry
2010/09/30 10:44:50| Adding domain x.x.x.x  from Registry
2010/09/30 10:44:50| User-Agent logging is disabled.
2010/09/30 10:44:50| Referer logging is disabled.
2010/09/30 10:44:50| logfileOpen: opening log stdio:c:/squid/var/logs/access.log
2010/09/30 10:44:50| Unlinkd pipe opened on FD 7
2010/09/30 10:44:50| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
2010/09/30 10:44:50| Target number of buckets: 425
2010/09/30 10:44:50| Using 8192 Store buckets
2010/09/30 10:44:50| Max Mem  size: 8192 KB
2010/09/30 10:44:50| Max Swap size: 102400 KB
2010/09/30 10:44:50| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2010/09/30 10:44:50| Store logging disabled
2010/09/30 10:44:50| Rebuilding storage in c:/squid/var/cache (CLEAN)
2010/09/30 10:44:50| Using Least Load store dir selection
2010/09/30 10:44:50| Current Directory is C:\squid
2010/09/30 10:44:50| Loaded Icons.
2010/09/30 10:44:50| Accepting proxy HTTP connections at 0.0.0.0, port 8082, FD 12.
2010/09/30 10:44:50| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.
2010/09/30 10:44:50| Accepting HTCP messages on port 4827, FD 14.
2010/09/30 10:44:50| Accepting SNMP messages on port 3401, FD 15.
2010/09/30 10:44:50| Configuring 172.25.x.y  Parent 172.25.x.y /8080/0
2010/09/30 10:44:50| Ready to serve requests.
2010/09/30 10:44:50| Done reading c:/squid/var/cache swaplog (1106 entries)
2010/09/30 10:44:50| Finished rebuilding storage from disk.
2010/09/30 10:44:50|      1106 Entries scanned
2010/09/30 10:44:50|         0 Invalid entries.
2010/09/30 10:44:50|         0 With invalid flags.
2010/09/30 10:44:50|      1106 Objects loaded.
2010/09/30 10:44:50|         0 Objects expired.
2010/09/30 10:44:50|         0 Objects cancelled.
2010/09/30 10:44:50|         0 Duplicate URLs purged.
2010/09/30 10:44:50|         0 Swapfile clashes avoided.
2010/09/30 10:44:50|   Took 0.1 seconds (11766.0 objects/sec).
2010/09/30 10:44:50| Beginning Validation Procedure
2010/09/30 10:44:51|   Completed Validation Procedure
2010/09/30 10:44:51|   Validated 1106 Entries
2010/09/30 10:44:51|   store_swap_size = 23708k
2010/09/30 10:44:51| storeLateRelease: released 0 objects

access.log
========================================================================
30/Sep/2010:10:43:46,127.0.0.1, mail.google.com:443, TCP_MISS/000, 0
30/Sep/2010:10:48:01,127.0.0.1, www.dropbox.com:443, TCP_MISS/504, 0
Received on Thu Sep 30 2010 - 09:09:16 MDT
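
An added example, not part of the original post: a small parser for the `accessFormat` log lines shown above that picks out failed proxy tunnel requests. Because `accessFormat` omits `%rm` and `%Sh/%<A` (both present in the `squid` logformat defined in the same config), the sketch assumes a bare `host:port` URL is a CONNECT request, and it cannot tell whether the request went to the parent or direct. The function names and the third sample line are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the two lines from the post plus one made-up plain HTTP hit.
SAMPLE = """\
30/Sep/2010:10:43:46,127.0.0.1, mail.google.com:443, TCP_MISS/000, 0
30/Sep/2010:10:48:01,127.0.0.1, www.dropbox.com:443, TCP_MISS/504, 0
30/Sep/2010:10:49:10,127.0.0.1, http://example.com/a,b?x=1, TCP_MISS/200, 512
"""

# CONNECT requests are logged in authority form (host:port, no scheme or path).
AUTHORITY_FORM = re.compile(r"^[A-Za-z0-9.-]+:\d+$")


def parse_line(line):
    """Parse one line of: %{...}tl,%>a, %ru, %Ss/%03Hs, %<st"""
    # Take time and client from the left and status and size from the right,
    # because the URL in the middle may itself contain commas.
    ts, client, rest = line.split(",", 2)
    url, status, size = rest.rsplit(",", 2)
    squid_status, http_status = status.strip().split("/")
    return {
        "time": datetime.strptime(ts.strip(), "%d/%b/%Y:%H:%M:%S"),
        "client": client.strip(),
        "url": url.strip(),
        "squid_status": squid_status,
        "http_status": int(http_status),
        "size": int(size),
    }


def failed_tunnels(text):
    """Return tunnel requests logged with status 000 or any 5xx status."""
    failures = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        is_tunnel = AUTHORITY_FORM.match(rec["url"]) is not None
        if is_tunnel and (rec["http_status"] == 0 or rec["http_status"] >= 500):
            failures.append(rec)
    return failures


if __name__ == "__main__":
    for rec in failed_tunnels(SAMPLE):
        print(rec["time"], rec["client"], rec["url"], rec["http_status"])
```

Adding `%rm` and `%Sh/%<A` to `accessFormat` would remove the need to infer the method and would record which peer, if any, each tunnel was sent to.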