Netgate Discussion Forum
    Error certificates for reverse proxy since upgrade to squid 0.4.44_19

    • viktor_g (Netgate)

      wait for 0.4.44_21 (~1 hour)
      or apply this patch:
      https://redmine.pfsense.org/issues/10434#note-4

      • viktor_g (Netgate)

        0.4.44_21 is ready, works OK

        • ic_attila, replying to viktor_g

          @viktor_g

          Hi!

          OWA Reverse Proxy still not working. Gives HTTP ERROR 403

          and on the Exchange server there is a flood of Event 36887 Schannel errors with TLS fatal error code 80

          • viktor_g (Netgate), replying to ic_attila

            @ic_attila said in Error certificates for reverse proxy since upgrade to squid 0.4.44_19:

            > @viktor_g
            >
            > Hi!
            >
            > OWA Reverse Proxy still not working. Gives HTTP ERROR 403
            >
            > and on the Exchange server there is a flood of Event 36887 Schannel errors with TLS fatal error code 80

            Can you provide more details about your squid reverse proxy configuration?
            The content of /usr/local/etc/squid/squid.conf could also be useful.

            The latest update only affects squid ACLs by adding IDN hostname support.

            • ic_attila, replying to viktor_g

              @viktor_g Good morning!

              Here are some logs and a link that may be useful:

              squid_redacted.conf.txt

              exchange_error_event_36887.txt

              403.png

              Event ID 36887 Schannel - Windows Server

              Is there a way to revert to 0.4.44_18? We had no configuration change, we just updated the package. At _18 it was working for about 130-140 days without restarting.

              • viktor_g (Netgate), replying to ic_attila

                @ic_attila
                bug in 0.4.44_18-20 created invalid cert files,
                this is why ssl/tls errors happened,
                please update to 0.4.44_21, re-apply configuration
                and check the contents of the cert files:

                /usr/local/etc/squid/5ae6266c036e3.crt
                /usr/local/etc/squid/5ae6266c036e3.key
                • they must be nonempty
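An added example (not from the thread or the pfSense squid package) of the check viktor_g asks for, done with the Python standard library only: it reports whether each of the two files above is missing, empty, or lacks a decodable PEM block of the expected type. The file paths are the ones quoted in the post; the sample PEM text is a constructed DER placeholder, not a real certificate.

```python
"""Sanity-check the squid reverse-proxy certificate/key files that the
0.4.44_18-20 package bug left invalid. Added example (stdlib only)."""
import base64
import os
import re

# Paths quoted in the thread (the hex prefix is the per-install cert id)
CERT_PATH = "/usr/local/etc/squid/5ae6266c036e3.crt"
KEY_PATH = "/usr/local/etc/squid/5ae6266c036e3.key"
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
# Constructed PEM text: MAMCAQE= is the DER SEQUENCE 30 03 02 01 01, a
# structural placeholder used for testing, not a real certificate.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der)] for each PEM block whose body decodes to DER."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if der[:1] == b"\x30":  # certs and PKCS#1/#8 keys are DER SEQUENCEs
            blocks.append((label, der))
    return blocks

def check_pem_text(text, expected_labels, name="pem"):
    """Return a list of problems; an empty list means the text looks usable."""
    if not text.strip():
        return [f"{name}: empty (the 0.4.44_18-20 symptom)"]
    blocks = pem_blocks(text)
    if not blocks:
        return [f"{name}: no decodable PEM block"]
    labels = {label for label, _ in blocks}
    if not labels & set(expected_labels):
        return [f"{name}: has {sorted(labels)}, expected {sorted(expected_labels)}"]
    return []

def check_pem_file(path, expected_labels):
    """Same check against a file on the firewall; a missing file is a problem too."""
    if not os.path.isfile(path):
        return [f"{path}: missing"]
    with open(path, encoding="ascii", errors="replace") as fh:
        return check_pem_text(fh.read(), expected_labels, name=path)

def check_squid_reverse_certs(cert_path=CERT_PATH, key_path=KEY_PATH):
    """Problems across both files; run after re-applying the squid config."""
    return check_pem_file(cert_path, {"CERTIFICATE"}) + check_pem_file(key_path, KEY_LABELS)
```

Run it on the firewall after re-applying the configuration; an empty result list means both files are present, non-empty and structurally PEM, which is the condition the post asks you to confirm.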
                • ic_attila, replying to viktor_g

                  @viktor_g Dear Viktor,

                  I've installed _21. The strange thing is that I can’t do a clean install. I’ve unchecked the “Keep Settings/Data” but after package reinstall all my settings are in place. Even if I deleted the entire /usr/local/etc/squid directory. No matter if I click reinstall or remove package and install it from the “Available Packages”. There is one thing to mention. I haven’t restarted the whole system after I noticed this error. Would it be desirable?
                  And yes, you are right. Those two files are not empty now. It seems working with other HTTPS reversing. Only the OWA part isn’t working.

                  • viktor_g (Netgate), replying to ic_attila

                    @ic_attila said in Error certificates for reverse proxy since upgrade to squid 0.4.44_19:

                    > @viktor_g Dear Viktor,
                    >
                    > I've installed _21. The strange thing is that I can’t do a clean install. I’ve unchecked the “Keep Settings/Data” but after package reinstall all my settings are in place.

                    I'll check it.
                    You can also create a redmine issue:
                    https://docs.netgate.com/pfsense/en/latest/development/bug-reporting.html

                    > Even if I deleted the entire /usr/local/etc/squid directory. No matter if I click reinstall or remove package and install it from the “Available Packages”. There is one thing to mention. I haven’t restarted the whole system after I noticed this error. Would it be desirable?

                    Actually your squid.conf looks fine,
                    but you can try to restart the system if it is possible.

                    > And yes, you are right. Those two files are not empty now. It seems working with other HTTPS reversing. Only the OWA part isn’t working.

                    Can you post the squid error log to check OWA?

                    There are no changes in the OWA code from 0.4.44_18 to _21;
                    list of changes:

                    • IPv6 transparent mode support
                    • IPv6 addresses in localnet ACL ('Allow Users on Interface')
                    • IPv6 addresses ACL support
                    • extra WebGUI input validations
                    • whitelist/blacklist IDN hostnames support
                    • ic_attila, replying to viktor_g

                      @viktor_g I'll reboot it in 3 hours. I'll report back after that.

                      • ic_attila, replying to viktor_g

                        @viktor_g Rebooted, nothing changed.
                        And because the Event 36887 Schannel errors on the Exchange side say TLS handshake error, I just turned on “Ignore Internal Certificate Validation” under “Intermediate CA Certificate”. I’m not sure if this is OK from a security standpoint, but it is working now.

                        • emeric

                          @viktor_g, thanks for 0.4.44_21

                          I made myself a test platform identical to my prod then I tested an update to 0.4.44_21. It's OK for my reverse proxy.

                          I will test the update on my prod tonight

                          • aDCoCa

                            After updating my DEV, QA and PRD servers to 0.4.44_21, squid reverse proxy works fine. Many thanks!

                            • emeric

                              @viktor_g, finally

                              I checked the logs after the upgrade to 0.4.44_21.
                              The reverse proxy works well.
                              But for each request arriving on the reverse proxy I have this error:

                              NONE/000	error:transaction-end-before-headers

                              I didn't have this before.

                              Do you have any idea?

                              Thanks

                              • viktor_g (Netgate), replying to emeric

                                @emeric

                                > Unused connections received in http_port or https_port or transactions terminated before reading[parsing] request headers logged with URI error:transaction-end-before-headers.
                                >
                                > These errors are meant to be logged for clients that open and close connections without sending any HTTP headers (or without sending complete HTTP headers — you can log HTTP request size to distinguish these two cases).

                                What is your pfSense version? 2.4.4-p3 or 2.4.5?

                                Please give us more information about your squid setup.

                                Do you use squid for your clients? In transparent mode?

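An added example, not from the thread, for triaging the log entries emeric describes: it parses squid's native access.log format and tallies the NONE/000 error:transaction-end-before-headers entries per client address, which is one way to see whether they come from LAN users or from internet clients as viktor_g asks below. The log lines are constructed with documentation addresses and an assumed host name (owa.example.test).

```python
"""Tally squid access.log entries for connections closed before any request
headers were read. Added example (native log format), not from the thread."""
from collections import Counter
from dataclasses import dataclass

HEADERLESS_URL = "error:transaction-end-before-headers"
# Constructed sample in native format:
# time elapsed client result/status bytes method URL rfc931 hierarchy/peer type
SAMPLE_LOG = """\
1587000000.123      0 203.0.113.5 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1587000000.456     87 203.0.113.5 TCP_MISS/200 5120 GET https://owa.example.test/owa/ - FIRSTUP_PARENT/10.0.0.20 text/html
1587000001.001      0 198.51.100.9 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1587000001.210      0 198.51.100.9 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1587000002.300    120 192.0.2.44 TCP_MISS/302 640 GET https://owa.example.test/ - FIRSTUP_PARENT/10.0.0.20 text/html
"""

@dataclass(frozen=True)
class Entry:
    timestamp: float
    client: str
    result: str  # e.g. TCP_MISS/200, or NONE/000 for these aborted connections
    url: str

def parse_native(line):
    """Parse one native-format line; returns None for blank or malformed lines."""
    fields = line.split()
    if len(fields) < 10:  # native format has exactly ten whitespace-separated fields
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    return Entry(ts, fields[2], fields[3], fields[6])

def tally_headerless(log_text):
    """Return (Counter of header-less entries per client, total parsed entries)."""
    per_client, total = Counter(), 0
    for line in log_text.splitlines():
        entry = parse_native(line)
        if entry is None:
            continue
        total += 1
        if entry.result == "NONE/000" and entry.url == HEADERLESS_URL:
            per_client[entry.client] += 1
    return per_client, total

def repeat_offenders(log_text, min_count=2):
    """Clients with at least min_count header-less connections, most frequent first."""
    per_client, _ = tally_headerless(log_text)
    return [c for c, n in per_client.most_common() if n >= min_count]
```

Feed it the real /var/squid/logs/access.log (path assumed); if the addresses are a load balancer or monitoring host opening TCP connections without sending a request, that explains the entries without pointing at a proxy fault.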
                                • emeric

                                  Thanks for the time you are taking on my problem.

                                  On my test platform I am on 2.4.5 and the version of squid is 0.4.44_22.

                                  Clients (internet) access my websites through the reverse proxy (squid).

                                  I have activated the proxy, but not in transparent mode and only for my users on the LAN going to the internet (so internet clients are not affected by this proxy).

                                  I checked my Headers Handling configuration on Squid:

                                  (screenshot attached)

                                  Do you need more information?

                                  • viktor_g (Netgate), replying to emeric

                                    @emeric what if you disable squid for LAN users?
                                    Or disable the reverse squid?
                                    Will you see the same errors?

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.