squid invalidates https requests
Hi all,
I run squid-3.5.27_3 on pfSense 2.4.4 as well as an in-house Sugar CRM server.
Recently Sugar license validation and update checks made to https://updates.sugarcrm.com/heartbeat/soap.php started failing (no changes made at our end).
Squid logs only produce 2 lines:
1587737506.670 0 192.168.5.30 TAG_NONE/400 4360 NONE error:invalid-request - HIER_NONE/- text/html
1587737506.978 301 192.168.5.30 TCP_MISS/301 464 POST http://updates.sugarcrm.com/heartbeat/soap.php - HIER_DIRECT/54.177.58.238 text/html
Increasing debug level to 9 hasn't added anything to this output and actually prevented squid from starting:
Apr 27 12:38:54 (squid-1) UFSSwapDir::openLog: Failed to open swap log.
Fixed with:
chown squid:proxy /var/squid/cache/swap.state*
The same requests go through fine directly (bypassing squid).
It appears that squid has decided to invalidate them.
Tcpdump in source reveals the following:
HTTP/1.1 400 Bad Request
Server: squid/3.5.27
Mime-Version: 1.0
Date: Mon, 27 Apr 2020 13:34:47 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 4000
X-Squid-Error: ERR_INVALID_REQ 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from PROXY
X-Cache-Lookup: NONE from PROXY:3128
Via: 1.1 PROXY (squid/3.5.27)
Connection: close
It also produces:
Some possible problems are:
- Missing or unknown request method.
- Missing URL.
- Missing HTTP Identifier (HTTP/1.0).
- Request is too large.
- Content-Length missing for POST or PUT requests.
- Illegal character in hostname; underscores are not allowed.
- HTTP/1.1 feature is being asked from an HTTP/1.0 software.
Can I determine which of the above is actually causing failures?
Why has it suddenly stopped working in March without any changes being made AFAIK?
Thanks,
Adam
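
One way to narrow down the list quoted in the post, as an added example that is not part of the original post and not Squid's own parser: feed the raw bytes of the client's request (for instance from the tcpdump capture) to a checker that tests the first six listed conditions. The `diagnose` function, the method set, the 64 KB limit and the sample request are assumptions made for illustration; the HTTP/1.0 feature condition is not covered.

```python
import re

# Methods accepted by this sketch; anything else is reported as unknown.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE",
           "CONNECT", "PATCH"}
MAX_HEADER_BYTES = 64 * 1024  # assumption: set to your request_header_max_size

def diagnose(raw: bytes) -> list:
    """Return the ERR_INVALID_REQ list entries that fit a captured request."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    method, problems = parts[0], []
    if method not in METHODS:
        # Binary data, such as a TLS record sent to a plain HTTP port, ends here.
        return ["Missing or unknown request method."]
    url = parts[1] if len(parts) > 1 else ""
    if not url or url.startswith("HTTP/"):
        problems.append("Missing URL.")
        url = ""
    if not re.fullmatch(r"HTTP/\d\.\d", parts[-1]):
        problems.append("Missing HTTP Identifier (HTTP/1.0).")
    if len(head) > MAX_HEADER_BYTES:
        problems.append("Request is too large.")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # A chunked body legitimately has no Content-Length, so it is not flagged.
    if (method in ("POST", "PUT") and "content-length" not in headers
            and "transfer-encoding" not in headers):
        problems.append("Content-Length missing for POST or PUT requests.")
    # Host comes from the absolute URL or CONNECT authority, else the Host header.
    host = re.match(r"(?:[a-z][a-z0-9+.-]*://)?([^/:\s]*)", url, re.I).group(1)
    host = host or headers.get("host", "").split(":")[0]
    if "_" in host:
        problems.append("Illegal character in hostname; underscores are not allowed.")
    return problems

# Constructed sample: a POST like the one in the access log, without a length.
SAMPLE = (b"POST http://updates.sugarcrm.com/heartbeat/soap.php HTTP/1.1\r\n"
          b"Host: updates.sugarcrm.com\r\n\r\n")

if __name__ == "__main__":
    for problem in diagnose(SAMPLE) or ["no listed problem matched"]:
        print(problem)
```

The access log alone cannot answer the question, because the TAG_NONE/400 entry records no method or URL; the bytes the client actually sent to port 3128 are what the checker needs.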