Squid3 error with HTTPS: ERR_TIMED_OUT
-
Dear all,
I have the following error:
On some HTTPS pages I get ERR_TIMED_OUT. I searched the logs, and each time I access the pages where I get the error, nothing is recorded in the Squid log.
squid3 is in transparent mode; in proxy mode it works fine.
I attach the squid.conf file:
http_port 192.168.0.128:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/local/share/certs/
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/local/share/certs/
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/local/share/certs/
icp_port 0
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language es-ar
icon_directory /usr/pbi/squid-i386/local/etc/squid/icons
visible_hostname Sohipren
cache_mgr sistemas@sohipren.com
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable off
pinger_program /usr/pbi/squid-i386/local/libexec/squid/pinger
sslcrtd_program /usr/pbi/squid-i386/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 5
sslproxy_capath /usr/pbi/squid-i386/local/share/certs/
sslproxy_cert_error allow all
sslproxy_cert_adapt setValidBefore all
logfile_rotate 10
debug_options rotate=10
shutdown_lifetime 3 seconds

# Allow local network(s) on interface(s)
acl localnet src 192.168.0.0/24
forwarded_for on
httpd_suppress_version_string on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 1000 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
acl donotcache dstdomain "/var/squid/acl/donotcache.acl"
cache deny donotcache
cache allow all

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# No redirector configured

#Remote proxies

# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
acl sslports port 443 563

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS

acl allowed_subnets src 192.168.0.0/24
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings

always_direct allow whitelist
ssl_bump none whitelist

# Custom options before auth
always_direct allow all
ssl_bump server-first all

# Always allow access to whitelist domains
http_access allow whitelist

# Block access to blacklist domains
http_access deny blacklist

acl sglog url_regex -i sgr=ACCESSDENIED
http_access deny sglog

always_direct allow all
ssl_bump server-first all

# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnet

# Default block all to be sure
http_access deny allsrc
Regards
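An added example, not code from this thread or from the pfSense Squid package: a small Python linter that reads a squid.conf and flags the things a reviewer would check in a configuration like the one posted above. It reports where the intercept listeners are bound (in transparent mode the firewall redirect for 80/443 has to deliver traffic to exactly that address:port, otherwise Squid never sees the request and nothing reaches access.log), TLS settings that weaken the bump (sslproxy_cert_error allow all makes the proxy accept any origin certificate on the client's behalf), and rules that can never match because an earlier catch-all already covers every request. The embedded input is a constructed excerpt of the posted config, not the full file, and the severity labels are my own.

```python
"""Lint a squid.conf for SSL-bump pitfalls (added example, not part of the thread)."""
from collections import Counter

# Constructed excerpt of the squid.conf posted above (long paths trimmed).
SAMPLE_CONF = """\
# constructed excerpt of the posted pfSense squid.conf
http_port 192.168.0.128:3128 ssl-bump generate-host-certificates=on cert=/usr/pbi/squid-i386/local/etc/squid/serverkey.pem
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on cert=/usr/pbi/squid-i386/local/etc/squid/serverkey.pem
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on cert=/usr/pbi/squid-i386/local/etc/squid/serverkey.pem
dns_v4_first on
sslproxy_cert_error allow all
sslproxy_cert_adapt setValidBefore all
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
acl allsrc src all
always_direct allow whitelist
ssl_bump none whitelist
always_direct allow all
ssl_bump server-first all
http_access allow whitelist
http_access deny blacklist
always_direct allow all
ssl_bump server-first all
http_access allow localnet
http_access deny allsrc
"""

# ACL names that match every request in this config: Squid's built-in "all"
# and the posted "acl allsrc src all" (assumption: no other catch-all is defined).
CATCH_ALL = {"all", "allsrc"}

# Directive families where rules are evaluated top-down, first match wins.
ORDERED_RULES = ("ssl_bump", "always_direct", "http_access", "cache")


def parse(conf):
    """Yield (lineno, directive, args) for each non-blank, non-comment line."""
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:]


def lint(conf):
    """Return a list of (lineno, severity, message) findings, in line order."""
    findings = []
    catch_all_at = {}  # directive family -> line of its first catch-all rule

    for lineno, directive, args in parse(conf):
        if directive in ("http_port", "https_port") and "intercept" in args:
            port = "443" if directive == "https_port" else "80"
            findings.append((lineno, "info",
                f"{directive} {args[0]} is an intercept listener: the firewall redirect "
                f"for TCP/{port} must deliver traffic to exactly this address:port, "
                f"otherwise Squid never sees (or logs) the request"))
        elif directive == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append((lineno, "high",
                "sslproxy_cert_error allow all: origin certificate errors are ignored, so "
                "the bumping proxy accepts forged or expired server certificates on behalf "
                "of every client"))
        elif directive == "sslproxy_cert_adapt" and args and args[0] == "setValidBefore":
            findings.append((lineno, "medium",
                "sslproxy_cert_adapt setValidBefore: generated certificates copy Not Before "
                "from the signing CA instead of mimicking the origin, so a not-yet-valid "
                "origin certificate is invisible to the client"))
        elif directive == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append((lineno, "high",
                "sslproxy_flags DONT_VERIFY_PEER: origin certificate validation is disabled"))

        # A rule placed after a catch-all of the same family can never match.
        if directive in ORDERED_RULES:
            if directive in catch_all_at:
                findings.append((lineno, "low",
                    f"{directive} rule is unreachable: shadowed by the catch-all on "
                    f"line {catch_all_at[directive]}"))
            elif args and args[-1] in CATCH_ALL:
                catch_all_at[directive] = lineno

    return findings


def summary(conf):
    """Count findings per severity; handy for a quick pass/fail."""
    return Counter(sev for _, sev, _ in lint(conf))


if __name__ == "__main__":
    for lineno, sev, msg in lint(SAMPLE_CONF):
        print(f"line {lineno:2d} [{sev:6s}] {msg}")
```

Run it against the real file with `lint(open("/usr/pbi/squid-i386/local/etc/squid/squid.conf").read())` (path as it appears in the posted config). The shadowing check is deliberately simple: it only tracks a literal `all`/`allsrc` as the last ACL on a rule, which is enough to catch the duplicated `always_direct allow all` and `ssl_bump server-first all` pairs in the posted config.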
-
Which version of pfSense are you using?
In Squid:
Is the HTTPS/SSL interception box enabled? If so, do you have an SSL certificate installed?
Comparing my squid.conf with yours, everything looks fine. I recommend you watch the following video: https://www.youtube.com/watch?v=Vx9RsCwMsl4
-
Thanks for the reply, and yes, I forgot to include the pfSense version:
squid3 0.2.8
pfSense 2.2.4. I have the certificate created and it is loaded in the browser. Many pages that use HTTPS, such as Google and Facebook, work fine.
I don't have squidguard3 configured because, since I have it installed in a testing environment, I am doing the tests in stages; once squid3 works I would install squidguard3 ("I don't know whether this is correct"). I have the same configuration as in the video.
Regards!
-
Make sure you are always resolving correctly (DNS).
http://www.vivaolinux.com.br:443/topico/Squid-Iptables/Erro-SSL
-
Thanks for the reply, ballera. I'll check the DNS side.
I'll keep you posted.
Regards!!