LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   squid3 gives error: '(71) Protocol error' (http://www.linuxquestions.org/questions/linux-server-73/squid3-gives-error-71-protocol-error-809143/)

eco 05-20-2010 03:51 PM

squid3 gives error: '(71) Protocol error'
 
Hi all,

I tried to get reverse proxy working with apache mod_proxy but that failed so I'm giving squid3 a go but with not much more luck. All connections to non ssl websites work fine. The following error I only get the second time I access the page, the first time the page is displayed properly! This does not make sense to me but maybe it will to one of you.

Code:

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: https://deb01.example.com/

The following error was encountered:
Connection to 192.168.122.11 Failed

The system returned:
    (71) Protocol error

The remote host or network may be down. Please try the request again.

Your cache administrator is webmaster.
Generated Thu, 20 May 2010 18:58:28 GMT by localhost (squid/3.0.STABLE8)

My setup
--------
Code:

                    +--> (deb02) vhosts running multile http
                    |
[WWW] -> KVM/SQUID ->+--> (deb01) vhost running a single https
                    |
                    +--> (deb03) vhosts running multile http and one https

My squid.conf
-------------

https_port 443 accel cert=/etc/ssl/deb01.example.com.crt key=/etc/ssl/deb01.example.com.pem defaultsite=deb01.example.com vhost protocol=https
http_port 80 accel defaultsite=deb02.example.com vhost

cache_peer 192.168.122.11 parent 443 0 no-query originserver login=PASS ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=srv01
cache_peer 192.168.122.2 parent 80 0 no-query originserver name=srv02

acl https proto https
acl sites_srv01 dstdomain deb01.example.com
acl sites_srv02 dstdomain deb02.example.com second.example.com

http_access allow sites_srv01
http_access allow sites_srv02
cache_peer_access srv01 allow sites_srv01
cache_peer_access srv02 allow sites_srv02

forwarded_for on
---

The first 'successful' connection gives the following entries in the logs:

-----BEGIN SSL SESSION PARAMETERS-----
MIGIAgEBAgIDAQQCADUEIDrfJnfrcvWw15QVzrwAlKJYsrinM/X+Ge9aeTyO8Fkx
BDBLAPhbkN6LTcdvHMF9YGm8ib5Qwjm05qP3rr7I+LBjpikfjzV5gJSXLfke83U0
ggOhBgIES/WH8aIEAgIBLKQCBACmFQQTZGViMDEucHJlY29nbmV0LmNvbQ==
-----END SSL SESSION PARAMETERS-----
2010/05/20 21:05:21| 192.168.122.11 digest requires version 17487; have: 5
2010/05/20 21:05:21| temporary disabling (invalid digest cblock) digest from 192.168.122.11
2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed
[...]
2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed
2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed

==> /var/log/squid3/store.log <==
1274382321.365 RELEASE -1 FFFFFFFF B4F6358BEF575DB8EE08C9E4544D1ED8 200 1274382321 -1 -1 unknown -1/584 GET http://192.168.122.11:443/squid-inte...c/store_digest
1274382321.394 RELEASE 00 00000000 5B2811E3C3DBF846FB471299507A118F ? ? ? ? ?/? ?/? ? ?
1274382321.394 SWAPOUT 00 00000000 5B2811E3C3DBF846FB471299507A118F 200 1274382321 -1 -1 x-squid-internal/vary -1/0 GET https://deb01.example.com/
1274382321.394 RELEASE 00 00000008 00A5F16BB26487A2923FC532D7EAFB78 ? ? ? ? ?/? ?/? ? ?
1274382321.394 SWAPOUT 00 00000008 EEC31BDDF7F08E5301417EBDCA25AFFE 200 1274382319 1273748130 -1 text/html 69/69 GET https://deb01.example.com/
1274382321.580 RELEASE -1 FFFFFFFF 092DD741F44CA089263CADBF1B57C579 503 1274382321 0 -1 text/html 2166/2166 GET https://deb01.example.com/favicon.ico
---


The second 'failed' connection shows the following log events:


==> /var/log/squid3/cache.log <==
2010/05/20 21:06:11| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
[...]
2010/05/20 21:06:12| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:06:12| TCP connection to 192.168.122.11/443 failed
2010/05/20 21:06:12| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:06:12| TCP connection to 192.168.122.11/443 failed

==> /var/log/squid3/store.log <==
1274382371.814 RELEASE -1 FFFFFFFF 7CE73618FCCE2E2FAEACF611AA1A4E74 503 1274382371 0 -1 text/html 2078/2078 GET https://deb01.example.com/
1274382372.040 RELEASE -1 FFFFFFFF 73DFF8B44CF4A746EE44FF83754CC5E8 503 1274382372 0 -1 text/html 2166/2166 GET https://deb01.example.com/favicon.ico
---

Any help would be greatly apreciated.


As a side note. If anyone can tell me how to show the IP of the squid server rather than the internal IP of the webserver (as in the error) that would be a bonus ;)

Thanks.

eco 05-23-2010 02:45 PM

The problem turned out to be wish zlib in ssl.

These are the steps I did on the squid server and this is the link to the howto

The following steps are the steps I took and vary slightly from the link above.

Download needed packages for building OpenSSL:
Code:

apt-get build-dep libssl0.9.8
apt-get source libssl0.9.8
cd openssl-0.9.8c

Then you have to alter the debian/rules file so as to disable the zlib during compilation.

Code:

CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 no-zlib
Next you can start the build process:

Code:

dpkg-buildpackage -rfakeroot -b
cd ..
apt-get remove openssl
dpkg -i *.deb

The custom version is installed. You now have to prevent future updates from overwriting your custom versions:

Code:

dpkg --set-selections
openssl hold
libssl0.9.8 hold
^D

Of course, this means that when new openssl versions are released they won't be automatically installed. You have to repeat this process each time, specially since they tend to be security updates.

Hope this can help someone.


All times are GMT -5. The time now is 01:39 AM.