Can't See https pages with Squid3
Hello all!
I'm having a little problem with my squid3. I have a development machine with Debian Lenny 5 and set up a squid3 proxy to cache the corporate proxy because it is too slow, which means I connect to my Debian box with squid3 and, if I don't have the page, it looks to the parent proxy. Everything works fine except the https pages. Here is my squid3.conf
Code:
acl manager proto cache_object
Code:
1238431830.073 0 180.183.66.33 TCP_HIT/301 759 GET http://www.gmail.com/ - NONE/- text/html
Thanks in advance
squid's access.log entries look OK. How are the https pages "not working"? Are you getting a dialog from squid itself?
Hello Anomie, and thanks for the reply.
I'm not getting any dialog from squid. Simply, when I type an https page, the browser starts loading for a while, then nothing; the page stays blank, a pure and simple white screen :D
Are there errors showing up in cache.log?
Also, what browser is this? (Try with a different browser // make sure https sites are working without going through a proxy.)
Hello anomie, I tried with Firefox, Google Chrome and IE8 and nothing, still a blank page.
This is my cache.log
Code:
intranet:/var/log/squid3# tailf cache.log
I haven't seen the problem you're describing before. I would be curious to see what is happening at the tcp level:
# tcpdump port 443
Then try to get to https gmail again. What does that show? Is the tcp handshake completing? Are you getting packets back, but your browser just isn't rendering a page? I'm not sure this capture will lend itself to a solution, but it could be a starting point.
---
edit: It sounds like you're on a Windows workstation. Packet captures can be run there using wireshark instead.
Well, I haven't seen this either, and yes, I'm on a Windows machine but can also use the Linux box and it is the same problem. In fact I have Wireshark installed due to a problem not long ago with an XML, but I'm not good at this area of networking :D
Going to post since I hit gmail until it stopped loading. This is what tcpdump throws:
Code:
intranet:~# tcpdump port 443
Quote:
You had to send twelve SYN packets to six different gmail servers (two to each server), and I did not see any SYN-ACK come back.
---
The other thing that is weird is I told you the wrong tcpdump filter, but you still captured traffic. ;) You ran that tcpdump session on a client workstation, right? This likely means that you are not using the squid proxy for https traffic.
In other words, squid's default tcp port is 3128 -- I should have told you to sniff there. Since we saw outbound traffic to tcp port 443, we know your browser is doing the wrong thing.
So, check your browser settings. You'll need to point both http and https (and maybe ftp, etc.) traffic to your squid proxy.
Good Morning Anomie,
Well, I logged into the squid box with PuTTY and ran the tcpdump, and all types of connection for proxy were checked in the browser, so this is a real mystery for me. I will use the Windows machine with Firefox to connect to gmail and I will do a tcpdump on port 3128; same way as the last time, I hit gmail until it stopped loading.
Code:
intranet:~# tcpdump port 3128
Any other info you need, just tell me, and thanks again
pliqui: I do not see anything in that tcpdump output that indicates you are making https connections to gmail. Can you double check that your web browser is using the proxy for both http and https? Check here for an example of what firefox should look like: http://img168.imageshack.us/my.php?image=proxyshot.png
Also, I don't want to invade your privacy, but for your tcpdump output it would be better to not obfuscate the IP addresses. (It makes it too difficult to understand the tcp conversation.)
One more thing we could try to support the point that the problem is likely on the end-user/browser side and not with squid itself -- run this on the squid server box:
Code:
$ /usr/sbin/squidclient https://mail.google.com/mail
* If it dumps some html-formatted data telling you that the document has moved, then try squidclient with the moved URL (it may be rather long). Does that URL dump another page into your terminal?
Sorry about the IP obfuscation; when I captured port 3128 it was only the packets between the squid box and the Windows PC. And I'm using the squid in all protocols :D I cannot upload the pic from work, will do tonight at home.
The squid client command
Code:
intranet:~# squidclient https://mail.google.com/mail
Aha. Let's see your squid.conf (edit: I see you posted it already in the first post; reading it now.) -- maybe you're denying CONNECT method (although I would think that error message would be a bit different).
Code:
# egrep -v '(^$|^#)' squid.conf
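Added example, not part of the original thread: HTTPS through a forward proxy travels inside an HTTP CONNECT tunnel, so one way to test the "denying CONNECT" theory is to send a CONNECT to the proxy and classify its first reply. The helper names and the sample replies are constructed for illustration; port 3128 and mail.google.com come from the thread.

```python
import socket

def build_connect_request(host, port=443):
    """Bytes a browser sends to a proxy to open an HTTPS tunnel."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def classify_connect_reply(raw):
    """Map the proxy's status line to a likely cause (generic HTTP semantics)."""
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return (0, "not an HTTP reply: is this port really the proxy?")
    code = int(parts[1])
    if 200 <= code < 300:
        return (code, "tunnel established: proxy permits CONNECT to this port")
    if code == 403:
        return (code, "denied by proxy access rules (check http_access / CONNECT ACLs)")
    if code == 407:
        return (code, "proxy authentication required")
    if code in (502, 503, 504):
        return (code, "proxy could not reach the destination or its parent proxy")
    return (code, "unexpected status: inspect cache.log")

def probe(proxy_host, proxy_port, host, timeout=10.0):
    """Send one CONNECT through the proxy and classify the first reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(host))
        return classify_connect_reply(s.recv(4096))

# Constructed sample replies (not taken from the thread's logs).
SAMPLES = [
    b"HTTP/1.0 200 Connection established\r\n\r\n",
    b"HTTP/1.0 403 Forbidden\r\nServer: squid\r\n\r\n",
    b"HTTP/1.0 503 Service Unavailable\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_connect_reply(sample))
    # Live check against a proxy on squid's default port, for example:
    # print(probe("127.0.0.1", 3128, "mail.google.com"))
```

A 403 points at the local proxy's own access rules, while a 502/503/504 points past it, at the route to the destination or the parent proxy.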
Well, I am out of ideas for the moment (unless you're doing some redirection as described in the thread I linked to above).
You installed squid from official Debian repositories? If "yes", then maybe see if an upgrade is available. If "no", then I would save your config and install from an official source.
Yes, I installed squid from the Debian repositories. Today I installed the unstable version and it is the same problem. I was searching for the error that the squid client told us and it seems to be the squid.
Will search more and try to think of a way to fix it. I really appreciate your time invested here, I learned a few tricks. Thanks!