LinuxQuestions.org
Old 05-20-2010, 02:51 PM   #1
eco
Member
 
Registered: May 2006
Location: BE
Distribution: Debian/Gentoo
Posts: 412

Rep: Reputation: 48
Question squid3 gives error: '(71) Protocol error'


Hi all,

I tried to get reverse proxy working with apache mod_proxy but that failed, so I'm giving squid3 a go, but with not much more luck. All connections to non-SSL websites work fine. The following error I only get the second time I access the page; the first time the page is displayed properly! This does not make sense to me but maybe it will to one of you.

Code:
ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: https://deb01.example.com/ 

The following error was encountered: 
Connection to 192.168.122.11 Failed 

The system returned: 
    (71) Protocol error

The remote host or network may be down. Please try the request again. 

Your cache administrator is webmaster. 
Generated Thu, 20 May 2010 18:58:28 GMT by localhost (squid/3.0.STABLE8)
My setup
--------
Code:
                     +--> (deb02) vhosts running multiple http
                     |
[WWW] -> KVM/SQUID ->+--> (deb01) vhost running a single https
                     |
                     +--> (deb03) vhosts running multiple http and one https
My squid.conf
-------------

https_port 443 accel cert=/etc/ssl/deb01.example.com.crt key=/etc/ssl/deb01.example.com.pem defaultsite=deb01.example.com vhost protocol=https
http_port 80 accel defaultsite=deb02.example.com vhost

cache_peer 192.168.122.11 parent 443 0 no-query originserver login=PASS ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=srv01
cache_peer 192.168.122.2 parent 80 0 no-query originserver name=srv02

acl https proto https
acl sites_srv01 dstdomain deb01.example.com
acl sites_srv02 dstdomain deb02.example.com second.example.com

http_access allow sites_srv01
http_access allow sites_srv02
cache_peer_access srv01 allow sites_srv01
cache_peer_access srv02 allow sites_srv02

forwarded_for on
---

The first 'successful' connection gives the following entries in the logs:

-----BEGIN SSL SESSION PARAMETERS-----
MIGIAgEBAgIDAQQCADUEIDrfJnfrcvWw15QVzrwAlKJYsrinM/X+Ge9aeTyO8Fkx
BDBLAPhbkN6LTcdvHMF9YGm8ib5Qwjm05qP3rr7I+LBjpikfjzV5gJSXLfke83U0
ggOhBgIES/WH8aIEAgIBLKQCBACmFQQTZGViMDEucHJlY29nbmV0LmNvbQ==
-----END SSL SESSION PARAMETERS-----
2010/05/20 21:05:21| 192.168.122.11 digest requires version 17487; have: 5
2010/05/20 21:05:21| temporary disabling (invalid digest cblock) digest from 192.168.122.11
2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed
[...]
2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed
2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed

==> /var/log/squid3/store.log <==
1274382321.365 RELEASE -1 FFFFFFFF B4F6358BEF575DB8EE08C9E4544D1ED8 200 1274382321 -1 -1 unknown -1/584 GET http://192.168.122.11:443/squid-inte...c/store_digest
1274382321.394 RELEASE 00 00000000 5B2811E3C3DBF846FB471299507A118F ? ? ? ? ?/? ?/? ? ?
1274382321.394 SWAPOUT 00 00000000 5B2811E3C3DBF846FB471299507A118F 200 1274382321 -1 -1 x-squid-internal/vary -1/0 GET https://deb01.example.com/
1274382321.394 RELEASE 00 00000008 00A5F16BB26487A2923FC532D7EAFB78 ? ? ? ? ?/? ?/? ? ?
1274382321.394 SWAPOUT 00 00000008 EEC31BDDF7F08E5301417EBDCA25AFFE 200 1274382319 1273748130 -1 text/html 69/69 GET https://deb01.example.com/
1274382321.580 RELEASE -1 FFFFFFFF 092DD741F44CA089263CADBF1B57C579 503 1274382321 0 -1 text/html 2166/2166 GET https://deb01.example.com/favicon.ico
---


The second 'failed' connection shows the following log events:


==> /var/log/squid3/cache.log <==
2010/05/20 21:06:11| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
[...]
2010/05/20 21:06:12| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:06:12| TCP connection to 192.168.122.11/443 failed
2010/05/20 21:06:12| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:06:12| TCP connection to 192.168.122.11/443 failed

==> /var/log/squid3/store.log <==
1274382371.814 RELEASE -1 FFFFFFFF 7CE73618FCCE2E2FAEACF611AA1A4E74 503 1274382371 0 -1 text/html 2078/2078 GET https://deb01.example.com/
1274382372.040 RELEASE -1 FFFFFFFF 73DFF8B44CF4A746EE44FF83754CC5E8 503 1274382372 0 -1 text/html 2166/2166 GET https://deb01.example.com/favicon.ico
---

Any help would be greatly appreciated.


As a side note, if anyone can tell me how to show the IP of the squid server rather than the internal IP of the webserver (as in the error), that would be a bonus.

Thanks.
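
A small triage helper for the cache.log output quoted above, as an added example that is not part of the original post: it groups `fwdNegotiateSSL` handshake errors by the peer named in the next `TCP connection to ... failed` line, so a compression-related failure against one cache_peer stands out. The function names, the sample text and the pairing of each error with the following failure line are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the cache.log format quoted in the post above.
SAMPLE_CACHE_LOG = """\
2010/05/20 21:05:21| 192.168.122.11 digest requires version 17487; have: 5
2010/05/20 21:05:21| fwdNegotiateSSL: Error negotiating SSL connection on FD 16: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:05:21| TCP connection to 192.168.122.11/443 failed
2010/05/20 21:06:11| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:06:12| fwdNegotiateSSL: Error negotiating SSL connection on FD 15: error:1408F06B:SSL routines:SSL3_GET_RECORD:bad decompression (1/-1/0)
2010/05/20 21:06:12| TCP connection to 192.168.122.11/443 failed
"""

# OpenSSL error strings have the shape error:<hex code>:<library>:<function>:<reason>.
SSL_ERR = re.compile(
    r"^\S+ \S+\| fwdNegotiateSSL: Error negotiating SSL connection on FD \d+: "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*?) \(")
PEER_FAIL = re.compile(r"^\S+ \S+\| TCP connection to (?P<peer>[\d.]+)/(?P<port>\d+) failed")


def triage(log_text):
    """Return ({peer: {(code, func, reason): count}}, unattributed_errors)."""
    pending = []  # handshake errors seen but not yet tied to a peer
    by_peer = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = SSL_ERR.match(line)
        if m:
            pending.append((m["code"].upper(), m["func"], m["reason"]))
            continue
        m = PEER_FAIL.match(line)
        if m:
            # Assumption: a failure line closes the run of errors logged before it.
            peer = f'{m["peer"]}:{m["port"]}'
            for err in pending:
                by_peer[peer][err] += 1
            pending = []
    return {p: dict(e) for p, e in by_peer.items()}, pending


def compression_peers(log_text):
    """Peers whose handshake failures mention (de)compression in the reason text."""
    by_peer, _ = triage(log_text)
    return sorted(p for p, errs in by_peer.items()
                  if any("compression" in reason for _, _, reason in errs))


if __name__ == "__main__":
    print(triage(SAMPLE_CACHE_LOG)[0])
    print("compression-related failures:", compression_peers(SAMPLE_CACHE_LOG))
```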
 
Old 05-23-2010, 01:45 PM   #2
eco
Member
 
Registered: May 2006
Location: BE
Distribution: Debian/Gentoo
Posts: 412

Original Poster
Rep: Reputation: 48
The problem turned out to be with zlib in SSL.

These are the steps I did on the squid server and this is the link to the howto

The following steps are the steps I took and vary slightly from the link above.

Download needed packages for building OpenSSL:
Code:
apt-get build-dep libssl0.9.8
apt-get source libssl0.9.8
cd openssl-0.9.8c
Then you have to alter the debian/rules file so as to disable the zlib during compilation.

Code:
 CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 no-zlib
Next you can start the build process:

Code:
dpkg-buildpackage -rfakeroot -b
cd ..
apt-get remove openssl
dpkg -i *.deb
The custom version is installed. You now have to prevent future updates from overwriting your custom versions:

Code:
dpkg --set-selections
openssl hold
libssl0.9.8 hold
^D
Of course, this means that when new openssl versions are released they won't be automatically installed. You have to repeat this process each time, especially since they tend to be security updates.

Hope this can help someone.
 
  

