Re: [squid-users] No access to HTTPS sites and funny error page.

From: Kevin <[email protected]>
Date: Fri, 3 Mar 2006 04:22:10 -0600

On 3/2/06, Andre Labuschagne <alabuschagne@rmbprivatebank.com> wrote:
> >On 3/2/06, Andre Labuschagne <alabuschagne@rmbprivatebank.com> wrote:
> >> I am fairly new at running Squid and we are currently evaluating
> >> moving from ISA server to Squid. It now seems as if there is some
> >> difficulty in running Squid with https sites.
>
> >How are the clients configured to reach the proxy?
>
> The users all use IE5.5 or higher and we have Active Directory, so we
> use a Group Policy to send the proxy settings.

Good idea.

> >With the switch from ISA to Squid, are there any changes made to the
> client configuration?
>
> Other than an IP address change everything is still the same.
>
> >> I understand the concept of Squid effectively just passing through
> >> connections to https sites without impacting the data at all, but on
> >> our ISA server access to internet bank sites is permitted with no
> problem.
> >> On squid the response is slow and frequently the client gets a "While
>
> >> trying to retrieve the URL: failed:443". I have tried to Google with
> >> failed:443 but no results.
>
> >So for the banking sites you're seeing log lines like this?
>
> >1141285236.662 28014 10.42.8.4.252 TCP_MISS/200 25642 CONNECT
> >secure.somebank.com:443 - DIRECT/4.24.117.9 -
>
> Yes, this is exactly what I am seeing.

Sounds like everything is in order, no technical reason for the
connections to fail.

I've seen a few odd cases where MSIE would choose to go 'direct'
(TCP/443 to the internet IP) instead of connecting to the proxy server
and sending a "CONNECT" request, but this wouldn't show up in the
Squid log at all.

One thing I've found helpful is to find a usually reliable HTTPS
object (e.g. https://www.paypalobjects.com/en_US/i/logo/paypal_logo.gif)
and set up an automated process to retrieve this every five minutes
and record the result and any error codes.

>On squid the response is slow and frequently the client gets a "While
> trying to retrieve the URL: failed:443". I have tried to Google with
>failed:443 but no results.

That is definitely a squid error, but the "failed:443 " is odd, can
anybody point to where in Squid source this message would originate?

Since SSL objects are inherently uncachable, you could of course
choose to modify the client policy so these sessions always go direct,
bypass squid. Personally I wouldn't do that, and I route all browser
traffic through squid and do not see this problem.

Kevin
Received on Fri Mar 03 2006 - 03:22:13 MST

This archive was generated by hypermail pre-2.1.9 : Sat Apr 01 2006 - 12:00:03 MST