Can't connect to HTTPS websites via squid proxy

I've just tried to create a proxy server on an OpenVZ VPS running CentOS 7. All good, but I can't access HTTPS websites like Google, Instagram, Facebook, etc. It says timeout, took too long to respond.

I've generated a myCA.pem certificate and, using ssl_bump, I've linked the signed certificate without errors (checked with systemctl status squid), and now when I try to connect to the websites enumerated above it gives me a no-internet error:


Below is my squid.conf, and here is my cache.log: http://pastebin.com/MUkujTig

acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_port 3128 ssl-bump \
 generate-host-certificates=on \
 dynamic_cert_mem_cache_size=4MB \
 key=/etc/squid/ssl_cert/myCA.pem \
 cert=/etc/squid/ssl_cert/myCA.pem

# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB    sslcrtd_children 8 startup=1 idle=1

hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
cache deny all

refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

icp_port 3130

forwarded_for off

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all

I've added port 3128 to the public zone using firewall-cmd.


For my purpose I don't need to use sslbump, so I have deleted it and solved it by adding this line to squid.conf: dns_v4_first on


Your log has the following line:

 (ssl_crtd): Failed to initialize /var/lib/ssl_db/index.txt file for writing

This means that you have mistakes in your sslbump configuration.

The problem with your configuration is that you can't have /var/lib/ssl_db as your sslbump storage, since you won't be able to initialize it with the following command: /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db. The ssl_db dir shouldn't exist before you issue the command or it will fail, but the squid user can't create the directory in /var/lib because of permissions. So you need to change that directory to /var/lib/squid/ssl_db by running the following commands (start as root!):

  1. sudo su (or any other mean to get root shell)
  2. mkdir /var/lib/squid/
  3. chown -R squid:squid /var/lib/squid/
  4. su -l squid -s /bin/bash (next command should be run as squid user, so this step is important)
  5. /usr/lib64/squid/ssl_crtd -c -s /var/lib/squid/ssl_db

If you are successful, the output should display:

 Initialization SSL db...
 Done

Now you change your squid.conf to the new ssl_db directory:

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

And this directive should start on a new line; you have a mistake in your config file:

sslcrtd_children 8 startup=1 idle=1

I hope this will help (unless you are doing some censorship, then I hope it won't :))!

P.S. This is not your case, but I'll add nevertheless:

Different distros place the ssl_crtd command in different directories, but people have a tendency to copy config files without checking that it exists first. Launching /usr/lib64/squid/ssl_crtd as the squid user should display:

Uninitialized SSL certificate database directory: . To initialize, run "ssl_crtd -c -s ".

If it says command not found, then ssl_crtd might actually be located at /usr/libexec/squid/ssl_crtd.

P.P.S. After a two-hour Skype session trying to fix the unfixable, the solution was found: disabling IPv6, which had been incorrectly configured by the hosting provider :)

Who would have thought that it would all come down to the following commands:

 sysctl -w net.ipv6.conf.all.disable_ipv6=1
 sysctl -w net.ipv6.conf.default.disable_ipv6=1
 sysctl -w net.ipv6.conf.lo.disable_ipv6=1

And adding:

 dns_v4_first on

into squid.conf.
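The ssl_db initialization steps and the two config mistakes from the answer above, turned into preflight checks. This is an added example, not code from the question or the answer; it assumes a plain squid.conf file, the two ssl_crtd locations the answer names, and "squid" as the service account.

```shell
#!/bin/sh
# Added example (not the asker's or answerer's code): preflight checks for the
# ssl_crtd setup described above. Assumes a plain squid.conf file, the two
# ssl_crtd locations the answer names, and "squid" as the service account.

# Print the ssl_crtd path from the two known locations, or fail if neither exists.
find_ssl_crtd() {
  for p in /usr/lib64/squid/ssl_crtd /usr/libexec/squid/ssl_crtd; do
    [ -x "$p" ] && { printf '%s\n' "$p"; return 0; }
  done
  return 1
}

# Print the directory passed as "-s <dir>" on the sslcrtd_program line of a squid.conf.
sslcrtd_db_path() {
  sed -n 's/^sslcrtd_program[[:space:]].*-s[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Report the two mistakes from the question's config; the return value is the finding count.
lint_sslcrtd_conf() {
  n=0
  if grep -q '^sslcrtd_program.*sslcrtd_children' "$1"; then
    echo "sslcrtd_children must start on its own line"; n=$((n+1))
  fi
  db=$(sslcrtd_db_path "$1")
  if [ "$(dirname "$db")" = /var/lib ]; then
    echo "$db: the squid user cannot create a directory directly under /var/lib; use /var/lib/squid/ssl_db"; n=$((n+1))
  fi
  return $n
}

# Steps 1-5 of the answer, with the checks that make them fail early (run as root).
init_ssl_db() {
  db="${1:-/var/lib/squid/ssl_db}"
  crtd=$(find_ssl_crtd) || { echo "ssl_crtd not found in either known location"; return 1; }
  [ -e "$db" ] && { echo "$db already exists; ssl_crtd -c must create it itself"; return 1; }
  mkdir -p "$(dirname "$db")" && chown -R squid:squid "$(dirname "$db")" || return 1
  su -l squid -s /bin/bash -c "$crtd -c -s $db"   # the database must be created as the squid user
}

# Constructed sample: the faulty sslcrtd line from the question's squid.conf, linted in a temp file.
demo_lint() {
  tmp=$(mktemp); n=0
  printf '%s\n' 'sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB    sslcrtd_children 8 startup=1 idle=1' > "$tmp"
  lint_sslcrtd_conf "$tmp" || n=$?
  rm -f "$tmp"
  return $n   # 2 findings for the question's line
}
```

Run `lint_sslcrtd_conf /etc/squid/squid.conf` before restarting Squid, and `init_ssl_db` as root once the config is clean.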