Squid error transaction end before headers

This topic has been deleted. Only users with topic management privileges can see it.

• Hi,
  i have version 2.4.5 of PfSense, i have installed squid in transparent mode (SSL/MITM Mode Splice All) + squidguard:
  

  Squid proxy SSL/MITM Mode Splice All and SquidGuard Default access ALL DENY and only a few domains allowed;

  in the squid log , from all clients I find many of these:

  NONE/000 error:transaction-end-before-headers
  NONE/503 http:443
  NONE/200 http:443

  

  Why?
  is it a problem?
  

• reading here:
  https://www.freshports.org/www/squid
  http://www.squid-cache.org/Versions/v4/squid-4.11-RELEASENOTES.html#ss3.2
  

  that with version 4.11 they solved the problem?
  how can I update my current version to 4.11?

  Thanks

• I installed the latest updates 0.4.44_26 but the Squid version is always 4.10

  

• MITM is always some pain in the back and it took me a while to make it work. Without to know your current config & ACLs it is impossible to point you in the right direction to find a solution but I can tell you that it works, if the setup is done right.

  Chris

• @CaliPilot
  in Squid there are no particular ACLs, the whole network passes through the transparent proxy,

  in SquidGuard Common ACL Target Categories «Default access [all]» is DENY and «Lark» is ALLOW
  in SquidGuard «Target categories» (Lark) witch Domain list
  

  the «error: transaction-end-before-headers» problem be fixed on version 4.11 or not?
  how do i update it?

• @xalex1977 You should post your squid.conf because (with no offense) I guess there are other issues. With splice all it should work more or less out of the box if the setup is right. You can also check this post …

  https://forum.netgate.com/topic/153933/solved-squid-0-4-44_25-assertion-failed-http-cc-1533-comm-monitorsread-serverconnection-fd/2

  … where I answered on our own issues and how we solved them.

  Chris

• 
  

  squid.conf:

  # This file is automatically generated by pfSense
  # Do not edit manually !
  
  http_port 192.168.1.253:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
  
  http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
  
  https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
  
  icp_port 0
  digest_generation off
  dns_v4_first on
  pid_filename /var/run/squid/squid.pid
  cache_effective_user squid
  cache_effective_group proxy
  error_default_language en
  icon_directory /usr/local/etc/squid/icons
  visible_hostname localhost
  cache_mgr admin@localhost
  access_log /var/squid/logs/access.log
  cache_log /var/squid/logs/cache.log
  cache_store_log none
  netdb_filename /var/squid/logs/netdb.state
  pinger_enable on
  pinger_program /usr/local/libexec/squid/pinger
  sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048
  tls_outgoing_options capath=/usr/local/share/certs/
  tls_outgoing_options options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
  tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS
  tls_outgoing_options flags=DONT_VERIFY_PEER
  sslcrtd_children 5
  sslproxy_cert_error allow all
  
  logfile_rotate 7
  debug_options rotate=7
  shutdown_lifetime 3 seconds
  # Allow local network(s) on interface(s)
  acl localnet src  192.168.1.0/24
  forwarded_for on
  uri_whitespace strip
  
  acl dynamic urlpath_regex cgi-bin ?
  cache deny dynamic
  
  cache_mem 64 MB
  maximum_object_size_in_memory 256 KB
  memory_replacement_policy heap GDSF
  cache_replacement_policy heap LFUDA
  minimum_object_size 0 KB
  maximum_object_size 4 MB
  cache_dir ufs /var/squid/cache 100 16 256
  offline_mode off
  cache_swap_low 90
  cache_swap_high 95
  cache allow all
  # Add any of your own refresh_pattern entries above these.
  refresh_pattern ^ftp:    1440  20%  10080
  refresh_pattern ^gopher:  1440  0%  1440
  refresh_pattern -i (/cgi-bin/|?) 0  0%  0
  refresh_pattern .    0  20%  4320
  
  
  #Remote proxies
  
  
  # Setup some default acls
  # ACLs all, manager, localhost, and to_localhost are predefined.
  acl allsrc src all
  acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 3129 1025-65535 
  acl sslports port 443 563 8080 
  
  acl purge method PURGE
  acl connect method CONNECT
  
  # Define protocols used for redirects
  acl HTTP proto HTTP
  acl HTTPS proto HTTPS
  
  # SslBump Peek and Splice
  # http://wiki.squid-cache.org/Features/SslPeekAndSplice
  # http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
  # Match against the current step during ssl_bump evaluation [fast]
  # Never matches and should not be used outside the ssl_bump context.
  #
  # At each SslBump step, Squid evaluates ssl_bump directives to find
  # the next bumping action (e.g., peek or splice). Valid SslBump step
  # values and the corresponding ssl_bump evaluation moments are:
  #   SslBump1: After getting TCP-level and HTTP CONNECT info.
  #   SslBump2: After getting TLS Client Hello info.
  #   SslBump3: After getting TLS Server Hello info.
  # These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
  # they can be used there for custom configuration.
  acl step1 at_step SslBump1
  acl step2 at_step SslBump2
  acl step3 at_step SslBump3
  acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
  http_access allow manager localhost
  
  http_access deny manager
  http_access allow purge localhost
  http_access deny purge
  http_access deny !safeports
  http_access deny CONNECT !sslports
  
  # Always allow localhost connections
  http_access allow localhost
  
  request_body_max_size 0 KB
  delay_pools 1
  delay_class 1 2
  delay_parameters 1 -1/-1 -1/-1
  delay_initial_bucket_level 100
  delay_access 1 allow allsrc
  
  # Reverse Proxy settings
  
  
  # Package Integration
  url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
  url_rewrite_bypass off
  url_rewrite_children 16 startup=8 idle=4 concurrency=0
  
  # Custom options before auth
  
  
  # Always allow access to whitelist domains
  http_access allow whitelist
  ssl_bump peek step1
  ssl_bump splice all
  # Setup allowed ACLs
  # Allow local network(s) on interface(s)
  http_access allow localnet
  # Default block all to be sure
  http_access deny allsrc
  
  
  

  squidGuard.conf:

  # ============================================================
  # SquidGuard configuration file
  # This file generated automaticly with SquidGuard configurator
  # (C)2006 Serg Dvoriancev
  # email: dv_serg@mail.ru
  # ============================================================
  
  logdir /var/squidGuard/log
  dbhome /var/db/squidGuard
  
  # 
  dest Lark {
  	domainlist Lark/domains
  	log block.log
  }
  
  # 
  rew safesearch {
  	s@(google..*/search?.*q=.*)@1&safe=active@i
  	s@(google..*/images.*q=.*)@1&safe=active@i
  	s@(google..*/groups.*q=.*)@1&safe=active@i
  	s@(google..*/news.*q=.*)@1&safe=active@i
  	s@(yandex..*/yandsearch?.*text=.*)@1&fyandex=1@i
  	s@(search.yahoo..*/search.*p=.*)@1&vm=r&v=1@i
  	s@(search.live..*/.*q=.*)@1&adlt=strict@i
  	s@(search.msn..*/.*q=.*)@1&adlt=strict@i
  	s@(.bing..*/.*q=.*)@1&adlt=strict@i
  	s@(duckduckgo..*/?.*q=.*)@1&kp=1@i
  	s@(rambler..*/?.*query=.*)@1&adult=family@i
  	s@(qwant..*/?.*q=.*)@1&s=2@i
  	log block.log
  }
  
  # 
  acl  {
  	# 
  	default  {
  		pass !in-addr Lark none
  		redirect http://192.168.1.253:8080/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
  		log block.log
  	}
  }
  

  I also attach
  squidguard_conf.xml

• @xalex1977 said in Squid transparent proxy + SquidGuard error «transaction-end-before-headers»:

  reading here:
  https://www.freshports.org/www/squid
  http://www.squid-cache.org/Versions/v4/squid-4.11-RELEASENOTES.html#ss3.2
  

  that with version 4.11 they solved the problem?
  how can I update my current version to 4.11?

  Thanks

  when will squid-4.11 be installed from packages?

• can anyone tell me when squid-4.11 will be available to solve the problem?
  thank you

• Have sam issue here, after update to 4.10, users started to complain and have same errors in logs, squid 4.11 is not available for now in package manager

• @srlek have you encountered the same problem? how can we solve?

• Redmine issue created: https://redmine.pfsense.org/issues/10608

• Same Error….. too bad …..

• Same error here, squid-4.10

  I found some release notes about squid version 4.11, here:

  http://ftp.meisei-u.ac.jp/mirror/squid/squid-4.11-RELEASENOTES.html#toc3.2

  Section 3.2 Changes to existing tags:

  Unused connections received in http_port or https_port or transactions terminated before reading[parsing] request headers are logged with URI error:transaction-end-before-headers.

• @xalex1977 larksuite.com is running on a CDN. We faced the same issues like you, with other and more dramatic consequences (squid crashes and so on). We pinned it down to DNS. We changed from Google-DNS to the local ones from our ISPs, we made DNS-Resolver work (and played with minimum TTLs), fixed our Windows-DNS Servers and disabled the name caches (which doesn’t work, we clean them now manually every 5 Minutes via a script) and we disabled name-caching on our clients. Key is that your DNS between Pfsense, internal DNS and your clients is always sync. Squid is a b*tch if one of your boxes is responding with the wrong host or ips.

  We made for critical sites (like SAP C4C) static host overrides because they drive crazy with changing their IP every few minutes. All in all i’m very happy right now with or setup!

  Another trick we learned that you can use an Alias in Squid to Bypass traffic like for services hosted by Apple (iTunes, App-Store and so on). Key is that you add all known cnames from that cdn-hosted site to your Alias and add that Alias to Squid in the «bypass proxy for these destination IPs».

  

  

  

  I’m not a hardcore linux or network specialist but if you check your config, fix your dns and have everything in place it works pretty well. It is some work in the beginning (GotoMeeting, Teams and Apple stuff) and sometimes it’s challenging but it will work!

  Chris

• @CaliPilot hi, unfortunately larksuite has a lot of third level domains and it is impossible for me to create aliases;
  we use the windows active directory server dns, I would not want disabled Windows-DNS Servers name caches and name-caching on our clients, it is too uncomfortable.

  Will this problem not be corrected with a new version of Squid?

  Thanks

• The error in your log seems to be a CONNECT issue.
  The Browser opens a CONNECT session to the target site and will only accept a socket address, not a URL.
  The Rewrite URL from squidguard https://site.com/sgerror.php is parsed as a socket address like host:port

  We have squid with SSL MITM, ClamAV and Squidguard with correct url redirect working with the following setting:

  squid mitm: splice whitelist, bump otherwise

  additional advanced options:
  url_rewrite_access deny CONNECT
  url_rewrite_access allow all

  This will deny CONNECT sessions for non-whitelisted sites and will let the redirect work.

  As redirect function in squidguard you need to set «ext url move», not redirect.

• @xalex1977 também tenho esse mesmo problema! Estou com pfsnse 2.5.0 + Proxy Transparente + interceptação SSL. Notei que esses erros está diretamente relacionado ao dispositivo que acessam via wifi. Não sei se tem algo relacionado ou só consciência.

• Amigo onde você insere essa informação adicional?
  Seria no campo «Opções personalizadas (SSL / MITM)» ???

• @kasalencar i have version 2.4.5-RELEASE-p1 + squid in transparent mode (SSL/MITM Mode Splice All) + squidguard and i still have the problem

• @xalex1977 Eu notei que no acontece esse erro em páginas bloqueadas pelo SquidGuard e o dispositivo não possuí o certificado emitido pelo firewall.

  Após o usuário recarregar a consulta, a página mostrada é a do Squid com mensagem de block.

• Can confirm this is a DNS issue. Fixed by enabling «DNS Query Forwarding» under Services > DNS Resolver.

forum.lissyara.su

Русские солдаты не умирают — они отсутпают в рай, на перегруппировку

Медленная работа squid

Модератор: terminus

Медленная работа squid

Подскажите пожалуйста
Есть интернет шлюз FreeBSD 11.3 + squid 4.8_1

У пользователей которые используют прокси-сервер squid для выхода в интернет, иногда долго загружаются страницы, или вовсе зависают, нужно обновлять F5.
Обновление squid до последней версии, думаю не исправит проблему.

В логах squid иногда проскакивает:

Не знаю, относится это к вышеуказанной проблеме или нет.

Если нужна дополнительная информация, спрашивайте, напишу.

Услуги хостинговой компании Host-Food.ru

Медленная работа squid

Медленная работа squid

1) access.log я удалил. Squid создал новый, так что он пока что относительно пустой, место минимально занимет
2) КЭШ пересоздал
3) BIND думаю не причем, он просто форвардит всё на DNS провайдера. Да и пользователи которые без прокси-сервера в ИНЕТ ходят, проблем не испытывают. Если бы BIND тормозил, то и пользователи без прокси-сервера бы тормозили.
4 и 5) Не понял как проверить. Я этот squid много лет назад собрал, и забыл про него. Вот сейчас пытаюсь понять что к чему.

Прикрепляю конфиг сквида. Может в нем что напутал?

Медленная работа squid

(бывает, но очень редко, что бинд поддуривает, лучше сразу убедиться, что он не причем).

Про транспарент я имел ввиду настройки типа таких:

Но у Вас их не увидел.

Если с путями в системе все в порядке, то

Это правда для squid-3.5.20
Но лучше внимательно ознакомиться с каждой строчкой вывода на предмет ошибок.

Есть еще другие мысли:
а) Не протух-ли один из локальных сертификатов машины?
(можно перезалить с другой, более свежей установки)

Источник

прозрачный squid

настроено, все вроде как работает, но например если открываю сайт pikabu.ru через прокси, то он выглядит вот так

но если я открываю гугл, ютуб и т.д. то по https все ок открывается, в чем может проблема с pikabu ?

выключи его нафиг, если ты один пользователь, он тебе не нужен. федора известна своей «секьюрностью» по дефолту, ну а этот сайт вероятно не хочет общаться с прокси в таком конфиге

будет не один пользователь, вот такие «извращенцы» хотят все это завести на федоре, почему именно он не хочет, а другие хотят общаться через прокси?

Некоторые файлы на других доменах.

Подключаемые css, js тянуться не с pikabu. ru. grep DENI /var/log/squid3/access.log.(ну или где у тебя логи кальмара лежат)

про DENI ничего нет

А что говорит гугель про error:transaction-end-before-.

Unused connections received in http_port or https_port or transactions terminated before reading[parsing] request headers logged with URI error:transaction-end-before-headers.

These errors are meant to be logged for clients that open and close connections without sending any HTTP headers (or without sending complete HTTP headers — you can log HTTP request size to distinguish these two cases).

влияет ли это на мою проблему, не понятно

настроено, все вроде как работает, но например если открываю сайт pikabu.ru через прокси, то он выглядит вот так

Из-за этой ошибки не проходит куча запросов к пикабу.

в итоге поднял на сервере unbound, поставил

Источник

Как правильно настроить Squid на PfSense?

Здравствуйте! На PfSense собрал Squid, но на некоторые сайты доступ не дает, сразу уходит в аут.
Начал проверять логи Squid и наткнулся на это

Кто-нибудь сталкивался с такой проблемой?
Вот конфиг Squid

# This file is automatically generated by pfSense
# Do not edit manually !

http_port 10.0.0.2:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.4096 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE

http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.4096 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE

https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.4096 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE

tcp_outgoing_address 10.0.0.2
icp_port 0
digest_generation off
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language ru
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048
tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
tls_outgoing_options capath=/usr/local/share/certs/
tls_outgoing_options options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_children 5

logfile_rotate 30
debug_options rotate=30
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 10.0.0.0/22
forwarded_for on
via off
httpd_suppress_version_string on
uri_whitespace strip

cache_mem 64 MB
maximum_object_size_in_memory 512 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 512 MB
cache_dir ufs /var/squid/cache 100 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320

# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
acl sslports port 443 563

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS

# SslBump Peek and Splice
# wiki.squid-cache.org/Features/SslPeekAndSplice
# wiki.squid-cache.org/ConfigExamples/Intercept/SslB.
# Match against the current step during ssl_bump evaluation [fast]
# Never matches and should not be used outside the ssl_bump context.
#
# At each SslBump step, Squid evaluates ssl_bump directives to find
# the next bumping action (e.g., peek or splice). Valid SslBump step
# values and the corresponding ssl_bump evaluation moments are:
# SslBump1: After getting TCP-level and HTTP CONNECT info.
# SslBump2: After getting TLS Client Hello info.
# SslBump3: After getting TLS Server Hello info.
# These ACLs exist even when ‘SSL/MITM Mode’ is set to ‘Custom’ so that
# they can be used there for custom configuration.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl allowed_subnets src 192.168.2.0/24 10.0.0.0/24 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 10.0.4.0/24 10.0.5.0/24 10.0.6.0/24 10.0.7.0/24 10.0.8.0/24 10.0.9.0/24 10.0.10.0/24
acl whitelist dstdom_regex -i ‘/var/squid/acl/whitelist.acl’
http_access allow manager localhost

# Allow external cache managers
acl ext_manager src 127.0.0.1
http_access allow manager ext_manager

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

Источник

Hi,
i have version 2.4.5 of PfSense, i have installed squid in transparent mode (SSL/MITM Mode Splice All) + squidguard:

Squid proxy SSL/MITM Mode Splice All and SquidGuard Default access ALL DENY and only a few domains allowed;

in the squid log , from all clients I find many of these:

NONE/000 error:transaction-end-before-headers
NONE/503 http:443
NONE/200 http:443

Why?
is it a problem?

reading here:
https://www.freshports.org/www/squid
http://www.squid-cache.org/Versions/v4/squid-4.11-RELEASENOTES.html#ss3.2

that with version 4.11 they solved the problem?
how can I update my current version to 4.11?

I installed the latest updates 0.4.44_26 but the Squid version is always 4.10

MITM is always some pain in the back and it took me a while to make it work. Without to know your current config & ACLs it is impossible to point you in the right direction to find a solution but I can tell you that it works, if the setup is done right.

@CaliPilot
in Squid there are no particular ACLs, the whole network passes through the transparent proxy,

in SquidGuard Common ACL Target Categories «Default access [all]» is DENY and «Lark» is ALLOW
in SquidGuard «Target categories» (Lark) witch Domain list

the «error: transaction-end-before-headers» problem be fixed on version 4.11 or not?
how do i update it?

@xalex1977 You should post your squid.conf because (with no offense) I guess there are other issues. With splice all it should work more or less out of the box if the setup is right. You can also check this post .

. where I answered on our own issues and how we solved them.

reading here:
https://www.freshports.org/www/squid
http://www.squid-cache.org/Versions/v4/squid-4.11-RELEASENOTES.html#ss3.2

that with version 4.11 they solved the problem?
how can I update my current version to 4.11?

when will squid-4.11 be installed from packages?

can anyone tell me when squid-4.11 will be available to solve the problem?
thank you

Have sam issue here, after update to 4.10, users started to complain and have same errors in logs, squid 4.11 is not available for now in package manager

@srlek have you encountered the same problem? how can we solve?

Redmine issue created: https://redmine.pfsense.org/issues/10608

Same Error. too bad .

Same error here, squid-4.10

I found some release notes about squid version 4.11, here:

Section 3.2 Changes to existing tags:

Unused connections received in http_port or https_port or transactions terminated before reading[parsing] request headers are logged with URI error:transaction-end-before-headers.

@xalex1977 larksuite.com is running on a CDN. We faced the same issues like you, with other and more dramatic consequences (squid crashes and so on). We pinned it down to DNS. We changed from Google-DNS to the local ones from our ISPs, we made DNS-Resolver work (and played with minimum TTLs), fixed our Windows-DNS Servers and disabled the name caches (which doesn’t work, we clean them now manually every 5 Minutes via a script) and we disabled name-caching on our clients. Key is that your DNS between Pfsense, internal DNS and your clients is always sync. Squid is a b*tch if one of your boxes is responding with the wrong host or ips.

We made for critical sites (like SAP C4C) static host overrides because they drive crazy with changing their IP every few minutes. All in all i’m very happy right now with or setup!

Another trick we learned that you can use an Alias in Squid to Bypass traffic like for services hosted by Apple (iTunes, App-Store and so on). Key is that you add all known cnames from that cdn-hosted site to your Alias and add that Alias to Squid in the «bypass proxy for these destination IPs».

I’m not a hardcore linux or network specialist but if you check your config, fix your dns and have everything in place it works pretty well. It is some work in the beginning (GotoMeeting, Teams and Apple stuff) and sometimes it’s challenging but it will work!

@CaliPilot hi, unfortunately larksuite has a lot of third level domains and it is impossible for me to create aliases;
we use the windows active directory server dns, I would not want disabled Windows-DNS Servers name caches and name-caching on our clients, it is too uncomfortable.

Will this problem not be corrected with a new version of Squid?

The error in your log seems to be a CONNECT issue.
The Browser opens a CONNECT session to the target site and will only accept a socket address, not a URL.
The Rewrite URL from squidguard https://site.com/sgerror.php is parsed as a socket address like host:port

We have squid with SSL MITM, ClamAV and Squidguard with correct url redirect working with the following setting:

squid mitm: splice whitelist, bump otherwise

additional advanced options:
url_rewrite_access deny CONNECT
url_rewrite_access allow all

This will deny CONNECT sessions for non-whitelisted sites and will let the redirect work.

As redirect function in squidguard you need to set «ext url move», not redirect.

@xalex1977 também tenho esse mesmo problema! Estou com pfsnse 2.5.0 + Proxy Transparente + interceptação SSL. Notei que esses erros está diretamente relacionado ao dispositivo que acessam via wifi. Não sei se tem algo relacionado ou só consciência.

Amigo onde você insere essa informação adicional?
Seria no campo «Opções personalizadas (SSL / MITM)» .

@kasalencar i have version 2.4.5-RELEASE-p1 + squid in transparent mode (SSL/MITM Mode Splice All) + squidguard and i still have the problem

@xalex1977 Eu notei que no acontece esse erro em páginas bloqueadas pelo SquidGuard e o dispositivo não possuí o certificado emitido pelo firewall.

Após o usuário recarregar a consulta, a página mostrada é a do Squid com mensagem de block.

Can confirm this is a DNS issue. Fixed by enabling «DNS Query Forwarding» under Services > DNS Resolver.

Источник

Hi,

I use squid 4.12 with LDAP (Active Directory).

All works great except sometimes I have the following errors in my
access.log file :

1598438527.315 0 192.168.0.50 NONE/000 0 NONE
error:transaction-end-before-headers — HIER_NONE/- —

How can i correct that ? Any suggestions ?

Below my squid.conf file :

  --8<--

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)

acl localnet src 10.0.0.0/8 # RFC 1918 local private network
(LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space
(CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly
plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network
(LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network
(LAN)
acl localnet src fc00::/7 # RFC 4193 local private network
range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
acl bad_domains dstdomain "/etc/squid/bad_domains"

http_access deny bad_urls
http_access deny bad_domains

auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -P -R
-b dc=lab,dc=local -D cn=squid,cn=users,dc=lab,dc=local -w squid -f
«(&(objectClass=person)(sAMAccountName=%s))» -v 3 192.168.0.7:389

acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth

http_access allow localnet
http_access allow localhost

http_access deny all

http_port 3128

coredump_dir /var/squid/cache

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_mgr informatique@lab.local

  -->8--

Thank you very much !

Cheers,

Eric F.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

Не помешает все-таки п.3

(бывает, но очень редко, что бинд поддуривает, лучше сразу убедиться, что он не причем).

Про транспарент я имел ввиду настройки типа таких:

https_port 192.168.1.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl/squid.pem key=/usr/local/etc/squid/ssl/squid.key
http_port 192.168.1.1:3128 options=NO_SSLv3:NO_SSLv2

Но у Вас их не увидел.

Если с путями в системе все в порядке, то

Покажет нам нутро настроек, включая те, что явным образом не заданы в конфиге:

2020/08/21 15:52:25| Startup: Initializing Authentication Schemes ...
2020/08/21 15:52:25| Startup: Initialized Authentication Scheme 'basic'
2020/08/21 15:52:25| Startup: Initialized Authentication Scheme 'digest'
2020/08/21 15:52:25| Startup: Initialized Authentication Scheme 'negotiate'
2020/08/21 15:52:25| Startup: Initialized Authentication Scheme 'ntlm'
2020/08/21 15:52:25| Startup: Initialized Authentication.
2020/08/21 15:52:25| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2020/08/21 15:52:25| Processing: acl localnet src 192.168.1.0/24
...
2020/08/21 15:52:25| Processing: dns_nameservers 127.0.0.1
...
2020/08/21 15:52:25| Processing: forwarded_for off
2020/08/21 15:52:25| Initializing https proxy context
2020/08/21 15:52:25| Initializing https_port 192.168.1.1:3129 SSL context
2020/08/21 15:52:25| Using certificate in /usr/local/etc/squid/ssl/squid.pem

Это правда для squid-3.5.20
Но лучше внимательно ознакомиться с каждой строчкой вывода на предмет ошибок…

Есть еще другие мысли:
а) Не протух-ли один из локальных сертификатов машины?
(можно перезалить с другой, более свежей установки)

ls /etc/ssl
total 12
lrwxr-xr-x  1 root  wheel     38  8 янв.   2018 cert.pem -> /usr/local/share/certs/ca-root-nss.crt
ls /usr/local/share/certs/ca-root-nss.crt
-rw-r--r--  1 root  wheel  821046  8 янв.   2018 /usr/local/share/certs/ca-root-nss.crt

б) Нет-ли проблемы с адтрастом на клиентских машинах (это с конца мая, кажется, началось) soft-f3/pro-sertifikat-addtrust-s-opens … ml#p391952
в) Все-ли сайты тупят через прокси или есть с которыми проблем нет?
Хотя, наверное, эти последние два пункта можно и местами поменять…