Discussion:
[squid-users] ERROR The requested URL could not be retrieved
Uchenna Nebedum
2018-10-29 15:20:01 UTC
Good Day All,
I have set up Squid 3.5 with MikroTik, and SSL bumping is enabled. After
accepting the certificate on the browser prompt, Squid throws an error on
the browser, "*unable to forward this request at this time.*" It throws
this error for HTTP sites as well. Please, what could be causing this error?

*Please find attached my squid.conf*

#cache_log /var/log/squid/cache.log
cache_effective_user proxy
acl localnet src 10.0.0.0/24
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
never_direct allow all
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
visible_hostname localhost
http_port 3126 intercept
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
sslproxy_cert_error allow all
#sslproxy_cert_error allow ssl_error_domains
#sslproxy_cert_error allow ssl_error_ips
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump stare step2 all
ssl_bump bump step3 all
ssl_bump splice localhost
ssl_bump splice all
via off
forwarded_for on
request_header_access From deny all
request_header_access Cache-Control deny all
request_header_access Keep-Alive deny all
request_header_access Other deny all
reply_header_access Set-Cookie deny all
reply_header_access Set-Cookie2 deny all
reply_header_access Other deny all
adaptation_access greasyspoon allow all
dns_timeout 30 seconds
dns_v4_first on
#ecap_enable off
icap_enable on
icap_preview_enable off
icap_preview_size 2048
icap_persistent_connections on
adaptation_send_client_ip on
adaptation_send_username on
icap_service greasyspoon respmod_precache icap://127.0.0.1:1344/response bypass=0
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320
shutdown_lifetime 10 seconds


*and my access.log*

Please, I'll provide any other information required. Please, I really need
help. I noticed my last two questions weren't answered, I really need help.
I've noticed Google and Facebook are reachable.
--
Nebedum Uchenna
Stephen Borrill
2018-10-29 15:23:33 UTC
Post by Uchenna Nebedum
Good Day All,
I have setup squid 3.5 with mikrotik, and ssl bumping is enabled. after
accepting the certificate on the browser prompt, Squid throws an error
on the browser, "*unable to forward this request at this time.*" it
throws this error for http sites as well. please what could be causing
this error.
never_direct allow all

How is your proxy meant to forward on requests? You have no cache peers,
but have told it never to go direct (i.e. always use a cache peer).
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
Amos Jeffries
2018-10-29 21:21:33 UTC
Post by Stephen Borrill
Post by Uchenna Nebedum
Good Day All,
I have setup squid 3.5 with mikrotik, and ssl bumping is enabled. after
accepting the certificate on the browser prompt, Squid throws an error
on the browser, "*unable to forward this request at this time.*" it
throws this error for http sites as well. please what could be causing
this error.
never_direct allow all
How is your proxy meant to forward on requests? You have no cache peers,
but have told it never to go direct (i.e. always use a cache peer).
Post by Uchenna Nebedum
*Please find attached my squid.conf*
There are some other issues I can already see which will be coming up
Post by Stephen Borrill
Post by Uchenna Nebedum
visible_hostname localhost
Any other proxy calling itself "localhost" will cause forwarding loops.
Either let Squid locate the proxy machine's hostname automatically, or
configure a FQDN for the above. The name used should resolve to the
proxy IP when clients look it up in DNS.
Post by Stephen Borrill
Post by Uchenna Nebedum
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump stare step2 all
ssl_bump bump step3 all
The lines above contain other non-splice actions required to always
happen at every step of the SSL-Bumping process.
Post by Stephen Borrill
Post by Uchenna Nebedum
ssl_bump splice localhost
ssl_bump splice all
via off
Removal of via is only a bandaid to make those forwarding loops created
by visible_hostname not be visible anymore. They can still happen and
annoy other admins elsewhere on the networks your traffic goes to.
Post by Stephen Borrill
Post by Uchenna Nebedum
forwarded_for on
request_header_access From deny all
request_header_access Cache-Control deny all
request_header_access Keep-Alive deny all
request_header_access Other deny all
Er, the above *only* affect requests sent to upstream servers.

Removing Cache-Control in particular is definitely going to lead to
major problems for your clients.

"Other" is also tricky. It removes all HTTP headers which Squid has not
explicitly been coded to understand.

So removing headers with "Other" like this a) breaks any modern HTTP
features your Squid does not explicitly support, and b) lets through
many headers you probably don't want to just because Squid does "know" them.

Keep-Alive is unnecessary since Squid already removes that problematic
header on sight.
Post by Stephen Borrill
Post by Uchenna Nebedum
reply_header_access Set-Cookie deny all
reply_header_access Set-Cookie2 deny all
reply_header_access Other deny all
adaptation_access greasyspoon allow all
dns_timeout 30 seconds
dns_v4_first on
#ecap_enable off
icap_enable on
icap_preview_enable off
icap_preview_size 2048
icap_persistent_connections on
adaptation_send_client_ip on
adaptation_send_username on
icap_service greasyspoon respmod_precache icap://127.0.0.1:1344/response bypass=0
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320
shutdown_lifetime 10 seconds/
please i'll provide any other information required. please i really need
help. I noticed my last two questions weren't answered, i really need
help. I've noticed google and facebook are reachable.
Meaning traffic to those does not go through the proxy or any of the
ports you are intercepting. Probably via QUIC or similar non-HTTP(S)
protocol.

If you are trying to do those weird header changes for privacy or
anonymity, their traffic working is a very bad sign.

Amos
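
Added example (not from the thread or from the Squid project): a small Python check that scans a squid.conf for the problems the two replies above point out, namely never_direct with no cache_peer, visible_hostname localhost, via off, the request_header_access lines, and ssl_bump rules that can never be reached. The finding names and the abridged SAMPLE_CONF are constructed for illustration.

```python
# Added example: lint a squid.conf for the issues raised in this thread.
# Finding codes are hypothetical names chosen for this example.

# Constructed, abridged copy of the configuration posted in the thread.
SAMPLE_CONF = """\
never_direct allow all
visible_hostname localhost
http_port 3126 intercept
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump stare step2 all
ssl_bump bump step3 all
ssl_bump splice localhost
ssl_bump splice all
via off
request_header_access Cache-Control deny all
request_header_access Keep-Alive deny all
request_header_access Other deny all
"""

ALL_STEPS = {"SslBump1", "SslBump2", "SslBump3"}

# request_header_access targets singled out in the reply.
HEADER_FINDINGS = {
    "Cache-Control": "header-cache-control-stripped",
    "Other": "header-other-stripped",
    "Keep-Alive": "header-keep-alive-redundant",
}


def parse(conf_text):
    """Return [(line_number, tokens)] with comments and blank lines dropped."""
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append((lineno, line.split()))
    return rules


def lint(conf_text):
    """Return [(line_number, finding_code)] in file order."""
    rules = parse(conf_text)
    has_peer = any(tok[0] == "cache_peer" for _, tok in rules)
    # Map ACL name -> step for "acl NAME at_step SslBumpN" definitions.
    step_acls = {tok[1]: tok[3] for _, tok in rules
                 if tok[0] == "acl" and len(tok) >= 4 and tok[2] == "at_step"}
    covered = set()  # steps where an earlier rule already matches everything
    findings = []
    for lineno, tok in rules:
        name, args = tok[0], tok[1:]
        if name == "never_direct" and args[:2] == ["allow", "all"] and not has_peer:
            # No peer to forward to and direct fetches forbidden.
            findings.append((lineno, "never-direct-without-cache-peer"))
        elif name == "visible_hostname" and args[:1] == ["localhost"]:
            findings.append((lineno, "visible-hostname-localhost"))
        elif name == "via" and args[:1] == ["off"]:
            findings.append((lineno, "via-off"))
        elif name == "request_header_access" and args[1:2] == ["deny"]:
            if args[0] in HEADER_FINDINGS:
                findings.append((lineno, HEADER_FINDINGS[args[0]]))
        elif name == "ssl_bump" and args:
            acls = args[1:]
            # Simplification: a rule naming one at_step ACL applies to that
            # step only; a rule naming none may apply at any step.
            steps = {step_acls[a] for a in acls if a in step_acls} or set(ALL_STEPS)
            if steps <= covered:
                findings.append((lineno, "ssl-bump-rule-unreachable"))
            elif all(a == "all" or a in step_acls for a in acls):
                covered |= steps
    return findings


if __name__ == "__main__":
    for lineno, code in lint(SAMPLE_CONF):
        print(f"line {lineno}: {code}")
```

The reachability check only models "first matching rule wins at each step"; it does not model which ssl_bump actions Squid allows at which step.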
Amos Jeffries
2018-10-31 02:07:47 UTC
Thanks a lot it works now... I've added site bumping exceptions, and it
still throws invalid certificate exceptions even though it uses the
'ssl_bump stare' configuration, is it possible to reduce the errors? 
Uchenna Nebedum
Maybe, the above is a bit vague on details.

What exactly do you have configured now after those changes?

And what exact error(s) are you seeing now?


Amos

PS. please reply to the list instead of me personally.

PPS. If you want dedicated support I do provide it commercially, but you
started this on-list so I assume you are not wanting to receive an
invoice for responses.
Uchenna Nebedum
2018-10-31 15:08:11 UTC
Thanks a lot Amos, I really didn't notice I had been sending private
emails. Really sorry about that.

About the config: the proxy works fine now, it bumps the traffic
successfully.
I've added the sites I want to be bumped, but the browser errors thrown are
too much, and it's a scenario where I can't install the certificate on
every device.

So I wanted to know if there was a way to reduce the privacy errors. Thanks
a lot.

Uchenna Nebedum
Amos Jeffries
2018-11-01 04:03:59 UTC
Post by Uchenna Nebedum
Thanks a lot Amos, I really didn't notice I had been sending private
emails, Really sorry about that. 
About the config, The proxy works fine now, it bumps the traffic
successfully.
I've added the sites i want to be bumped but the browser errors thrown
are too much, and it's a scenario where I can't install the certificate
on every device.
In that case you already have it going as well as it will ever do for
this setup. Having the certificate installed on the device is the only
way to prevent the warning messages. The whole point of TLS is to
generate those warnings when an unknown or untrusted CA is used.

Amos
