Created August 12, 2021 05:28
SSL Connect Error through Squid Proxy on RHEL
It looks like the proxy is aborting the connection. After some debugging using openssl, tcpdump and curl, I observed that the rhui3 server is rejecting the SSL connection if we connect via https_proxy (NAT) without a valid certificate.

I could see that this instance is connecting to the outside world via the squid proxy's network interface (eni-04555c95115a75e50). Looking at the squid configuration, I assume that you might have set up a transparent squid proxy as per the following blog post, so you don't have to explicitly define proxy variables in the Red Hat instance.

https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/

I would suggest you update your proxy configuration to bypass SSL certificate validation as given below and check if yum update works.

1. Append the following line to your squid configuration file

   # echo "sslproxy_cert_error allow allowed_https_sites" >> /etc/squid/squid.conf

2. Reload the squid service

   # /usr/sbin/squid -k parse && /usr/sbin/squid -k reconfigure

3. Ensure that you have the following PREROUTING rules to redirect traffic on ports 80/443 to 3129/3130 (squid)

------------------------------------------------------------------------------------------
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3129
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 3130

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
------------------------------------------------------------------------------------------

4. If the above rules are not found, you can add them as given below.

   # iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
   # iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130

5. Remove the proxy variables in /etc/yum.conf if you have defined them.
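Steps 3 and 4 have the operator compare the `iptables -t nat -L` listing against the two expected REDIRECT rules by eye. The POSIX shell script below is an added example and is not part of the gist or of the AWS blog post it links to: it parses a NAT table listing (either the name-resolved form shown in step 3 or the numeric `iptables -t nat -L -n` form), checks the PREROUTING chain for the 80 to 3129 and 443 to 3130 redirects, and prints the step 4 command for each rule that is absent instead of running it, so the change to the firewall is reviewed before it is applied. The two embedded listings are constructed sample output, and the port numbers and function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): find which Squid intercept redirects are
# missing from the PREROUTING chain of an `iptables -t nat -L` listing.

# Constructed sample: numeric (-n) form with only the HTTP redirect present.
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: name-resolved form, as in step 3, with both redirects.
COMPLETE_NAT_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3129
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 3130

Chain INPUT (policy ACCEPT)
target     prot opt source               destination'

# has_redirect LISTING DPORT_ALTS REDIR_PORT
#   Exit 0 if the PREROUTING chain of LISTING has a REDIRECT rule whose
#   destination port matches one of DPORT_ALTS (e.g. "443|https", so that both
#   numeric and name-resolved listings work) and whose target is REDIR_PORT.
has_redirect() {
    nat_listing=$1
    dport_alts=$2
    redir_port=$3
    printf '%s\n' "$nat_listing" | awk -v dp="$dport_alts" -v rp="$redir_port" '
        /^Chain / { in_pre = ($2 == "PREROUTING") }   # track which chain we are in
        in_pre && $1 == "REDIRECT" \
            && $0 ~ ("dpt:(" dp ")( |$)") \
            && $0 ~ ("redir ports " rp "( |$)") { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# missing_redirect_cmds LISTING
#   Print the step 4 iptables command for every redirect that is absent.
#   Nothing is printed when both rules are already in place.
missing_redirect_cmds() {
    nat_listing=$1
    has_redirect "$nat_listing" "80|http" 3129 \
        || echo "iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129"
    has_redirect "$nat_listing" "443|https" 3130 \
        || echo "iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130"
}

# Stand-alone run against the constructed samples.
echo "Missing redirects in SAMPLE_NAT_LISTING:"
missing_redirect_cmds "$SAMPLE_NAT_LISTING"
echo "Missing redirects in COMPLETE_NAT_LISTING (expected: none):"
missing_redirect_cmds "$COMPLETE_NAT_LISTING"
```

On the proxy instance itself, run `missing_redirect_cmds "$(iptables -t nat -L -n)"` as root and apply only the commands it prints. The matching is deliberately strict about the chain, the target and both port values, so a REDIRECT that sends 443 somewhere other than Squid's 3130 intercept port is reported as missing rather than silently accepted. Note also that step 1's `sslproxy_cert_error allow allowed_https_sites` tells Squid to ignore upstream certificate validation errors only for destinations matching that ACL (Squid's default is to deny), so the entries in that ACL are the hosts for which a bad upstream certificate would no longer be caught by the proxy; keep it limited to the repository hosts that need it.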