FreeBSD Squid 3.2 Reverse Proxy with HTTPS

dweimer dweimer at
Fri Mar 8 20:34:39 UTC 2013

    I am stuck in a kind of desperate situation, I have been managing 
several FreeBSD systems as forward proxy servers with Squid on them for 
13 years, and a few with reverse proxies for around 4 years.  But for 
the last few months, I have been struggling with HTTPS uploads failing 
on the reverse proxies.  I have personally built and destroyed over 20 
virtual machines, and spent countless hours on this.  Every time 
duplicating the problem, no matter how basic I strip the process down, I 
have tried FreeBSD 8.3, 9.0, 9.1, with Squid 3.2.6, 3.2.7, 3.2.8, and a 
couple different versions of the Squid 3.1 port.
    Everything installs without errors, services all start, pages load, 
all looks great, until you try to do a POST on HTTPS.  I thought at 
first it was just when the size was over a certain amount, but that 
turned out to be a wrong assumption.  I have a test scenario that can 
duplicate the problem with exact same results every time.  In the end my 
test is just a simple HTML form that submits a file to a PHP script that 
saves it.  I have a directory of 7 .png image files that are screenshots 
from some documentation I wrote for our PC support desk.  3 of the files 
upload successfully, and 4 of them fail.  It's the same 3 and 4 every 
time, I can't find anything in common between the ones that succeed 
and fail.  They will all work if you use http going to the same exact 
HTML form and PHP script.  If I remove Squid and go directly to the 
Apache process using HTTPS all files upload fine.
    After a lot of debugging, and painstakingly reading very long Squid 
debugging logs, I found out that Squid appears to continue waiting for 
the end of the file after the client browser has stopped sending data, 
for almost 5 minutes, before just returning complete, and not actually 
submitting the file to the Apache process.  If you actually stop the 
browser while it's sitting there waiting for a response, the file gets 
submitted to Apache process and saves successfully.
    I have a couple existing production servers that are running 9.0, 
with Squid 3.1.21, that are working, but I am in desperate need of 
updating them to meet requirements.  I have posted several messages to 
the Squid mailing list, received some initial suggestions that didn't 
get anywhere, but I haven't been able to get any more help.

    I am hoping to find someone else out there that is running FreeBSD 
with Squid in a Reverse proxy setup with HTTPS that has not run into 
this issue and is willing to share configurations with me, so I can 
possibly find out what's wrong with my setup.  Or if you have also run 
into this issue, perhaps we can share notes and possibly find something 
that will make it possible to file a bug report somewhere.  Even though I 
can reproduce this without fail none of my debugging output actually 
gives an error, it just doesn't behave correctly.

    Dean E. Weimer

More information about the freebsd-questions mailing list