Open zwChan opened 9 years ago
It seems nobody pay attention to this ...
From the log, I see SPDY protocol is not negotiated in backend. Check that backend SPDY proxy supports NPN. For SSL/TLS stuff, check tls version and cipher suites.
In fact, I know little about the proxy (I buy the service of the proxy, but it just support Chrome browser by a plugin), and the proxy works OK when using a pac-script in chrome, like "return 'HTTPS 106.187.39.217:443' ". I capture the packets, and it occur exactly the same negotiation(including tls version and cipher suites), without decryption_failed(21). So I think something wrong with the key-file or cacert. I don't understand the options " --cacert , --client-private-key-file, --client-cert-file" very much, not much info i can get about them in the help-info. Now I create cacert/client-key/client-cert using the above openssl command on my linux server. Should it work ? Could you offer more hint?
The debugging info in Chrome is really cool! When it works OK, I get the SPDY session info as follow : SPDY Enabled: true Use Alternate Protocol: true Force SPDY Always: false Force SPDY Over SSL: true Next Protocols: http/1.1,spdy/3,spdy/3.1
87493: SPDY_SESSION maps.google.com:443 (HTTPS ipad1826.pw:443) Start Time: 2014-12-30 01:50:33.010
t=344605 [st= 0] +SPDY_SESSION [dt=?] --> host = "maps.google.com:443" --> proxy = "HTTPS ipad1826.pw:443" t=344605 [st= 0] SPDY_SESSION_INITIALIZED --> protocol = "spdy/3.1" --> source_dependency = 87479 (SOCKET) t=344605 [st= 0] SPDY_SESSION_SEND_SETTINGS --> settings = ["[id:4 flags:0 value:1000]","[id:7 flags:0 value:10485760]"] t=344606 [st= 1] SPDY_STREAM_UPDATE_RECV_WINDOW --> delta = 10420224 --> window_size = 10485760 t=344606 [st= 1] SPDY_SESSION_SENT_WINDOW_UPDATE_FRAME --> delta = 10420224 --> stream_id = 0 t=344608 [st= 3] SPDY_SESSION_SYN_STREAM --> fin = true --> :host: maps.google.com :method: GET :path: /maps?biw=1366&bih=667&q=%E9%99%B6%E7%93%B7%E6%A0%87%E9%A2%98&bav=on.2,or.r_cp.&um=1&ie=UTF-8&sa=X&ei=042hVMTXCtLZoASZ4YDYDA&ved=0CAcQAUoAg :scheme: https :version: HTTP/1.1 accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/_;q=0.8 accept-encoding: gzip, deflate, sdch accept-language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4 cookie: [811 bytes were stripped] ra-sid: CB6EAFB3-20140731-015918-084620-688fb4 ra-ver: 2.8.6 referer: https://www.google.com/ user-agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 x-client-data: CJO2yQEIorbJAQiptskBCMS2yQEInobKAQjwiMoB --> spdy_priority = 0 --> stream_id = 1 --> unidirectional = false t=344791 [st=186] SPDY_SESSION_RECV_SETTINGS --> clear_persisted = false --> host = "maps.google.com:443" t=344791 [st=186] SPDY_SESSION_RECV_SETTING --> flags = 1 --> id = 4 --> value = 100 t=344791 [st=186] SPDY_SESSION_UPDATE_STREAMS_SEND_WINDOW_SIZE --> delta_window_size = 0 t=344791 [st=186] SPDY_SESSION_RECV_SETTING --> flags = 0 --> id = 7 --> value = 65536 t=344791 [st=186] SPDY_SESSION_RECEIVED_WINDOW_UPDATE_FRAME --> delta = 983040 --> stream_id = 0 t=344791 [st=186] SPDY_SESSION_UPDATE_SEND_WINDOW --> delta = 983040 --> window_size = 1048576 t=344848 [st=243] SPDY_SESSION_SYN_REPLY --> fin = false --> :status: 302 Found :version: HTTP/1.1 alternate-protocol: 443:quic,p=0.02 cache-control: private content-length: 391 content-type: text/html; charset=UTF-8 date: Mon, 29 Dec 2014 17:49:57 GMT location: https://www.google.com/maps?biw=1366&bih=667&q=%E9%99%B6%E7%93%B7%E6%A0%87%E9%A2%98&bav=on.2,or.r_cp.&um=1&ie=UTF-8&sa=X&ei=042hVMTXCtLZoASZ4YDYDA&ved=0CAcQ_AUoAg server: gws x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block --> stream_id = 1 t=344849 [st=244] SPDY_SESSION_RECV_DATA --> fin = false --> size = 391 --> stream_id = 1 t=344849 [st=244] SPDY_SESSION_UPDATE_RECV_WINDOW --> delta = -391 --> window_size = 10485369 t=344849 [st=244] SPDY_SESSION_RECV_DATA --> fin = true --> size = 0 --> stream_id = 1 t=344849 [st=244] SPDY_SESSION_PING --> is_ack = false --> type = "received" --> unique_id = 0 t=344849 [st=244] SPDY_SESSION_PING --> is_ack = true --> type = "sent" --> unique_id = 0 t=344851 [st=246] SPDY_STREAM_UPDATE_RECV_WINDOW --> delta = 391 --> window_size = 10485760
87472: CONNECT_JOB ssl/maps.google.com:443 Start Time: 2014-12-30 01:50:32.228
t=343823 [st= 0] +SOCKET_POOL_CONNECT_JOB [dt=103] --> group_name = "ssl/maps.google.com:443" t=343823 [st= 0] +SOCKET_POOL_CONNECT_JOB_CONNECT [dt=103] t=343823 [st= 0] HOST_RESOLVER_IMPL [dt=0] --> source_dependency = 87473 (HOST_RESOLVER_IMPL_REQUEST) t=343823 [st= 0] HOST_RESOLVER_IMPL [dt=0] --> source_dependency = 87476 (HOST_RESOLVER_IMPL_REQUEST) t=343926 [st=103] CONNECT_JOB_SET_SOCKET --> source_dependency = 87479 (SOCKET) t=343926 [st=103] -SOCKET_POOL_CONNECT_JOB_CONNECT t=343926 [st=103] -SOCKET_POOL_CONNECT_JOB 87473: HOST_RESOLVER_IMPL_REQUEST ipad1826.pw:443 Start Time: 2014-12-30 01:50:32.228
t=343823 [st=0] +HOST_RESOLVER_IMPL_REQUEST [dt=0] --> address_family = 0 --> allow_cached_response = true --> host = "ipad1826.pw:443" --> is_speculative = false --> source_dependency = 87472 (CONNECT_JOB) t=343823 [st=0] HOST_RESOLVER_IMPL_CACHE_HIT t=343823 [st=0] -HOST_RESOLVER_IMPL_REQUEST 87476: HOST_RESOLVER_IMPL_REQUEST maps.google.com:443 Start Time: 2014-12-30 01:50:32.228
t=343823 [st=0] +HOST_RESOLVER_IMPL_REQUEST [dt=0] --> address_family = 0 --> allow_cached_response = true --> host = "maps.google.com:443" --> is_speculative = false --> source_dependency = 87472 (CONNECT_JOB) t=343823 [st=0] -HOST_RESOLVER_IMPL_REQUEST --> net_error = -804 (ERR_DNS_CACHE_MISS) 87479: SOCKET ssl/maps.google.com:443 Start Time: 2014-12-30 01:50:32.228
t=343823 [st= 0] +SOCKET_ALIVE [dt=225564] --> source_dependency = 87472 (CONNECT_JOB) t=343823 [st= 0] +TCP_CONNECT [dt=103] --> address_list = ["106.187.100.125:443"] t=343824 [st= 1] TCP_CONNECT_ATTEMPT [dt=102] --> address = "106.187.100.125:443" t=343926 [st= 103] -TCP_CONNECT --> source_address = "192.168.0.103:49226" t=343926 [st= 103] +SOCKET_IN_USE [dt=225461] --> source_dependency = 87471 (CONNECT_JOB) t=343926 [st= 103] +SSL_CONNECT [dt=103] t=343926 [st= 103] SOCKET_BYTES_SENT --> byte_count = 217 t=344028 [st= 205] SOCKET_BYTES_RECEIVED --> byte_count = 145 t=344028 [st= 205] SSL_CERTIFICATES_RECEIVED --> certificates = -----BEGIN CERTIFICATE----- MIIFRjCCBC6gAwIBAgIRALshNgnDpv7e6ZgpZKC9YnEwDQYJKoZIhvcNAQELBQAw gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg Q0EwHhcNMTQxMTE4MDAwMDAwWhcNMTUxMTE4MjM1OTU5WjBPMSEwHwYDVQQLExhE b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFDASBgNVBAsTC1Bvc2l0aXZlU1NMMRQw EgYDVQQDEwtpcGFkMTgyNi5wdzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBANpBHYXRLlR9cRAJLLTmgw0drhQner9ZNcUD5sSgJd20qXfFtMFu0XfunXGX aZgwNl7FdRNdgQQ5+Mx6auFsN6b1lX6COmYMEAEYfnJg9cQVAoyJYtCtvUOWG0i9 4dWiHCswW/KWKUdtW7YxlAuck78xqVVPpBUPfHDbZknP5Ky46QGZjHu1uoJkaZhr 62GdTfeGsTpXtrlMzfCJMngombdsaLQkJAuttABU9J9MUFNOXPJwahfEf5W8M6Am +mz5Jdce6/XLIDCGvw1kGkANVx/0PIfAcPP1vI4vRu96QOBF/MV6E77TYPiBLZbJ hw8sZAa3sbdgmV4FQne1pYOvG/UCAwEAAaOCAdkwggHVMB8GA1UdIwQYMBaAFJCv ajqUWgvYkOoSVnPfQ7Q6KNrnMB0GA1UdDgQWBBQNAo8xiYD8N6kiAb7GGRWzZmQy azAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEF BQcDAQYIKwYBBQUHAwIwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQICBzArMCkGCCsG AQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwBAgEw VAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RP UlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCBhQYIKwYBBQUH AQEEeTB3ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01P RE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUF BzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wJwYDVR0RBCAwHoILaXBhZDE4 MjYucHeCD3d3dy5pcGFkMTgyNi5wdzANBgkqhkiG9w0BAQsFAAOCAQEAcl05iAPJ gcEolqt4T9kU3YP3hfK9QhNjTlyYSlaFsSOpOTN7j3sKryQhAZBZY6tlJMr0apsa Y5SBi7UbBhFQMn/zCgyne8VnghuyGVlCz+WGMVss/U+Rbd3lsMzvuk6nrbRp9Da2 /xl9YnDJEQ2U9znLChyha79Cc+QMRbyUM0Wx63mgt5HkHns6x/aSnrGUJTH4Xi07 sBy/26Loo8mHDfyZNLlsuHfLxxrjOH+OGfGp2RC5RP2A80WlZ3pSudNiA0vbnOhs vMmwqVm9Krk5QSwjCwVvFu2ATfgf+DCrnv6IuwMdQ0erSbUKPvsKo2BFktLHUTVo Jiy2Fe4of4orbA== -----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh
bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh
bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0
Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6
ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51
UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n
c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY
MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz
30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG
BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB
AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p
mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/
e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps
P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY
dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc
2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG
V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4
HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX
j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap
lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
+AZxAeKCINT+b72x
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD
VQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkehUktIKVrGsDSTdxc9EZ3SZKzejfSNw
AHG8U9/E+ioSj0t/EFa9n3Byt2F/yUsPF6c947AEYe7/EZfH9IY+Cvo+XPmT5jR6
2RRr55yzhaCCenavcZDX7P0N+pxs+t+wgvQUfvm+xKYvT3+Zf7X8Z0NyvQwA1onr
ayzT7Y+YHBSrfuXjbvzYqOSSJNpDa2K4Vf3qwbxstovzDo2a5JtsaZn4eEgwRdWt
4Q08RWD8MpZRJ7xnw8outmvqRsfHIKCxH2XeSAi6pE6p8oNGN4Tr6MyBSENnTnIq
m1y9TBsoilwie7SrmNnu4FGDwwlGTm0+mfqVF9p8M1dBPI1R7Qu2XK8sYxrfV8g/
vOldxJuvRZnio1oktLqpVj3Pb6r/SVi+8Kj/9Lit6Tf7urj0Czr56ENCHonYhMsT
8dm74YlguIwoVqwUHZwK53Hrzw7dPamWoUi9PPevtQ0iTMARgexWO/bTouJbt7IE
IlKVgJNp6I5MZfGRAy1wdALqi2cVKWlSArvX31BqVUa/oKMoYX9w0MOiqiwhqkfO
KJwGRXa/ghgntNWutMtQ5mv0TIZxMOmm3xaG4Nj/QN370EKIf6MzOi5cHkERgWPO
GHFrK+ymircxXDpqR+DDeVnWIBqv8mqYqnK8V0rSS527EPywTEHl7R09XiidnMy/
s1Hap0flhFMCAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73g
JMtUGjAdBgNVHQ4EFgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQD
AgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9
MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVy
bmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6
Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAGS/g/FfmoXQ
zbihKVcN6Fr30ek+8nYEbvFScLsePP9NDXRqzIGCJdPDoCpdTPW6i6FtxFQJdcfj
Jw5dhHk3QBN39bSsHNA7qxcS1u80GH4r6XnTq1dFDK8o+tDb5VCViLvfhVdpfZLY
Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5
B5a6SE2Q8pTIqXOi6wZ7I53eovNNVZ96YUWYGGjHXkBrI/V5eu+MtWuLt29G9Hvx
PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR
pu/xO28QOG8=
-----END CERTIFICATE-----
t=344029 [st= 206] SOCKET_BYTES_SENT --> byte_count = 59 t=344029 [st= 206] SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED --> embedded_scts = "" --> scts_from_ocsp_response = "" --> scts_from_tls_extension = "" t=344029 [st= 206] SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED --> invalid_scts = [] --> unknown_logs_scts = [] --> verified_scts = [] t=344029 [st= 206] -SSL_CONNECT t=344029 [st= 206] +SOCKET_IN_USE [dt=225358] --> source_dependency = 87467 (CONNECT_JOB) t=344029 [st= 206] +HTTP_TRANSACTION_TUNNEL_SEND_REQUEST [dt=1] t=344029 [st= 206] HTTP_TRANSACTION_SEND_TUNNEL_HEADERS --> CONNECT maps.google.com:443 HTTP/1.1 Host: maps.google.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 t=344029 [st= 206] HTTP_TRANSACTION_SEND_REQUEST_HEADERS --> CONNECT maps.google.com:443 HTTP/1.1 Host: maps.google.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 t=344030 [st= 207] SSL_SOCKET_BYTES_SENT --> byte_count = 220 t=344030 [st= 207] SOCKET_BYTES_SENT --> byte_count = 282 t=344030 [st= 207] -HTTP_TRANSACTION_TUNNEL_SEND_REQUEST t=344030 [st= 207] +HTTP_TRANSACTION_TUNNEL_READ_HEADERS [dt=320] t=344030 [st= 207] +HTTP_STREAM_PARSER_READ_HEADERS [dt=320] t=344350 [st= 527] SOCKET_BYTES_RECEIVED --> byte_count = 69 t=344350 [st= 527] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 39 t=344350 [st= 527] -HTTP_STREAM_PARSER_READ_HEADERS t=344350 [st= 527] HTTP_TRANSACTION_READ_TUNNEL_RESPONSE_HEADERS --> HTTP/1.1 200 Connection established t=344350 [st= 527] -HTTP_TRANSACTION_TUNNEL_READ_HEADERS t=344350 [st= 527] +SOCKET_IN_USE [dt=225037] --> source_dependency = 87466 (CONNECT_JOB) t=344350 [st= 527] +SSL_CONNECT [dt=254] t=344351 [st= 528] SSL_SOCKET_BYTES_SENT --> byte_count = 215 t=344351 [st= 528] SOCKET_BYTES_SENT --> byte_count = 282 t=344567 [st= 744] SOCKET_BYTES_RECEIVED --> byte_count = 3957 t=344567 [st= 744] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 3918 t=344568 [st= 745] SSL_CHANNEL_ID_REQUESTED t=344568 [st= 745] SSL_GET_DOMAIN_BOUND_CERT [dt=0] t=344568 [st= 745] SSL_CHANNEL_ID_PROVIDED t=344579 [st= 756] SSL_CERTIFICATES_RECEIVED --> certificates = -----BEGIN CERTIFICATE----- MIIGxTCCBa2gAwIBAgIIAl5EtcNJFrcwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMjEwMTEzMzM3WhcNMTUwMzEwMDAwMDAw WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n b29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmng6ZoVeVmmAplSC 9TcTQkkosO5zaPDTXLuuzQU3Bl5JUSF/11w6dlXdJJHXIQ3cIirUuyd288ORbu93 FrTTTaOCBF0wggRZMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCCAyYG A1UdEQSCAx0wggMZggwqLmdvb2dsZS5jb22CDSouYW5kcm9pZC5jb22CFiouYXBw ZW5naW5lLmdvb2dsZS5jb22CEiouY2xvdWQuZ29vZ2xlLmNvbYIWKi5nb29nbGUt YW5hbHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNsgg4qLmdvb2ds ZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVrgg8qLmdvb2ds ZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29tLmJygg8qLmdv b2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUuY29tLnRygg8q Lmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5lc4ILKi5nb29n bGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29nbGUubmyCCyou Z29vZ2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMuY29tgg8qLmdv b2dsZWFwaXMuY26CFCouZ29vZ2xlY29tbWVyY2UuY29tghEqLmdvb2dsZXZpZGVv LmNvbYIMKi5nc3RhdGljLmNugg0qLmdzdGF0aWMuY29tggoqLmd2dDEuY29tggoq Lmd2dDIuY29tghQqLm1ldHJpYy5nc3RhdGljLmNvbYIMKi51cmNoaW4uY29tghAq LnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUuY29tgg0qLnlvdXR1 YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tggsqLnl0aW1nLmNvbYILYW5k cm9pZC5jb22CBGcuY2+CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdv b2dsZS5jb22CEmdvb2dsZWNvbW1lcmNlLmNvbYIKdXJjaGluLmNvbYIIeW91dHUu YmWCC3lvdXR1YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbTALBgNVHQ8EBAMC B4AwaAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2ds ZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29v Z2xlLmNvbS9vY3NwMB0GA1UdDgQWBBTn6rT+UWACLuZnUas2zTQJkdrq5jAMBgNV HRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1Ud IAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtp Lmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQBb4wU7IjXL msvaYqFlYYDKiYZhBUGHxxLkFWR72vFugYkJ7BbMCaKZJdyln5xL4pCdNHiNGfub /3ct2t3sKeruc03EydznLQ78qrHuwNJdqUZfDLJ6ILAQUmpnYEXrnmB7C5chCWR0 OKWRLguwZQQQQlRyjZFtdoISHNveel/UkS/Jwijvpbw/wGg9W4L4En6RjDeD259X zYvNzIwiEq50/5ZQCYE9EH0mWguAji9tuh5NJKPEeaaCQ3lp/UEAkq5uYls7tuSs MTI9LMZRiYFJab/LYbq2uaz4B/lSuE9vku+ikNYA+J2Qv6eqU3U+jmUOSCfYJ2Qt zSl8TUu4bL8a -----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIDAjp2MA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBcGA1UdIAQQ
MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQUFAAOCAQEAJ4zP6cc7vsBv6JaE
+5xcXZDkd9uLMmCbZdiFJrW6nx7eZE4fxsggWwmfq6ngCTRFomUlNz1/Wm8gzPn6
8R2PEAwCOsTJAXaWvpv5Fdg50cUDR3a4iowx1mDV5I/b+jzG1Zgo+ByPF5E0y8tS
etH7OiDk4Yax2BgPvtaHZI3FCiVCUe+yOLjgHdDh/Ob0r0a678C/xbQF9ZR1DP6i
vgK66oZb+TWzZvXFjYWhGiN3GhkXVBNgnwvhtJwoKvmuAjRtJZOcgqgXe/GFsNMP
WOH7sf6coaPo/ck/9Ndx3L2MpBngISMjVROPpBYCCX65r+7bU2S9cS+5Oc4wt7S8
VOBHBw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
t=344579 [st= 756] SSL_SOCKET_BYTES_SENT --> byte_count = 254 t=344579 [st= 756] SOCKET_BYTES_SENT --> byte_count = 330 t=344580 [st= 757] +CERT_VERIFIER_REQUEST [dt=24] t=344580 [st= 757] CERT_VERIFIER_REQUEST_BOUND_TO_JOB --> source_dependency = 87489 (CERT_VERIFIER_JOB) t=344604 [st= 781] -CERT_VERIFIER_REQUEST t=344604 [st= 781] SIGNED_CERTIFICATE_TIMESTAMPS_RECEIVED --> embedded_scts = "" --> scts_from_ocsp_response = "" --> scts_from_tls_extension = "" t=344604 [st= 781] SIGNED_CERTIFICATE_TIMESTAMPS_CHECKED --> invalid_scts = [] --> unknown_logs_scts = [] --> verified_scts = [] t=344604 [st= 781] -SSL_CONNECT t=344604 [st= 781] +SOCKET_IN_USE [dt=224783] --> source_dependency = 87462 (HTTP_STREAM_JOB) t=344606 [st= 783] SSL_SOCKET_BYTES_SENT --> byte_count = 28 t=344606 [st= 783] SSL_SOCKET_BYTES_SENT --> byte_count = 49 t=344606 [st= 783] SOCKET_BYTES_SENT --> byte_count = 122 t=344606 [st= 783] SSL_SOCKET_BYTES_SENT --> byte_count = 16 t=344606 [st= 783] SSL_SOCKET_BYTES_SENT --> byte_count = 37 t=344606 [st= 783] SOCKET_BYTES_SENT --> byte_count = 106 t=344608 [st= 785] SSL_SOCKET_BYTES_SENT --> byte_count = 1423 t=344608 [st= 785] SSL_SOCKET_BYTES_SENT --> byte_count = 1444 t=344608 [st= 785] SOCKET_BYTES_SENT --> byte_count = 1514 t=344791 [st= 968] SOCKET_BYTES_RECEIVED --> byte_count = 389 t=344791 [st= 968] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 356 t=344791 [st= 968] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 44 t=344848 [st= 1025] SOCKET_BYTES_RECEIVED --> byte_count = 853 t=344848 [st= 1025] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 825 t=344848 [st= 1025] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 762 t=344849 [st= 1026] SSL_SOCKET_BYTES_SENT --> byte_count = 12 t=344849 [st= 1026] SSL_SOCKET_BYTES_SENT --> byte_count = 33 t=344849 [st= 1026] SOCKET_BYTES_SENT --> byte_count = 106 t=569385 [st=225562] SOCKET_BYTES_RECEIVED --> byte_count = 133 t=569385 [st=225562] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 94 t=569385 [st=225562] SOCKET_BYTES_RECEIVED --> byte_count = 0 t=569385 [st=225562] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 52 t=569385 [st=225562] SSL_SOCKET_BYTES_RECEIVED --> byte_count = 0 t=569386 [st=225563] SOCKET_CLOSED t=569387 [st=225564] -SOCKET_IN_USE t=569387 [st=225564] -SOCKET_IN_USE t=569387 [st=225564] -SOCKET_IN_USE t=569387 [st=225564] -SOCKET_IN_USE t=569387 [st=225564] -SOCKET_ALIVE
I don't understand the options " --cacert , --client-private-key-file, --client-cert-file" very much, not
--cacert: CA certificates shrpx trusts when connecting backend connection. If backend host uses self-signed certs and you'd like to make sure that it is really is, specify its cert here.
--client-private-key-file and --client-cert-file: Specify client private key and certificate file. They are only required if backend TLS server requires them. Usually backend server service says somethings about this; for example, signing your client certs with their keys.
(get the file from http://pan.baidu.com/s/1mgNx5Mg)
I use shrpx as a front-end proxy, connect to another spdy proxy. But encounter a error of decryption_failed(21). I try google a lot, but there so few material for reading.
The backend server "106.187.39.217,443" is a spdy proxy, and it work OK if I use it in a pac-file on Chrome.
I know not much about openssl, but I make the crt-file by openssl using the following command. openssl genrsa -out ca.key 1024 openssl req -new -key ca.key -out ca.csr openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
The shrpx option used: src/shrpx -p --backend=106.187.39.217,443 --frontend=0.0.0.0,8808 --log-level=INFO --insecure --cacert=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt --client-private-key-file=/etc/pki/CA/private/ca.key --client-cert-file=/etc/pki/CA/certs/ca.crt --tls-proto-list=TLSv1.0
It seems no error in the log:
[INFO] Resolving backend address (shrpx.cc:1183) [INFO] Address resolution for 106.187.39.217 succeeded: 106.187.39.217 (shrpx.cc:105) [INFO] Unable to get IPv6 address for 0.0.0.0: Address family for hostname not supported (shrpx.cc:148) [INFO] Listening on 0.0.0.0, port 8808 (shrpx.cc:186) [INFO] Entering event loop (shrpx.cc:299) [INFO] [LISTEN:0x1000260] Accepted connection. fd=9 (shrpx_listen_handler.cc:101) [INFO] [UPSTREAM:0xfe3a00] HTTP request started (shrpx_https_upstream.cc:78) [INFO] [UPSTREAM:0xfe3a00] HTTP request headers completed (shrpx_https_upstream.cc:135) [INFO] [UPSTREAM:0xfe3a00] HTTP request headers CONNECT clients4.google.com:443 HTTP/1.1 Host: clients4.google.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
[INFO] [CLIENT_HANDLER:0xfd5dd0] Downstream connection pool is empty. Create new one (shrpx_client_handler.cc:309) [INFO] [DCONN:0xfbd720] Attaching to DOWNSTREAM:0xfd6070 (shrpx_spdy_downstream_connection.cc:101) [INFO] [UPSTREAM:0xfe3a00] Downstream output buffer is full (shrpx_https_upstream.cc:311) [INFO] [DSPDY:0xfd6130] Connecting to downstream server (shrpx_spdy_session.cc:393) [INFO] [DSPDY:0xfd6130] Connection established (shrpx_spdy_session.cc:249) [INFO] [DSPDY:0xfd6130] Negotiated next protocol: (shrpx_spdy_session.cc:1049) [INFO] [DSPDY:0xfd6130] Disconnecting (shrpx_spdy_session.cc:72) [INFO] [DSPDY:0xfd6130] Closing fd=10 (shrpx_spdy_session.cc:103) [INFO] [CLIENT_HANDLER:0xfd5dd0] Deleting (shrpx_client_handler.cc:173) [INFO] [DOWNSTREAM:0xfd6070] Deleting (shrpx_downstream.cc:67) [INFO] [DCONN:0xfbd720] Deleting (shrpx_spdy_downstream_connection.cc:59) [INFO] [DCONN:0xfbd720] Deleted (shrpx_spdy_downstream_connection.cc:76) [INFO] [DOWNSTREAM:0xfd6070] Deleted (shrpx_downstream.cc:77) [INFO] [CLIENT_HANDLER:0xfd5dd0] Deleted (shrpx_client_handler.cc:202) [INFO] [LISTEN:0x1000260] Accepted connection. fd=9 (shrpx_listen_handler.cc:101)
[INFO] [CLIENT_HANDLER:0xfd5dd0] EOF (shrpx_client_handler.cc:83) [INFO] [CLIENT_HANDLER:0xfd5dd0] Deleting (shrpx_client_handler.cc:173) [INFO] [CLIENT_HANDLER:0xfd5dd0] Deleted (shrpx_client_handler.cc:202) [INFO] [LISTEN:0x1000260] Accepted connection. fd=9 (shrpx_listen_handler.cc:101) [INFO] [UPSTREAM:0x101d470] HTTP request started (shrpx_https_upstream.cc:78) [INFO] [UPSTREAM:0x101d470] HTTP request headers completed (shrpx_httpsupstream.cc:135) [INFO] [UPSTREAM:0x101d470] HTTP request headers GET http://www.baidu.com/ HTTP/1.1 Host: www.baidu.com Proxy-Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/_;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Accept-Encoding: gzip,deflate,sdch Accept-Language: zh-CN,zh;q=0.8 Cookie: BAIDUID=1BA2C2A8FF4226E396526FE4BE6B740E:FG=1; BAIDUPSID=1BA2C2A8FF4226E396526FE4BE6B740E; BD_HOME=0; H_PS_PSSID=10382_1444_10571_10211_10501_10496_10753_10646_10459_10219_10687_10356_10666_10596_10096_10657_10443_10699_10403_10360_10617_10702_10627; BD_UPN=1b314353
[INFO] [CLIENT_HANDLER:0xfd5dd0] Downstream connection pool is empty. Create new one (shrpx_client_handler.cc:309) [INFO] [DCONN:0xf2f400] Attaching to DOWNSTREAM:0xfed6c0 (shrpx_spdy_downstream_connection.cc:101) [INFO] [UPSTREAM:0x101d470] HTTP request completed (shrpx_https_upstream.cc:227) [INFO] [DSPDY:0xfd6130] Connecting to downstream server (shrpx_spdy_session.cc:393) [INFO] [LISTEN:0x1000260] Accepted connection. fd=11 (shrpx_listen_handler.cc:101) [INFO] [UPSTREAM:0x10177f0] HTTP request started (shrpx_https_upstream.cc:78) [INFO] [UPSTREAM:0x10177f0] HTTP request headers completed (shrpx_https_upstream.cc:135)