[squid-users] squid "internal?" loop - with no firewall nat going on..?
kl at vsen.dk
Thu Mar 12 14:48:45 UTC 2015
I just found the config, stating that ssl-bump is only supported in
intercept mode.. that invalidates accel :)
I setup a client on same LAN as squid, and told it to use squid box as
default gw. for traffic to public addresses..
intercept on port 80 works fine.
on https however I get an SSL connect error.
This is my config related to that:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
sslcrtd_children 8 startup=1 idle=1
https_port 3130 intercept ssl-bump
always_direct allow all
http_port 3129 intercept
sslproxy_cert_error allow all
ssl_bump server-first all
I'm running squid-3.4.9. (I can easily upgrade to newer if that will
help any :) - on centos 7.0.
What debug options should/could I set to hopefully enlighten me? squid
logs nothing in cache.log or access.log except:
1426171540.277 0 10.43.18.168 TAG_NONE/400 4047 NONE error:invalid-request - HIER_NONE/- text/html
Amos Jeffries wrote on 03/12/2015 02:27 PM:
> On 13/03/2015 1:52 a.m., Klavs Klavsen wrote:
>> I'd rather not have to route everything (incl. normal ingoing web
>> traffic) through the squid box.. and the firewalls are proprietary stuff
>> - so can't install squid there :)
> You don't, port 80 TCP is all that *needs* it, and only for the traffic
> from clients you want to go through Squid.
> If you are passing outgoing web traffic through Squid the responses
> (incoming) have to come back through it.
> If you have external stuff making requests to internal servers, that can
> be left alone in the same way Squid's outgoing traffic is.
> Are we talking more or less than 100Mbps of port 80 traffic here?
>> It works fine in accel mode.. and I can limit what urls each client ip
>> is able to access, and disable caching..
>> Shouldn't accel mode, for this use case (curl access from websites - all
>> using http/1.1 with host header) be good enough - or are there security
>> issues I am not aware of?
> You guessed it. CVE-2009-0801 - the Host header is not trustworthy.
> accel/reverse-proxy mode has no protection at all since the upstream
> servers are expected to be explicitly configured or the allowed domains
> restricted to those hosted by the CDN the proxy is part of.
> ... and the Host header is not always present, though that case has
> declined a lot in the past few years.
>> I realize I move the DNS lookup to the squid box - but that's actually
>> what I want in this case.
> Actually you will need two DNS lookups to be happening if you use accel.
> Only the intercept mode with NAT lookups has ability to avoid the second
> one by using ORIGINAL_DST.
> accel mode normally avoids the second DNS lookup by having the upstream
> servers explicitly configured. You don't want to do that manually for
> every Internet server in existence so forcing a DNS lookup with
> "always_direct allow all" is required.
> Routing's your friend, really :-)
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
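Added example, not from this thread and not Squid's own code: a small Python model of the point Amos makes about CVE-2009-0801. In accel mode with "always_direct allow all" the only thing that chooses the upstream is the client-supplied Host header, so a client can write any name there and the proxy will resolve it and connect to it. In intercept mode the NAT table gives Squid the address the client's TCP connection was really going to (ORIGINAL_DST), the Host header is checked against it, and the request stays pinned to that address when they disagree. The hostnames, addresses and the DNS table are constructed for the demo so it runs offline; the function names are mine, not Squid's.

```python
from typing import Dict, Optional, Tuple

# Constructed stand-in for DNS (hostname -> A records). Not a real
# zone; it exists only so the example runs without network access.
FAKE_DNS: Dict[str, set] = {
    "www.example.com": {"93.184.216.34"},   # a public site
    "intranet.corp.test": {"10.43.18.50"},  # an internal-only server
}


def resolve(hostname: str) -> set:
    """Table-driven 'DNS lookup' replacing the resolver for the demo."""
    return FAKE_DNS.get(hostname.lower(), set())


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse the request line and headers of an HTTP/1.x request.
    Header names are lower-cased; the body (if any) is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def host_header(headers: Dict[str, str]) -> Optional[str]:
    """Return the host part of the Host header (port stripped), or None."""
    host = headers.get("host")
    if not host:
        return None
    if host.startswith("["):              # IPv6 literal: [addr]:port
        return host[1 : host.index("]")]
    return host.split(":", 1)[0]          # drop an optional :port


def accel_route(raw: bytes) -> Tuple[Optional[str], str]:
    """accel (reverse-proxy) mode with 'always_direct allow all':
    the upstream is whatever the client put in Host. Nothing else is
    available to cross-check it against."""
    _, _, headers = parse_request(raw)
    host = host_header(headers)
    if host is None:
        return None, "no Host header: nothing to route on"
    ips = resolve(host)
    if not ips:
        return None, "Host does not resolve"
    return min(ips), "routed on Host header alone"


def intercept_route(raw: bytes, original_dst: str) -> Tuple[Optional[str], str]:
    """intercept mode: original_dst is the address the client's TCP
    connection was actually sent to (what Squid gets from the NAT table
    as ORIGINAL_DST). Host is verified against it; on mismatch the
    request is still forwarded, but only to original_dst, so a forged
    Host cannot steer the proxy to a different server."""
    _, _, headers = parse_request(raw)
    host = host_header(headers)
    if host is None:
        return original_dst, "no Host header: using ORIGINAL_DST"
    if original_dst in resolve(host):
        return original_dst, "Host verified against ORIGINAL_DST"
    return original_dst, "Host/ORIGINAL_DST mismatch: pinned to ORIGINAL_DST"


if __name__ == "__main__":
    # Constructed requests: an honest one and one whose Host names an
    # internal server while the TCP connection went to the public site.
    honest = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    forged = b"GET /admin HTTP/1.1\r\nHost: intranet.corp.test\r\n\r\n"
    client_connected_to = "93.184.216.34"
    for label, req in (("honest", honest), ("forged", forged)):
        print(label, "accel     ->", accel_route(req))
        print(label, "intercept ->", intercept_route(req, client_connected_to))
```

Running it shows the forged request reaching 10.43.18.50 under accel_route but staying on 93.184.216.34 under intercept_route; that difference is the whole reason accel mode is the wrong tool for proxying arbitrary Internet destinations.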