[squid-users] squid "internal?" loop - with no firewall nat going on..?

Klavs Klavsen kl at vsen.dk
Thu Mar 12 14:48:45 UTC 2015


I just found the config, stating that ssl-bump is only supported in 
intercept mode.. that invalidates accel :)

I setup a client on same LAN as squid, and told it to use squid box as 
default gw. for traffic to public addresses..

intercept on port 80 works fine.

on https however I get an SSL connect error.

This is my config related to that:
sslcrtd_program                /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
sslcrtd_children               8 startup=1 idle=1
https_port                     3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ca.private cert=/etc/squid/ca.cert
sslproxy_flags                 DONT_VERIFY_PEER
always_direct                  allow all
http_port                      3129 intercept
shutdown_lifetime              3
sslproxy_cert_error            allow all
ssl_bump                       server-first all

I'm running squid-3.4.9. (I can easily upgrade to newer if that will 
help any :) - on centos 7.0.

What debug options should/could I set to hopefully enlighten me? squid 
logs nothing in cache.log or access.log except:
1426171540.277      0 10.43.18.168 TAG_NONE/400 4047 NONE error:invalid-request - HIER_NONE/- text/html


Amos Jeffries wrote on 03/12/2015 02:27 PM:
> On 13/03/2015 1:52 a.m., Klavs Klavsen wrote:
>> I'd rather not have to route everything (incl. normal ingoing web
>> traffic) through the squid box.. and the firewalls are proprietary stuff
>> - so can't install squid there :)
>
> You don't, port 80 TCP is all that *needs* it, and only for the traffic
> from clients you want to go through Squid.
>
> If you are passing outgoing web traffic through Squid the responses
> (incoming) have to come back through it.
>
> If you have external stuff making requests to internal servers, that can
> be left alone in the same way Squid's outgoing traffic is.
>
> Are we talking more or less than 100Mbps of port 80 traffic here?
>
>
>>
>> It works fine in accel mode.. and I can limit what urls each client ip
>> is able to access, and disable caching..
>>
>> Shouldn't accel mode, for this use case (curl access from websites - all
>> using http/1.1 with host header) be good enough - or are there security
>> issues I am not aware of?
>
> You guessed it. CVE-2009-0801 - the Host header is not trustworthy.
> accel/reverse-proxy mode has no protection at all since the upstream
> servers are expected to be explicitly configured or the allowed domains
> restricted to those hosted by the CDN the proxy is part of.
>
> ... and the Host header is not always present, though that case has
> declined a lot in the past few years.
>
>
>>
>> I realize I move the DNS lookup to the squid box - but that's actually
>> what I want in this case.
>
> Actually you will need two DNS lookups to be happening if you use accel.
> Only the intercept mode with NAT lookups has ability to avoid the second
> one by using ORIGINAL_DST.
>
> accel mode normally avoids the second DNS lookup by having the upstream
> servers explicitly configured. You don't want to do that manually for
> every Internet server in existence so forcing a DNS lookup with
> "always_direct allow all" is required.
>
>
> Routing's your friend, really :-)
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


-- 
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer
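The only evidence the thread has to go on is the access.log line quoted above: a TAG_NONE/400 entry with error:invalid-request and no URL, which Squid writes when it cannot parse what arrived on the port as an HTTP request (typically what an intercepted TLS connection looks like when the bump does not happen). Below is an added example, not code from the Squid project or from the poster, that parses Squid's native access.log format and counts those rejected connections per client so an operator can see which clients keep hitting the intercept port without producing a usable request. The log lines are constructed samples (one copies the line from the thread, the others use documentation addresses); the threshold of two is an arbitrary assumption.

```python
"""Parse Squid native access.log lines and flag clients whose connections are
rejected before any HTTP request is understood (TAG_NONE/400 error:invalid-request).

Added example; not code from the Squid project or from the thread's author.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log in Squid's native format:
# time elapsed client result/status bytes method url ident hierarchy/peer mime
# The first line is the entry quoted in the thread; the rest are invented.
SAMPLE_LOG = """\
1426171540.277      0 10.43.18.168 TAG_NONE/400 4047 NONE error:invalid-request - HIER_NONE/- text/html
1426171541.102     35 10.43.18.168 TCP_MISS/200 5123 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
1426171542.511      0 10.43.18.168 TAG_NONE/400 4047 NONE error:invalid-request - HIER_NONE/- text/html
1426171543.900     88 10.43.18.170 TCP_MISS/200 2201 GET http://example.org/robots.txt - HIER_DIRECT/203.0.113.11 text/plain
"""


@dataclass
class SquidEntry:
    timestamp: float   # seconds since the epoch, as Squid writes it
    elapsed_ms: int    # time Squid spent on the transaction
    client: str        # client IP address
    result: str        # Squid result code, e.g. TCP_MISS or TAG_NONE
    status: int        # HTTP status Squid sent to the client
    size: int          # bytes sent to the client
    method: str        # request method, or NONE when no request was parsed
    url: str           # request URL, or an error:... pseudo-URL
    ident: str         # RFC 931 ident, normally "-"
    hierarchy: str     # how the response was obtained, e.g. HIER_DIRECT
    peer: str          # upstream address, or "-"
    mime: str          # response content type


def parse_line(line: str) -> SquidEntry:
    """Split one native-format log line into its ten whitespace-separated fields."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    result, _, status = fields[3].partition("/")
    hierarchy, _, peer = fields[8].partition("/")
    return SquidEntry(
        timestamp=float(fields[0]),
        elapsed_ms=int(fields[1]),
        client=fields[2],
        result=result,
        status=int(status),
        size=int(fields[4]),
        method=fields[5],
        url=fields[6],
        ident=fields[7],
        hierarchy=hierarchy,
        peer=peer,
        mime=fields[9],
    )


def parse_log(text: str) -> List[SquidEntry]:
    """Parse every non-empty line of an access.log body."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_unparseable_request(entry: SquidEntry) -> bool:
    """True for the TAG_NONE/400 error:invalid-request entries Squid logs when
    the bytes it received on the port could not be parsed as an HTTP request."""
    return (
        entry.result == "TAG_NONE"
        and entry.status == 400
        and entry.url == "error:invalid-request"
    )


def invalid_request_clients(entries: List[SquidEntry]) -> Dict[str, int]:
    """Count rejected, unparseable connections per client address."""
    return dict(Counter(e.client for e in entries if is_unparseable_request(e)))


def flag_clients(entries: List[SquidEntry], threshold: int = 2) -> List[str]:
    """Clients with at least `threshold` rejected connections (threshold is an assumption)."""
    counts = invalid_request_clients(entries)
    return sorted(client for client, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for client, n in invalid_request_clients(entries).items():
        print(f"{client}: {n} connection(s) rejected as invalid-request")
    print("flagged:", flag_clients(entries))
```

Run against a real access.log, the per-client counts separate a misconfigured intercept port (every HTTPS client shows up with a growing count and no TCP_* entries for port-443 traffic) from a single misbehaving client; the native format is the default, so no logformat directive is needed for these fields.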
