[squid-users] squid "internal?" loop - with no firewall nat going on..?

Klavs Klavsen kl at vsen.dk
Thu Mar 12 14:53:22 UTC 2015

I think I found it..

trying to run ssl_crtd myself to issue a cert it says:
  Error while parsing the crtd request: Broken signing certificate!

shouldn't that end up in squid logs as well?

Klavs Klavsen wrote on 03/12/2015 03:48 PM:
> I just found the config, stating that ssl-bump is only supported in
> intercept mode.. that invalidates accel :)
> I setup a client on same LAN as squid, and told it to use squid box as
> default gw. for traffic to public addresses..
> intercept on port 80 works fine.
> on https however I get an SSL connect error.
> This is my config related to that:
> sslcrtd_program                /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
> sslcrtd_children               8 startup=1 idle=1
> https_port                     3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ca.private cert=/etc/squid/ca.cert
> sslproxy_flags                 DONT_VERIFY_PEER
> always_direct                  allow all
> http_port                      3129 intercept
> shutdown_lifetime              3
> sslproxy_cert_error            allow all
> ssl_bump                       server-first all
> I'm running squid-3.4.9. (I can easily upgrade to newer if that will
> help any :) - on centos 7.0.
> What debug options should/could I set to hopefully enlighten me? squid
> logs nothing in cache.log or access.log except:
> 1426171540.277      0 TAG_NONE/400 4047 NONE error:invalid-request - HIER_NONE/- text/html
> Amos Jeffries wrote on 03/12/2015 02:27 PM:
>> On 13/03/2015 1:52 a.m., Klavs Klavsen wrote:
>>> I'd rather not have to route everything (incl. normal ingoing web
>>> traffic) through the squid box.. and the firewalls are proprietary stuff
>>> - so can't install squid there :)
>> You don't, port 80 TCP is all that *needs* it, and only for the traffic
>> from clients you want to go through Squid.
>> If you are passing outgoing web traffic through Squid the responses
>> (incoming) have to come back through it.
>> If you have external stuff making requests to internal servers, that can
>> be left alone in the same way Squid's outgoing traffic is.
>> Are we talking more or less than 100Mbps of port 80 traffic here?
>>> It works fine in accel mode.. and I can limit what urls each client ip
>>> is able to access, and disable caching..
>>> Shouldn't accel mode, for this use case (curl access from websites - all
>>> using http/1.1 with host header) be good enough - or are there security
>>> issues I am not aware of?
>> You guessed it. CVE-2009-0801 - the Host header is not trustworthy.
>> accel/reverse-proxy mode has no protection at all since the upstream
>> servers are expected to be explicitly configured or the allowed domains
>> restricted to those hosted by the CDN the proxy is part of.
>> ... and the Host header is not always present, though that case has
>> declined a lot in the past few years.
>>> I realize I move the DNS lookup to the squid box - but that's actually
>>> what I want in this case.
>> Actually you will need two DNS lookups to be happening if you use accel.
>> Only the intercept mode with NAT lookups has ability to avoid the second
>> one by using ORIGINAL_DST.
>> accel mode normally avoids the second DNS lookup by having the upstream
>> servers explicitly configured. You don't want to do that manually for
>> every Internet server in existence so forcing a DNS lookup with
>> "always_direct allow all" is required.
>> Routing's your friend, really :-)
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users

Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer
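The "Broken signing certificate!" message from ssl_crtd quoted at the top of this message does not say which property of the CA material is wrong. The Go program below is an added example, not code from Squid, ssl_crtd, or anyone in this thread; it checks the properties that any certificate-signing CA must have regardless of the tool that uses it (that this is the minimum ssl_crtd needs is an assumption): the private key matches the certificate's public key, the certificate carries basicConstraints CA:TRUE, keyCertSign is present if a key-usage extension exists, and the validity period covers now. The paths /etc/squid/ca.cert and /etc/squid/ca.private from the quoted config are where the bytes would be read from on the proxy; the program constructs its own throwaway CA material instead so it runs offline, and the function names are mine.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// checkSigningCA returns nil when certPEM/keyPEM can act as a certificate-signing CA.
// Added check, not ssl_crtd's own logic; assumption: these are the properties any
// generated-host-certificate signer needs. Expects a PKCS#8 "PRIVATE KEY" block.
func checkSigningCA(certPEM, keyPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("cert file: no CERTIFICATE PEM block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("cert file: %w", err)
	}
	block, _ = pem.Decode(keyPEM)
	if block == nil {
		return errors.New("key file: no PEM block")
	}
	rawKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("key file: %w", err)
	}
	signer, ok := rawKey.(crypto.Signer)
	if !ok {
		return errors.New("key file: unsupported private key type")
	}
	// RSA, ECDSA and Ed25519 public keys all implement Equal.
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(signer.Public()) {
		return errors.New("private key does not match the certificate's public key")
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return errors.New("certificate is not marked CA:TRUE (basicConstraints)")
	}
	if cert.KeyUsage != 0 && cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("certificate key usage lacks keyCertSign")
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is outside its validity period")
	}
	return nil
}

// newSelfSigned builds constructed test material (not the thread's CA): a
// self-signed certificate, flagged as a CA when isCA is true, plus its key, as PEM.
func newSelfSigned(cn string, isCA bool) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	// Three constructed cases: a usable CA, a non-CA certificate, a mismatched key.
	caCert, caKey, _ := newSelfSigned("Test Bump CA", true)
	leafCert, leafKey, _ := newSelfSigned("not-a-ca.example", false)
	_, otherKey, _ := newSelfSigned("Other CA", true)
	fmt.Println("good CA:        ", checkSigningCA(caCert, caKey))
	fmt.Println("non-CA cert:    ", checkSigningCA(leafCert, leafKey))
	fmt.Println("mismatched key: ", checkSigningCA(caCert, otherKey))
}
```

To run it against real files, replace the constructed material in main with os.ReadFile of the cert and key paths; a key stored as a traditional "RSA PRIVATE KEY" block would need x509.ParsePKCS1PrivateKey instead of the PKCS#8 parser used here. Separately from the signing CA, the quoted config's sslproxy_flags DONT_VERIFY_PEER and sslproxy_cert_error allow all switch off validation of the upstream servers' certificates, so once bumping works the proxy will present clients with locally signed certificates for origins whose own certificates were never checked.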
