[squid-users] Secrecy and TCP Reset and Allow Direct

Amos Jeffries squid3 at treenet.co.nz
Sat Dec 3 23:13:01 UTC 2016


On 4/12/2016 11:08 a.m., creditu wrote:
> I am trying to finalize an accelerator configuration in 3.1.  The
> accelerator has cache disabled (we use an external service) with cache
> deny all. We have several public IPs that send requests to back end
> Apache servers using http.  The accelerator will provide both http and
> https for a while.  A few questions:
> 
> Trying to get a A rating in Qualys site and the best I can get is A- due
> to forward secrecy not supported for a few browsers.  I think this is
> due to Squid not being able to support ECDHE (which some of those
> browsers need).  Just wanted to confirm that we're not missing
> something.  Is there any alternate configuration that we may be able to
> do? 

ECDHE is enabled when the https_port tls-dh= option is given a curve
name. This is supported in 3.5.13+.

> 
> I have an ACL that I want to send a TCP reset if the url being requested
> matches a regx.  It seems to work, but in testing the first time a
> browser request the url, the upper left corner of the browser has the
> word "reset" in it.  Subsequent requests seem to work as expected and
> the client/browser gets the reset.  In the cache log I see:   
>  errorpage.cc(293) errorTryLoadText:
>  '/usr/share/squid/errors/en-us/TCP_RESET': (2) No such file or
>  directory
> WARNING: Error Pages Missing Language: en-us
> errorpage.cc(293) errorTryLoadText:
> '/usr/share/squid/errors/en/TCP_RESET': (2) No such file or directory
> WARNING: Error Pages Missing Language: en
> I touched an empty file in the directories and the errors went away. 
> Now after a squid restart I get "max-age=86400" in the upper left corner
> once then it goes away and works as expected (client gets reset).  Just
> curious if  this is expected?  Here is the ACL:
> 
> acl www_url url_regex -i [^:]+://www.example.com.*
> deny_info TCP_RESET www_url

You can omit the trailing ".*", but yes, that is correct.

The browser showing some text is odd. You can use "debug_options 11,2"
to get a cache.log trace of the HTTP message headers and see what is
going on there.

> 
> Trying to understand if we should use the always direct directive with
> this configuration.   As stated, we just want to send public requests to
> the backend servers. The current ACL for this is:
> 
> acl apache dst 10.10.10.0/24
> always_direct allow apache
> always_direct deny all

This directive's only purpose is to prevent cache_peer links being used
for the traffic which has an "allow" action.

Amos
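The three points from the reply above (ECDHE via tls-dh= with a curve name, a deny_info TCP_RESET rule, and where always_direct fits in an accelerator) pulled together into one squid.conf, as an added example that is not from either poster. It assumes Squid 3.5.13 or later, the site www.example.com, one Apache origin at 10.10.10.10, certificate and DH-parameter paths under /etc/squid, and that the URLs to be reset are those under /admin/; all of those are placeholders.

```squid
# Added example, not from the thread. Assumed: Squid 3.5.13+, site
# www.example.com, origin 10.10.10.10, paths under /etc/squid, and /admin/
# as the URL prefix that should be answered with a TCP reset.

# External cache only: never store anything locally.
cache deny all

# Plain-HTTP accelerator listener.
http_port 80 accel defaultsite=www.example.com vhost

# TLS accelerator listener. "tls-dh=<curve>:<file>" enables ECDHE using the
# named curve (the file still supplies the DHE parameters); "tls-dh=<file>"
# on its own gives DHE only, which is why some clients end up without
# forward secrecy. Limiting cipher= to ECDHE/DHE suites means every
# handshake that completes has forward secrecy, which is what the Qualys
# forward-secrecy check looks at.
https_port 443 accel defaultsite=www.example.com vhost \
    cert=/etc/squid/www.example.com.crt \
    key=/etc/squid/www.example.com.key \
    tls-dh=prime256v1:/etc/squid/dhparam.pem \
    options=NO_SSLv2,NO_SSLv3 \
    cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

# Origin server reached through a cache_peer link.
cache_peer 10.10.10.10 parent 80 0 no-query originserver name=apache1

# Reset requests for /admin/. deny_info is looked up for the last ACL on
# the http_access line that denied the request, so the deny and the
# deny_info must name the same ACL. Dots are escaped and the host is
# anchored; the thread's unescaped "www.example.com.*" also works, but
# matches more than intended. The (:[0-9]+)? allows an explicit port.
acl www_admin url_regex -i ^[^:]+://www\.example\.com(:[0-9]+)?/admin/
http_access deny www_admin
deny_info TCP_RESET www_admin

# Everything else for our site goes to the peer; refuse the rest.
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all
cache_peer_access apache1 allow our_sites
cache_peer_access apache1 deny all

# always_direct only makes matching traffic bypass cache_peer links. In an
# accelerator whose origin is reached via "cache_peer ... originserver", an
# "allow" here would send matching requests straight to whatever the URL
# host resolves to instead of to the peer (dst is that resolved address,
# not the peer address), so it is left out. Shown commented for reference:
#acl apache dst 10.10.10.0/24
#always_direct allow apache

# To see the HTTP headers the browser actually received on the "reset"
# page, raise the header trace temporarily (section 11 at level 2):
#debug_options ALL,1 11,2
```

After editing, run `squid -k parse` before `squid -k reconfigure`; an unknown https_port option (for example tls-dh= on a release older than 3.5.13) is reported there rather than at handshake time. The TCP_RESET name in deny_info is a built-in action, so the empty files the poster created under errors/*/TCP_RESET are not needed once the rule is correct.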

