[squid-users] https_port Listen on different IP

houheming houhm at greenet.net.cn
Sat Oct 20 13:47:54 UTC 2018


Hi Alex & Amos,

Thanks for your replies, sorry for my poor English, I will add more information.

#1

1. Configure Squid to automatically generate origin server certificates
(signed by a configured CA X) and send them to browsers/clients that go
to those origin servers.

This is my situation.

#2

If I configure squid like the following:

https_port 443 ...
https_port 180.97.33.107:443 ...
https_port 180.97.33.108:443 ...

when I reconfigure squid, no errors come out, but when I check the tcp ports listening using "netstat -tln", line 2 and line 3 with the specific IPs do not work:

[screenshot attachment, scrubbed from the archive]

#3

If I configure squid like:

https_port 180.97.33.107:443 ...
https_port 180.97.33.108:443
https_port 443

when I use "squid -k reconfigure" to reconfigure squid, there is no error message. But when I check the tcp ports listening:

[screenshot attachment, scrubbed from the archive]

#4

I also tried to specify a different port for IP 0.0.0.0, like this:

https_port 180.97.33.107:443 ...
https_port 180.97.33.108:443
https_port 4433   #here specify a different port from above

and it works.

[screenshot attachment, scrubbed from the archive]

https_port 0.0.0.0:443
https_port 1.1.1.1:443

I was just curious that the above two types of rules cannot exist together: whichever you put first in squid.conf will overwrite the second one.

Using a different port for the wildcard is a good solution in this case; it is just that, if I could use the same tcp port for IP 0.0.0.0, it would be easier for my situation.

In my case, the destination server IP and root CA are dynamically sent to me by another configuration server, so I chose to use the default https port 443 to receive all https traffic.

If I have to use different ports for IP 0.0.0.0, I think I have to write one iptables rule for each https server IP. In the normal case this is ok, but in my case I have to do it dynamically; in other words, whenever I receive a configuration rule, I have to write an iptables rule for it. Anyway, that is my problem, thank you guys!

Heming Hou

-----Original Message-----
From: Amos Jeffries [mailto:squid3 at treenet.co.nz]
Sent: 20 October 2018 12:10
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] https_port Listen on different IP

On 20/10/18 6:04 AM, Alex Rousskov wrote:

> On 10/19/2018 01:10 AM, houheming wrote:
>> https_port 443 ...
>> https_port 180.97.33.107:443 ...
>> https_port 180.97.33.108:443 ...
> 
> I am not sure, but perhaps the first https_port line (the one without an
> explicit IP address) should come _last_ so that Squid can listen on the
> addresses that remain after 180.97.33.107 and 180.97.33.108 are taken by
> the other two ports?

I think that is what was meant by "If I switch line1 with line2 and
line3 ..., then only line2 and line3 will get its chance to work, line1
will not work. "

The problem is that TCP does not permit any IP:port combination to have
two simultaneous listening sockets with different parameters. These
configuration lines differ in both address and protocol they are receiving.


houheming:
you have to use different ports to receive the traffic into Squid.

Since you are using TPROXY there is no requirement for the proxy
listening port to be 443. Squid can listen on any port you want.

This problem should disappear if you set the wildcard port to another
number and update the TPROXY rule which is sending traffic to it.

Amos

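As an added check for the situation discussed in this thread (example code written for this page, not code from the thread, from Squid, or from any of the posters): a small Python script that parses the https_port lines of a squid.conf fragment, flags any port that mixes a wildcard listener with specific-IP listeners (the layout in cases #2 and #3, where only one kind ends up bound), and compares the configured listeners against "netstat -tln" output to report which ones never came up, which is what the poster did by hand. The config fragment and the netstat output are constructed samples; the cert= path is a placeholder, and the "tproxy ssl-bump" options are only there to make the lines look realistic.

```python
"""Lint https_port directives in a squid.conf fragment and compare them with
netstat -tln output.  Added example for the squid-users thread; all sample
data below is constructed."""
from collections import defaultdict

# Constructed squid.conf fragment laid out like the poster's case #2.
# The two addresses are the ones quoted in the thread; the options and the
# cert= path are placeholders, not a working Squid configuration.
SAMPLE_CONF = """\
http_port 3128
https_port 443 tproxy ssl-bump cert=/path/to/ca.pem
https_port 180.97.33.107:443 tproxy ssl-bump cert=/path/to/ca.pem
https_port 180.97.33.108:443 tproxy ssl-bump cert=/path/to/ca.pem
"""

# Constructed `netstat -tln` output: only the wildcard socket is bound, which
# is the symptom the poster reports for case #2.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
"""

# Addresses that mean "listen on everything"; a bare port in Squid is the same.
WILDCARDS = {"0.0.0.0", "::", "*"}


def split_address(spec):
    """Split 'port', 'ipv4:port' or '[ipv6]:port' into (address, int port).
    A bare port means Squid listens on all addresses, so it is reported as 0.0.0.0."""
    if spec.startswith("["):
        addr, _, port = spec[1:].partition("]:")
    elif ":" in spec:
        addr, _, port = spec.rpartition(":")
    else:
        addr, port = "0.0.0.0", spec
    if not port.isdigit():
        raise ValueError("bad port spec: %r" % spec)
    return addr, int(port)


def parse_https_ports(conf_text):
    """Return [(line_no, address, port, options)] for every https_port line."""
    entries = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2 or parts[0] != "https_port":
            continue
        addr, port = split_address(parts[1])
        entries.append((n, addr, port, parts[2:]))
    return entries


def find_port_conflicts(entries):
    """Map each port that has both a wildcard listener and specific-IP listeners
    to {"wildcard": [line numbers], "specific": [line numbers]}.  This is the
    layout from cases #2 and #3, where only one of the two kinds gets bound."""
    by_port = defaultdict(lambda: {"wildcard": [], "specific": []})
    for n, addr, port, _ in entries:
        kind = "wildcard" if addr in WILDCARDS else "specific"
        by_port[port][kind].append(n)
    return {p: v for p, v in by_port.items() if v["wildcard"] and v["specific"]}


def listening_sockets(netstat_text):
    """Parse the Local Address column of LISTEN rows into a set of (address, port)."""
    socks = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[-1] == "LISTEN":
            socks.add(split_address(cols[3]))
    return socks


def missing_listeners(entries, netstat_text):
    """Return the configured https_port entries that have no matching LISTEN socket."""
    socks = listening_sockets(netstat_text)
    return [(n, addr, port) for n, addr, port, _ in entries if (addr, port) not in socks]


if __name__ == "__main__":
    entries = parse_https_ports(SAMPLE_CONF)
    for port, lines in find_port_conflicts(entries).items():
        print("port %d: wildcard on line(s) %s collides with specific IPs on line(s) %s"
              % (port, lines["wildcard"], lines["specific"]))
    for n, addr, port in missing_listeners(entries, SAMPLE_NETSTAT):
        print("line %d: %s:%d configured but not listening" % (n, addr, port))
```

Running it on the sample reports the 443 collision between line 2 and lines 3-4 and lists both specific-IP listeners as missing. Rewriting the wildcard line to a different port, as in the poster's case #4, makes the conflict check come back empty, which is the layout Amos recommends (with the TPROXY rule updated to match).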
