[squid-users] https_port Listen on different IP

Alex Rousskov rousskov at measurement-factory.com
Sat Oct 20 17:12:16 UTC 2018


On 10/20/18 7:47 AM, houheming wrote:
> 1. Configure Squid to automatically generate origin server certificates
> (signed by a configured CA X) and send them to browsers/clients that go
> to those origin servers.
  
OK.


> If I configure squid like:
> 
> https_port 180.97.33.107:443 ...
> https_port 180.97.33.108:443
> https_port 443

> when I use "squid -k reconfigure" to reconfigure squid, no error message.

In general, avoid using "-k anything" as the primary configuration test.
It just complicates matters by introducing a different error checking
context. Use a clean start. I am _not_ saying that a clean start would
have solved your problem in this particular case.


> But when I check the tcp ports listening:

[image showing the first two out of three configured :443 ports]

If Squid did not complain about anything but did not start listening on
one of the configured ports, then there is a Squid error reporting bug
somewhere. Feel free to report it to Squid bugzilla.

My suggestion to reorder those https_port lines was wrong. The wildcard
bind(INADDR_ANY) system call does not bind to "any available" address.
It binds to "all" addresses and, hence, fails if one of the addresses is
not available.

As Amos said and you have confirmed, using a different port for the
third https_port avoids these problems. Using a different/specific IP
address for the third https_port is another option.


> I was just curious that the above two types of rules cannot exist
> together, whichever you put the first in squid.conf, it will overwrite
> the second one.

https_port lines do not overwrite each other. The ports are independent,
but since they all consume a common resource (system IPs and ports),
they may conflict with each other. Use unique IPs and/or unique ports to
avoid conflicts.


Cheers,

Alex.


> -----Original Message-----
> From: Amos Jeffries [mailto:squid3 at treenet.co.nz]
> Sent: 20 October 2018 12:10
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] https_port Listen on different IP
> 
> On 20/10/18 6:04 AM, Alex Rousskov wrote:
>> On 10/19/2018 01:10 AM, houheming wrote:
>>> https_port 443 ...
>>> https_port 180.97.33.107:443 ...
>>> https_port 180.97.33.108:443 ...
>> 
>> I am not sure, but perhaps the first https_port line (the one without an
>> explicit IP address) should come _last_ so that Squid can listen on the
>> addresses that remain after 180.97.33.107 and 180.97.33.108 are taken by
>> the other two ports?
> 
> I think that is what was meant by "If I switch line1 with line2 and
> line3 ..., then only line2 and line3 will get its chance to work, line1
> will not work. "
> 
> The problem is that TCP does not permit any IP:port combination to have
> two simultaneous listening sockets with different parameters. These
> configuration lines differ in both address and protocol they are receiving.
> 
> 
> houheming:
> you have to use different ports to receive the traffic into Squid.
> 
> Since you are using TPROXY there is no requirement for the proxy
> listening port to be 443. Squid can listen on any port you want.
> 
> This problem should disappear if you set the wildcard port to another
> number and update the TPROXY rule which is sending traffic to it.
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
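A pre-start check for the conflict discussed in this thread, added here as an example and not part of the thread or of Squid itself: it replays the https_port/http_port binds in squid.conf order using the rule Alex states (a wildcard listener claims the port on every local address, so it clashes with any other listener on that port number; two specific IPs clash only when identical). The squid.conf fragment is constructed and the function names are my own.

```python
import re
from typing import List, Tuple

# Constructed squid.conf fragment modelled on the three https_port lines in the thread.
SAMPLE_CONF = """\
https_port 180.97.33.107:443 tproxy ssl-bump generate-host-certificates=on
https_port 180.97.33.108:443 tproxy ssl-bump generate-host-certificates=on
https_port 443 tproxy ssl-bump generate-host-certificates=on
http_port 3128
"""

# Spellings that mean bind(INADDR_ANY)/in6addr_any: the port is claimed on all addresses.
WILDCARDS = {"", "0.0.0.0", "[::]"}

Listener = Tuple[int, str, int]   # (squid.conf line number, ip or "" for wildcard, port)

def parse_ports(conf: str) -> List[Listener]:
    """Extract every http_port/https_port listener; ip is "" for a wildcard."""
    listeners = []
    for n, raw in enumerate(conf.splitlines(), 1):
        m = re.match(r"^\s*https?_port\s+(\S+)", raw.split("#", 1)[0])
        if not m:
            continue
        spec = m.group(1)                      # forms: 443 | 1.2.3.4:443 | [::1]:443
        if ":" in spec:
            host, _, port = spec.rpartition(":")
        else:
            host, port = "", spec              # bare port number = wildcard bind
        listeners.append((n, "" if host in WILDCARDS else host, int(port)))
    return listeners

def find_conflicts(listeners: List[Listener]) -> List[Tuple[int, str]]:
    """Replay the binds in squid.conf order and report each one that would fail.

    Same port + (either side wildcard, or identical IP) = EADDRINUSE for the later
    line. Different ports never clash, which is the fix the thread arrives at.
    """
    bound: List[Listener] = []
    failures = []
    for n, ip, port in listeners:
        clash = next((b for b in bound if b[2] == port
                      and (ip == "" or b[1] == "" or ip == b[1])), None)
        if clash is None:
            bound.append((n, ip, port))
        else:
            why = "wildcard" if "" in (ip, clash[1]) else "same IP"
            failures.append((n, f"{ip or '*'}:{port} clashes with line {clash[0]} ({why})"))
    return failures

if __name__ == "__main__":
    for line_no, reason in find_conflicts(parse_ports(SAMPLE_CONF)):
        print(f"squid.conf line {line_no}: {reason}")
```

Swapping the wildcard line to the top makes lines 2 and 3 the failing ones instead, matching houheming's observation that "whichever you put first" wins.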