[squid-users] Help with transparent whitelisting proxy on Squid 4.4
Jared Fox
jared.fox at practiv.com
Wed Jun 26 02:45:25 UTC 2019
Hi Amos / Squid-Users
So some good news and bad news, and I'm still blocked.
== Good news ==
I have managed to get Squid 4.7 running on Centos 7.6.1810, with the
squid & squid-helpers binary rpms from
`http://www1.ngtech.co.il/repo/centos/$releasever/$basearch/`.
FYI: The squid-helpers rpm does not work in Amazon Linux 2 due to
incomplete dependencies. Out of scope of this help request, as I'm not
concerned by this at the moment. It's a 3rd party rpm anyway.
The squid-helpers security_file_certgen required a symlink to work, as
the security_file_certgen is not in the default path. Symlink was
quicker than just updating PATH:
`ln -s /usr/lib64/squid/security_file_certgen /usr/local/sbin/security_file_certgen`
Only squid.conf change (from what was previously listed) was to add:
http_port 3128
== Bad news / Major Blocker ==
HTTPS connections to cloud tracing are still being blocked; these are
TLS 1.2 and use SNI, as seen via tcpdump.
26/Jun/2019:02:23:13 956 Kube-Node-Zone-B-IP 162.247.242.26 TCP_TUNNEL/200 3059 CONNECT 162.247.242.26:443 collector-001.newrelic.com HTTP/1.1
26/Jun/2019:02:23:14 978 Kube-Node-Zone-B-IP 162.247.242.26 TCP_TUNNEL/200 3059 CONNECT 162.247.242.26:443 collector-001.newrelic.com HTTP/1.1
26/Jun/2019:02:23:16 95 Kube-Node-Zone-B-IP 216.58.199.74 NONE/200 0 CONNECT 216.58.199.74:443 cloudtrace.googleapis.com HTTP/1.1
26/Jun/2019:02:23:16 96 Kube-Node-Zone-B-IP 216.58.199.42 NONE/200 0 CONNECT 216.58.199.42:443 cloudtrace.googleapis.com HTTP/1.1
26/Jun/2019:02:23:16 94 Kube-Node-Zone-B-IP 172.217.167.106 NONE/200 0 CONNECT 172.217.167.106:443 cloudtrace.googleapis.com HTTP/1.1
26/Jun/2019:02:23:16 95 Kube-Node-Zone-B-IP 172.217.167.74 NONE/200 0 CONNECT 172.217.167.74:443 cloudtrace.googleapis.com HTTP/1.1
26/Jun/2019:02:23:16 94 Kube-Node-Zone-B-IP 172.217.25.170 NONE/200 0 CONNECT 172.217.25.170:443 cloudtrace.googleapis.com HTTP/1.1
26/Jun/2019:02:23:16 96 Kube-Node-Zone-B-IP 172.217.25.138 NONE/200 0 CONNECT 172.217.25.138:443 cloudtrace.googleapis.com HTTP/1.1
26/Jun/2019:02:23:17 94 Kube-Node-Zone-B-IP 216.58.203.106 NONE/200 0 CONNECT 216.58.203.106:443 cloudtrace.googleapis.com HTTP/1.1
26/Jun/2019:02:23:17 96 Kube-Node-Zone-B-IP 216.58.200.106 NONE/200 0 CONNECT 216.58.200.106:443 cloudtrace.googleapis.com HTTP/1.1
26/Jun/2019:02:23:17 848 Kube-Node-Zone-B-IP 162.247.242.27 TCP_TUNNEL/200 3112 CONNECT 162.247.242.27:443 collector-001.newrelic.com HTTP/1.1
26/Jun/2019:02:23:18 994 Kube-Node-Zone-B-IP 162.247.242.27 TCP_TUNNEL/200 3059 CONNECT 162.247.242.27:443 collector-001.newrelic.com HTTP/1.1
26/Jun/2019:02:23:19 833 Kube-Node-Zone-B-IP 162.247.242.27 TCP_TUNNEL/200 3059 CONNECT 162.247.242.27:443 collector-001.newrelic.com HTTP/1.1
26/Jun/2019:02:23:20 1192 Kube-Node-Zone-B-IP 162.247.242.27 TCP_TUNNEL/200 3059 CONNECT 162.247.242.27:443 collector-001.newrelic.com HTTP/1.1
I really need to get Google Stackdriver Cloud Tracing working with
squid so am open to any advice / recommendations.
Kind regards
Jared Fox
DevOps Architect - Practiv
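
An added example, not part of the original post: a small triage script that reads access-log entries in the layout shown in the message and lists the SNI names that only ever produced zero-byte, non-`TCP_TUNNEL` entries. The field order is an assumption inferred from the excerpt (the poster's `logformat` line is not shown), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Three entries from the post's excerpt, still wrapped the way the mail wrapped them.
# Assumed field order: time, elapsed ms, client, dest IP, result/status, bytes,
# method, target, SNI, HTTP version.
SAMPLE = """\
26/Jun/2019:02:23:13 956 Kube-Node-Zone-B-IP 162.247.242.26
TCP_TUNNEL/200 3059 CONNECT 162.247.242.26:443
collector-001.newrelic.com HTTP/1.1
26/Jun/2019:02:23:16 95 Kube-Node-Zone-B-IP 216.58.199.74
NONE/200 0 CONNECT 216.58.199.74:443 cloudtrace.googleapis.com
HTTP/1.1
26/Jun/2019:02:23:17 848 Kube-Node-Zone-B-IP 162.247.242.27
TCP_TUNNEL/200 3112 CONNECT 162.247.242.27:443
collector-001.newrelic.com HTTP/1.1
"""

# \s+ between fields lets one pattern match both one-line and mail-wrapped entries.
ENTRY = re.compile(
    r"(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<dst>\S+)\s+(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<target>\S+)\s+(?P<sni>\S+)\s+(?P<ver>HTTP/\d\.\d)"
)

def parse(text):
    """Return one dict per log entry found in text."""
    return [m.groupdict() for m in ENTRY.finditer(text)]

def summarize(entries):
    """Per SNI name: tunnelled count, zero-byte count, total bytes, destination IPs."""
    stats = defaultdict(lambda: {"tunnelled": 0, "empty": 0, "bytes": 0, "dst": set()})
    for e in entries:
        s = stats[e["sni"]]
        s["bytes"] += int(e["bytes"])
        s["dst"].add(e["dst"])
        if e["result"] == "TCP_TUNNEL":
            s["tunnelled"] += 1
        elif e["bytes"] == "0":
            s["empty"] += 1
    return dict(stats)

def never_tunnelled(stats):
    """SNI names that only ever produced zero-byte, non-tunnel entries."""
    return sorted(n for n, s in stats.items() if not s["tunnelled"] and s["empty"])

if __name__ == "__main__":
    for name, s in summarize(parse(SAMPLE)).items():
        print(name, s["tunnelled"], s["empty"], s["bytes"], len(s["dst"]))
    print("never tunnelled:", never_tunnelled(summarize(parse(SAMPLE))))
```

Running it over a full access log narrows the whitelist review to the names it reports, which can then be compared against the ACLs that govern the splice decision.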