[squid-users] icap not answering

Amos Jeffries squid3 at treenet.co.nz
Mon Mar 11 10:40:05 UTC 2019


On 11/03/19 8:26 am, steven wrote:
> 
> On 05.03.19 06:13, Amos Jeffries wrote:
>> On 5/03/19 12:10 pm, steven wrote:
>>> Ah, thank you for that clarification. The Python ICAP servers I tested so
>>> far are not very promising, but at least there's a connection now.
>>>
>>> Sadly, Squid does not allow HTTP access at all, only HTTPS access.
>>>
>> Er, that would be because the only http_port you have is configured with
>> 'accel' - making it a reverse-proxy port. But you do not have any
>> cache_peer configured to handle that type of traffic.
>>
>>
>> So, is there any particular reason you have that port receiving 'accel'
>> / reverse-proxy mode traffic?
>>  If not remove that mode flag and things should all work for HTTP too.
>>
> 
> Removed the accel mode, but still no luck with HTTP when opening the address:
> 
> http://squid-web-proxy-cache.1019090.n4.nabble.com/http-port-with-quot-transparent-quot-or-quot-intercept-quot-td4677133.html
> 
> 
> The following error was encountered while trying to retrieve the URL:
> /http-port-with-quot-transparent-quot-or-quot-intercept-quot-td4677133.html
> 

Ah, that is an origin-form URL.


> 
> in this tutorial:
> 
> https://www.reddit.com/r/sysadmin/comments/a67hly/squid_proxy_a_short_guide_forward_transparent/
> 
> 
> the guy uses two ports for http like this:
> 
> http_port 3128 # Listen on this HTTP port, intercepting requests
> http_port 3129 intercept
> 
> and then with iptables he redirects 80 to port 3129, which does not work
> here :(

Which should work fine ... provided the right type of traffic is passed
to each port.


> export http_proxy=http://192.168.10.215:3140 && wget google.de # im using 3140 as intercept port. config at the end.
> --2019-03-10 20:20:56--  http://google.de/
> Connecting to 192.168.10.215:3140... connected.
> Proxy request sent, awaiting response... 403 Forbidden
> 2019-03-10 20:20:56 ERROR 403: Forbidden.
> 

Hmm. You keep mixing port modes and traffic types.


Ports 3128, 80 and 443 all have different traffic syntax and handling
requirements. The mode flags tell Squid which syntax is expected and
valid arriving at that port. The default mode is forward/explicit-proxy, so
there is no flag for that mode/syntax.


Ports with 'intercept' flags must *only* have traffic passed to them
from the OS NAT subsystem.

Clients should be connecting directly to the domain origin on port 80.
Do not configure them with any details about the proxy. E.g. passing the
http_proxy environment variable is configuring wget to use an
explicit-proxy port.

Your wget test should be using port 3128 in that http_proxy= setting. Or
not using that setting at all for tests of the port 80 and port 443
traffic (which should be getting intercepted by NAT).


> 
> grep -v '#' squid.conf
> 
...

NP: You are missing the default security rules to protect against DoS
and other nasty attacks.


> http_access allow localnet
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern .        0    20%    4320


> http_port 3128

Above port is for forward-proxy / explicit-proxy traffic. Clients need
to be explicitly configured to send traffic here, or instructed to by
response URLs generated by this proxy.

You do not have 'ssl-bump' so any TLS/SSL/HTTPS traffic from these
clients will go through in CONNECT tunnels without inspection.


> http_port 3140 intercept

Above port is for NAT intercepted port 80 traffic. Clients are
contacting HTTP origin servers directly.

There is no TLS/SSL/HTTPS traffic on this port. Attempts by the client
to Upgrade to non-HTTP protocols (including HTTPS) will be ignored.


> https_port 3129 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem


Above port is for NAT intercepted port 443 traffic, with SSL-Bump'ing.
Clients are contacting HTTPS origin servers directly.

There is no plain-text HTTP traffic on this port. Attempts by the client
to Upgrade to non-HTTPS protocols (including HTTP) will be ignored.

on_unsupported_protocol determines what happens to non-TLS traffic
arriving at this port. Internet requirements are that traffic is
rejected, though abuse of port 443 for sneaking other things through
this port is so popular it may not always be possible.



> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
> acl step1 at_step SslBump1
> 
> ssl_bump peek step1
> ssl_bump bump all
> 

NP: SSL-Bump'ing operations are performed on all traffic without
knowledge of the server X.509 certificate details. This introduces
TLS/SSL errors and several classes of security vulnerability.

Amos
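As an added illustration, not part of the thread or of Squid's own documentation, this is one way to lay out the three port modes Amos describes together with the stock security rules he notes are missing. It assumes the LAN is 192.168.10.0/24, the proxy host 192.168.10.215 is the LAN's gateway, and Squid 4.x (security_file_certgen); the NAT rules shown in comments are an assumption about the gateway, not part of squid.conf.

```conf
# Added example (not from the thread): three port modes plus the stock
# security rules. Assumed: LAN 192.168.10.0/24, proxy/gateway
# 192.168.10.215, Squid 4.x, CA at /etc/squid/myCA.pem.

# --- default security rules (as shipped in the stock squid.conf) ---
acl localnet src 192.168.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

http_access deny !Safe_ports              # no requests to odd ports
http_access deny CONNECT !SSL_ports       # no CONNECT tunnels except to 443
http_access allow localhost manager       # cache manager only from the box
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all                      # everything not listed above

# --- one port per traffic type ---
# Explicit/forward proxy: clients are told to use 192.168.10.215:3128,
# e.g. http_proxy=http://192.168.10.215:3128 for a wget test.
http_port 3128

# NAT-intercepted port 80 only: clients know nothing about the proxy and
# must never be pointed at this port directly.
http_port 3140 intercept

# NAT-intercepted port 443 only, with SSL-Bump.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

# Peek at the ClientHello (step 1) and stare at the server certificate
# (step 2) before bumping, so the bump decision and the mimicked
# certificate are based on the real server X.509 details, not made blind.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all

# NAT rules live on the gateway, not in squid.conf. Only LAN traffic for
# ports 80/443 is redirected; PREROUTING never sees Squid's own outbound
# connections, so there is no loop, and 3128 is never a REDIRECT target.
#   iptables -t nat -A PREROUTING -s 192.168.10.0/24 -p tcp --dport 80  -j REDIRECT --to-ports 3140
#   iptables -t nat -A PREROUTING -s 192.168.10.0/24 -p tcp --dport 443 -j REDIRECT --to-ports 3129
```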

