[squid-users] (no subject)
Vieri Di Paola
vieridipaola at gmail.com
Tue Oct 22 10:22:01 UTC 2019
Hi,
On Fri, Oct 18, 2019 at 10:13 PM Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
> If you are able to share your config maybe we could help spot something,
> both for that and for the timeout issue.
I prepared and tested a trimmed-down squid conf:
# cat squid.conf
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
sslflags=NO_DEFAULT_CA
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 40 startup=20 idle=10
cache_dir diskd /var/cache/squid 32 16 256
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl good_useragents req_header User-Agent Firefox/
acl good_useragents req_header User-Agent Edge/
acl good_useragents req_header User-Agent Microsoft-CryptoAPI/
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access allow CONNECT interceptedssl SSL_ports
http_access deny !good_useragents
http_access allow localnet
debug_options rotate=1 ALL,9
reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service antivirus respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access antivirus allow all
email_err_data on
client_lifetime 480 minutes
httpd_suppress_version_string on
dns_v4_first on
via off
forwarded_for transparent
cache_mem 32 MB
max_filedescriptors 65536
icap_service_failure_limit -1
icap_persistent_connections off
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
> You said Squid used TPROXY. The spoofing of packets causes a different
> set of routing tables and rules to be applied than normal server
> outgoing traffic.
I use Shorewall on this system. This program configures iptables and routing.
I dumped all the network information while trying to access port 80 on
host with IP addr. 104.113.250.104 form local host with IP addr.
10.215.144.48:
https://drive.google.com/file/d/13Pr2OCgCInY6E72krCci9BiHrB1lrMce/view?usp=sharing
> Looks like Squid is doing everything right and the issues is somewhere
> between the TCP SYN send and SYN ACK returning.
I suspect there must be something wrong with my routing or marking
(please see dump).
Thanks,
Vieri
More information about the squid-users
mailing list