[squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 5 03:40:50 UTC 2024


On 5/03/24 08:03, Dragos Pacher wrote:
> Hello,
> 
> I am a Squid beginner and we would like to use Squid inside our 
> organization only as a HTTPS traffic inspection/logging tool for some 
> 3rd party apps that we bought,
> something close to what a "MITM proxy" is called but we will not do 
> that, instead we use a self signed certificate and the 3rd party app 
> owners know this. Everything is
> 100% completely legal. (Ps: I am the IT lead).
> 

FYI: "MITM proxy" is a ridiculous term. "MITM" means "intermediary" in 
security terminology, "proxy" means "intermediary" in networking 
terminology.
  So that term just means "intermediary intermediary", yeah.



Any serious HTTPS inspection/logging by Squid needs some form of 
SSL-Bump configuration and those 3rd-party Apps MUST be configured with 
trust for the self-signed root CA you are using.


Without that nothing Squid (or any other proxy) does will allow traffic 
inspection beyond the initial TLS handshake.



Assuming that you have checked that detail, on to your issue ...


> We will be using Squid only internally, no outside access. Here is my 
> issue with the current knowledge of Squid: POC running well on 3 servers 
> but on the 4th I get no IPv6
> sockets:
> ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> tcp        0      0 10.10.0.16:3128         0.0.0.0:*               LISTEN      2891391/(squid-1)


Your problem is the http(s)_port "port" configuration parameter.


This Squid is configured to listen like:

   http_port 10.10.0.16:3128

or

   http_port example.com:3128

(when example.com has only address 10.10.0.16)


The "http_port" receives port 80 syntax traffic, it may also be
"https_port" which receives port 443 syntax traffic.


> 
> and on the other 3 I have IPv6:
> ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> tcp        0      0 x.x.x.x:52386    x.x.x.x:443     ESTABLISHED 997651/(squid-1)
> tcp6       0      0 :::3128                 :::*                    LISTEN      997651/(squid-1)


These Squid are configured to listen like:

  http_port 3128


Ensure that the machine/server the 4th Squid is running on has its 
http(s)_port line matching the other three machines' port value.

At this point do not care about the "mode" or options later in the line. 
Your issue is solely the "port" parameter.


Cheers
Amos
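
The comparison described in the reply above, as an added example that is not part of the original post: it extracts only the "port" parameter from each server's http_port/https_port lines, ignores mode and options, and reports the servers that differ from the majority. The server names A2-1 and A2-4 and the sample config texts are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# First argument of an http_port / https_port line is the "port" parameter:
# a bare port, or ipv4:port, hostname:port or [ipv6]:port.
DIRECTIVE = re.compile(r"^\s*(https?_port)\s+(\S+)")

def classify(arg):
    """Return (kind, host, port) for one "port" parameter."""
    if arg.isdigit():
        return ("wildcard", None, int(arg))
    host, sep, port = arg.rpartition(":")
    if not sep or not host or not port.isdigit():
        return ("invalid", arg, None)
    bracketed = host.startswith("[") and host.endswith("]")
    if bracketed:
        host = host[1:-1]
    try:
        (ipaddress.IPv6Address if bracketed else ipaddress.IPv4Address)(host)
        kind = "ipv6" if bracketed else "ipv4"
    except ValueError:
        kind = "invalid" if bracketed else "hostname"
    return (kind, host, int(port))

def port_params(conf_text):
    """(directive, kind, host, port) per listener; mode and options are ignored."""
    found = []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # commented-out lines do not match
        if m:
            found.append((m.group(1),) + classify(m.group(2)))
    return tuple(sorted(found, key=repr))

def odd_ones_out(configs):
    """Servers whose port parameters differ from the most common set."""
    params = {name: port_params(text) for name, text in configs.items()}
    common = Counter(params.values()).most_common(1)[0][0]
    return {name: p for name, p in params.items() if p != common}

# Constructed sample configs: names A2-1 and A2-4 are hypothetical; only the
# two port values (3128 and 10.10.0.16:3128) come from the thread.
SAMPLE = {
    "A2-1": "http_port 3128 ssl-bump\n",
    "A2-2": "# listener\nhttp_port 3128\n",
    "A2-3": "http_port 10.10.0.16:3128\n",
    "A2-4": "http_port 3128\n",
}
if __name__ == "__main__":
    print(odd_ones_out(SAMPLE))
```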

