[squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

Dragos Pacher dragosrp at proton.me
Tue Mar 5 12:22:52 UTC 2024


So far it seems there are some issues with my docker networks on the host. Thank you for your help; I will come back later if this turns out not to be the case.

Kind regards,

Dragos

On Tuesday, March 5th, 2024 at 11:59 AM, Dragos Pacher <dragosrp at proton.me> wrote:

> Please see my replies in between the lines below.
> 
> On Tuesday, March 5th, 2024 at 5:40 AM, Amos Jeffries squid3 at treenet.co.nz wrote:
> 
> > On 5/03/24 08:03, Dragos Pacher wrote:
> > 
> > > Hello,
> > > 
> > > I am a Squid beginner and we would like to use Squid inside our
> > > organization only as a HTTPS traffic inspection/logging tool for some
> > > 3rd party apps that we bought,
> > > something close to what a "MITM proxy" is called but we will not do
> > > that, instead we use a self signed certificate and the 3rd party app
> > > owners know this. Everything is
> > > 100% completely legal. (Ps: I am the IT lead).
> > 
> > FYI: "MITM proxy" is a ridiculous term. "MITM" means "intermediary" in
> > security terminology, "proxy" means "intermediary" in networking
> > terminology.
> > So that term just means "intermediary intermediary", yeah.
> 
> 
> I did not coin this term; I was referring to this: https://mitmproxy.org,
> I guess it entered IT popular culture somehow.
> 
> > Any serious HTTPS inspection/logging by Squid needs some form of
> > SSL-Bump configuration and those 3rd-party Apps MUST be configured with
> > trust for the self-signed root CA you are using.
> > 
> > Without that nothing Squid (or any other proxy) does will allow traffic
> > inspection beyond the initial TLS handshake.
> 
> 
> I specified in my first email that I did this already; maybe I was not so clear, but
> my self-signed certificate is working with the 3rd party apps.
> 
> > Assuming that you have checked that detail, on to your issue ...
> > 
> > > We will be using Squid only internally, no outside access. Here is my
> > > issue with the current knowledge of Squid: POC running well on 3 servers
> > > but on the 4th I get no IPv6
> > > sockets:
> > > ubuntu at A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> > > tcp 0 0 10.10.0.16:3128 0.0.0.0:*
> > > LISTEN 2891391/(squid-1)
> > 
> > Your problem is the http(s)_port "port" configuration parameter.
> > 
> > This Squid is configured to listen like:
> > 
> > http_port 10.10.0.16:3128
> > 
> > or
> > 
> > http_port example.com:3128
> > 
> > (when example.com has only address 10.10.0.16)
> > 
> > The "http_port" receives port 80 syntax traffic, it may also be
> > "https_port" which receives port 443 syntax traffic.
> > 
> > > and on the other 3 I have IPv6:
> > > ubuntu at A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> > > tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED
> > > 997651/(squid-1)
> > > tcp6 0 0 :::3128 :::*
> > > LISTEN 997651/(squid-1)
> > 
> > These Squid are configured to listen like:
> > 
> > http_port 3128
> > 
> > Ensure that the machine/server the 4th Squid is running on has its
> > http(s)_port line matching the other three machines port value.
> > 
> > At this point do not care about the "mode" or options later in the line.
> > Your issue is solely the "port" parameter.
> 
> 
> So far it seems I was missing [::] in my http_port on the problem server; because of automatic deployment
> something went wrong and I assumed my Squid configuration was the same everywhere. I fixed this but the issue is still there,
> please see: this is inside a docker container on a healthy server:
> # netstat -patun
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 127.0.0.11:41421 0.0.0.0:* LISTEN 1574/dockerd
> tcp 0 1 172.18.0.10:46950 10.10.0.16:3128 SYN_SENT 307601/node
> udp 0 0 127.0.0.11:57486 0.0.0.0:* 1574/dockerd
> 
> and same netstat on the unhealthy server, still inside docker:
> 
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 127.0.0.11:38339 0.0.0.0:* LISTEN 273025/dockerd
> tcp 0 0 172.18.0.4:50666 10.10.0.11:3128 ESTABLISHED 494253/node
> tcp6 0 0 :::8080 :::* LISTEN 494253/node
> tcp6 0 0 127.0.0.1:8080 127.0.0.1:46168 TIME_WAIT -
> tcp6 0 0 127.0.0.1:8080 127.0.0.1:44480 TIME_WAIT -
> udp 0 0 127.0.0.11:56639 0.0.0.0:* 273025/dockerd
> 
> and a tcpdump from the docker bridge interface; 172.18.0.10 is my problem container, with only the SYN sent
> 
> root at A2-3:~# tcpdump -i br-7b47c165c9ba dst port 3128 -vvv
> tcpdump: listening on br-7b47c165c9ba, link-type EN10MB (Ethernet), snapshot length 262144 bytes
> 09:55:53.436758 IP (tos 0x0, ttl 64, id 48752, offset 0, flags [DF], proto TCP (6), length 60)
> 172.18.0.10.59056 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x0dd4), seq 2115452268, win 65535, options [mss 1460,sackOK,TS val 1708093369 ecr 0,nop,wscale 11], length 0
> 
> 09:56:20.845804 IP (tos 0x0, ttl 64, id 40649, offset 0, flags [DF], proto TCP (6), length 60)
> 172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x48f3), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708120778 ecr 0,nop,wscale 11], length 0
> 
> 09:56:21.852827 IP (tos 0x0, ttl 64, id 40650, offset 0, flags [DF], proto TCP (6), length 60)
> 172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x4504), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708121785 ecr 0,nop,wscale 11], length 0
> 
> 09:56:23.868762 IP (tos 0x0, ttl 64, id 40651, offset 0, flags [DF], proto TCP (6), length 60)
> 172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x3d24), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708123801 ecr 0,nop,wscale 11], length 0
> 
> 09:56:27.996768 IP (tos 0x0, ttl 64, id 40652, offset 0, flags [DF], proto TCP (6), length 60)
> 172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x2d04), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708127929 ecr 0,nop,wscale 11], length 0
> 
> 09:56:36.188758 IP (tos 0x0, ttl 64, id 40653, offset 0, flags [DF], proto TCP (6), length 60)
> 172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x0d04), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708136121 ecr 0,nop,wscale 11], length 0
> 
> 09:56:52.316463 IP (tos 0x0, ttl 64, id 40654, offset 0, flags [DF], proto TCP (6), length 60)
> 172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0xce03), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708152249 ecr 0,nop,wscale 11], length 0
> 
> 
> 7 packets captured
> 7 packets received by filter
> 
> 
> Why the SYN_SENT only state? Any ideas?
> 
> Thank you,
> 
> Dragos
> 
> > Cheers
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > https://lists.squid-cache.org/listinfo/squid-users
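As an added illustration of Amos's point about the http(s)_port address form (this is not code from the thread or from the Squid project), the script below classifies each port spec by the address family it will bind and flags configuration drift across a fleet of the kind Dragos describes. The server names and squid.conf fragments are constructed; only the two forms "http_port 3128" and "http_port 10.10.0.16:3128" come from the thread.

```python
import re
from collections import Counter

# Constructed squid.conf fragments for four servers, modelled on the two forms the thread
# shows: "http_port 3128" on the healthy servers, "http_port 10.10.0.16:3128" on the odd one.
SERVER_CONFIGS = {
    "A2-1": "http_port 3128 ssl-bump cert=/etc/squid/ca.pem\n",
    "A2-2": "http_port 3128 ssl-bump cert=/etc/squid/ca.pem\n",
    "A2-3": "http_port 10.10.0.16:3128 ssl-bump cert=/etc/squid/ca.pem\n",
    "A2-4": "http_port 3128 ssl-bump cert=/etc/squid/ca.pem\n",
}

PORT_LINE = re.compile(r"^\s*(https?_port)\s+(\S+)", re.M)

def classify(spec):
    """Return (host, port, families) for one http(s)_port address spec.

    A bare port or [::] binds the dual-stack wildcard (netstat shows 'tcp6 :::PORT');
    an IPv4 literal binds that one address only (netstat shows 'tcp A.B.C.D:PORT').
    """
    m = re.fullmatch(r"\[(.+)\]:(\d+)", spec)
    if m:                                   # [v6addr]:port
        host = m.group(1)
        families = ("IPv4", "IPv6") if host == "::" else ("IPv6",)
        return host, int(m.group(2)), families
    if spec.isdigit():                      # port only: all addresses, both families
        return "", int(spec), ("IPv4", "IPv6")
    host, sep, port = spec.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("unparseable port spec: " + spec)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return host, int(port), ("IPv4",)  # IPv4 literal: no tcp6 socket will appear
    return host, int(port), ("resolved",)  # hostname: depends on its DNS records

def listeners(conf):
    """The set of (directive, port, families) a squid.conf fragment will bind."""
    out = set()
    for directive, spec in PORT_LINE.findall(conf):
        _, port, families = classify(spec)
        out.add((directive, port, families))
    return frozenset(out)

def find_outliers(configs):
    """Servers whose listener set differs from the most common one across the fleet."""
    per_server = {name: listeners(conf) for name, conf in configs.items()}
    baseline = Counter(per_server.values()).most_common(1)[0][0]
    return sorted(name for name, ls in per_server.items() if ls != baseline)

if __name__ == "__main__":
    for name, conf in SERVER_CONFIGS.items():
        print(name, sorted(listeners(conf)))
    print("drifted:", find_outliers(SERVER_CONFIGS))  # drifted: ['A2-3']
```

Running this against the real squid.conf files collected from each host makes the automated-deployment mismatch visible before anyone has to compare netstat output by hand.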

