<html><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><style><!--
/* Style Definitions */
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:10.5pt;
	font-family:"Calibri","sans-serif";}
--></style></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1>
<p class=MsoPlainText>Hi Alex &amp; Amos,</p>
<p class=MsoPlainText>Thanks for your replies. Sorry for my poor English; I will add more information.</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>#1</p>
<p class=MsoPlainText>1. Configure Squid to automatically generate origin server certificates (signed by a configured CA X) and send them to browsers/clients that go to those origin servers.</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>This is my situation.</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>#2</p>
<p class=MsoPlainText>If I configure Squid like the following:</p>
<p class=MsoPlainText><code>https_port 443 ...</code></p>
<p class=MsoPlainText><code>https_port 180.97.33.107:443 ...</code></p>
<p class=MsoPlainText><code>https_port 180.97.33.108:443 ...</code></p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>When I reconfigure Squid, no errors come out, but when I check the listening TCP ports using <code>netstat -tln</code>, line 2 and line 3 with the specific IPs do not work:</p>
<p class=MsoPlainText><img width=597 height=163 id="图片_x0020_1" src="cid:image001.png@01D468B9.52DE8420" alt="netstat -tln output (screenshot)"></p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>#3</p>
<p class=MsoPlainText>If I configure Squid like:</p>
<p class=MsoPlainText><code>https_port 180.97.33.107:443 ...</code></p>
<p class=MsoPlainText><code>https_port 180.97.33.108:443</code></p>
<p class=MsoPlainText><code>https_port 443</code></p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>When I use <code>squid -k reconfigure</code> to reconfigure Squid, there is no error message. But when I check the listening TCP ports:</p>
<p class=MsoPlainText><img width=597 height=177 id="图片_x0020_2" src="cid:image002.png@01D468B9.52DE8420" alt="netstat -tln output (screenshot)"></p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>#4</p>
<p class=MsoPlainText>I also tried to specify a different port for IP 0.0.0.0, like this:</p>
<p class=MsoPlainText><code>https_port 180.97.33.107:443 ...</code></p>
<p class=MsoPlainText><code>https_port 180.97.33.108:443</code></p>
<p class=MsoPlainText><code>https_port 4433 # here a different port from above</code></p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>and it works.</p>
<p class=MsoPlainText><img width=610 height=192 id="图片_x0020_3" src="cid:image003.png@01D468B9.52DE8420" alt="netstat -tln output (screenshot)"></p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText><code>https_port 0.0.0.0:443</code></p>
<p class=MsoPlainText><code>https_port 1.1.1.1:443</code></p>
<p class=MsoPlainText>I was just curious that the above two types of rules cannot exist together; whichever you put first in squid.conf will overwrite the second one.</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>Using a different port for the wildcard is a good solution in this case; it is just that, if I could use the same TCP port for IP 0.0.0.0, it would be easier for my situation.</p>
<p class=MsoPlainText>In my case, the destination server IP and root CA are dynamically sent to me by another configuration server, so I chose to use the default HTTPS port 443 to receive all HTTPS traffic.</p>
<p class=MsoPlainText>If I have to use different ports for IP 0.0.0.0, I think I have to write one iptables rule for each HTTPS server IP. In the normal case this is OK, but in my case I have to do it dynamically; in other words, whenever I receive a configuration rule, I have to write an iptables rule for it. Anyway, that is my problem. Thank you, guys!</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>Heming Hou</p>
<p class=MsoPlainText>-----Original Message-----<br>From: Amos Jeffries [mailto:squid3@treenet.co.nz]<br>Sent: 20 October 2018 12:10<br>To: squid-users@lists.squid-cache.org<br>Subject: Re: [squid-users] https_port Listen on different IP</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>On 20/10/18 6:04 AM, Alex Rousskov wrote:</p>
<p class=MsoPlainText>&gt; On 10/19/2018 01:10 AM, houheming wrote:</p>
<p class=MsoPlainText>&gt;&gt; <code>https_port 443 ...</code></p>
<p class=MsoPlainText>&gt;&gt; <code>https_port 180.97.33.107:443 ...</code></p>
<p class=MsoPlainText>&gt;&gt; <code>https_port 180.97.33.108:443 ...</code></p>
<p class=MsoPlainText>&gt;</p>
<p class=MsoPlainText>&gt; I am not sure, but perhaps the first https_port line (the one without an explicit IP address) should come _last_ so that Squid can listen on the addresses that remain after 180.97.33.107 and 180.97.33.108 are taken by the other two ports?</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>I think that is what was meant by "If I switch line1 with line2 and line3 ..., then only line2 and line3 will get its chance to work, line1 will not work."</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>The problem is that TCP does not permit any IP:port combination to have two simultaneous listening sockets with different parameters. These configuration lines differ in both the address and the protocol they are receiving.</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>houheming:</p>
<p class=MsoPlainText>you have to use different ports to receive the traffic into Squid.</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>Since you are using TPROXY there is no requirement for the proxy listening port to be 443. Squid can listen on any port you want.</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>This problem should disappear if you set the wildcard port to another number and update the TPROXY rule which is sending traffic to it.</p>
<p class=MsoPlainText>&nbsp;</p>
<p class=MsoPlainText>Amos</p>
<p class=MsoPlainText>_______________________________________________</p>
<p class=MsoPlainText>squid-users mailing list</p>
<p class=MsoPlainText>squid-users@lists.squid-cache.org</p>
<p class=MsoPlainText>http://lists.squid-cache.org/listinfo/squid-users</p>
</div></body></html>
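The whole thread turns on whether a wildcard listener (0.0.0.0:443) and a specific-address listener (180.97.33.107:443) can share one TCP port. The following is an added example, not code from the thread and not Squid code: it reproduces the question with bare sockets so the operating-system rule can be observed directly. It assumes 0.0.0.0 and 127.0.0.1 as stand-ins for the wildcard and the 180.97.33.x addresses, lets the kernel pick a free port, and does not try to mirror the socket options Squid itself sets. On Linux the second bind fails with EADDRINUSE in either order, SO_REUSEADDR does not help once the first socket is already listening, and only SO_REUSEPORT on both sockets (same user) lets them coexist, after which a connection to the specific address is delivered to the specific listener. BSD-derived systems treat SO_REUSEADDR more permissively, so that one case is marked Linux-only.

```python
# Added example (not from the thread, not Squid code): probe whether a
# wildcard listener and a specific-address listener can share one TCP port.
# Assumptions: 0.0.0.0 / 127.0.0.1 stand in for the wildcard and the
# 180.97.33.x addresses; the kernel picks an ephemeral port, so this runs
# offline on any host with a loopback interface.
import errno
import socket
import sys

WILDCARD = "0.0.0.0"
SPECIFIC = "127.0.0.1"            # assumption: any address the host owns works
ADDR_IN_USE = errno.EADDRINUSE    # what bind() reports on a listener conflict
IS_LINUX = sys.platform.startswith("linux")


def listener(addr, port, reuseaddr=False, reuseport=False):
    """bind()+listen() on addr:port with the requested options.
    port 0 asks the kernel for any free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if reuseaddr:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if reuseport:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    s.bind((addr, port))
    s.listen(5)
    return s


def probe(first, second, **opts):
    """Listen on first:<free port>, then try second:<same port> with the
    same options. Returns 0 if the second listener came up, otherwise the
    errno that bind() raised."""
    a = listener(first, 0, **opts)
    port = a.getsockname()[1]
    try:
        b = listener(second, port, **opts)
        b.close()
        return 0
    except OSError as e:
        return e.errno
    finally:
        a.close()


def who_accepts():
    """With SO_REUSEPORT on both sockets the two listeners coexist. Connect to
    the specific address and report which listener received the connection:
    'specific', 'wildcard', or None if neither accepted within the timeout."""
    a = listener(WILDCARD, 0, reuseport=True)
    port = a.getsockname()[1]
    b = listener(SPECIFIC, port, reuseport=True)
    winner = None
    try:
        c = socket.create_connection((SPECIFIC, port), timeout=2)
        for label, s in (("specific", b), ("wildcard", a)):
            s.settimeout(0.5)
            try:
                conn, _ = s.accept()
            except socket.timeout:
                continue
            conn.close()
            winner = label
            break
        c.close()
    finally:
        a.close()
        b.close()
    return winner


if __name__ == "__main__":
    cases = [
        ("no options, wildcard first", (WILDCARD, SPECIFIC), {}),
        ("no options, specific first", (SPECIFIC, WILDCARD), {}),
        ("SO_REUSEADDR on both (Linux)", (WILDCARD, SPECIFIC), {"reuseaddr": True}),
        ("SO_REUSEPORT on both", (WILDCARD, SPECIFIC), {"reuseport": True}),
    ]
    for name, pair, opts in cases:
        rc = probe(*pair, **opts)
        print(f"{name:32s} -> {'ok' if rc == 0 else errno.errorcode[rc]}")
    print("connection to the specific address went to:", who_accepts())
```

Run it as a script to see the four bind outcomes and which listener takes the connection. The practical reading for the thread: a wildcard https_port and a specific-IP https_port on the same port number cannot both be brought up by an ordinary bind()/listen() sequence, which is why only the first line in squid.conf ever appears in netstat; giving the wildcard listener its own port, as in #4, is the configuration-level fix.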