[squid-users] Assertion failure: DestinationIp.cc:60
Steve Hill
steve at opendium.com
Thu Nov 20 11:00:55 UTC 2014
On 19/11/14 05:29, Amos Jeffries wrote:
> What is your config? In particular anything using ACLs.
# Proxy authentication: HTTP Basic, validated by the PAM helper.
# NOTE(review): Basic credentials are only base64-encoded, and the http_port
# listeners in this config accept plain HTTP, so confirm the client-to-proxy
# path is trusted.
auth_param basic program /usr/lib64/squid/basic_pam_auth -r
auth_param basic children 50
auth_param basic realm Iceni Web Proxy
# A validated username/password pair is reused for 2 hours before the helper
# is asked again; a password change or account lock may lag by up to that long.
auth_param basic credentialsttl 2 hours
# SMP mode with four worker processes.
workers 4
shutdown_lifetime 3 seconds
forward_max_tries 40
# NOTE(review): a negative limit should mean the ICAP service is never
# suspended after repeated failures - confirm against the Squid docs for the
# version in use.
icap_service_failure_limit -1
# off is the documented default: a Host header that disagrees with the
# destination is not rejected outright. NOTE(review): check how the running
# version treats such requests on the tproxy ports.
host_verify_strict off
# Never use the client's address as the source of outgoing connections.
spoof_client_ip deny all
# Custom access-log format; records client address (%>a), user name (%[un)
# and User-Agent. (This directive appears to be wrapped across two lines by
# the mail archive.)
logformat iceni %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a
%mt "%{User-Agent}>h" %lp
access_log stdio:/var/log/squid-nocache/access.log iceni
cache_log /var/log/squid-nocache/cache.log
cache_store_log none
pid_filename /var/run/squid-nocache.pid
coredump_dir /var/spool/squid-nocache
state_dir /var/run/squid-nocache
# External ACL helper "preauth": one helper process handling up to 100
# concurrent lookups. Each lookup passes the client IP, User-Agent, URI and
# method; positive results are cached for 60s, negative results not at all.
# User-Agent and URI are client-controlled, so the helper has to treat them
# as untrusted input.
# The last argument is the path of a pre-shared-key file.
# NOTE(review): that file should be readable only by the account the helper
# runs as - confirm its permissions.
# (Long directives in this section appear to be wrapped by the mail archive.)
external_acl_type preauth children-max=1 concurrency=100 ttl=60
negative_ttl=0 %SRC %>{User-Agent} %URI %METHOD /usr/sbin/squid-preauth
/etc/iceni/authcached/authcached.psk
acl preauth external preauth
# Same helper, called with the extra argument "transparent".
acl preauth_tproxy external preauth transparent
# "note" ACLs match the auth_tag annotation attached to the transaction;
# presumably the tag is set by the preauth helper's reply - confirm.
acl preauth_ok note auth_tag preauth_ok
acl preauth_done note auth_tag preauth_done
acl need_http_auth note auth_tag http_auth
acl need_cp_auth note auth_tag cp_auth
acl need_postauth_sync note auth_tag postauth_sync
acl need_postauth_async note auth_tag postauth_async
# Post-authentication helpers; both also receive %LOGIN and %EXT_USER.
# The async variant has ttl=0 with grace=100; the sync variant sets cache=0,
# ttl=0 and grace=0, so every request is answered by a fresh helper lookup.
external_acl_type postauth_async children-max=1 concurrency=100 ttl=0
grace=100 %SRC %>{User-Agent} %LOGIN %EXT_USER /usr/sbin/squid-postauth
/etc/iceni/authcached/authcached.psk
external_acl_type postauth_sync cache=0 children-max=1 concurrency=100
ttl=0 grace=0 %SRC %>{User-Agent} %LOGIN %EXT_USER
/usr/sbin/squid-postauth /etc/iceni/authcached/authcached.psk
acl postauth_async external postauth_async
acl postauth_sync external postauth_sync
# show_login_page matches every client. It exists only as a hook for
# deny_info: a deny rule that ends with this ACL answers with a 302 to the
# captive-portal login URL instead of an error page.
# NOTE(review): %o is presumably the message returned by the external ACL
# helper and ends up in the redirect's query string - confirm the helper
# URL-encodes it.
acl show_login_page src all
deny_info
302:https://%h/webproxy/captive_portal/captive_portal_login?c=%o
show_login_page
# A bodge to ensure accesses to this machine aren't authenticated
# /etc/squid/local_ips is automatically updated by the init script when
# Squid starts or reloads, so Squid should be reloaded whenever the
# machine's IPs change (yuck!).
# NOTE(review): a stale local_ips file means an address that no longer
# belongs to this machine would still be reachable without authentication.
# NOTE(review): the assertion in the subject line is in DestinationIp.cc,
# presumably the code behind "dst" ACLs; local_ips is the only explicit dst
# ACL defined in this config.
acl local_ips dst "/etc/squid/local_ips"
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
# The whole unprivileged port range counts as "safe", so the Safe_ports
# check only blocks the low ports not listed here.
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl https proto https
# Matches once the client has supplied valid proxy credentials.
acl proxy_auth proxy_auth REQUIRED
# Match on the listening port a request arrived on (see the name= options
# of the http_port/https_port lines).
acl tproxy myportname tproxy
acl tproxy_ssl myportname tproxy_ssl
acl dstdomain_localhost dstdomain localhost
######
# Start of http_access access control.
######
# Rules are evaluated top to bottom; the first matching line decides.
# Cache manager access from localhost only.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
# CONNECT tunnels only to port 443.
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
# Unauthenticated access to the local server
# This rule is placed before every authentication rule, so it depends
# entirely on the local_ips file being accurate.
http_access allow local_ips
# Explicit-proxy, non-https requests: decided by the preauth helper.
http_access allow !tproxy !tproxy_ssl !https preauth
# Requests not yet tagged preauth_done: ask the helper in "transparent" mode.
http_access allow !preauth_done preauth_tproxy
# Requests tagged http_auth must pass proxy authentication and then the
# post-auth helper (sync or async, depending on the tag).
# (The second rule below appears to be wrapped by the mail archive.)
http_access allow need_http_auth need_postauth_sync proxy_auth postauth_sync
http_access allow need_http_auth need_postauth_async proxy_auth
postauth_async
http_access allow need_http_auth proxy_auth postauth_async
# show_login_page is the last ACL on this deny line, so its deny_info
# redirect to the captive portal is what the client receives.
http_access deny preauth_ok show_login_page
http_access deny all
icp_access deny all
htcp_access deny all
# Bump when the request carries "X-SSL-Bump: Yes" (case-insensitive).
# NOTE(review): presumably this header is set by the ICAP REQMOD service;
# a client-supplied header would match too unless it is stripped first -
# confirm.
acl icap_says_bump req_header X-SSL-Bump -i Yes
ssl_bump server-first icap_says_bump
ssl_bump server-first tproxy_ssl
# Every upstream certificate validation error is tolerated on bumped
# connections. NOTE(review): how much of a failed validation is still
# visible to the client depends on the version's certificate mimicking;
# restricting this to a specific ACL is the safer setting.
sslproxy_cert_error allow all
# Do not reveal the proxy (Via) or the client address (X-Forwarded-For) on
# https requests.
request_header_access Via deny https
request_header_access X-Forwarded-For deny https
######
# Listening ports
######
# Explicit-proxy ports 3128 and 8080 with SSL-bump enabled. Host
# certificates are generated on the fly and signed with the cert/key below.
# The same signing key is used on all three bumping ports; anyone who can
# read it can mint certificates that clients trusting this CA will accept,
# so it needs tight file permissions.
# (Each port directive appears to be wrapped by the mail archive.)
http_port 3128 ssl-bump generate-host-certificates=on
cert=/etc/pki/tls/certs/squid-sslbump.crt
key=/etc/pki/tls/private/squid-sslbump.key dynamic_cert_mem_cache_size=128KB
http_port 8080 ssl-bump generate-host-certificates=on
cert=/etc/pki/tls/certs/squid-sslbump.crt
key=/etc/pki/tls/private/squid-sslbump.key dynamic_cert_mem_cache_size=128KB
# TPROXY interception ports: 3130 for HTTP, 3131 for TLS. The name= values
# are what the "myportname" ACLs match on.
http_port 3130 tproxy name=tproxy
https_port 3131 ssl-bump generate-host-certificates=on
cert=/etc/pki/tls/certs/squid-sslbump.crt
key=/etc/pki/tls/private/squid-sslbump.key tproxy name=tproxy_ssl
dynamic_cert_mem_cache_size=128KB
# Outgoing connections for intercepted traffic carry netfilter mark 0x2;
# presumably matched by routing/firewall rules outside this file.
tcp_outgoing_mark 0x2 tproxy
tcp_outgoing_mark 0x2 tproxy_ssl
# Parent proxy on the IPv6 loopback, port 3129, named "caching";
# presumably a second local Squid instance that does the actual caching.
# (This directive appears to be wrapped by the mail archive.)
cache_peer [::1] parent 3129 0 proxy-only no-query no-digest no-tproxy
name=caching
# CONNECT, https, intercepted-TLS and localhost-bound requests are kept
# away from the parent; everything else may use it.
cache_peer_access caching deny CONNECT
cache_peer_access caching deny https
cache_peer_access caching deny tproxy_ssl
cache_peer_access caching deny to_localhost
cache_peer_access caching deny dstdomain_localhost
cache_peer_access caching allow all
# This instance caches nothing itself.
cache_mem 0
cache deny all
# The same request classes excluded from the parent above may go direct;
# all other requests must go through a peer.
never_direct deny CONNECT
never_direct deny https
never_direct deny tproxy_ssl
never_direct deny to_localhost
never_direct deny dstdomain_localhost
never_direct allow all
# ICAP content adaptation.
icap_enable on
icap_service_revival_delay 30
icap_preview_enable on
icap_preview_size 50000
# The client IP and the authenticated user name are forwarded to the ICAP
# service. The service URLs below point at localhost6, so this data
# presumably stays on the host.
icap_send_client_ip on
icap_send_client_username on
# The third field is the bypass flag; 0 means adaptation is not skipped
# when the service is unavailable.
# NOTE(review): with bypass off, an ICAP outage presumably fails requests
# rather than letting them through unfiltered - confirm this is intended.
# (Both icap_service directives appear to be wrapped by the mail archive.)
icap_service iceni_reqmod_precache reqmod_precache 0
icap://localhost6:1344/reqmod_precache
# The service is named "postcache", but the vectoring point configured here
# is respmod_precache.
icap_service iceni_respmod_postcache respmod_precache 0
icap://localhost6:1344/respmod_postcache
# Each service set has the same name as its only member service.
adaptation_service_set iceni_reqmod_precache iceni_reqmod_precache
adaptation_service_set iceni_respmod_postcache iceni_respmod_postcache
# Traffic to this machine or to localhost is not sent through ICAP;
# everything else is.
adaptation_access iceni_reqmod_precache deny local_ips
adaptation_access iceni_reqmod_precache deny to_localhost
adaptation_access iceni_reqmod_precache deny dstdomain_localhost
adaptation_access iceni_reqmod_precache allow all
adaptation_access iceni_respmod_postcache deny local_ips
adaptation_access iceni_respmod_postcache deny to_localhost
adaptation_access iceni_respmod_postcache deny dstdomain_localhost
adaptation_access iceni_respmod_postcache allow all
--
- Steve
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messager: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-825748 / sip:sales at opendium.com
Support contacts:
Email: support at opendium.com
Phone: +44-1792-824568 / sip:support at opendium.com