[squid-users] T3/T3S Protocol
Amos Jeffries
squid3 at treenet.co.nz
Sun Apr 12 07:17:49 UTC 2015
On 12/04/2015 4:41 p.m., Farci, Anatole V wrote:
> Hi,
>
> I have a JavaClient that uses T3S:443 to connect to Oracle's WLS
> application server. WLS is in DMZ and I have Squid proxy between the DMZ
> and our Intranet (in its own DMZ) to fwd all requests to WLS. The port
> (443) is open since the browsers can talk to the WLS but it appears that
> the T3S is not going thru the proxy. I have searched to see what I can
> add to allow this T3 (RMI protocol) to go thru and our Squid
> configuration is very simple and has a whitelist and allows all traffic
> on port 80 and 443 to go thru.
>
> On the client side, I get this error:
> javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://xxxx.yyy.intel.com:443: Destination xxx.yyy.zzz.www, 443 unreachable; nested exception is:
> java.net.ConnectException: Connection timed out: connect; No available router to destination]
Does this Java application support HTTP proxying?
Squid is an HTTP proxy, use of any other protocol over it has to be via
HTTP mechanisms. CONNECT requests in this case. It won't help at all if
the Java application cannot do HTTP enough to perform an HTTP CONNECT
request.
>
> on the Squid access.log where <dns> and <fqdn> are the correct values and using a browser, I can reach the WLS with either of them using HTTPS:443
> 1428776399.835 27238 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
> 1428776414.999 15117 10.254.98.83 TCP_MISS/200 2199 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
> 1428776430.068 27768 10.254.98.83 TCP_MISS/200 9658 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
> 1428776445.200 15085 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
> 1428776460.396 15118 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
> 1428776480.270 15211 10.254.98.83 TCP_MISS/200 9722 CONNECT <FQDN>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
> 1428776495.293 27207 10.254.98.83 TCP_MISS/200 2439 CONNECT <dns>.intel.com:443 - DIRECT/xxx.yyy.zzz.www -
>
Yes. However, note that HTTPS != T3S.
> Store.log has this one entry only:
> 1428773672.888 RELEASE -1 FFFFFFFF 93F32BC091B147DF27B4355731396BC9 200 1428770072 1428770072 1428773672 application/cache-digest 144/144 GET internal://proxy..intel.com/squid-internal-periodic/store_digest
>
CONNECT requests are not cacheable. There is nothing that can be stored to disk.
> and the squid config looks like this:
> visible_hostname proxy.intel.com
> http_port 912
APEX and HTTP protocols are not safe to mix up. Use of 3128 is
sufficient for Squid proxy (it's even registered for Squid use).
>
> logfile_rotate 30
> cache_access_log C:/squid/var/logs/access.log
That should be:
access_log C:/squid/var/logs/access.log
>
> acl all src 0.0.0.0/0.0.0.0
> acl whitelist dstdomain .intel.com
> acl http proto http t3
> acl port_80 port 80
> acl port_443 port 443
> acl port_23791 port 23791
> acl CONNECT method CONNECT
>
>
> # rules allowing non-authenticated users
> http_access allow http port_80 whitelist
> http_access allow CONNECT port_443 whitelist
> http_access allow CONNECT port_23791 whitelist
Highly dangerous. Please use the recommended defaults:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Then your bit...
http_access allow whitelist
http_access deny all
Amos
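As an added illustration that is not part of the thread and not Squid's own code, here is a small Python evaluator of Squid's http_access semantics (first matching line wins, every ACL term on a line must match, and when nothing matches the result is the opposite of the last line's action). It runs the access-control lines posted in the thread and Amos's recommended defaults over a few constructed requests, so the difference on a CONNECT to port 23791 is visible. Assumptions: only the ACL types used in the thread (src, dstdomain, port, method, proto) are implemented; `proto` is a plain string compare against a constructed `proto` field (set to "none" for CONNECT requests); and `acl all` and `acl CONNECT`, which stock squid.conf predefines, are spelled out so the toy parser sees them.

```python
"""Toy evaluator for Squid http_access rules (added example, not Squid code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str     # client IP
    method: str  # GET, CONNECT, ...
    proto: str   # "http" for plain URLs; "none" for CONNECT (constructed assumption)
    host: str    # destination host
    port: int    # destination port


def parse_config(text):
    """Return (acls, rules). acls: name -> (type, [values]), where repeated
    'acl NAME TYPE ...' lines accumulate values as they do in Squid;
    rules: list of (action, [(negated, acl_name), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, typ, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (typ, []))[1].extend(values)
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(typ, values, req):
    """Match one ACL against a request (subset of Squid's ACL types)."""
    if typ == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if typ == "dstdomain":
        # A leading dot matches the domain itself and all its subdomains.
        h = req.host.lower()
        return any((h == v[1:] or h.endswith(v)) if v.startswith(".") else h == v
                   for v in (x.lower() for x in values))
    if typ == "port":
        for v in values:  # single port or "lo-hi" range
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if typ == "method":
        return req.method.upper() in (v.upper() for v in values)
    if typ == "proto":
        return req.proto.lower() in (v.lower() for v in values)
    raise ValueError(f"unsupported acl type {typ}")


def evaluate(config_text, req):
    """First matching http_access line wins; with no match, the result is
    the opposite of the last line's action (documented Squid behaviour)."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        if all(acl_matches(*acls[name], req) != neg for neg, name in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Access-control lines as posted in the thread (port/log settings omitted).
POSTED = """
acl all src 0.0.0.0/0.0.0.0
acl whitelist dstdomain .intel.com
acl http proto http t3
acl port_80 port 80
acl port_443 port 443
acl port_23791 port 23791
acl CONNECT method CONNECT
http_access allow http port_80 whitelist
http_access allow CONNECT port_443 whitelist
http_access allow CONNECT port_23791 whitelist
"""

# Amos's recommended defaults plus the whitelist rule; 'all' and 'CONNECT'
# are predefined by stock squid.conf and are only spelled out for this toy.
RECOMMENDED = """
acl all src 0.0.0.0/0.0.0.0
acl CONNECT method CONNECT
acl whitelist dstdomain .intel.com
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210
acl Safe_ports port 1025-65535 280 488 591 777
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow whitelist
http_access deny all
"""

# Constructed sample requests (not taken from the thread's logs).
SAMPLES = {
    "browser https": Request("10.254.98.83", "CONNECT", "none", "wls.intel.com", 443),
    "t3s tunnel on 23791": Request("10.254.98.83", "CONNECT", "none", "wls.intel.com", 23791),
    "plain http": Request("10.254.98.83", "GET", "http", "www.intel.com", 80),
    "off-whitelist": Request("10.254.98.83", "GET", "http", "www.example.com", 80),
    "tunnel to port 25": Request("10.254.98.83", "CONNECT", "none", "mail.intel.com", 25),
}


def compare():
    """Map each sample name to (posted-config verdict, recommended-config verdict)."""
    return {k: (evaluate(POSTED, r), evaluate(RECOMMENDED, r)) for k, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (posted, rec) in compare().items():
        print(f"{name:22} posted={posted:5} recommended={rec}")
```

The posted rules and the recommended ones agree on ordinary HTTPS and HTTP to the whitelist and on refusing off-whitelist hosts; they differ only on the CONNECT to 23791, which `http_access deny CONNECT !SSL_ports` refuses before the whitelist rule is ever reached. The `deny !Safe_ports` line is what stops tunnels to ports such as 25 in the recommended set, whereas the posted config only denies them by falling through to the implicit opposite-of-last-line default.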