[squid-users] derive HTTP/HTTPS upload traffic to a secondary interface.
Josep Borrell
jborrell at central.aplitec.com
Tue Feb 24 15:09:18 UTC 2015
Hi,
After some digging I realized that this setup works fine for HTTP traffic but not for HTTPS. I'm using ssl_bump in intercept mode.
Is it possible that for HTTPS traffic I can't split upload / download?
Answers are welcome!!
Thanks
Josep
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Josep Borrell
Sent: Friday, 20 February 2015 16:51
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] derive HTTP/HTTPS upload traffic to a secondary interface.
Hi Amos,
I tried your suggestion, and even though the ACL is matched the outgoing IP is not changed.
How can I find out why?
Working with Squid 3.5.1.
The original IP 192.168.111.10 must be changed to 192.168.111.20.
Thanks
Josep
Squid.conf:
debug_options ALL,1 33,2 28,9 11,3
#HTTPS (SSL) traffic interception options
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
acl disable-ssl-bump dstdomain -i "/etc/squid3/no-ssl-bump.acl"
acl step1 at_step SSLBump1
acl step2 at_step SSLBump2
acl step3 at_step SSLBump3
ssl_bump peek step1 all
ssl_bump splice step2 disable-ssl-bump
ssl_bump stare step2 all
ssl_bump splice step3 disable-ssl-bump
ssl_bump bump step3 all
acl UPLOAD method PUT
acl UPLOAD method POST
tcp_outgoing_address 192.168.111.20 UPLOAD
http_access allow all
http_port 3128
http_port 8080 intercept
https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squidcert.pem
forward_max_tries 25
cache_mem 2 GB
maximum_object_size_in_memory 25 MB
maximum_object_size 1 GB
visible_hostname squid-v2
workers 3
coredump_dir /var/spool/squid3
cache_replacement_policy heap LFUDA
cache_dir rock /var/spool/squid3/cache1 4000 max-size=500
cache_dir aufs /var/spool/squid3/cache2 10000 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 80% 10080
# FortiGate interface of wccp
wccp2_router 192.168.111.1
# wccp version 2 configuration
wccp2_service standard 90
# tunneling method GRE for forward traffic
wccp2_forwarding_method gre
# tunneling method GRE for return traffic
wccp2_return_method gre
# which interface to use for WCCP (0.0.0.0 determines the interface from routing)
wccp2_address 0.0.0.0
Debug sample:
----------
2015/02/20 16:27:22.879| Checklist.cc(68) preCheck: 0x7fe877ccc7c8 checking slow rules
2015/02/20 16:27:22.879| Acl.cc(138) matches: checking http_access
2015/02/20 16:27:22.879| Acl.cc(138) matches: checking http_access#1
2015/02/20 16:27:22.879| Acl.cc(138) matches: checking all
2015/02/20 16:27:22.879| Ip.cc(107) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 192.168.1.100:1887/[::] ([::]:1887) vs [::]-[::]/[::]
2015/02/20 16:27:22.879| Ip.cc(538) match: aclIpMatchIp: '192.168.1.100:1887' found
2015/02/20 16:27:22.879| Acl.cc(158) matches: checked: all = 1
2015/02/20 16:27:22.879| Acl.cc(158) matches: checked: http_access#1 = 1
2015/02/20 16:27:22.879| Acl.cc(158) matches: checked: http_access = 1
2015/02/20 16:27:22.880| Checklist.cc(61) markFinished: 0x7fe877ccc7c8 answer ALLOWED for match
2015/02/20 16:27:22.880| Checklist.cc(161) checkCallback: ACLChecklist::checkCallback: 0x7fe877ccc7c8 answer=ALLOWED
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff7a21ee80
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21ee80
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff7a21ee80
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21ee80
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff7a21e540
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21e540
2015/02/20 16:27:22.880| Checklist.cc(68) preCheck: 0x7fff7a21e540 checking fast ACLs
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking tcp_outgoing_address 192.168.111.20
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking (tcp_outgoing_address 192.168.111.20 line)
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking UPLOAD
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: UPLOAD = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: (tcp_outgoing_address 192.168.111.20 line) = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: tcp_outgoing_address 192.168.111.20 = 1
2015/02/20 16:27:22.880| Checklist.cc(61) markFinished: 0x7fff7a21e540 answer ALLOWED for match
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff7a21e540
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21e540
2015/02/20 16:27:22.880| Checklist.cc(68) preCheck: 0x7fff7a21e460 checking fast ACLs
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking tcp_outgoing_address 192.168.111.20
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking (tcp_outgoing_address 192.168.111.20 line)
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking UPLOAD
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: UPLOAD = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: (tcp_outgoing_address 192.168.111.20 line) = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: tcp_outgoing_address 192.168.111.20 = 1
2015/02/20 16:27:22.880| Checklist.cc(61) markFinished: 0x7fff7a21e460 answer ALLOWED for match
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff7a21e460
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21e460
2015/02/20 16:27:22.880| http.cc(2261) httpStart: POST https://drive.google.com/stat
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fe877ccc7c8
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fe877ccc7c8
2015/02/20 16:27:22| Error sending to ICMPv6 packet to [2a00:1450:4003:805::200e]. ERR: (101) Network is unreachable
2015/02/20 16:27:22.880| Client.cc(232) startRequestBodyFlow: expecting request body from [0<=274<=274 274+1773 pipe0x7fe87814d198 cons0x7fe87814e688]
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff7a21f390
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21f390
2015/02/20 16:27:22.881| http.cc(2217) sendRequest: HTTP Server local=192.168.111.10:53172 remote=216.58.211.238:443 FD 23 flags=1
2015/02/20 16:27:22.881| http.cc(2218) sendRequest: HTTP Server REQUEST:
---------
POST /stat HTTP/1.1
Host: drive.google.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-control: no-cache
X-Same-Domain: explorer
X-Json-Requested: true
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Referer: https://drive.google.com/?authuser=0
Content-Length: 274
Cookie: NID=67=Gm7vcswCbOO55hZsjfaz-pTurlVu7ExNrsoWfJDDcTg8rumGt-xCQD6RezS9pYZypbeHEAfm1bcWQwc82QCvsL6rL9lDcDeEtjaPKdHT0C885UB6wiWl9TY_nTI4d38_9ccpMqC5Q5jnGzRntaOaIjm_nfhe; SID=DQAAAPwAAABdqFewpHnz9c-jo5Z0nyI7av_uC-pbzCxPtnThJe_3zg4ska6$
Pragma: no-cache
Via: 1.1 squid-v2 (squid/3.5.1)
X-Forwarded-For: 192.168.1.100
Cache-Control: no-cache
Connection: keep-alive
----------
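The "how can I find out why" question can be answered from the debug output already posted: the fast ACL check reports `tcp_outgoing_address 192.168.111.20 = 1`, yet the `sendRequest` line that follows shows `local=192.168.111.10:53172`, so the address was selected and then not used for the socket. The script below is an added example (not from this thread and not Squid project code) that correlates those two line types in a cache.log and reports every server connection whose bound local address differs from the one the matching tcp_outgoing_address line chose. The embedded log excerpt is constructed: the first request is the POST from the debug output above, the other two are made-up lines showing a correct match and a GET that hit no tcp_outgoing_address line. It assumes a single-worker log; with `workers 3` the lines carry a `kidN|` prefix and should be split per kid before correlating. The excerpt does not show whether the server connection was already opened and pinned at the earlier peek/stare stage, so the script only reports the discrepancy and does not guess the cause.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. The first request is the POST from the debug output in
# this thread; the other two are made-up lines for a correct match and for a
# GET that matched no tcp_outgoing_address line at all.
SAMPLE_LOG = """\
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking tcp_outgoing_address 192.168.111.20
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking UPLOAD
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: UPLOAD = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: tcp_outgoing_address 192.168.111.20 = 1
2015/02/20 16:27:22.880| http.cc(2261) httpStart: POST https://drive.google.com/stat
2015/02/20 16:27:22.881| http.cc(2217) sendRequest: HTTP Server local=192.168.111.10:53172 remote=216.58.211.238:443 FD 23 flags=1
2015/02/20 16:27:30.120| Acl.cc(158) matches: checked: tcp_outgoing_address 192.168.111.20 = 1
2015/02/20 16:27:30.120| http.cc(2261) httpStart: POST http://example.org/upload
2015/02/20 16:27:30.121| http.cc(2217) sendRequest: HTTP Server local=192.168.111.20:40001 remote=93.184.216.34:80 FD 31 flags=1
2015/02/20 16:27:31.000| http.cc(2261) httpStart: GET http://example.org/
2015/02/20 16:27:31.001| http.cc(2217) sendRequest: HTTP Server local=192.168.111.10:40002 remote=93.184.216.34:80 FD 32 flags=1
"""

# Final verdict of a tcp_outgoing_address directive. The parenthesised
# "(tcp_outgoing_address ... line) = 1" entries are per-line sub-checks and are
# deliberately not matched here.
ACL_HIT = re.compile(r"checked: tcp_outgoing_address (\S+) = 1$")
HTTP_START = re.compile(r"httpStart: (\S+) (\S+)$")
# local= is either a dotted IPv4 address or a bracketed IPv6 address.
SEND = re.compile(r"sendRequest: HTTP Server local=(\S+?):(\d+) remote=(\S+)")


@dataclass
class ServerConn:
    method: str
    url: str
    expected_local: Optional[str]  # address picked by tcp_outgoing_address, if any
    actual_local: str              # address Squid actually bound the socket to
    remote: str

    @property
    def mismatch(self) -> bool:
        return self.expected_local is not None and self.expected_local != self.actual_local


def correlate(log_text: str) -> List[ServerConn]:
    """Pair each sendRequest line with the tcp_outgoing_address verdict and the
    httpStart line that precede it (single-worker cache.log assumed)."""
    conns: List[ServerConn] = []
    expected: Optional[str] = None
    method, url = "?", "?"
    for line in log_text.splitlines():
        m = ACL_HIT.search(line)
        if m:
            expected = m.group(1)
            continue
        m = HTTP_START.search(line)
        if m:
            method, url = m.group(1), m.group(2)
            continue
        m = SEND.search(line)
        if m:
            conns.append(ServerConn(method, url, expected, m.group(1), m.group(3)))
            expected, method, url = None, "?", "?"  # start fresh for the next request
    return conns


def mismatches(log_text: str) -> List[ServerConn]:
    """Only the connections where the selected outgoing address was not used."""
    return [c for c in correlate(log_text) if c.mismatch]


if __name__ == "__main__":
    for c in mismatches(SAMPLE_LOG):
        print(f"{c.method} {c.url}: tcp_outgoing_address chose {c.expected_local}, "
              f"but Squid bound {c.actual_local} (remote {c.remote})")
```

Run against a real log, replace `SAMPLE_LOG` with the file contents; the `debug_options ALL,1 33,2 28,9 11,3` line from the config above is enough to produce all three line types. On the embedded sample it reports exactly one line, the drive.google.com POST, which is the case from the thread.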
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of Amos Jeffries
Sent: Friday, 06 February 2015 10:13
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] derive HTTP/HTTPS upload traffic to a secondary interface.
On 6/02/2015 8:59 p.m., Josep Borrell wrote:
> Hi,
>
> I have a squid box with two interfaces. One ADSL 20/1Mb and one SHDSL 4/4Mb.
> It is a school and they are working with Google Apps for Education.
> They do a lot of uploading and when using the ADSL, it collapses promptly.
> Is it possible to send only HTTP/HTTPS upload traffic over the SHDSL and continue surfing over the ADSL?
In a roundabout way.
If you look at the OSI model of networking, Squid is layers 4-7, and those interfaces are part of layers 1-2. There is a whole layer 3 (the TCP/IP layer) in between, disconnecting them.
What you can do in Squid is set one of the tcp_outgoing_address, tcp_outgoing_tos, tcp_outgoing_mark directives to label the TCP traffic out of Squid. The system's routing rules need to take that detail from TCP and decide which interface to use.
> Maybe using one acl with methods POST and UPLOAD and some routing magic ?
Something like this..
squid.conf:
acl PUTPOST method PUT POST
tcp_outgoing_address 192.0.2.1 PUTPOST
Where 192.0.2.1 is the IP address the system uses to send out over the SHDSL.
You may need both an IPv4 and IPv6 outgoing address set using PUTPOST acl.
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
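The "routing magic" half of the answer above, as an added example that is not part of this thread and not Squid project code: Squid only binds the server-side socket to the address named in tcp_outgoing_address; the kernel still chooses the interface from its routing tables, so a source-address policy rule is needed to push those packets out of the SHDSL link while the main table keeps its ADSL default. The helper below builds, and on request runs, the iproute2 commands for that. 192.0.2.1 is Amos's placeholder for the SHDSL-side address; the gateway 192.0.2.254, the interface eth1, the table number 100 and the rule priority are assumptions. It treats an IPv6 address/gateway pair the same way, which covers the note about needing both an IPv4 and an IPv6 outgoing address.

```python
import ipaddress
import subprocess
from typing import List

# Assumed values (not from the thread): Amos's placeholder 192.0.2.1 as the
# address Squid binds with tcp_outgoing_address, plus a made-up SHDSL gateway,
# interface and routing-table number.
SHDSL_SRC = "192.0.2.1"
SHDSL_GW = "192.0.2.254"
SHDSL_DEV = "eth1"
SHDSL_TABLE = 100


def policy_routing_commands(src_ip: str, gateway: str, dev: str, table: int) -> List[List[str]]:
    """iproute2 commands that route every packet *sourced from* src_ip (the
    sockets Squid binds via tcp_outgoing_address) out through gateway on dev.
    The main table, and with it the ADSL default route, is left untouched."""
    src = ipaddress.ip_address(src_ip)
    gw = ipaddress.ip_address(gateway)
    if src.version != gw.version:
        raise ValueError("source address and gateway must be the same IP family")
    fam = "-6" if src.version == 6 else "-4"
    return [
        # 1. A dedicated table whose default route points at the SHDSL gateway.
        #    'replace' makes re-running the script safe.
        ["ip", fam, "route", "replace", "default", "via", str(gw), "dev", dev,
         "table", str(table)],
        # 2. A source-address rule: packets from src_ip consult that table first.
        #    'ip rule add' is not idempotent; check 'ip rule show' before re-adding.
        ["ip", fam, "rule", "add", "from", str(src), "lookup", str(table),
         "priority", "1000"],
        # 3. Drop cached routing decisions so existing flows see the new rule.
        ["ip", fam, "route", "flush", "cache"],
    ]


def verify_command(dst: str, src_ip: str) -> List[str]:
    """Ask the kernel which route a packet from src_ip to dst would take;
    the answer should name the SHDSL gateway, interface and table."""
    return ["ip", "route", "get", dst, "from", src_ip]


def apply_commands(cmds: List[List[str]]) -> None:
    """Execute the commands in order, stopping at the first failure (needs root)."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    import sys
    cmds = policy_routing_commands(SHDSL_SRC, SHDSL_GW, SHDSL_DEV, SHDSL_TABLE)
    if "--apply" in sys.argv:
        apply_commands(cmds)
    else:
        for c in cmds:
            print(" ".join(c))
        print(" ".join(verify_command("198.51.100.7", SHDSL_SRC)))
```

Without arguments it only prints the commands; `--apply` runs them and needs root. After applying, `ip route get 198.51.100.7 from 192.0.2.1` should report the SHDSL gateway and interface under table 100, while the same query without `from` still follows the ADSL default; if the second form also shows the SHDSL link, the main table was changed by mistake. The Squid side stays as in the answer: `acl PUTPOST method PUT POST` plus `tcp_outgoing_address 192.0.2.1 PUTPOST`, and the IPv6 variant of both the directive and this rule set if the box has IPv6 on the SHDSL link.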