[squid-users] squid "internal?" loop - with no firewall nat going on..?
Klavs Klavsen
kl at vsen.dk
Thu Mar 12 14:53:22 UTC 2015
I think I found it..
trying to run ssl_crtd myself to issue a cert it says:
Error while parsing the crtd request: Broken signing certificate!
shouldn't that end up in squid logs as well?
Klavs Klavsen wrote on 03/12/2015 03:48 PM:
> I just found the config, stating that ssl-bump is only supported in
> intercept mode.. that invalidates accel :)
>
> I set up a client on same LAN as squid, and told it to use squid box as
> default gw. for traffic to public addresses..
>
> intercept on port 80 works fine.
>
> on https however I get an SSL connect error.
>
> This is my config related to that:
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
> sslcrtd_children 8 startup=1 idle=1
> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ca.private cert=/etc/squid/ca.cert
> sslproxy_flags DONT_VERIFY_PEER
> always_direct allow all
> http_port 3129 intercept
> shutdown_lifetime 3
> sslproxy_cert_error allow all
> ssl_bump server-first all
>
> I'm running squid-3.4.9. (I can easily upgrade to newer if that will
> help any :) - on centos 7.0.
>
> What debug options should/could I set to hopefully enlighten me? squid
> logs nothing in cache.log or access.log except:
> 1426171540.277 0 10.43.18.168 TAG_NONE/400 4047 NONE error:invalid-request - HIER_NONE/- text/html
>
>
> Amos Jeffries wrote on 03/12/2015 02:27 PM:
>> On 13/03/2015 1:52 a.m., Klavs Klavsen wrote:
>>> I'd rather not have to route everything (incl. normal ingoing web
>>> traffic) through the squid box.. and the firewalls are proprietary stuff
>>> - so can't install squid there :)
>>
>> You don't, port 80 TCP is all that *needs* it, and only for the traffic
>> from clients you want to go through Squid.
>>
>> If you are passing outgoing web traffic through Squid the responses
>> (incoming) have to come back through it.
>>
>> If you have external stuff making requests to internal servers, that can
>> be left alone in the same way Squid's outgoing traffic is.
>>
>> Are we talking more or less than 100Mbps of port 80 traffic here?
>>
>>
>>>
>>> It works fine in accel mode.. and I can limit what urls each client ip
>>> is able to access, and disable caching..
>>>
>>> Shouldn't accel mode, for this use case (curl access from websites - all
>>> using http/1.1 with host header) be good enough - or are there security
>>> issues I am not aware of?
>>
>> You guessed it. CVE-2009-0801 - the Host header is not trustworthy.
>> accel/reverse-proxy mode has no protection at all since the upstream
>> servers are expected to be explicitly configured or the allowed domains
>> restricted to those hosted by the CDN the proxy is part of.
>>
>> ... and the Host header is not always present, though that case has
>> declined a lot in the past few years.
>>
>>
>>>
>>> I realize I move the DNS lookup to the squid box - but that's actually
>>> what I want in this case.
>>
>> Actually you will need two DNS lookups to be happening if you use accel.
>> Only the intercept mode with NAT lookups has the ability to avoid the second
>> one by using ORIGINAL_DST.
>>
>> accel mode normally avoids the second DNS lookup by having the upstream
>> servers explicitly configured. You don't want to do that manually for
>> every Internet server in existence so forcing a DNS lookup with
>> "always_direct allow all" is required.
>>
>>
>> Routing's your friend, really :-)
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
--
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
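Amos's point above is that intercept mode has something accel mode lacks: the NAT original destination (ORIGINAL_DST), which lets the proxy sanity-check an untrusted Host header and then connect to where the client was actually going without a second DNS lookup. The following is an added Python illustration of that check, written for this thread; it is not Squid's code and does not reproduce Squid's exact host-verification rules. The DNS table (`FAKE_DNS`), the resolver (`fake_resolve`) and all names and addresses in it are constructed for the example so it runs offline.

```python
"""
Illustration of the Host-header check an intercepting proxy can perform
against the NAT original destination.  Added example, not Squid's code.

Idea: the client was really heading for ORIGINAL_DST.  If the Host header
names a server whose addresses do not include ORIGINAL_DST, the header is
not trustworthy and the request is refused.  If it does, the proxy can
connect straight to ORIGINAL_DST, so no second DNS lookup is needed.
In accel/reverse-proxy mode there is no original destination to compare
against, which is why the Host header alone cannot be trusted there.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed lookup table standing in for DNS (invented names/addresses).
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34"],
    "cdn.example.net": ["198.51.100.10", "198.51.100.11"],
    "v6.example.org": ["2001:db8::1"],
}


def fake_resolve(name: str) -> List[str]:
    """Return the addresses for a name from the constructed table ([] if unknown)."""
    return FAKE_DNS.get(name.lower(), [])


def parse_host_header(value: str, default_port: int) -> Optional[Tuple[str, int]]:
    """Split a Host header into (host, port); IPv6 literals must be bracketed.

    Returns None for an empty or malformed header."""
    value = value.strip()
    if not value:
        return None
    if value.startswith("["):                      # [v6-literal](:port)?
        end = value.find("]")
        if end < 0:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:                                          # name-or-v4(:port)?
        host, sep, tail = value.partition(":")
        rest = sep + tail
    if not host:
        return None
    if rest == "":
        return host, default_port
    if rest.startswith(":") and rest[1:].isdigit():
        return host, int(rest[1:])
    return None


def verify_intercepted_request(
    host_header: str,
    original_dst_ip: str,
    original_dst_port: int,
    resolve: Callable[[str], List[str]] = fake_resolve,
) -> Tuple[bool, str, Optional[Tuple[str, int]]]:
    """Decide whether the Host header agrees with ORIGINAL_DST.

    Returns (ok, reason, connect_to).  On success connect_to is the original
    destination, i.e. the proxy reuses the client's own target instead of
    resolving the Host header a second time."""
    parsed = parse_host_header(host_header, original_dst_port)
    if parsed is None:
        return False, "malformed Host header", None
    host, port = parsed
    if port != original_dst_port:
        return False, "Host port %d differs from original destination port %d" % (
            port, original_dst_port), None
    try:
        # A literal IP in the Host header needs no lookup at all.
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = [str(ipaddress.ip_address(a)) for a in resolve(host)]
    dst = str(ipaddress.ip_address(original_dst_ip))
    if dst not in candidates:
        return False, "original destination %s is not an address of %s" % (dst, host), None
    return True, "ok", (dst, original_dst_port)


if __name__ == "__main__":
    for hdr, ip, port in [("www.example.com", "93.184.216.34", 80),
                          ("cdn.example.net", "93.184.216.34", 80),
                          ("[2001:db8::1]:443", "2001:db8::1", 443)]:
        print(hdr, ip, port, "->", verify_intercepted_request(hdr, ip, port))
```

The check is deliberately strict about the port as well as the address: in an intercept setup the port the client connected to is known, so a Host header claiming a different one is as suspect as one naming a different server.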