[squid-users] (113) Software caused connection abort

Amos Jeffries squid3 at treenet.co.nz
Tue Nov 17 20:27:34 UTC 2015


On 18/11/2015 3:55 a.m., Patrick Flaherty wrote:
> Hello,
>
> Here is my squid config.
>
> -Patrick
>

With this configuration Squid is relaying CONNECT messages as-is. Squid
has nothing to do with the crypto layer(s) inside the tunnel being
set up; it is just a blind relay for the data.

From the packet trace I see a 200 status being sent by Squid to the
client. So as far as Squid is concerned the tunnel setup is successfully
completed.

 ==> Meaning those crypto problems are directly and only between the
client and the server software. Nothing to do with Squid.


> # Squid Proxy Configuration
>
> http_port     3128
>
> # acl and http_access to ("whitelist.txt")
> acl whitelist dstdomain  "c:/squid/etc/squid/whitelist.txt"
> http_access 	allow 	whitelist
>
> # network source of proxy traffic
> acl localnet  src        0.0.0.0/0.0.0.0

You have defined the *entire IPv4 Internet* as being your LAN.
This is terrible in several ways:

1) the ACL definition for that should correctly be:

   acl localnet src ipv4


2) it would allow almost unrestricted use of your proxy by any attacker
who can find it. (if it was actually working, see #4 below)


3) entire IPv4-space is not yours to own.

If the intention was to not service IPv6 clients at all, use this

  http_port 0.0.0.0:3128

or this if you want to continue actively sending "Access Denied" for all
IPv6 clients:

  acl ipv4 src ipv4
  http_access deny !ipv4


>
> # acl directives for ports and protocols
> acl http      proto      http
> acl https     proto      https
> acl port_80   port       80
> acl sslports  port       443
> acl CONNECT   method     CONNECT
>
> # rules allowing proxy access
> http_access allow http    port_80  whitelist localnet
> http_access allow https   sslports whitelist localnet
>

4) You already did "allow whitelist" with no restrictions. These
controls with extra restrictions are doing nothing.


> # dns servers (Change dns_nameservers to client dns servers for
> consistency and better performance)
> dns_nameservers 8.8.8.8 8.8.4.4

Why not set up a proper *working* recursive resolver within your network?
It will most probably be actually faster than sending your DNS traffic
to halfway around the world and back.

You can have that local resolver use 8.8.8.8/8.8.4.4 if they really are
faster than your own ISP's resolver. And divert the LAN clients' port 53
traffic through it if your clients insist on using other resolvers.


>
> # cache web pages directory
> #cache_dir ufs C:/Squid/var/cache/squid 100 16 256
> cache_mem 64 MB
>
> # log file roll weekly
> logfile_rotate 7
>
> # access log rules
> logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt

The basic log formats are now built-in. Please do not re-define them.
Squid-3 will ignore your config.

Amos
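To make points 2 and 4 concrete, here is an added example (not Amos's or the Squid project's code) that models Squid's first-match `http_access` evaluation over the ACL types quoted above and shows that the unrestricted `allow whitelist` line decides every request to a whitelisted host before the port-restricted rules are reached. The whitelist contents, the LAN range 192.168.0.0/16 and the sample requests are constructed; the `proto` ACLs are left out because they do not change the outcome.

```python
import ipaddress

# Constructed stand-in for whitelist.txt (not from the thread).
WHITELIST = ["example.com", ".example.net"]

def dstdomain(patterns):
    """Squid dstdomain: 'example.com' is exact; '.example.net' also matches subdomains."""
    def match(req):
        host = req["host"].lower()
        return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
                   for p in patterns)
    return match

def src(cidr):
    net = ipaddress.ip_network(cidr, strict=False)   # accepts 0.0.0.0/0.0.0.0 as well
    return lambda req: ipaddress.ip_address(req["src"]) in net

def port(*ports):
    return lambda req: req["port"] in ports

def http_access(rules, acls, req):
    """First matching rule wins; with no match Squid applies the opposite of the last rule."""
    for action, terms in rules:
        if all(acls[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# ACLs and rules as quoted in the thread (localnet = the whole IPv4 Internet).
ORIG_ACLS = {"whitelist": dstdomain(WHITELIST), "localnet": src("0.0.0.0/0.0.0.0"),
             "port_80": port(80), "sslports": port(443),
             "CONNECT": lambda req: req["method"] == "CONNECT"}
ORIG_RULES = [("allow", ["whitelist"]),                         # matches first, any src/port
              ("allow", ["port_80", "whitelist", "localnet"]),  # dead code for whitelisted hosts
              ("allow", ["sslports", "whitelist", "localnet"])]

# Hardened ordering: real LAN range (constructed), port limits first, explicit final deny.
SAFE_ACLS = {**ORIG_ACLS, "localnet": src("192.168.0.0/16"),
             "Safe_ports": port(80, 443), "all": lambda req: True}
SAFE_RULES = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!sslports"]),
              ("allow", ["localnet", "whitelist"]), ("deny", ["all"])]

# Constructed requests: CONNECT to a whitelisted host on an odd port from outside the LAN,
# and an ordinary CONNECT to port 443 from inside it.
OUTSIDE = {"src": "203.0.113.7", "method": "CONNECT", "host": "example.com", "port": 8443}
INSIDE = {"src": "192.168.1.10", "method": "CONNECT", "host": "example.com", "port": 443}

def decisions():
    return {"orig_outside": http_access(ORIG_RULES, ORIG_ACLS, OUTSIDE),  # "allow"
            "safe_outside": http_access(SAFE_RULES, SAFE_ACLS, OUTSIDE),  # "deny"
            "safe_inside": http_access(SAFE_RULES, SAFE_ACLS, INSIDE)}    # "allow"
```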

