[squid-users] (113) Software caused connection abort
Amos Jeffries
squid3 at treenet.co.nz
Tue Nov 17 20:27:34 UTC 2015
On 18/11/2015 3:55 a.m., Patrick Flaherty wrote:
> Hello,
>
> Here is my squid config.
>
> -Patrick
>
With this configuration Squid is relaying CONNECT messages as-is. Squid
has nothing to do with the crypto layer(s) inside the tunnel being
set up, it is just a blind relay for the data.
From the packet trace I see a 200 status being sent by Squid to the
client. So as far as Squid is concerned the tunnel setup is successfully
completed.
==> Meaning those crypto problems are directly and only between the
client and the server software. Nothing to do with Squid.
> # Squid Proxy Configuration
>
> http_port 3128
>
> # acl and http_access to ("whitelist.txt")
> acl whitelist dstdomain "c:/squid/etc/squid/whitelist.txt"
> http_access allow whitelist
>
> # network source of proxy traffic
> acl localnet src 0.0.0.0/0.0.0.0
You have defined the *entire IPv4 Internet* as being your LAN.
This is terrible in several ways:
1) the ACL definition for that should correctly be:
acl localnet src ipv4
2) it would allow almost unrestricted use of your proxy by any attacker
who can find it. (if it was actually working, see #4 below)
3) entire IPv4-space is not yours to own.
If the intention was to not service IPv6 clients at all, use this:
http_port 0.0.0.0:3128
or this if you want to continue actively sending "Access Denied" for all
IPv6 clients:
acl ipv4 src ipv4
http_access deny !ipv4
>
> # acl directives for ports and protocols
> acl http proto http
> acl https proto https
> acl port_80 port 80
> acl sslports port 443
> acl CONNECT method CONNECT
>
> # rules allowing proxy access
> http_access allow http port_80 whitelist localnet
> http_access allow https sslports whitelist localnet
>
4) You already did "allow whitelist" with no restrictions. These
controls with extra restrictions are doing nothing.
> # dns servers (Change dns_nameservers to client dns servers for
> consistency and better performance)
> dns_nameservers 8.8.8.8 8.8.4.4
Why not set up a proper *working* recursive resolver within your network?
It will most probably be actually faster than sending your DNS traffic
halfway around the world and back.
You can have that local resolver use 8.8.8.8/8.8.4.4 if they really are
faster than your own ISP's resolver. And divert the LAN clients' port 53
traffic through it if your clients insist on using other resolvers.
>
> # cache web pages directory
> #cache_dir ufs C:/Squid/var/cache/squid 100 16 256
> cache_mem 64 MB
>
> # log file roll weekly
> logfile_rotate 7
>
> # access log rules
> logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
The basic log formats are now built-in. Please do not re-define them.
Squid-3 will ignore your config.
Amos
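The same configuration reworked along the lines of the reply above, added here as an illustration and not part of the original thread or of any Squid-project sample: the client subnet, the resolver address and the log path are placeholders, and the whitelist file path is the one quoted in the thread.

```conf
# Added example: squid.conf rewritten to address the points in the reply.
# 192.168.1.0/24, 192.168.1.53 and the access.log path are placeholders.

http_port 3128

# Name the real client subnet instead of the whole IPv4 Internet.
acl localnet src 192.168.1.0/24

# Destination whitelist loaded from a file (one domain per line).
acl whitelist dstdomain "c:/squid/etc/squid/whitelist.txt"

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

# Generic hygiene first: no requests to odd ports, no tunnels except to 443.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# A single allow rule that carries both the source and the destination
# restriction. Order matters: Squid stops at the first matching line, so
# an unrestricted "allow whitelist" above this point would make the
# source check meaningless.
http_access allow localnet whitelist

# Everything else, from any source, is refused.
http_access deny all

# Local recursive resolver (placeholder address) rather than a public one.
dns_nameservers 192.168.1.53

# The built-in "squid" logformat is referenced, never redefined.
access_log stdio:c:/squid/var/log/squid/access.log squid

cache_mem 64 MB
logfile_rotate 7
```

Because the only allow rule requires a match on the IPv4 localnet ACL, an IPv6 client falls through to `deny all` and receives the same refusal a foreign IPv4 address does, without a separate `!ipv4` rule. The `proto http` / `proto https` ACLs from the original are dropped: the port ACLs and the CONNECT method check already express that restriction, and a CONNECT tunnel is relayed blind in any case, as the reply explains.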