[squid-users] Secrecy and TCP Reset and Allow Direct
Amos Jeffries
squid3 at treenet.co.nz
Sat Dec 3 23:13:01 UTC 2016
On 4/12/2016 11:08 a.m., creditu wrote:
> I am trying to finalize an accelerator configuration in 3.1. The
> accelerator has cache disabled (we use an external service) with cache
> deny all. We have several public IPs that send requests to back end
> Apache servers using http. The accelerator will provide both http and
> https for a while. A few questions:
>
> Trying to get an A rating in Qualys site and the best I can get is A- due
> to forward secrecy not supported for a few browsers. I think this is
> due to Squid not being able to support ECDHE (which some of those
> browsers need). Just wanted to confirm that we're not missing
> something. Is there any alternate configuration that we may be able to
> do?
ECDHE is enabled when the https_port tls-dh= option is given a curve
name. This is supported in 3.5.13+.
>
> I have an ACL that I want to send a TCP reset if the url being requested
> matches a regex. It seems to work, but in testing the first time a
> browser requests the url, the upper left corner of the browser has the
> word "reset" in it. Subsequent requests seem to work as expected and
> the client/browser gets the reset. In the cache log I see:
> errorpage.cc(293) errorTryLoadText:
> '/usr/share/squid/errors/en-us/TCP_RESET': (2) No such file or
> directory
> WARNING: Error Pages Missing Language: en-us
> errorpage.cc(293) errorTryLoadText:
> '/usr/share/squid/errors/en/TCP_RESET': (2) No such file or directory
> WARNING: Error Pages Missing Language: en
> I touched an empty file in the directories and the errors went away.
> Now after a squid restart I get "max-age=86400" in the upper left corner
> once then it goes away and works as expected (client gets reset). Just
> curious if this is expected? Here is the ACL:
>
> acl www_url url_regex -i [^:]+://www.example.com.*
> deny_info TCP_RESET www_url
You can omit the trailing ".*", but yes that is correct.
The browser showing some text is odd. You can use "debug_options 11,2"
to get a cache.log trace of the HTTP message headers and see what is
going on there.
>
> Trying to understand if we should use the always direct directive with
> this configuration. As stated, we just want to send public requests to
> the backend servers. The current ACL for this is:
>
> acl apache dst 10.10.10.0/24
> always_direct allow apache
> always_direct deny all
This directive's only purpose is to prevent cache_peer links from being used
for the traffic that has an "allow" action.
Amos
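An added accelerator fragment (not from the original thread, and not an official Squid example) that puts the three points above into one squid.conf for Squid 3.5.13 or later. Certificate and DH-parameter paths, the defaultsite name and the prime256v1 curve are assumptions; the regex, deny_info and always_direct lines follow the poster's configuration.

```conf
# Constructed example for Squid 3.5.13+; paths and curve are assumptions.

# Public-side listeners. tls-dh=<curve>:<file> enables ECDHE (the curve
# name) as well as DHE (the parameter file). Without tls-dh= both are
# silently disabled, which is what a scanner reports as "no forward
# secrecy". Create the file once with: openssl dhparam -out dhparams.pem 2048
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/server.pem key=/etc/squid/server.key \
    tls-dh=prime256v1:/etc/squid/dhparams.pem
http_port 80 accel defaultsite=www.example.com

# No local cache; an external service does that.
cache deny all

# Reset the connection for matching URLs. deny_info only fires when this
# ACL is the one that causes an http_access deny, so a deny line is
# required. No trailing ".*" is needed on the regex; dots are escaped so
# they match literally.
acl www_url url_regex -i [^:]+://www\.example\.com
deny_info TCP_RESET www_url
http_access deny www_url

# Backend network. always_direct only keeps these requests off any
# cache_peer; it is not an access control, so http_access still decides.
acl apache dst 10.10.10.0/24
always_direct allow apache
always_direct deny all
http_access allow apache
http_access deny all
```

After a restart, `openssl s_client -connect www.example.com:443 -cipher ECDHE </dev/null` should negotiate an ECDHE cipher if tls-dh= took effect.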