[squid-users] Secrecy and TCP Reset and Allow Direct
creditu at eml.cc
Sat Dec 3 23:38:33 UTC 2016
On Sat, Dec 3, 2016, at 04:13 PM, Amos Jeffries wrote:
> On 4/12/2016 11:08 a.m., creditu wrote:
> > I am trying to finalize an accelerator configuration in 3.1. The
> > accelerator has cache disabled (we use an external service) with cache
> > deny all. We have several public IPs that send requests to back end
> > Apache servers using http. The accelerator will provide both http and
> > https for a while. A few questions:
> >
> > Trying to get an A rating in Qualys site and the best I can get is A- due
> > to forward secrecy not supported for a few browsers. I think this is
> > due to Squid not being able to support ECDHE (which some of those
> > browsers need). Just wanted to confirm that we're not missing
> > something. Is there any alternate configuration that we may be able to
> > do?
>
> ECDHE is enabled when the https_port tls-dh= option is given a curve
> name. This is supported in 3.5.13+.
Thanks and good to know. We'll work on the upgrade once we can get the
3.1 online.
>
> >
> > I have an ACL that I want to send a TCP reset if the url being requested
> > matches a regx. It seems to work, but in testing the first time a
> > browser requests the url, the upper left corner of the browser has the
> > word "reset" in it. Subsequent requests seem to work as expected and
> > the client/browser gets the reset. In the cache log I see:
> > errorpage.cc(293) errorTryLoadText:
> > '/usr/share/squid/errors/en-us/TCP_RESET': (2) No such file or
> > directory
> > WARNING: Error Pages Missing Language: en-us
> > errorpage.cc(293) errorTryLoadText:
> > '/usr/share/squid/errors/en/TCP_RESET': (2) No such file or directory
> > WARNING: Error Pages Missing Language: en
> > I touched an empty file in the directories and the errors went away.
> > Now after a squid restart I get "max-age=86400" in the upper left corner
> > once then it goes away and works as expected (client gets reset). Just
> > curious if this is expected? Here is the ACL:
> >
> > acl www_url url_regex -i [^:]+://www.example.com.*
> > deny_info TCP_RESET www_url
>
> You can omit the trailing ".*" , but yes that is correct.
>
> The browser showing some text is odd. You can use "debug_options 11,2"
> to get a cache.log trace of the HTTP message headers and see what is
> going on there.
>
Okay, will give it a try.
> >
> > Trying to understand if we should use the always direct directive with
> > this configuration. As stated, we just want to send public requests to
> > the backend servers. The current ACL for this is:
> >
> > acl apache dst 10.10.10.0/24
> > always_direct allow apache
> > always_direct deny all
>
> This directive's only purpose is to prevent cache_peer links being used
> for the traffic which has an "allow" action.
>
Still a little confused if I need it. Based on what you said I think I
don't, but it doesn't seem to hurt anything that I can tell. My
cache_peer statements send to backend apache servers and we have
disabled all caching, for example:
acl www_site dstdomain www.example.com
cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver round-robin
cache_peer_access 10.10.10.1 allow www_site
cache_peer_access 10.10.10.1 deny all
cache_peer 10.10.10.2 parent 80 0 no-query no-digest originserver round-robin
cache_peer_access 10.10.10.2 allow www_site
cache_peer_access 10.10.10.2 deny all
Thanks Again. Appreciate the help.
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
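A consolidated accelerator configuration that puts Amos's three answers together (tls-dh for ECDHE, deny_info TCP_RESET without the trailing ".*", and no always_direct because cache_peer_access already routes the traffic), added here as an example; it is not the poster's squid.conf and not a file from the Squid project. The hostnames, the 10.10.10.0/24 origin addresses, the certificate and dhparams paths and the curve name are placeholders, and the tls-dh line only parses on 3.5.13 or later, so it cannot be used on the 3.1 build the thread is about.

```conf
# Added example config, not the poster's file. Placeholders throughout.

# ECDHE needs Squid 3.5.13+: tls-dh=<curve>:<file>. Curve name and paths are assumed.
https_port 443 accel defaultsite=www.example.com vhost \
    cert=/etc/squid/certs/www.example.com.pem \
    key=/etc/squid/certs/www.example.com.key \
    tls-dh=prime256v1:/etc/squid/certs/dhparams.pem
http_port 80 accel defaultsite=www.example.com vhost

# No local caching; an external service caches instead.
cache deny all

# Origin servers, one cache_peer per line. The IP doubles as the peer name
# in cache_peer_access when no name= option is given.
acl www_site dstdomain www.example.com
cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver round-robin
cache_peer_access 10.10.10.1 allow www_site
cache_peer_access 10.10.10.1 deny all
cache_peer 10.10.10.2 parent 80 0 no-query no-digest originserver round-robin
cache_peer_access 10.10.10.2 allow www_site
cache_peer_access 10.10.10.2 deny all

# Reset the TCP connection instead of serving an error page for one host
# (blocked.example.com is a placeholder for whatever the real pattern is).
# url_regex is an unanchored POSIX extended regex, so the dots are escaped
# and the host is terminated by an optional port and "/"; otherwise
# "www.example.com.other.test" would match too. The trailing ".*" is
# unnecessary, as Amos notes.
acl reset_url url_regex -i ^[^:]+://blocked\.example\.com(:[0-9]+)?/
deny_info TCP_RESET reset_url
http_access deny reset_url

# No always_direct: its only effect is to bypass cache_peer links for the
# traffic it allows, which is the opposite of what an accelerator wants.
http_access allow www_site
http_access deny all
```

Order matters on the http_access lines: the deny for reset_url sits before the allow for www_site, because deny_info only applies when the named ACL is the one that produced the denial.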