[squid-users] SSL Virtual Hosting Problem
Alex Rousskov
rousskov at measurement-factory.com
Tue Nov 28 14:24:18 UTC 2023
On 2023-11-28 05:29, Mario Theodoridis wrote:
> Hello everyone,
>
> I'm trying to use squid as a TLS virtual hosting proxy on a system with
> a public IP in front of several internal systems running TLS web servers.
>
> I would like to proxy the incoming connections to the appropriate
> backend servers based on the hostname using SNI.
>
> I'm using the following config to just try this with 1 backend to test
> with, and it fails already.
>
> Here is the config:
>
> http_port 3128
> debug_options ALL,2
> pinger_enable off
> shutdown_lifetime 1 second
> https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/root/dummy.pem
> acl tlspls ssl::server_name_regex -i test\.regify\.com
> cache_peer test.de.regify.com parent 443 0 proxy-only originserver no-digest no-netdb-exchange name=test
> ssl_bump peek all
> ssl_bump splice all
> http_access allow all
> cache_peer_access test allow all
It sounds like you want all traffic to go to the configured cache_peer,
but the above configuration has no rules specifying that request routing
requirement. Try adding something like
never_direct allow all
always_direct deny all
FWIW, cache_peer_access gives permission to access a peer if that peer
is being considered by request routing rules; it is not a requirement to
consider a peer.
> Also appreciated would be advice on where to find this documented.
While all squid.conf directives are documented, I am not aware of any
high-quality web page dedicated to explaining overall request routing to
Squid admins.
HTH,
Alex.
> Starting squid gives me the following:
>
> 2023/11/28 11:13:21.919| 1,2| main.cc(1619) SquidMain: Doing post-config
> initialization
> 2023/11/28 11:13:21.919| 1,2| main.cc(1621) SquidMain: running
> RegisteredRunner::finalizeConfig
> 2023/11/28 11:13:21.919| Created PID file (/run/squid.pid)
> 2023/11/28 11:13:21.921| 1,2| main.cc(1453) StartUsingConfig: running
> RegisteredRunner::claimMemoryNeeds
> 2023/11/28 11:13:21.921| 1,2| main.cc(1454) StartUsingConfig: running
> RegisteredRunner::useConfig
> 2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1619) SquidMain: Doing
> post-config initialization
> 2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1621) SquidMain: running
> RegisteredRunner::finalizeConfig
> 2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1453) StartUsingConfig:
> running RegisteredRunner::claimMemoryNeeds
> 2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1454) StartUsingConfig:
> running RegisteredRunner::useConfig
> 2023/11/28 11:13:21.988 kid1| Current Directory is /
> 2023/11/28 11:13:21.988 kid1| Creating missing swap directories
> 2023/11/28 11:13:21.988 kid1| No cache_dir stores are configured.
> 2023/11/28 11:13:21.992| 1,2| main.cc(2051) watch_child: running
> RegisteredRunner::finishShutdown
> 2023/11/28 11:13:21.992| Removing PID file (/run/squid.pid)
> 2023/11/28 11:13:22.063| 1,2| main.cc(1619) SquidMain: Doing post-config
> initialization
> 2023/11/28 11:13:22.063| 1,2| main.cc(1621) SquidMain: running
> RegisteredRunner::finalizeConfig
> 2023/11/28 11:13:22.063| Created PID file (/run/squid.pid)
> 2023/11/28 11:13:22.066| 1,2| main.cc(1453) StartUsingConfig: running
> RegisteredRunner::claimMemoryNeeds
> 2023/11/28 11:13:22.066| 1,2| main.cc(1454) StartUsingConfig: running
> RegisteredRunner::useConfig
> 2023/11/28 11:13:22.131 kid1| 1,2| main.cc(1619) SquidMain: Doing
> post-config initialization
> 2023/11/28 11:13:22.132 kid1| 1,2| main.cc(1621) SquidMain: running
> RegisteredRunner::finalizeConfig
> 2023/11/28 11:13:22.132 kid1| 1,2| main.cc(1453) StartUsingConfig:
> running RegisteredRunner::claimMemoryNeeds
> 2023/11/28 11:13:22.132 kid1| 1,2| main.cc(1454) StartUsingConfig:
> running RegisteredRunner::useConfig
> 2023/11/28 11:13:22.132 kid1| Current Directory is /
> 2023/11/28 11:13:22.132 kid1| Starting Squid Cache version 4.13 for
> x86_64-pc-linux-gnu...
> 2023/11/28 11:13:22.132 kid1| Service Name: squid
> 2023/11/28 11:13:22.132 kid1| Process ID 2863502
> 2023/11/28 11:13:22.132 kid1| Process Roles: worker
> 2023/11/28 11:13:22.132 kid1| With 1024 file descriptors available
> 2023/11/28 11:13:22.132 kid1| Initializing IP Cache...
> 2023/11/28 11:13:22.135 kid1| 78,2| dns_internal.cc(1570) Init:
> idnsInit: attempt open DNS socket to: 0.0.0.0
> 2023/11/28 11:13:22.135 kid1| DNS Socket created at 0.0.0.0, FD 5
> 2023/11/28 11:13:22.135 kid1| Adding domain de.regify.com from
> /etc/resolv.conf
> 2023/11/28 11:13:22.135 kid1| Adding nameserver 192.168.1.1 from
> /etc/resolv.conf
> 2023/11/28 11:13:22.135 kid1| helperOpenServers: Starting 5/32
> 'security_file_certgen' processes
> 2023/11/28 11:13:22.164 kid1| 46,2| Format.cc(71) parse: got definition
> '%>a/%>A %un %>rm myip=%la myport=%lp'
> 2023/11/28 11:13:22.165 kid1| 46,2| Format.cc(71) parse: got definition
> '%>a/%>A %un %>rm myip=%la myport=%lp'
> 2023/11/28 11:13:22.165 kid1| Logfile: opening log
> daemon:/var/log/squid/access.log
> 2023/11/28 11:13:22.165 kid1| Logfile Daemon: opening log
> /var/log/squid/access.log
> 2023/11/28 11:13:22.194 kid1| 71,2| store_digest.cc(96)
> storeDigestCalcCap: have: 0, want 0 entries; limits: [1, 0]
> 2023/11/28 11:13:22.194 kid1| 70,2| CacheDigest.cc(46) init: capacity: 1
> entries, bpe: ; size: 1 bytes
> 2023/11/28 11:13:22.194 kid1| Local cache digest enabled;
> rebuild/rewrite every 3600/3600 sec
> 2023/11/28 11:13:22.194 kid1| Store logging disabled
> 2023/11/28 11:13:22.194 kid1| Swap maxSize 0 + 262144 KB, estimated
> 20164 objects
> 2023/11/28 11:13:22.194 kid1| Target number of buckets: 1008
> 2023/11/28 11:13:22.194 kid1| Using 8192 Store buckets
> 2023/11/28 11:13:22.194 kid1| Max Mem size: 262144 KB
> 2023/11/28 11:13:22.194 kid1| Max Swap size: 0 KB
> 2023/11/28 11:13:22.194 kid1| Using Least Load store dir selection
> 2023/11/28 11:13:22.194 kid1| Current Directory is /
> 2023/11/28 11:13:22.194 kid1| Finished loading MIME types and icons.
> 2023/11/28 11:13:22.332 kid1| 80,2| wccp.cc(113) wccpConnectionOpen:
> WCCPv1 disabled.
> 2023/11/28 11:13:22.332 kid1| 80,2| wccp2.cc(959) wccp2ConnectionOpen:
> WCCPv2 Disabled. No IPv4 Router(s) configured.
> 2023/11/28 11:13:22.332 kid1| 33,2| AsyncCall.cc(25) AsyncCall: The
> AsyncCall clientListenerConnectionOpened constructed,
> this=0x5636c42036d0 [call18]
> 2023/11/28 11:13:22.333 kid1| 33,2| AsyncCall.cc(92) ScheduleCall:
> StartListening.cc(59) will call
> clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 22
> flags=9, err=0, HTTP Socket port=0x5636c4203730) [call18]
> 2023/11/28 11:13:22.333 kid1| 33,2| AsyncCall.cc(25) AsyncCall: The
> AsyncCall clientListenerConnectionOpened constructed,
> this=0x5636c420ca50 [call20]
> 2023/11/28 11:13:22.337 kid1| 33,2| AsyncCall.cc(92) ScheduleCall:
> StartListening.cc(59) will call
> clientListenerConnectionOpened(local=0.0.0.0:443 remote=[::] FD 23
> flags=25, err=0, HTTPS Socket port=0x5636c420cab0) [call20]
> 2023/11/28 11:13:22.337 kid1| HTCP Disabled.
> 2023/11/28 11:13:22.337 kid1| Squid plugin modules loaded: 0
> 2023/11/28 11:13:22.337 kid1| Adaptation support is off.
> 2023/11/28 11:13:22.338 kid1| 93,2| Config.cc(224) FinalizeEach:
> Initialized 0 message adaptation services
> 2023/11/28 11:13:22.338 kid1| 93,2| Config.cc(224) FinalizeEach:
> Initialized 0 message adaptation service groups
> 2023/11/28 11:13:22.338 kid1| 93,2| Config.cc(224) FinalizeEach:
> Initialized 0 message adaptation access rules
> 2023/11/28 11:13:22.339 kid1| 33,2| AsyncCallQueue.cc(55) fireNext:
> entering clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::]
> FD 22 flags=9, err=0, HTTP Socket port=0x5636c4203730)
> 2023/11/28 11:13:22.339 kid1| 33,2| AsyncCall.cc(37) make: make call
> clientListenerConnectionOpened [call18]
> 2023/11/28 11:13:22.339 kid1| Accepting HTTP Socket connections at
> local=0.0.0.0:3128 remote=[::] FD 22 flags=9
> 2023/11/28 11:13:22.346 kid1| 33,2| AsyncCallQueue.cc(57) fireNext:
> leaving clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD
> 22 flags=9, err=0, HTTP Socket port=0x5636c4203730)
> 2023/11/28 11:13:22.346 kid1| 33,2| AsyncCallQueue.cc(55) fireNext:
> entering clientListenerConnectionOpened(local=0.0.0.0:443 remote=[::] FD
> 23 flags=25, err=0, HTTPS Socket port=0x5636c420cab0)
> 2023/11/28 11:13:22.346 kid1| 33,2| AsyncCall.cc(37) make: make call
> clientListenerConnectionOpened [call20]
> 2023/11/28 11:13:22.346 kid1| Accepting TPROXY intercepted SSL bumped
> HTTPS Socket connections at local=0.0.0.0:443 remote=[::] FD 23 flags=25
> 2023/11/28 11:13:22.352 kid1| 33,2| AsyncCallQueue.cc(57) fireNext:
> leaving clientListenerConnectionOpened(local=0.0.0.0:443 remote=[::] FD
> 23 flags=25, err=0, HTTPS Socket port=0x5636c420cab0)
> 2023/11/28 11:13:22.352 kid1| Configuring Parent test.de.regify.com/443/0
> 2023/11/28 11:13:22.353 kid1| 15,2| neighbors.cc(1198) peerDNSConfigure:
> --> IP address #0: 192.168.1.122
> 2023/11/28 11:13:22.368 kid1| 15,2| neighbors.cc(1272)
> peerConnectSucceded: TCP connection to test.de.regify.com/443 succeeded
> 2023/11/28 11:13:23 kid1| storeLateRelease: released 0 objects
>
>
> Then when I call curl -k https://test.regify.com/
>
> I get
>
> The requested URL could not be retrieved
>
> And the log has the following:
>
>
> 2023/11/28 11:15:05.467 kid1| 5,2| TcpAcceptor.cc(224) doAccept: New
> connection on FD 23
> 2023/11/28 11:15:05.467 kid1| 5,2| TcpAcceptor.cc(312) acceptNext:
> connection on local=0.0.0.0:443 remote=[::] FD 23 flags=25
> 2023/11/28 11:15:05.467 kid1| 17,2| QosConfig.cc(125)
> getNfmarkFromConnection: QOS: Failed to retrieve connection mark: (-1)
> (2) No such file or directory (Destination 192.168.1.132:443, source
> 192.168.1.124:60690)
> 2023/11/28 11:15:05.468 kid1| 33,2| client_side.cc(2742)
> httpsSslBumpAccessCheckDone: sslBump action peekneeded for
> local=192.168.1.132:443 remote=192.168.1.124:60690 FD 11 flags=17
> 2023/11/28 11:15:05.468 kid1| 33,2| client_side.cc(3418)
> fakeAConnectRequest: fake a CONNECT request to force connState to tunnel
> for ssl-bump
> 2023/11/28 11:15:05.468 kid1| 85,2| client_side_request.cc(751)
> clientAccessCheckDone: The request CONNECT 192.168.1.132:443 is ALLOWED;
> last ACL checked: all
> 2023/11/28 11:15:05.468 kid1| 85,2| client_side_request.cc(729)
> clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
> 2023/11/28 11:15:05.468 kid1| 85,2| client_side_request.cc(751)
> clientAccessCheckDone: The request CONNECT 192.168.1.132:443 is ALLOWED;
> last ACL checked: all
> 2023/11/28 11:15:05.483 kid1| 17,2| FwdState.cc(142) FwdState:
> Forwarding client request local=192.168.1.132:443
> remote=192.168.1.124:60690 FD 11 flags=17, url=192.168.1.132:443
> 2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(316)
> peerSelectDnsPaths: Found sources for '192.168.1.132:443'
> 2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(317)
> peerSelectDnsPaths: always_direct = DENIED
> 2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(318)
> peerSelectDnsPaths: never_direct = DENIED
> 2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(324)
> peerSelectDnsPaths: ORIGINAL_DST = local=192.168.1.124
> remote=192.168.1.132:443 flags=25
> 2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(331)
> peerSelectDnsPaths: timedout = 0
> 2023/11/28 11:16:05.433 kid1| 4,2| errorpage.cc(1259) BuildContent: No
> existing error page language negotiated for ERR_CONNECT_FAIL. Using
> default error file.
> 2023/11/28 11:16:05.433 kid1| 20,2| store.cc(985) checkCachable:
> StoreEntry::checkCachable: NO: not cachable
> 2023/11/28 11:16:05.433 kid1| 20,2| store.cc(985) checkCachable:
> StoreEntry::checkCachable: NO: not cachable
> 2023/11/28 11:16:05.463 kid1| 83,2| client_side.cc(2675)
> clientNegotiateSSL: New session 0x5636c4227330 on FD 11
> (192.168.1.124:60690)
> 2023/11/28 11:16:05.464 kid1| 11,2| client_side.cc(1306)
> parseHttpRequest: HTTP Client local=192.168.1.132:443
> remote=192.168.1.124:60690 FD 11 flags=17
> 2023/11/28 11:16:05.464 kid1| 11,2| client_side.cc(1307)
> parseHttpRequest: HTTP Client REQUEST:
> ---------
> GET / HTTP/1.1
> Host: test.regify.com
> User-Agent: curl/7.74.0
> Accept: */*
>
>
> ----------
> 2023/11/28 11:16:05.464 kid1| 88,2| client_side_reply.cc(2062)
> processReplyAccessResult: The reply for GET https://test.regify.com/ is
> ALLOWED, because it matched (access_log daemon:/var/log/squid/access.log
> line)
> 2023/11/28 11:16:05.464 kid1| 11,2| Stream.cc(271) sendStartOfMessage:
> HTTP Client local=192.168.1.132:443 remote=192.168.1.124:60690 FD 11
> flags=17
> 2023/11/28 11:16:05.464 kid1| 11,2| Stream.cc(272) sendStartOfMessage:
> HTTP Client REPLY:
> ---------
> HTTP/1.1 503 Service Unavailable
> Server: squid/4.13
> Mime-Version: 1.0
> Date: Tue, 28 Nov 2023 10:16:05 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 3487
> X-Squid-Error: ERR_CONNECT_FAIL 110
> Vary: Accept-Language
> Content-Language: en
> X-Cache: MISS from proxy
> X-Cache-Lookup: NONE from proxy:3128
> Via: 1.1 proxy (squid/4.13)
> Connection: close
>
>
> ----------
> 2023/11/28 11:16:05.464 kid1| 20,2| store.cc(985) checkCachable:
> StoreEntry::checkCachable: NO: not cachable
> 2023/11/28 11:16:05.464 kid1| 33,2| client_side.cc(895) kick:
> local=192.168.1.132:443 remote=192.168.1.124:60690 flags=17 Connection
> was closed
> 2023/11/28 11:16:05.464 kid1| 33,2| client_side.cc(586) swanSong:
> local=192.168.1.132:443 remote=192.168.1.124:60690 flags=17
> 2023/11/28 11:16:05.465 kid1| 20,2| store.cc(985) checkCachable:
> StoreEntry::checkCachable: NO: not cachable
>
> I've been reading the squid docs and other internet resources, but am
> failing to figure out why this is not working.
>
> Any clue sticks would be appreciated.
>
> Also appreciated would be advice on where to find this documented.
>
>
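A fuller squid.conf for the SNI-based virtual hosting the original post describes, with the routing rules from the reply applied. This is an added example, not configuration posted by either participant or shipped by the Squid project; the second backend (app.regify.com / app.de.regify.com) and the ACL and peer names are placeholders chosen for illustration.

```conf
# Added example (not from the thread): SNI-based routing to several
# TLS backends using peek/splice plus explicit parent routing.
# The "app" host, ACL names and peer names are assumptions.

https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/root/dummy.pem

# Step 1: peek at the ClientHello so the SNI becomes known.
# Then splice: relay the client's TLS bytes unchanged to the chosen backend.
ssl_bump peek step1
ssl_bump splice all

# One ACL per virtual host, matched against the SNI the client sent.
acl sni_test ssl::server_name test.regify.com
acl sni_app  ssl::server_name app.regify.com     # assumed second host

# One origin-server parent per backend. No TLS option on the peer line:
# with splice, what Squid relays is already the client's TLS session.
cache_peer test.de.regify.com parent 443 0 proxy-only originserver no-digest no-netdb-exchange name=test
cache_peer app.de.regify.com  parent 443 0 proxy-only originserver no-digest no-netdb-exchange name=app   # assumed

# cache_peer_access only grants permission to use a peer that routing is
# already considering; it does not by itself make routing consider peers.
cache_peer_access test allow sni_test
cache_peer_access test deny all
cache_peer_access app  allow sni_app
cache_peer_access app  deny all

# This is what forces every request through a parent. Without it, Squid
# goes direct to the intercepted destination (ORIGINAL_DST, which in the
# posted log was 192.168.1.132:443) and never consults the peers.
never_direct allow all
always_direct deny all

http_access allow all
```

Two checks worth doing after the change: run `squid -k parse` to catch syntax errors before reloading, and repeat the curl test with `debug_options 44,2` still on; the peer_select.cc lines should now read `never_direct = ALLOWED` and the chosen destination should no longer be ORIGINAL_DST. One caveat on the port itself: with `tproxy`, Squid spoofs the client's source address on its outbound connections, so the backends must route their replies back through the proxy host; if that is not set up, Squid's `spoof_client_ip deny all` directive, or using `intercept` instead of `tproxy` on the https_port, avoids the spoofing. With `never_direct allow all` in place and no peer permitted for a given SNI, Squid returns its "unable to forward" error rather than falling back to a direct connection, so every virtual host needs a matching cache_peer_access rule.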