[squid-users] Squid with IPv6 Tunnel Broker

Jonathan Lee jonathanlee571 at gmail.com
Wed Jul 31 06:05:37 UTC 2024


The error it shows when I activate IPv6-only mode (not dual stack) is

Error: no forward proxy ports configured 

Squid terminated
Sent from my iPhone

> On Jul 30, 2024, at 20:16, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
> On 30/07/24 08:47, Jonathan Lee wrote:
>> I did not know that I had the option set to disable Squid ICMP pinger
> 
> pinger helper is not related.
> 
> 
> What I meant was that you need to ensure ICMPv6 protocol is enabled and working on your network. That is usually a firewall issue.
> 
> If it is blocked, the IPv6 packet fragmentation mechanism (required for tunnels) will not work and result in behaviour like you are seeing.
> Similarly if MTU is set too large for the tunnel maximum packet size.
> 
> 
>> I enabled ping helper I show a good socket for my IPV6 interface address but every IPV6 only device shows NONE_NONE/409 on the Squid Access Table
> 
> 409 generated by Squid is a failed security check.
> <https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>
> 
> 
>> I get the same result. How would I change MTU on Squid isn’t that set to auto discover with the HTTP port directive?
> 
> Yes, that is done using ICMPv6 and the primary reason why Squid needs that protocol working.
> 
>> I also forgot to mention the IPV6 only device works when I have it set to not use the proxy.
> 
> The list of ports you show below has Squid accepting direct (forward proxy) connections with an IPv4-only port 3128.
> 
> 
> I really do recommend using the port-only configuration style. At least until you get the proxy working properly. Squid sockets are dual-stack and accept both protocols by default. That will help you sort out the scope of what each port number is doing and avoid copy-paste mistakes like this.
> 
> 
>> Thanks again for the reply. It does work from IPV4 to IPV6 requests but never for IPV6 to IPV6 addresses or pure IPV6. I can disable the proxy and the system works for IPV6 to IPV6 only.
> 
> 
>> Here is my configuration I am testing..
>> # This file is automatically generated by pfSense
>> # Do not edit manually !
>> http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>> http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>> http_port [REDACTED:192::]:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>> https_port [REDACTED:192::]:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
> 
> 
>> tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
>> tls_outgoing_options capath=/usr/local/share/certs/
>> tls_outgoing_options options=NO_SSLv3
>> tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>> sslcrtd_children 10
> 
> 
>> # Allow local network(s) on interface(s)
>> acl localnet src  192.168.1.0/27 REDACTED:192::/64
> 
>> acl block_hours time 00:30-05:00
>> ssl_bump terminate all block_hours
>> http_access deny all block_hours
>> acl getmethod method GET
> 
> 
>> tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
>> #SINGLE_DH_USE,SINGLE_ECDH_USE
>> acl HttpAccess dstdomain '/usr/local/pkg/http.access'
>> acl windowsupdate dstdomain '/usr/local/pkg/windowsupdate'
> 
> 
>> refresh_pattern -i ^http.*squid.internal.* 43200 100% 79900 override-expire override-lastmod ignore-reload ignore-no-store ignore-must-revalidate ignore-private ignore-auth
> 
>> # Updates: Windows
>> refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200  refresh-ims
>> refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200  refresh-ims
>> refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200  refresh-ims
>> refresh_pattern -i microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
>> refresh_pattern -i windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
>> refresh_pattern -i windows.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
>> refresh_pattern -i .*windowsupdate.com/.*.(cab|exe) 259200 100% 259200
>> refresh_pattern -i .*update.microsoft.com/.*.(cab|exe|dll|msi|psf) 259200 100% 259200
>> refresh_pattern windowsupdate.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
>> refresh_pattern download.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
>> refresh_pattern www.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
>> refresh_pattern au.download.windowsupdate.com/.*.(cab|exe|dll|msi|psf) 4320 100% 43200
>> refresh_pattern bg.v4.pr.dl.ws.microsoft.com/.*.(cab|exe|dll|msi|psf) 4320 100% 43200
>> #windows update NEW UPDATE 0.04
>> refresh_pattern update.microsoft.com/.*.(cab|exe) 43200 100% 129600
>> refresh_pattern ([^.]+.)?(download|(windows)?update).(microsoft.)?com/.*.(cab|exe|msi|msp|psf) 4320 100% 43200
>> refresh_pattern update.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
>> refresh_pattern -i .update.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>> refresh_pattern -i .windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>> refresh_pattern -i .download.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>> refresh_pattern -i .ws.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>> 
> 
> You might want to look through these patterns in future and remove the impossible-to-match ones and duplicates.
> 
>> acl https_login url_regex -i ^https.*(login|Login).*
>> cache deny https_login
>> acl donotcache dstdomain '/var/squid/acl/donotcache.acl'
>> cache deny donotcache
>> cache allow all
> 
> 
>> # Setup some default acls
>> # ACLs all, manager, localhost, and to_localhost are predefined.
>> acl allsrc src all
>> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 3129 1025-65535
>> acl sslports port 443 563 8080 5223 2197
>> acl purge method PURGE
>> acl connect method CONNECT
>> # Define protocols used for redirects
>> acl HTTP proto HTTP
>> acl HTTPS proto HTTPS
>> # SslBump Peek and Splice
>> # http://wiki.squid-cache.org/Features/SslPeekAndSplice
>> # http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>> # Match against the current step during ssl_bump evaluation [fast]
>> # Never matches and should not be used outside the ssl_bump context.
>> #
>> # At each SslBump step, Squid evaluates ssl_bump directives to find
>> # the next bumping action (e.g., peek or splice). Valid SslBump step
>> # values and the corresponding ssl_bump evaluation moments are:
>> #   SslBump1: After getting TCP-level and HTTP CONNECT info.
>> #   SslBump2: After getting TLS Client Hello info.
>> #   SslBump3: After getting TLS Server Hello info.
>> # These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
>> # they can be used there for custom configuration.
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> acl banned_hosts src '/var/squid/acl/banned_hosts.acl'
>> acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
>> acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl'
>> http_access allow manager localhost
>> http_access deny manager
>> http_access allow purge localhost
>> http_access deny purge
>> http_access deny !safeports
>> http_access deny CONNECT !sslports
>> # Always allow localhost connections
>> http_access allow localhost
>> quick_abort_min 0 KB
>> quick_abort_max 0 KB
>> quick_abort_pct 95
>> request_body_max_size 0 KB
>> delay_pools 1
>> delay_class 1 2
>> delay_parameters 1 -1/-1 -1/-1
>> delay_initial_bucket_level 100
>> delay_access 1 allow allsrc
>> # Reverse Proxy settings
>> deny_info TCP_RESET allsrc
>> # Package Integration
>> url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
>> url_rewrite_bypass off
>> url_rewrite_children 32 startup=8 idle=4 concurrency=0
>> # Custom options before auth
>> #host_verify_strict on
>> # These hosts are banned
>> http_access deny banned_hosts
>> # Always allow access to whitelist domains
>> http_access allow whitelist
>> # Block access to blacklist domains
>> http_access deny blacklist
>> # List of domains allowed to logging in to Google services
>> request_header_access X-GoogApps-Allowed-Domains deny all
>> request_header_add X-GoogApps-Allowed-Domains consumer_accounts
>> # Set YouTube safesearch restriction
>> acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
>> request_header_access YouTube-Restrict deny all
>> request_header_add YouTube-Restrict none youtubedst
>> acl sglog url_regex -i sgr=ACCESSDENIED
>> http_access deny sglog
>> # Custom SSL/MITM options before auth
>> cachemgr_passwd disable offline_toggle reconfigure shutdown
>> cachemgr_passwd REDACTED all
>> eui_lookup on
>> acl no_miss url_regex -i gateway.facebook.com/ws/realtime?
>> acl no_miss url_regex -i web-chat-e2ee.facebook.com/ws/chat
>> acl CONNECT method CONNECT
>> acl wuCONNECT dstdomain www.update.microsoft.com
>> acl wuCONNECT dstdomain sls.microsoft.com
>> http_access allow CONNECT wuCONNECT localnet
>> http_access allow CONNECT wuCONNECT localhost
>> http_access allow windowsupdate localnet
>> http_access allow windowsupdate localhost
>> http_access allow HttpAccess localnet
>> http_access allow HttpAccess localhost
>> http_access deny manager
>> acl BrokenButTrustedServers dstdomain '/usr/local/pkg/dstdom.broken'
>> acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
>> sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
>> sslproxy_cert_error deny all
>> acl splice_only src 192.168.1.8 #Tasha iPhone
>> acl splice_only src 192.168.1.10 #Jon iPhone
>> acl splice_only src REDACTEDIPV6:6383:14b3 #Jon iPhone
>> acl splice_only src 192.168.1.11 #Amazon Fire
>> acl splice_only src 192.168.1.15 #Tasha HP
>> acl splice_only src 192.168.1.16 #iPad
>> acl splice_only src REDACTEDIPV6f:8589:3922 #iPad
>> acl splice_only_mac arp REDACTEDMAC
>> acl splice_only_mac arp REDACTEDMAC
>> acl splice_only_mac arp REDACTEDMAC
>> acl splice_only_mac arp REDACTEDMAC
>> acl splice_only_mac arp REDACTEDMAC
>> acl NoSSLIntercept ssl::server_name_regex -i '/usr/local/pkg/reg.url.nobump'
>> acl NoBumpDNS dstdomain '/usr/local/pkg/dns.nobump'
> 
>> acl active_use annotate_client active=true
>> acl bump_only src 192.168.1.3 #webtv
>> acl bump_only src 192.168.1.4 #toshiba
>> acl bump_only src 192.168.1.5 #imac
>> acl bump_only src REDACTEDIPV6:720b:5bdd #imac
>> acl bump_only src 192.168.1.9 #macbook
>> acl bump_only src 192.168.1.13 #dell
>> acl bump_only_mac arp REDACTEDMAC
>> acl bump_only_mac arp REDACTEDMAC
>> acl bump_only_mac arp REDACTEDMAC
>> acl bump_only_mac arp REDACTEDMAC
>> acl bump_only_mac arp REDACTEDMAC
>> ssl_bump peek step1
>> miss_access deny no_miss active_use
>> ssl_bump splice https_login active_use
>> ssl_bump splice splice_only_mac splice_only active_use
>> ssl_bump splice NoBumpDNS active_use
>> ssl_bump splice NoSSLIntercept active_use #tested without MAC match
> 
>> ssl_bump bump bump_only active_use
> 
> 
>> # Setup allowed ACLs
>> # Allow local network(s) on interface(s)
>> http_access allow localnet
>> # Default block all to be sure
>> http_access deny allsrc
> 
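An added check, not from this thread or the Squid project, that applies the listener review Amos gives above: each http_port/https_port line is parsed for its address family and mode, a forward (non-intercept) port bound to a single family is flagged with the port-only form as the dual-stack alternative, and a config whose remaining listeners are all intercept is reported with the same "no forward proxy ports configured" condition Jonathan hit. The sample config and its 2001:db8 address are constructed.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the listener lines quoted above; the long
# TLS option strings are dropped because only address and mode matter here.
SAMPLE_CONF = """\
http_port 192.168.1.1:3128 ssl-bump cert=/usr/local/etc/squid/serverkey.pem
http_port 127.0.0.1:3128 intercept ssl-bump
https_port 127.0.0.1:3129 intercept ssl-bump
http_port [2001:db8:192::]:3128 intercept ssl-bump
https_port [2001:db8:192::]:3129 intercept ssl-bump
"""

PORT_RE = re.compile(r"^\s*(https?_port)\s+(\S+)(.*)$")

def parse_listener(line: str) -> Dict[str, object]:
    """Classify one http_port/https_port line by address family and mode."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a listener line: {line!r}")
    directive, spec, rest = m.groups()
    modes = {"intercept", "tproxy", "accel"}
    mode = next((o for o in rest.split() if o in modes), "forward")
    if spec.startswith("["):                  # [v6addr]:port
        addr, port = spec[1:].split("]:", 1)
        family = "dual-stack" if addr == "::" else "ipv6-only"
    elif ":" in spec:                         # v4addr:port
        addr, port = spec.rsplit(":", 1)
        family = "ipv4-only"
    else:                                     # bare port: wildcard socket, dual-stack by default
        addr, port = "*", spec
        family = "dual-stack"
    return {"directive": directive, "addr": addr, "port": int(port),
            "mode": mode, "family": family}

def audit(conf: str) -> List[str]:
    """Return findings: no forward port at all, or forward ports bound to one family."""
    listeners = [parse_listener(l) for l in conf.splitlines()
                 if l.startswith(("http_port", "https_port"))]
    forward = [l for l in listeners if l["mode"] == "forward"]
    findings = []
    if not forward:
        findings.append("no forward proxy ports configured")
    for l in forward:
        if l["family"] != "dual-stack":
            findings.append(f"forward port {l['port']} is {l['family']}; "
                            f"'{l['directive']} {l['port']}' would be dual-stack")
    return findings
```

Running audit() on the sample with its first line removed reproduces the all-intercept case, which is the situation behind the "no forward proxy ports configured" startup error.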

