[squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

Dragos Pacher dragosrp at proton.me
Tue Mar 5 09:59:21 UTC 2024


Please see my replies in between the lines below.

On Tuesday, March 5th, 2024 at 5:40 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 5/03/24 08:03, Dragos Pacher wrote:
> 
> > Hello,
> > 
> > I am a Squid beginner and we would like to use Squid inside our
> > organization only as an HTTPS traffic inspection/logging tool for some
> > 3rd-party apps that we bought,
> > something close to what is called a "MITM proxy", but we will not do
> > that; instead we use a self-signed certificate and the 3rd-party app
> > owners know this. Everything is
> > 100% completely legal. (PS: I am the IT lead.)
> 
> 
> FYI: "MITM proxy" is a ridiculous term. "MITM" means "intermediary" in
> security terminology, "proxy" means "intermediary" in networking
> terminology.
> So that term just means "intermediary intermediary", yeah.
> 

I did not coin this term; I was referring to this: https://mitmproxy.org
I guess it entered IT popular culture somehow.

> 
> 
> Any serious HTTPS inspection/logging by Squid needs some form of
> SSL-Bump configuration and those 3rd-party Apps MUST be configured with
> trust for the self-signed root CA you are using.
> 
> 
> Without that nothing Squid (or any other proxy) does will allow traffic
> inspection beyond the initial TLS handshake.
> 

I specified in my first email that I did this already; maybe I was not so clear, but
my self-signed certificate is working with the 3rd-party apps.

> 
> 
> Assuming that you have checked that detail, on to your issue ...
> 
> > We will be using Squid only internally, no outside access. Here is my
> > issue with the current knowledge of Squid: POC running well on 3 servers
> > but on the 4th I get no IPv6
> > sockets:
> > ubuntu at A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp 0 0 10.10.0.16:3128 0.0.0.0:*
> > LISTEN 2891391/(squid-1)
> 
> 
> 
> Your problem is the http(s)_port "port" configuration parameter.
> 
> 
> This Squid is configured to listen like:
> 
> http_port 10.10.0.16:3128
> 
> or
> 
> http_port example.com:3128
> 
> (when example.com has only address 10.10.0.16)
> 
> 
> The "http_port" receives port 80 syntax traffic, it may also be
> "https_port" which receives port 443 syntax traffic.
> 
> > and on the other 3 I have IPv6:
> > ubuntu at A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED
> > 997651/(squid-1)
> > tcp6 0 0 :::3128 :::*
> > LISTEN 997651/(squid-1)
> 
> 
> 
> These Squid are configured to listen like:
> 
> http_port 3128
> 
> 
> Ensure that the machine/server the 4th Squid is running on has its
> http(s)_port line matching the other three machines port value.
> 
> At this point do not care about the "mode" or options later in the line.
> Your issue is solely the "port" parameter.
> 

So far it seems I was missing [::] in my http_port on the problem server; because of automatic deployment
something went wrong, and I had assumed my Squid configuration was the same all over the place. I fixed this, but the issue is still there.
Please see: this is inside a Docker container on a healthy server:
# netstat -patun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:41421        0.0.0.0:*               LISTEN      1574/dockerd
tcp        0      1 172.18.0.10:46950       10.10.0.16:3128         SYN_SENT    307601/node
udp        0      0 127.0.0.11:57486        0.0.0.0:*                           1574/dockerd

and the same netstat on the unhealthy server, still inside Docker:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:38339        0.0.0.0:*               LISTEN      273025/dockerd
tcp        0      0 172.18.0.4:50666        10.10.0.11:3128         ESTABLISHED 494253/node
tcp6       0      0 :::8080                 :::*                    LISTEN      494253/node
tcp6       0      0 127.0.0.1:8080          127.0.0.1:46168         TIME_WAIT   -
tcp6       0      0 127.0.0.1:8080          127.0.0.1:44480         TIME_WAIT   -
udp        0      0 127.0.0.11:56639        0.0.0.0:*                           273025/dockerd

and a tcpdump from the Docker bridge interface; 172.18.0.10 is my issue container with only the SYN sent:

root at A2-3:~# tcpdump -i br-7b47c165c9ba dst port 3128 -vvv
tcpdump: listening on br-7b47c165c9ba, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:55:53.436758 IP (tos 0x0, ttl 64, id 48752, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.59056 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x0dd4), seq 2115452268, win 65535, options [mss 1460,sackOK,TS val 1708093369 ecr 0,nop,wscale 11], length 0
09:56:20.845804 IP (tos 0x0, ttl 64, id 40649, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x48f3), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708120778 ecr 0,nop,wscale 11], length 0
09:56:21.852827 IP (tos 0x0, ttl 64, id 40650, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x4504), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708121785 ecr 0,nop,wscale 11], length 0
09:56:23.868762 IP (tos 0x0, ttl 64, id 40651, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x3d24), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708123801 ecr 0,nop,wscale 11], length 0
09:56:27.996768 IP (tos 0x0, ttl 64, id 40652, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x2d04), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708127929 ecr 0,nop,wscale 11], length 0
09:56:36.188758 IP (tos 0x0, ttl 64, id 40653, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x0d04), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708136121 ecr 0,nop,wscale 11], length 0
09:56:52.316463 IP (tos 0x0, ttl 64, id 40654, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0xce03), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708152249 ecr 0,nop,wscale 11], length 0

7 packets captured
7 packets received by filter


Why the SYN_SENT-only state? Any ideas?

Thank you,

Dragos

> 
> Cheers
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
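Added example for this thread (editor's code, not Squid project code and not from either poster): two offline triage helpers for the two symptoms discussed above. classify_http_port() applies the rule Amos gives (a bare port binds every address, an explicit address binds only that address and its family) to an http(s)_port line, and listener_covers() checks whether the address a client dials (10.10.0.16 in the thread) falls inside that binding. syn_report() reads tcpdump text and reports, per client/server flow, how many SYNs were sent, how many were retransmissions of the same sequence number, and whether a SYN-ACK ever came back. The capture embedded in the block is constructed (its shape copied from the thread, values illustrative); the hostnames and addresses are the thread's. One assumption is marked in the code: that a bare-port or [::] listener is dual-stack and accepts IPv4 as well, which is the Linux default and matches the tcp6 :::3128 entries shown above.

```python
# Added example (editor's code, not from Squid or the thread's posters). Offline triage
# helpers for the symptoms above: which addresses a Squid http(s)_port line actually
# binds, and whether SYNs seen in a tcpdump were ever answered.
import re
from ipaddress import ip_address, IPv4Address


def classify_http_port(line):
    """Parse 'http_port <spec> [options...]' into {kind, host, port, families}.
    Assumption (Linux default, consistent with the tcp6 :::3128 entries in the
    thread): a bare-port or [::] listener is dual-stack and accepts IPv4 too."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("http_port", "https_port"):
        raise ValueError("not an http_port/https_port line: %r" % line)
    spec = tokens[1]
    if spec.startswith("["):                       # [::]:3128 or [2001:db8::1]:3128
        host, _, port = spec[1:].partition("]:")
    elif spec.isdigit():                           # 3128 -> every address
        host, port = "", spec
    else:                                          # 10.10.0.16:3128 or example.com:3128
        host, _, port = spec.rpartition(":")
    if not port.isdigit():
        raise ValueError("bad port in %r" % spec)
    if host in ("", "::"):
        kind, families = "wildcard", {"IPv4", "IPv6"}
    elif host == "0.0.0.0":
        kind, families = "wildcard", {"IPv4"}
    else:
        try:
            fam = "IPv4" if isinstance(ip_address(host), IPv4Address) else "IPv6"
            kind, families = "address", {fam}
        except ValueError:                         # a hostname: needs DNS, not resolved here
            kind, families = "hostname", set()
    return {"kind": kind, "host": host, "port": int(port), "families": families}


def listener_covers(binding, dialed_ip):
    """True/False if a client dialing dialed_ip:<port> reaches this listener;
    None when the binding is a hostname this helper did not resolve."""
    dst = ip_address(dialed_ip)
    fam = "IPv4" if isinstance(dst, IPv4Address) else "IPv6"
    if binding["kind"] == "wildcard":
        return fam in binding["families"]
    if binding["kind"] == "address":
        return ip_address(binding["host"]) == dst
    return None


# The per-packet detail line tcpdump -v prints: "src.port > dst.port: Flags [..], ... seq N"
TCPDUMP_RE = re.compile(r"^\s*(\S+?)\.(\d+) > (\S+?)\.(\d+): Flags \[([^\]]*)\].*?\bseq (\d+)")


def syn_report(capture_text):
    """Per (client, server) flow: SYN count, how many were retransmissions (same
    sequence number repeated) and whether a SYN-ACK ([S.]) came back.
    Feed it a capture taken with 'port 3128' (both directions): the 'dst port 3128'
    filter used in the thread can never contain the SYN-ACK, so replies would
    always look missing regardless of what the proxy did."""
    flows = {}
    for line in capture_text.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags, seq = m.groups()
        if flags == "S":                           # client -> server SYN
            f = flows.setdefault((f"{src}:{sport}", f"{dst}:{dport}"),
                                 {"syns": 0, "seqs": set(), "answered": False})
            f["syns"] += 1
            f["seqs"].add(seq)
        elif flags == "S.":                        # server -> client SYN-ACK
            key = (f"{dst}:{dport}", f"{src}:{sport}")
            if key in flows:
                flows[key]["answered"] = True
    return {k: {"syns": v["syns"], "retransmits": v["syns"] - len(v["seqs"]),
                "answered": v["answered"]} for k, v in flows.items()}


# Constructed capture (detail lines only, shape copied from the thread, values illustrative):
# one flow whose SYN is retransmitted twice and never answered, one flow that completes.
SAMPLE_CAPTURE = """\
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x48f3), seq 2480704598, win 65535, length 0
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x4504), seq 2480704598, win 65535, length 0
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x3d24), seq 2480704598, win 65535, length 0
    172.18.0.4.50666 > 10.10.0.11.3128: Flags [S], cksum 0x0000 (correct), seq 1000, win 65535, length 0
    10.10.0.11.3128 > 172.18.0.4.50666: Flags [S.], cksum 0x0000 (correct), seq 5000, ack 1001, win 65160, length 0
"""

if __name__ == "__main__":
    for cfg in ("http_port 3128", "http_port 10.10.0.16:3128 ssl-bump", "http_port [::]:3128"):
        b = classify_http_port(cfg)
        print(f"{cfg!r:40} -> {b['kind']:8} {sorted(b['families'])}  "
              f"covers 10.10.0.16: {listener_covers(b, '10.10.0.16')}")
    for flow, info in syn_report(SAMPLE_CAPTURE).items():
        print(f"{flow[0]} -> {flow[1]}: {info}")
```

The "incorrect" checksums in the thread's capture are the usual sign of checksum offload on the sending side and not themselves a fault. A flow that shows SYNs only with a "port 3128" filter, growing retransmission gaps and no [S.] points at something between the bridge and the listener (or a listener bound to a different address than the one dialed), which is exactly what listener_covers() is meant to rule in or out.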

