Eliezer,

I'm running Debian 6 with a 3.6.9 kernel, Shorewall is v4.5.9.3 and Squid 3.2.3 (I had some trouble compiling 3.2.4).

Indeed, "just these to 100Mbit connection" is what I need :)

//////////////////////////////////////// squid.conf ////////////////////////////////////////////////////

acl swe src 10.0.0.0/16
http_access allow swe

acl vlan20 src 10.4.10.0/23
acl vlan30 src 10.4.20.0/24
acl vlan10 src 10.4.0.0/24
acl vlan11 src 10.4.2.0/24
acl airpad_test src 10.59.255.112/28
acl ouest-express src 10.42.7.0/24
acl vpn src 10.5.200.0/24
acl dmz src 172.16.4.0/24

acl to_localnet dst 10.4.0.0/16 10.5.0.0/16 192.168.0.0/16 172.16.5.0/24 10.100.0.0/16 172.16.100.0/24
acl to_localdomain dstdomain .xxxxxx.com .xxxxx.local .xxxxxx.fr .xxxxx.fr .xxxxx.dev
acl to_th2 dst 87.98.197.128/27
acl to_th2 dst 158.255.72.0/21
acl to_hq0_ext dst 46.218.147.88/29
acl whitelist_name dstdomain .kernel.org .debian.org
acl chat dstdomain talk.google.com

acl XMPP_Ports port 5222
acl SSL_ports port 443
acl SSH_ports port 8022
acl FTP_ports port 21 # ftp
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 9418 # git
acl Safe_ports port 443 # https
acl Safe_ports port 8080 #
acl Safe_ports port 8443 #
acl CONNECT method CONNECT

acl images url_regex \.(png|jpg|gif)$
acl numeric_url url_regex ^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?) ^[0-9\.:]*$
acl FTP proto FTP

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/users.pwd
auth_param basic children 5
auth_param basic realm HQ0ROUTER01 proxy-caching web server
auth_param basic credentialsttl 2 hours
acl auth proxy_auth REQUIRED

http_access allow localhost
http_access allow manager localhost
http_access deny manager

no_cache deny to_localdomain

### AIRPAD TEST ###
http_access allow airpad_test auth to_th2
http_access allow airpad_test auth CONNECT SSH_ports to_th2
http_access allow airpad_test auth to_localdomain
http_access allow airpad_test auth CONNECT SSH_ports to_localdomain
always_direct allow airpad_test
http_access deny airpad_test
###################

### OUEST-EXPRESS ###
http_access allow ouest-express to_th2
http_access allow ouest-express CONNECT SSH_ports to_th2
http_access allow ouest-express to_localdomain
http_access allow ouest-express CONNECT SSH_ports to_localdomain
always_direct allow ouest-express
http_access deny ouest-express
###################

#http_access allow local_ports
http_access allow to_localdomain
http_access allow to_localnet
http_access allow to_th2
#http_access deny local_ports
http_access allow to_hq0_ext
http_access allow CONNECT XMPP_Ports chat

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access allow CONNECT FTP_ports
http_access deny CONNECT !SSL_ports

http_access deny numeric_url

#http_access deny to_localhost
#http_access allow localhost

http_access allow vlan30
http_access allow vlan20
http_access allow vlan10
http_access allow vlan11
http_access allow vpn
http_access allow dmz whitelist_name

# And finally deny all other access to this proxy
http_access deny all

### TCP MARK to USE FIBER CONNECTION ###
acl fibre dstdomain .microsoft.com .microsoft.fr .windowsupdate.com
acl fibre dstdomain .blackberry.com .nokia.com .htc.com .hockeyapp.net
acl fibre dstdomain .jboss.com .php.net .perl.org .eclipse.org
acl fibre dstdomain .xerox.com .hp.com .dell.com .gandi.net
acl fibre dstdomain .chronopost.fr
acl fibre dstdomain .paypal.fr .paypal.com
acl fibre dstdomain .ipadsl.net .speedtest.net
acl fibre dstdomain .google.fr .google.com .googleapis.com .googlecode.com .googlesyndication.com
acl fibre dstdomain .googleusercontent.com .gstatic.com .doubleclick.net .google-analytics.com
acl fibre dstdomain .proxad.net .kernel.org .debian.org .sourceforge.net .github.com
acl fibre dstdomain .stackoverflow.com .imgur.com
acl fibre dstdomain .twitter.com
acl fibre dstdomain .airtag.com .airtag.info .at-infra.net .rtmairtag.com

tcp_outgoing_mark 0x01 fibre
tcp_outgoing_mark 0x01 vlan10
########################################

# Squid normally listens to port 3128
http_port 8080 transparent
http_port 3128

forwarded_for off

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

cache_mem 2548 MB
maximum_object_size_in_memory 1024 KB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /var/cache/squid 81920 32 512
minimum_object_size 0 KB
maximum_object_size 1024 MB

# Leave coredumps in the first cache dir
coredump_dir /var/cache

logformat squid %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
#useragent_log /var/log/squid/useragents.log

cache_mgr xxxxxxxxxxx@xxxxxxxxx
visible_hostname hq0xxxxxxx01.xxxxx.local
append_domain .xxxxx.local

#ignore_expect_100 on [DEPRECATED]

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

error_directory /usr/share/errors/fr
///////////////////////////////////////////////////////////////////////////////////

Thanks

-----Original Message-----
From: Eliezer Croitoru [mailto:eliezer@xxxxxxxxxxxx]
Sent: Tuesday, 11 December 2012 20:43
To: Sébastien WENSKE
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: RE : [squid-users] tcp_outgoing_mark + https

Hey Sébastien,

What Linux and what Squid version?
It's different if your logic is "all to 100Mbit connection" or "just these to 100Mbit connection".
If you can share your squid.conf and remove the sensitive data it will maybe give us more info.

Regards,
Eliezer

On 12/11/2012 7:47 PM, Sébastien WENSKE wrote:
> Hi Eliezer,
>
> I'm not using SSL-Bump. I have a 100Mbit/s fiber connection and an SDSL 4Mbit/s.
> By default, all traffic goes through the SDSL except traffic to our production and VPN site-to-site.
>
> Squid is running on the same box where I use Shorewall to route marked packets, and it is directly connected to the internet.
>
> Now, I want to mark packets with Squid regarding dstdomain ACLs in order to "route" them on the 100Mb/s link.
> It works as expected with http but not for https (CONNECT).
>
> Best regards,
> Sebastien
>
> ________________________________________
> From: Eliezer Croitoru [eliezer@xxxxxxxxxxxx]
> Sent: Tuesday, 11 December 2012 17:37
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: tcp_outgoing_mark + https
>
> Hey Sebastien,
>
> Are you using ssl-bump at all? Or just plain CONNECT requests?
> Else than the problem, if you can explain more about the situation or
> the goal in more than just ROUTE web traffic over WAN connections.
> Do you have a preference for specific routes? Maybe you just want to
> load-balance?
>
> Maybe your approach is not in the right direction anyway?
>
> Regards,
> Eliezer
>
> On 12/11/2012 4:00 PM, Sébastien WENSKE wrote:
>> Hi List,
>>
>> I'm trying the "tcp_outgoing_mark" feature with dstdomain ACLs in
>> order to "route" web traffic on several WAN links, but I noticed
>> that it doesn't work with https requests.
>>
>> Does someone know how to achieve this?
>>
>> Many Thanks.
>> Sebastien
>>
>
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> sip:ngtech@xxxxxxxxxxxx
> IT consulting for Nonprofit organizations
> eliezer <at> ngtech.co.il

--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngtech@xxxxxxxxxxxx
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
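Added example, not part of the thread and not Squid's own code: a small Python model of how Squid walks its http_access lines (top to bottom, first matching line wins, every ACL on a line must match, "!" negates one ACL, and with no match the opposite of the last line applies), run over a trimmed copy of the posted rules. It supports only the ACL types that config uses, takes the destination IP from the request instead of resolving DNS (an assumption; Squid does the lookup itself), and the sample requests, their addresses and the host names are constructed for the demonstration. It makes the ordering in that policy visible: an authenticated airpad_test client reaches the th2 ranges before the numeric_url deny is ever consulted, while a CONNECT to port 8022 from an ordinary VLAN is stopped by the Safe_ports line, and a CONNECT to a bare IP:port is caught by the second numeric_url pattern.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Trimmed copy of the posted squid.conf, constructed for this example; the
# .xxxxx placeholders and ACLs that no kept rule uses are left out. Rule order is preserved.
CONFIG = r"""
acl airpad_test src 10.59.255.112/28
acl vlan10 src 10.4.0.0/24
acl dmz src 172.16.4.0/24
acl to_th2 dst 87.98.197.128/27
acl to_th2 dst 158.255.72.0/21
acl whitelist_name dstdomain .kernel.org .debian.org
acl SSL_ports port 443
acl SSH_ports port 8022
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
acl numeric_url url_regex ^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?) ^[0-9\.:]*$
acl auth proxy_auth REQUIRED
http_access allow airpad_test auth to_th2
http_access allow airpad_test auth CONNECT SSH_ports to_th2
http_access deny airpad_test
http_access allow to_th2
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny numeric_url
http_access allow vlan10
http_access allow dmz whitelist_name
http_access deny all
"""


@dataclass
class Request:
    src: str                     # client address
    method: str                  # GET, CONNECT, ...
    url: str                     # for CONNECT Squid's request URL is "host:port"
    dst_ip: str                  # assumed already resolved (Squid would do the DNS lookup)
    authenticated: bool = False  # whether proxy credentials were accepted


def parse_config(text):
    """Collect 'acl' definitions (repeated names accumulate) and http_access lines in order."""
    acls = {"all": ("src", ["0.0.0.0/0"])}  # Squid's built-in 'all'
    rules = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if not tokens:
            continue
        if tokens[0] == "acl":
            name, kind, values = tokens[1], tokens[2], tokens[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif tokens[0] == "http_access":
            rules.append((tokens[1], tokens[2:]))  # ("allow"|"deny", [acl names])
    return acls, rules


def host_and_port(req):
    if req.method == "CONNECT":
        host, port = req.url.rsplit(":", 1)
        return host, int(port)
    parts = urlsplit(req.url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def domain_matches(host, pattern):
    # a leading dot matches the domain itself and every subdomain; otherwise exact match
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acls, name, req):
    kind, values = acls[name]
    host, port = host_and_port(req)
    if kind == "src":
        return any(ipaddress.ip_address(req.src) in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dst":
        return any(ipaddress.ip_address(req.dst_ip) in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        return any(domain_matches(host, v) for v in values)
    if kind == "port":
        return port in {int(v) for v in values}
    if kind == "method":
        return req.method in values
    if kind == "url_regex":
        return any(re.search(p, req.url) for p in values)
    if kind == "proxy_auth":
        return req.authenticated
    raise ValueError(f"unsupported acl type {kind}")


def decide(acls, rules, req):
    """First http_access line whose ACLs all match decides; no match means the opposite of the last line."""
    last = None
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
        last = action
    return "deny" if last == "allow" else "allow"


ACLS, RULES = parse_config(CONFIG)


def check(req):
    return decide(ACLS, RULES, req)


# Constructed sample requests; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLES = {
    "airpad authenticated to th2": Request("10.59.255.120", "GET", "http://87.98.197.130/", "87.98.197.130", True),
    "airpad unauthenticated to th2": Request("10.59.255.120", "GET", "http://87.98.197.130/", "87.98.197.130"),
    "vlan10 CONNECT to ssh port": Request("10.4.0.5", "CONNECT", "git.example.test:8022", "203.0.113.5"),
    "vlan10 CONNECT to bare ip": Request("10.4.0.5", "CONNECT", "203.0.113.9:443", "203.0.113.9"),
    "vlan10 plain web": Request("10.4.0.5", "GET", "http://www.example.test/", "203.0.113.5"),
    "dmz to whitelisted domain": Request("172.16.4.10", "GET", "http://www.kernel.org/", "198.51.100.7"),
    "dmz elsewhere": Request("172.16.4.10", "GET", "http://www.example.test/", "203.0.113.5"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:32s} -> {check(req)}")
```

The simulator deliberately treats `auth` as a plain boolean; real Squid sends a 407 challenge when a proxy_auth ACL is reached by an unauthenticated client, so the "deny" for the unauthenticated airpad_test request corresponds to the client never presenting credentials.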