On Friday, June 7, 2013 09:18 WEST, "Nuno Fernandes" <npf-mlists@xxxxxxxxxxx> wrote:

> On Friday, June 7, 2013 08:19 WEST, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
> > > 10.10.10.254 is the squid box. 3126 is the ssl intercept port.
> > >
> > > # grep 3126 /etc/sysconfig/iptables
> > > [0:0] -A PREROUTING -i vlan10 -s 10.10.10.4 -p tcp -m tcp --dport 443 -j REDIRECT --to-port 3126
> > >
> > > Only my ip address is forwarded to 3126... Here is the sslbump part of the conf.
> > >
> > > https_port 3126 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/etproxy/ssl/myCA.pem
> >
> > Funny story ...
> >
> > *if* Squid were actually being "transparent proxy" here the outgoing
> > details on these connections would be "source 10.10.10.4:random-port,
> > destination some-IP:443". And your rule would loop that connection back
> > into Squid.
> >
> > Unluckily for you "transparent" is currently an alias for "intercept"
> > and the Squid outgoing IP should not be 10.10.10.4. So the same
> > behaviour is being caused by something else more difficult to determine.
>
> Ok.. changed to intercept. Thanks for the heads up.
>
> > > acl sslsniff src 10.10.10.4
> > > acl sslbumpbypass dst "/etc/etproxy/whitelist.https"
> > > acl broken_sites dstdomain .twitter.com
> > > acl broken_sites dstdomain .facebook.com
> > > always_direct allow sslsniff
> > > ssl_bump none sslbumpbypass
> > > ssl_bump none broken_sites
> > > ssl_bump server-first all
> > > sslcrtd_program /usr/lib/squid/ssl_crtd -s /etc/etproxy/ssl/ssl_db -M 4MB
> > > sslcrtd_children 5
> >
> > For starters check your configuration for the directive "via off" and
> > *remove* it. If it does not exist, please report that fact.
>
> It does not:
>
> # grep via /etc/etproxy/* -Ri
> #
>
> (/etc/etproxy is where my conf files are).
>
> > When that is done the broken requests should be rejected with a
> > forwarding loop error message and not DoS the machine while you are
> > testing for the source of the loop.
>
> I don't have any via directive so it seems that I hit some kind of issue. squid configure parameters are:
>
> Squid Cache: Version 3.3.5
> configure options: '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i686-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--with-large-files' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--enable-ssl-crtd' '--with-pthreads' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i686-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables' 'PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience

After reading http://www.squid-cache.org/Versions/v3/3.3/cfgman/via.html I saw that "Requires: --enable-http-violations". In my configure I don't seem to find that flag. Nevertheless checking my cache.log I do see:

Via: 1.1 etfw.eurotux.com (squid)

Thanks,
Nuno Fernandes
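The two checks Amos's reply turns on, whether a request's Via header already names this proxy (the forwarding-loop detection that "via off" switches off) and whether the REDIRECT rule would select the proxy's own outgoing connections, as an added Python example. This is not code from the thread or from Squid: it is a simplified model of Squid's Via-based loop check (Squid's real test is a substring comparison against its unique hostname), the hostname, IPs and iptables rule are the ones quoted above, and the function names are mine.

```python
import re
from ipaddress import ip_address, ip_network

# Sample values taken from the thread: the Via line seen in cache.log and the
# REDIRECT rule from /etc/sysconfig/iptables (the "[0:0]" counter prefix dropped).
SAMPLE_VIA = "1.1 etfw.eurotux.com (squid)"
PROXY_HOSTNAME = "etfw.eurotux.com"          # the proxy's own unique hostname
REDIRECT_RULE = ("-A PREROUTING -i vlan10 -s 10.10.10.4 -p tcp -m tcp "
                 "--dport 443 -j REDIRECT --to-port 3126")

# One Via entry: [protocol/]version received-by [ (comment) ]
_VIA_ENTRY = re.compile(r"^(?:(\S+)/)?([^\s/]+)\s+(\S+)(?:\s+\((.*)\))?$")


def parse_via(header):
    """Split a Via header value into (protocol, received_by, comment) hops."""
    hops = []
    for entry in header.split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = _VIA_ENTRY.match(entry)
        if m is None:
            raise ValueError(f"malformed Via entry: {entry!r}")
        proto, version, received_by, comment = m.groups()
        hops.append((f"{proto or 'HTTP'}/{version}", received_by, comment or ""))
    return hops


def forwarding_loop(via_header, own_hostname):
    """True when this proxy already appears in the Via chain: the request has
    been through us before, so forwarding it again would loop.  Simplified
    model of the check that 'via off' disables in Squid (hypothetical helper)."""
    own = own_hostname.lower()
    for _proto, received_by, _comment in parse_via(via_header):
        # received-by may be "host", "host:port" or a pseudonym
        host = received_by.rsplit(":", 1)[0].lower()
        if host == own:
            return True
    return False


def parse_rule(rule):
    """Turn an iptables-save style rule line into an option dictionary."""
    tokens = rule.split()
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def rule_redirects(rule, src_ip, dport, iface):
    """Would the REDIRECT rule's match criteria select a packet with this
    source IP, destination port and ingress interface?"""
    opts = parse_rule(rule)
    if opts.get("-j") != "REDIRECT":
        return False
    if "-i" in opts and opts["-i"] != iface:
        return False
    if "-s" in opts and ip_address(src_ip) not in ip_network(opts["-s"], strict=False):
        return False
    if "--dport" in opts and int(opts["--dport"]) != dport:
        return False
    return True


def diagnose(via_header, own_hostname, rule, outgoing_src_ip, iface="vlan10"):
    """Summarise both checks for an HTTPS request leaving the proxy."""
    return {
        "via_loop": forwarding_loop(via_header, own_hostname),
        "rule_catches_proxy_egress": rule_redirects(rule, outgoing_src_ip, 443, iface),
    }


if __name__ == "__main__":
    # Proxy forwarding from its own address: the rule leaves the egress alone.
    print(diagnose(SAMPLE_VIA, PROXY_HOSTNAME, REDIRECT_RULE, "10.10.10.254"))
    # Proxy spoofing the client address (what true transparency would do): caught.
    print(diagnose(SAMPLE_VIA, PROXY_HOSTNAME, REDIRECT_RULE, "10.10.10.4"))
```

Running the two `diagnose` calls shows why Amos's reasoning matters: a request carrying our own hostname in Via is flagged as a loop either way, while only an egress that spoofs 10.10.10.4 is selected by the rule, so with an outgoing source of 10.10.10.254 the looping has to come from somewhere else.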