Hi,

After some digging I realized that this setup works fine for HTTP traffic but not for HTTPS.
I'm using ssl_bump in intercept mode.
Is it possible that for HTTPS traffic I can't split the upload / download?

Answers are welcome!!

Thanks
Josep

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Josep Borrell
Sent: Friday, 20 February 2015 16:51
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: derive HTTP/HTTPS upload traffic to a secondary interface.

Hi Amos,

I tried your suggestion and even if the acl is matched the outgoing IP is not changed.
How to know why?
Working with squid 3.5.1.

Original IP 192.168.111.10 must be changed for 192.168.111.20

Thanks
Josep

Squid.conf:

debug_options ALL,1 33,2 28,9 11,3

#HTTPS (SSL) traffic interception options
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1

acl disable-ssl-bump dstdomain -i "/etc/squid3/no-ssl-bump.acl"
acl step1 at_step SSLBump1
acl step2 at_step SSLBump2
acl step3 at_step SSLBump3
ssl_bump peek step1 all
ssl_bump splice step2 disable-ssl-bump
ssl_bump stare step2 all
ssl_bump splice step3 disable-ssl-bump
ssl_bump bump step3 all

acl UPLOAD method PUT
acl UPLOAD method POST
tcp_outgoing_address 192.168.111.20 UPLOAD

http_access allow all

http_port 3128
http_port 8080 intercept
https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squidcert.pem

forward_max_tries 25
cache_mem 2 GB
maximum_object_size_in_memory 25 MB
maximum_object_size 1 GB
visible_hostname squid-v2
workers 3
coredump_dir /var/spool/squid3
cache_replacement_policy heap LFUDA
cache_dir rock /var/spool/squid3/cache1 4000 max-size=500
cache_dir aufs /var/spool/squid3/cache2 10000 16 256

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 80% 10080

# FortiGate interface of wccp
wccp2_router 192.168.111.1
# wccp version 2 configuration
wccp2_service standard 90
# tunneling method GRE for forward traffic
wccp2_forwarding_method gre
# tunneling method GRE for return traffic
wccp2_return_method gre
# which interface to use for WCCP (0.0.0.0 determines the interface from routing)
wccp2_address 0.0.0.0

Debug sample:
----------
2015/02/20 16:27:22.879| Checklist.cc(68) preCheck: 0x7fe877ccc7c8 checking slow rules
2015/02/20 16:27:22.879| Acl.cc(138) matches: checking http_access
2015/02/20 16:27:22.879| Acl.cc(138) matches: checking http_access#1
2015/02/20 16:27:22.879| Acl.cc(138) matches: checking all
2015/02/20 16:27:22.879| Ip.cc(107) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 192.168.1.100:1887/[::] ([::]:1887) vs [::]-[::]/[::]
2015/02/20 16:27:22.879| Ip.cc(538) match: aclIpMatchIp: '192.168.1.100:1887' found
2015/02/20 16:27:22.879| Acl.cc(158) matches: checked: all = 1
2015/02/20 16:27:22.879| Acl.cc(158) matches: checked: http_access#1 = 1
2015/02/20 16:27:22.879| Acl.cc(158) matches: checked: http_access = 1
2015/02/20 16:27:22.880| Checklist.cc(61) markFinished: 0x7fe877ccc7c8 answer ALLOWED for match
2015/02/20 16:27:22.880| Checklist.cc(161) checkCallback: ACLChecklist::checkCallback: 0x7fe877ccc7c8 answer=ALLOWED
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff7a21ee80
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21ee80
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff7a21ee80
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21ee80
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff7a21e540
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21e540
2015/02/20 16:27:22.880| Checklist.cc(68) preCheck: 0x7fff7a21e540 checking fast ACLs
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking tcp_outgoing_address 192.168.111.20
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking (tcp_outgoing_address 192.168.111.20 line)
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking UPLOAD
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: UPLOAD = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: (tcp_outgoing_address 192.168.111.20 line) = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: tcp_outgoing_address 192.168.111.20 = 1
2015/02/20 16:27:22.880| Checklist.cc(61) markFinished: 0x7fff7a21e540 answer ALLOWED for match
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff7a21e540
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21e540
2015/02/20 16:27:22.880| Checklist.cc(68) preCheck: 0x7fff7a21e460 checking fast ACLs
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking tcp_outgoing_address 192.168.111.20
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking (tcp_outgoing_address 192.168.111.20 line)
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking UPLOAD
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: UPLOAD = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: (tcp_outgoing_address 192.168.111.20 line) = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: tcp_outgoing_address 192.168.111.20 = 1
2015/02/20 16:27:22.880| Checklist.cc(61) markFinished: 0x7fff7a21e460 answer ALLOWED for match
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff7a21e460
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21e460
2015/02/20 16:27:22.880| http.cc(2261) httpStart: POST https://drive.google.com/stat
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fe877ccc7c8
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fe877ccc7c8
2015/02/20 16:27:22| Error sending to ICMPv6 packet to [2a00:1450:4003:805::200e]. ERR: (101) Network is unreachable
2015/02/20 16:27:22.880| Client.cc(232) startRequestBodyFlow: expecting request body from [0<=274<=274 274+1773 pipe0x7fe87814d198 cons0x7fe87814e688]
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff7a21f390
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21f390
2015/02/20 16:27:22.881| http.cc(2217) sendRequest: HTTP Server local=192.168.111.10:53172 remote=216.58.211.238:443 FD 23 flags=1
2015/02/20 16:27:22.881| http.cc(2218) sendRequest: HTTP Server REQUEST:
---------
POST /stat HTTP/1.1
Host: drive.google.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-control: no-cache
X-Same-Domain: explorer
X-Json-Requested: true
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Referer: https://drive.google.com/?authuser=0
Content-Length: 274
Cookie: NID=67=Gm7vcswCbOO55hZsjfaz-pTurlVu7ExNrsoWfJDDcTg8rumGt-xCQD6RezS9pYZypbeHEAfm1bcWQwc82QCvsL6rL9lDcDeEtjaPKdHT0C885UB6wiWl9TY_nTI4d38_9ccpMqC5Q5jnGzRntaOaIjm_nfhe; SID=DQAAAPwAAABdqFewpHnz9c-jo5Z0nyI7av_uC-pbzCxPtnThJe_3zg4ska6$
Pragma: no-cache
Via: 1.1 squid-v2 (squid/3.5.1)
X-Forwarded-For: 192.168.1.100
Cache-Control: no-cache
Connection: keep-alive
----------

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Amos Jeffries
Sent: Friday, 06 February 2015 10:13
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: derive HTTP/HTTPS upload traffic to a secondary interface.

On 6/02/2015 8:59 p.m., Josep Borrell wrote:
> Hi,
>
> I have a squid box with two interfaces. One ADSL 20/1Mb and one SHDSL 4/4Mb.
> It is a school and they are working with Google Apps for Education.
> They do a lot of uploading and when using the ADSL, it collapses promptly.
> Is it possible to derive only HTTP/HTTPS upload traffic to the SHDSL and continue surfing with the ADSL?

In a roundabout way.

If you look at the OSI model of networking Squid is layers 4-7, and those interfaces are part of layer 1-2. There is a whole disconnect layer 3 in between (the TCP/IP layer).

What you can do in Squid is set one of the tcp_outgoing_address, tcp_outgoing_tos, tcp_outgoing_mark directives to label the TCP traffic out of Squid. The system's routing rules need to take that detail from TCP and decide which interface to use.

> Maybe using one acl with methods POST and UPLOAD and some routing magic?

Something like this..

squid.conf:
 acl PUTPOST method PUT POST
 tcp_outgoing_address 192.0.2.1 PUTPOST

Where 192.0.2.1 is the IP address the system uses to send out SHDSL.

You may need both an IPv4 and IPv6 outgoing address set using PUTPOST acl.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
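
An added example, not part of any message in the thread and not Squid project code: a Python check that pairs each matched tcp_outgoing_address decision in a debug trace (the format quoted above, produced with the debug_options shown in the thread) with the local address Squid actually bound in the following sendRequest line, and reports where the two differ. The second request in the sample is constructed, and the pairing assumes one transaction at a time, as in a quiet test run.

```python
import re
from typing import NamedTuple, Optional

# First request: lines taken from the thread's debug sample.
# Second request: constructed for illustration (plain HTTP, documentation IP).
SAMPLE_LOG = """\
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: (tcp_outgoing_address 192.168.111.20 line) = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: tcp_outgoing_address 192.168.111.20 = 1
2015/02/20 16:27:22.880| http.cc(2261) httpStart: POST https://drive.google.com/stat
2015/02/20 16:27:22.881| http.cc(2217) sendRequest: HTTP Server local=192.168.111.10:53172 remote=216.58.211.238:443 FD 23 flags=1
2015/02/20 16:27:23.100| Acl.cc(158) matches: checked: tcp_outgoing_address 192.168.111.20 = 1
2015/02/20 16:27:23.100| http.cc(2261) httpStart: POST http://example.com/upload
2015/02/20 16:27:23.101| http.cc(2217) sendRequest: HTTP Server local=192.168.111.20:40112 remote=203.0.113.10:80 FD 25 flags=1
"""

# A tcp_outgoing_address rule that evaluated to 1 (matched).
MATCHED = re.compile(r"checked: tcp_outgoing_address (\S+) = 1\s*$")
START = re.compile(r"httpStart: (\S+) (\S+)")
# local= is the source address of the server-side socket; IPv6 is bracketed.
SEND = re.compile(r"sendRequest: HTTP Server local=(\[[^\]]+\]|[^:\s]+):\d+ remote=\S+")

class Egress(NamedTuple):
    method: str
    url: str
    expected: Optional[str]  # address chosen by tcp_outgoing_address, if any
    actual: str              # address the connection really used

def trace_egress(log_text):
    """Return one Egress record per sendRequest line, in log order."""
    expected = method = url = None
    records = []
    for line in log_text.splitlines():
        if m := MATCHED.search(line):
            expected = m.group(1)
        elif m := START.search(line):
            method, url = m.groups()
        elif m := SEND.search(line):
            actual = m.group(1).strip("[]")
            records.append(Egress(method or "?", url or "?", expected, actual))
            expected = method = url = None  # reset for the next transaction
    return records

def mismatches(log_text):
    """Requests where a rule matched but another source address was used."""
    return [e for e in trace_egress(log_text)
            if e.expected is not None and e.expected != e.actual]

if __name__ == "__main__":
    for e in mismatches(SAMPLE_LOG):
        print(f"{e.method} {e.url}: expected {e.expected}, sent from {e.actual}")
```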