Hi Alex & Amos,

Thanks for your replies, sorry for my poor English, I will add more information.

#1
1. Configure Squid to automatically generate origin server certificates (signed by a configured CA X) and send them to browsers/clients that go to those origin servers.

This is my situation.

#2
If I configure squid like the following:

https_port 443 ...
https_port 180.97.33.107:443 ...
https_port 180.97.33.108:443 ...

when I reconfigure squid, no errors come out, but when I check the TCP ports listening using "netstat -tln", line2 and line3 with the specific IPs do not work:

#3
If I configure squid like:

https_port 180.97.33.107:443 ...
https_port 180.97.33.108:443
https_port 443

when I use "squid -k reconfigure" to reconfigure squid, there is no error message. But when I check the TCP ports listening:

#4
I also tried to specify a different port for IP 0.0.0.0, like this:

https_port 180.97.33.107:443 ...
https_port 180.97.33.108:443
https_port 4433 #here specify a different port from above and it works.

https_port 0.0.0.0:443
https_port 1.1.1.1:443

I was just curious that the above two types of rules cannot exist together; whichever you put first in squid.conf will overwrite the second one.

Using a different port for the wildcard is a good solution in this case; it is just that, if I could use the same TCP port for IP 0.0.0.0, it would be easier for my situation. In my case, the destination server IP and root CA are dynamically sent to me by another configuration server, so I chose to use the default HTTPS port 443 to receive all HTTPS traffic. If I have to use different ports for IP 0.0.0.0, I think I have to write one iptables rule for each HTTPS server IP. In the normal case this is OK, but in my case I have to do it dynamically; in other words, whenever I receive a configuration rule, I have to write an iptables rule for it.

Anyway, that is my problem, thank you guys!
Heming Hou

-----Original Message-----

On 20/10/18 6:04 AM, Alex Rousskov wrote:
> On 10/19/2018 01:10 AM, houheming wrote:
>> https_port 443 ...
>> https_port 180.97.33.107:443 ...
>> https_port 180.97.33.108:443 ...
>
> I am not sure, but perhaps the first https_port line (the one without an
> explicit IP address) should come _last_ so that Squid can listen on the
> addresses that remain after 180.97.33.107 and 180.97.33.108 are taken by
> the other two ports?

I think that is what was meant by "If I switch line1 with line2 and line3 ..., then only line2 and line3 will get its chance to work, line1 will not work."

The problem is that TCP does not permit any IP:port combination to have two simultaneous listening sockets with different parameters. These configuration lines differ in both address and protocol they are receiving.

houheming: you have to use different ports to receive the traffic into Squid. Since you are using TPROXY there is no requirement for the proxy listening port to be 443. Squid can listen on any port you want.

This problem should disappear if you set the wildcard port to another number and update the TPROXY rule which is sending traffic to it.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
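The listener conflict discussed in the thread (a wildcard `https_port 443` next to `https_port <IP>:443` lines, where only whichever comes first ever appears in `netstat -tln`) is an operating-system bind rule, not something specific to Squid, and it can be reproduced without Squid at all. The script below is an added example written for this page; it is not code from the thread, from Squid, or from its authors. It assumes plain TCP sockets with no `SO_REUSEADDR`, uses the loopback address and ephemeral ports in place of the real `180.97.33.107:443` and `0.0.0.0:443` listeners, and runs unprivileged on Linux or another POSIX system.

```python
import errno
import socket


def listen_on(addr, port):
    """Open a plain TCP listener on (addr, port) with no SO_REUSEADDR.
    Raises OSError when the kernel refuses the bind."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((addr, port))
        sock.listen(5)
    except OSError:
        sock.close()
        raise
    return sock


def bind_outcome(addr, port):
    """Try to open a second listener and report the result as a string:
    "ok" on success, otherwise the errno name (e.g. "EADDRINUSE")."""
    try:
        sock = listen_on(addr, port)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    sock.close()
    return "ok"


def probe(first_addr, second_addr, same_port=True):
    """Open a listener on first_addr using an ephemeral port, then try to open
    second_addr on that same port (or on a fresh ephemeral port when
    same_port=False, mirroring the "https_port 4433" workaround).
    Returns the outcome of the second bind."""
    first = listen_on(first_addr, 0)
    try:
        port = first.getsockname()[1] if same_port else 0
        return bind_outcome(second_addr, port)
    finally:
        first.close()


# Constructed stand-ins for the addresses in the thread (loopback, not public IPs).
WILDCARD = "0.0.0.0"    # plays the role of "https_port 443"
SPECIFIC = "127.0.0.1"  # plays the role of "https_port 180.97.33.107:443"


def conflict_report():
    """Reproduce the three layouts from the thread and record whether the
    second listener could come up alongside the first."""
    return {
        "wildcard first, specific second, same port": probe(WILDCARD, SPECIFIC),
        "specific first, wildcard second, same port": probe(SPECIFIC, WILDCARD),
        "specific first, wildcard on another port": probe(SPECIFIC, WILDCARD, same_port=False),
    }


if __name__ == "__main__":
    for layout, outcome in conflict_report().items():
        print(f"{layout}: {outcome}")
```

Both same-port layouts fail with `EADDRINUSE` regardless of which address is bound first, which is why swapping the line order in squid.conf only changes which listener survives; only the layout that moves the wildcard to a different port brings up all listeners, matching the `https_port 4433` result reported above. When checking a proxy host, `netstat -tln` (as used in the thread) shows exactly the listeners that won the bind; a listener missing from that output is the one the kernel refused.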