Hi everyone,
I had the following issue with Squid in Transparent Mode (and SSL
Interception in mode splice). It is working as expected, however after
multiple long-running (talking about several seconds) anti-virus
ecap-Processes have finished, I *sometimes* get the following in the
log:
2022/02/23 14:56:40.668 kid1| 5,2| src/comm/TcpAcceptor.cc(224)
doAccept: New connection on FD 21
2022/02/23 14:56:40.668 kid1| 5,2| src/comm/TcpAcceptor.cc(312)
acceptNext: connection on local=[::]:2412 remote=[::] FD 21 flags=41
2022/02/23 14:56:40.668 kid1| 89,5| src/ip/Intercept.cc(405) Lookup:
address BEGIN: me/client= 192.168.180.1:2412, destination/me=
192.168.180.10:48582
2022/02/23 14:56:40.668 kid1| ERROR: NF getsockopt(ORIGINAL_DST)
failed on local=192.168.180.1:2412 remote=192.168.180.10:48582 FD 37
flags=33: (2) No such file or directory
2022/02/23 14:56:40.669 kid1| 89,9| src/ip/Intercept.cc(151)
NetfilterInterception: address: local=192.168.180.1:2412
remote=192.168.180.10:48582 FD 37 flags=33
2022/02/23 14:56:40.669 kid1| ERROR: NAT/TPROXY lookup failed to
locate original IPs on local=192.168.180.1:2412
remote=192.168.180.10:48582 FD 37 flags=33
2022/02/23 14:56:40.669 kid1| 5,5| src/comm/TcpAcceptor.cc(287)
acceptOne: non-recoverable error: FD 21, [::] [ job2] handler
Subscription: 0x55edac3d08d0*1
Sometimes, this only appears on on of the two interception ports,
sometimes on both. After that, the squid worker does not poll the
intercept listen port any longer, i.e. stops working. The firewall is
configured to drop incoming packets to port 2411/2412 according to
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect.
iptables-save
*raw
:PREROUTING ACCEPT [68778:58967535]
:OUTPUT ACCEPT [109753:87606960]
-A PREROUTING -p tcp -m tcp --dport 2411 -j NFLOG --nflog-prefix
"DROP: proxy intercept port" --nflog-group 13
-A PREROUTING -p tcp -m tcp --dport 2411 -j DROP
-A PREROUTING -p tcp -m tcp --dport 2412 -j NFLOG --nflog-prefix
"DROP: proxy intercept port" --nflog-group 13
-A PREROUTING -p tcp -m tcp --dport 2412 -j DROP
...
*nat
*nat
:PREROUTING ACCEPT [247:23967]
:INPUT ACCEPT [102:8035]
:OUTPUT ACCEPT [781:59761]
:POSTROUTING ACCEPT [781:59761]
-A PREROUTING -s 192.168.180.10/32 -i eth2 -p tcp -m tcp --dport 80 -j
REDIRECT --to-ports 2411
-A PREROUTING -s 192.168.180.10/32 -i eth2 -p tcp -m tcp --dport 443
-j REDIRECT --to-ports 2412
...
-A POSTROUTING -s 192.168.180.10/32 -o eth0 -j MASQUERADE
ip6tables-save
*raw
:PREROUTING ACCEPT [48:3865]
:OUTPUT ACCEPT [9:697]
-A PREROUTING -p tcp -m tcp --dport 2411 -j NFLOG --nflog-prefix
"DROP: proxy intercept port" --nflog-group 13
-A PREROUTING -p tcp -m tcp --dport 2411 -j DROP
-A PREROUTING -p tcp -m tcp --dport 2412 -j NFLOG --nflog-prefix
"DROP: proxy intercept port" --nflog-group 13
-A PREROUTING -p tcp -m tcp --dport 2412 -j DROP
I confirmed that the rules are working by sending some requests to the
ports manually. So, I really do not understand from where these
packets arrive at the squid. Any pointers or ideas on what I am
missing or what to check (e.g., debugging sections) would be highly
appreciated. Looking at the code I only see a rather straightforward
path from accept to getsockopt.
Squid intercept config:
http_port 2411 connection-auth=off intercept
https_port 2412 connection-auth=off ssl-bump capath=/etc/ssl/certs
generate-host-certificates=on tls-default-ca=off
cert=/etc/ssl/proxy_interception.pem intercept
Test setup looks like this:
client 192.168.180.10 --- 192.168.180.1@eth2 <router running squid>
192.168.175.1@eth1 --- 192.168.175.10 destination
curl
http://192.168.175.10/linux-headers-5.4.0-100_5.4.0-100.113_all.deb -o
test.deb
Kind regards,
Andreas
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users