On 2023-11-28 05:29, Mario Theodoridis wrote:
Hello everyone,
I'm trying to use squid as a TLS virtual hosting proxy on a system with
a public IP in front of several internal systems running TLS web servers.
I would like to proxy the incoming connections to the appropriate
backend servers based on the hostname using SNI.
I'm using the following config just to try this with one backend to test
with, and it already fails.
Here is the config:
http_port 3128
debug_options ALL,2
pinger_enable off
shutdown_lifetime 1 second
https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/root/dummy.pem
acl tlspls ssl::server_name_regex -i test\.regify\.com
cache_peer test.de.regify.com parent 443 0 proxy-only originserver no-digest no-netdb-exchange name=test
ssl_bump peek all
ssl_bump splice all
http_access allow all
cache_peer_access test allow all
It sounds like you want all traffic to go to the configured cache_peer,
but the above configuration has no rules specifying that request routing
requirement. Try adding something like
never_direct allow all
always_direct deny all
FWIW, cache_peer_access gives permission to access a peer if that peer
is being considered by request routing rules; it is not a requirement to
consider a peer.
> Also appreciated would be advice on where to find this documented.
While all squid.conf directives are documented, I am not aware of any
high-quality web page dedicated to explaining overall request routing to
Squid admins.
HTH,
Alex.
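As an added example (not part of Alex's reply or of Mario's original post), the squid.conf fragment below applies the routing advice above to the SNI-based TLS pass-through setup Mario describes, generalized to two backends. The hostnames app1.example.com and app2.example.com, the backend address 192.168.1.123, the peer names app1/app2 and the certificate path are placeholders; 192.168.1.122 is taken from the startup log. The backends are assumed to be reachable from the Squid host on TCP/443 and to hold the certificate for the name each one serves.

```conf
# Added example: Squid 4 as an SNI-based TLS pass-through router.
# Hostnames, addresses, peer names and paths are placeholders.

# Keep the plain HTTP port off the public address; it is only for
# local testing of the proxy itself.
http_port 127.0.0.1:3128

# Public listener. With splice-only bumping the tls-cert is never
# presented to clients, but https_port ... ssl-bump still requires one.
https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/etc/squid/dummy.pem

# Exact-match SNI ACLs. ssl::server_name_regex is unanchored, so a
# pattern like test\.regify\.com also matches
# test.regify.com.attacker.example; use exact names (or anchor the
# regex with ^ and $).
acl sni_app1 ssl::server_name app1.example.com
acl sni_app2 ssl::server_name app2.example.com

# Peek at the ClientHello to learn the SNI, then splice: the client's
# TLS session is tunnelled to the backend unchanged and Squid never
# decrypts it.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# One originserver peer per backend. Deliberately no "tls" option:
# the spliced stream is already TLS end to end. no-tproxy stops Squid
# from spoofing the client's source address on the connection to the
# backend (the tproxy port flag does that by default), so backend
# replies come back to this host without policy routing.
cache_peer 192.168.1.122 parent 443 0 no-query no-digest no-netdb-exchange originserver proxy-only no-tproxy name=app1
cache_peer 192.168.1.123 parent 443 0 no-query no-digest no-netdb-exchange originserver proxy-only no-tproxy name=app2

# Routing: forbid DIRECT, so the peers are the only possible path and
# Squid never connects to the intercepted destination (its own address).
never_direct allow all
always_direct deny all

# Bind each peer to its SNI. A ClientHello with any other SNI matches
# no peer and the connection fails instead of being forwarded anywhere.
cache_peer_access app1 allow sni_app1
cache_peer_access app1 deny all
cache_peer_access app2 allow sni_app2
cache_peer_access app2 deny all

# The fake CONNECT is access-checked before the ClientHello is parsed
# (the SNI is not yet known at that point), so the name-based gate
# above is what restricts traffic; http_access stays simple.
http_access allow all
```

Validate the syntax with squid -k parse before reloading, then test from outside with openssl s_client -connect PUBLIC_IP:443 -servername app1.example.com and check that the certificate subject is app1's; repeating with a name that matches no ACL should fail rather than reach any backend. With debug_options 44,2 (the peer_select section already visible in Mario's log) cache.log should then show never_direct = ALLOWED and the chosen peer instead of ORIGINAL_DST.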
Starting squid gives me the following:
2023/11/28 11:13:21.919| 1,2| main.cc(1619) SquidMain: Doing post-config
initialization
2023/11/28 11:13:21.919| 1,2| main.cc(1621) SquidMain: running
RegisteredRunner::finalizeConfig
2023/11/28 11:13:21.919| Created PID file (/run/squid.pid)
2023/11/28 11:13:21.921| 1,2| main.cc(1453) StartUsingConfig: running
RegisteredRunner::claimMemoryNeeds
2023/11/28 11:13:21.921| 1,2| main.cc(1454) StartUsingConfig: running
RegisteredRunner::useConfig
2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1619) SquidMain: Doing
post-config initialization
2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1621) SquidMain: running
RegisteredRunner::finalizeConfig
2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1453) StartUsingConfig:
running RegisteredRunner::claimMemoryNeeds
2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1454) StartUsingConfig:
running RegisteredRunner::useConfig
2023/11/28 11:13:21.988 kid1| Current Directory is /
2023/11/28 11:13:21.988 kid1| Creating missing swap directories
2023/11/28 11:13:21.988 kid1| No cache_dir stores are configured.
2023/11/28 11:13:21.992| 1,2| main.cc(2051) watch_child: running
RegisteredRunner::finishShutdown
2023/11/28 11:13:21.992| Removing PID file (/run/squid.pid)
2023/11/28 11:13:22.063| 1,2| main.cc(1619) SquidMain: Doing post-config
initialization
2023/11/28 11:13:22.063| 1,2| main.cc(1621) SquidMain: running
RegisteredRunner::finalizeConfig
2023/11/28 11:13:22.063| Created PID file (/run/squid.pid)
2023/11/28 11:13:22.066| 1,2| main.cc(1453) StartUsingConfig: running
RegisteredRunner::claimMemoryNeeds
2023/11/28 11:13:22.066| 1,2| main.cc(1454) StartUsingConfig: running
RegisteredRunner::useConfig
2023/11/28 11:13:22.131 kid1| 1,2| main.cc(1619) SquidMain: Doing
post-config initialization
2023/11/28 11:13:22.132 kid1| 1,2| main.cc(1621) SquidMain: running
RegisteredRunner::finalizeConfig
2023/11/28 11:13:22.132 kid1| 1,2| main.cc(1453) StartUsingConfig:
running RegisteredRunner::claimMemoryNeeds
2023/11/28 11:13:22.132 kid1| 1,2| main.cc(1454) StartUsingConfig:
running RegisteredRunner::useConfig
2023/11/28 11:13:22.132 kid1| Current Directory is /
2023/11/28 11:13:22.132 kid1| Starting Squid Cache version 4.13 for
x86_64-pc-linux-gnu...
2023/11/28 11:13:22.132 kid1| Service Name: squid
2023/11/28 11:13:22.132 kid1| Process ID 2863502
2023/11/28 11:13:22.132 kid1| Process Roles: worker
2023/11/28 11:13:22.132 kid1| With 1024 file descriptors available
2023/11/28 11:13:22.132 kid1| Initializing IP Cache...
2023/11/28 11:13:22.135 kid1| 78,2| dns_internal.cc(1570) Init:
idnsInit: attempt open DNS socket to: 0.0.0.0
2023/11/28 11:13:22.135 kid1| DNS Socket created at 0.0.0.0, FD 5
2023/11/28 11:13:22.135 kid1| Adding domain de.regify.com from
/etc/resolv.conf
2023/11/28 11:13:22.135 kid1| Adding nameserver 192.168.1.1 from
/etc/resolv.conf
2023/11/28 11:13:22.135 kid1| helperOpenServers: Starting 5/32
'security_file_certgen' processes
2023/11/28 11:13:22.164 kid1| 46,2| Format.cc(71) parse: got definition
'%>a/%>A %un %>rm myip=%la myport=%lp'
2023/11/28 11:13:22.165 kid1| 46,2| Format.cc(71) parse: got definition
'%>a/%>A %un %>rm myip=%la myport=%lp'
2023/11/28 11:13:22.165 kid1| Logfile: opening log
daemon:/var/log/squid/access.log
2023/11/28 11:13:22.165 kid1| Logfile Daemon: opening log
/var/log/squid/access.log
2023/11/28 11:13:22.194 kid1| 71,2| store_digest.cc(96)
storeDigestCalcCap: have: 0, want 0 entries; limits: [1, 0]
2023/11/28 11:13:22.194 kid1| 70,2| CacheDigest.cc(46) init: capacity: 1
entries, bpe: ; size: 1 bytes
2023/11/28 11:13:22.194 kid1| Local cache digest enabled;
rebuild/rewrite every 3600/3600 sec
2023/11/28 11:13:22.194 kid1| Store logging disabled
2023/11/28 11:13:22.194 kid1| Swap maxSize 0 + 262144 KB, estimated
20164 objects
2023/11/28 11:13:22.194 kid1| Target number of buckets: 1008
2023/11/28 11:13:22.194 kid1| Using 8192 Store buckets
2023/11/28 11:13:22.194 kid1| Max Mem size: 262144 KB
2023/11/28 11:13:22.194 kid1| Max Swap size: 0 KB
2023/11/28 11:13:22.194 kid1| Using Least Load store dir selection
2023/11/28 11:13:22.194 kid1| Current Directory is /
2023/11/28 11:13:22.194 kid1| Finished loading MIME types and icons.
2023/11/28 11:13:22.332 kid1| 80,2| wccp.cc(113) wccpConnectionOpen:
WCCPv1 disabled.
2023/11/28 11:13:22.332 kid1| 80,2| wccp2.cc(959) wccp2ConnectionOpen:
WCCPv2 Disabled. No IPv4 Router(s) configured.
2023/11/28 11:13:22.332 kid1| 33,2| AsyncCall.cc(25) AsyncCall: The
AsyncCall clientListenerConnectionOpened constructed,
this=0x5636c42036d0 [call18]
2023/11/28 11:13:22.333 kid1| 33,2| AsyncCall.cc(92) ScheduleCall:
StartListening.cc(59) will call
clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 22
flags=9, err=0, HTTP Socket port=0x5636c4203730) [call18]
2023/11/28 11:13:22.333 kid1| 33,2| AsyncCall.cc(25) AsyncCall: The
AsyncCall clientListenerConnectionOpened constructed,
this=0x5636c420ca50 [call20]
2023/11/28 11:13:22.337 kid1| 33,2| AsyncCall.cc(92) ScheduleCall:
StartListening.cc(59) will call
clientListenerConnectionOpened(local=0.0.0.0:443 remote=[::] FD 23
flags=25, err=0, HTTPS Socket port=0x5636c420cab0) [call20]
2023/11/28 11:13:22.337 kid1| HTCP Disabled.
2023/11/28 11:13:22.337 kid1| Squid plugin modules loaded: 0
2023/11/28 11:13:22.337 kid1| Adaptation support is off.
2023/11/28 11:13:22.338 kid1| 93,2| Config.cc(224) FinalizeEach:
Initialized 0 message adaptation services
2023/11/28 11:13:22.338 kid1| 93,2| Config.cc(224) FinalizeEach:
Initialized 0 message adaptation service groups
2023/11/28 11:13:22.338 kid1| 93,2| Config.cc(224) FinalizeEach:
Initialized 0 message adaptation access rules
2023/11/28 11:13:22.339 kid1| 33,2| AsyncCallQueue.cc(55) fireNext:
entering clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::]
FD 22 flags=9, err=0, HTTP Socket port=0x5636c4203730)
2023/11/28 11:13:22.339 kid1| 33,2| AsyncCall.cc(37) make: make call
clientListenerConnectionOpened [call18]
2023/11/28 11:13:22.339 kid1| Accepting HTTP Socket connections at
local=0.0.0.0:3128 remote=[::] FD 22 flags=9
2023/11/28 11:13:22.346 kid1| 33,2| AsyncCallQueue.cc(57) fireNext:
leaving clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD
22 flags=9, err=0, HTTP Socket port=0x5636c4203730)
2023/11/28 11:13:22.346 kid1| 33,2| AsyncCallQueue.cc(55) fireNext:
entering clientListenerConnectionOpened(local=0.0.0.0:443 remote=[::] FD
23 flags=25, err=0, HTTPS Socket port=0x5636c420cab0)
2023/11/28 11:13:22.346 kid1| 33,2| AsyncCall.cc(37) make: make call
clientListenerConnectionOpened [call20]
2023/11/28 11:13:22.346 kid1| Accepting TPROXY intercepted SSL bumped
HTTPS Socket connections at local=0.0.0.0:443 remote=[::] FD 23 flags=25
2023/11/28 11:13:22.352 kid1| 33,2| AsyncCallQueue.cc(57) fireNext:
leaving clientListenerConnectionOpened(local=0.0.0.0:443 remote=[::] FD
23 flags=25, err=0, HTTPS Socket port=0x5636c420cab0)
2023/11/28 11:13:22.352 kid1| Configuring Parent test.de.regify.com/443/0
2023/11/28 11:13:22.353 kid1| 15,2| neighbors.cc(1198) peerDNSConfigure:
--> IP address #0: 192.168.1.122
2023/11/28 11:13:22.368 kid1| 15,2| neighbors.cc(1272)
peerConnectSucceded: TCP connection to test.de.regify.com/443 succeeded
2023/11/28 11:13:23 kid1| storeLateRelease: released 0 objects
Then when I call curl -k https://test.regify.com/
I get
The requested URL could not be retrieved
And the log has the following:
2023/11/28 11:15:05.467 kid1| 5,2| TcpAcceptor.cc(224) doAccept: New
connection on FD 23
2023/11/28 11:15:05.467 kid1| 5,2| TcpAcceptor.cc(312) acceptNext:
connection on local=0.0.0.0:443 remote=[::] FD 23 flags=25
2023/11/28 11:15:05.467 kid1| 17,2| QosConfig.cc(125)
getNfmarkFromConnection: QOS: Failed to retrieve connection mark: (-1)
(2) No such file or directory (Destination 192.168.1.132:443, source
192.168.1.124:60690)
2023/11/28 11:15:05.468 kid1| 33,2| client_side.cc(2742)
httpsSslBumpAccessCheckDone: sslBump action peekneeded for
local=192.168.1.132:443 remote=192.168.1.124:60690 FD 11 flags=17
2023/11/28 11:15:05.468 kid1| 33,2| client_side.cc(3418)
fakeAConnectRequest: fake a CONNECT request to force connState to tunnel
for ssl-bump
2023/11/28 11:15:05.468 kid1| 85,2| client_side_request.cc(751)
clientAccessCheckDone: The request CONNECT 192.168.1.132:443 is ALLOWED;
last ACL checked: all
2023/11/28 11:15:05.468 kid1| 85,2| client_side_request.cc(729)
clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2023/11/28 11:15:05.468 kid1| 85,2| client_side_request.cc(751)
clientAccessCheckDone: The request CONNECT 192.168.1.132:443 is ALLOWED;
last ACL checked: all
2023/11/28 11:15:05.483 kid1| 17,2| FwdState.cc(142) FwdState:
Forwarding client request local=192.168.1.132:443
remote=192.168.1.124:60690 FD 11 flags=17, url=192.168.1.132:443
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(316)
peerSelectDnsPaths: Found sources for '192.168.1.132:443'
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(317)
peerSelectDnsPaths: always_direct = DENIED
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(318)
peerSelectDnsPaths: never_direct = DENIED
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(324)
peerSelectDnsPaths: ORIGINAL_DST = local=192.168.1.124
remote=192.168.1.132:443 flags=25
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(331)
peerSelectDnsPaths: timedout = 0
2023/11/28 11:16:05.433 kid1| 4,2| errorpage.cc(1259) BuildContent: No
existing error page language negotiated for ERR_CONNECT_FAIL. Using
default error file.
2023/11/28 11:16:05.433 kid1| 20,2| store.cc(985) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2023/11/28 11:16:05.433 kid1| 20,2| store.cc(985) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2023/11/28 11:16:05.463 kid1| 83,2| client_side.cc(2675)
clientNegotiateSSL: New session 0x5636c4227330 on FD 11
(192.168.1.124:60690)
2023/11/28 11:16:05.464 kid1| 11,2| client_side.cc(1306)
parseHttpRequest: HTTP Client local=192.168.1.132:443
remote=192.168.1.124:60690 FD 11 flags=17
2023/11/28 11:16:05.464 kid1| 11,2| client_side.cc(1307)
parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: test.regify.com
User-Agent: curl/7.74.0
Accept: */*
----------
2023/11/28 11:16:05.464 kid1| 88,2| client_side_reply.cc(2062)
processReplyAccessResult: The reply for GET https://test.regify.com/ is
ALLOWED, because it matched (access_log daemon:/var/log/squid/access.log
line)
2023/11/28 11:16:05.464 kid1| 11,2| Stream.cc(271) sendStartOfMessage:
HTTP Client local=192.168.1.132:443 remote=192.168.1.124:60690 FD 11
flags=17
2023/11/28 11:16:05.464 kid1| 11,2| Stream.cc(272) sendStartOfMessage:
HTTP Client REPLY:
---------
HTTP/1.1 503 Service Unavailable
Server: squid/4.13
Mime-Version: 1.0
Date: Tue, 28 Nov 2023 10:16:05 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3487
X-Squid-Error: ERR_CONNECT_FAIL 110
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from proxy
X-Cache-Lookup: NONE from proxy:3128
Via: 1.1 proxy (squid/4.13)
Connection: close
----------
2023/11/28 11:16:05.464 kid1| 20,2| store.cc(985) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2023/11/28 11:16:05.464 kid1| 33,2| client_side.cc(895) kick:
local=192.168.1.132:443 remote=192.168.1.124:60690 flags=17 Connection
was closed
2023/11/28 11:16:05.464 kid1| 33,2| client_side.cc(586) swanSong:
local=192.168.1.132:443 remote=192.168.1.124:60690 flags=17
2023/11/28 11:16:05.465 kid1| 20,2| store.cc(985) checkCachable:
StoreEntry::checkCachable: NO: not cachable
I've been reading the squid docs and other internet resources, but am
failing to figure out why this is not working.
Any clue sticks would be appreciated.
Also appreciated would be advice on where to find this documented.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users