Missing IPv6 sockets in Squid 6.7 in some servers

Hello,

I am a Squid beginner and we would like to use Squid inside our organization only as an HTTPS traffic inspection/logging tool for some 3rd-party apps that we bought,
something close to what is called a "MITM proxy", but we will not do that; instead we use a self-signed certificate and the 3rd-party app owners know this. Everything is
100% completely legal. (PS: I am the IT lead.)

We will be using Squid only internally, no outside access. Here is my issue with my current knowledge of Squid: the POC is running well on 3 servers, but on the 4th I get no IPv6
sockets:
ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
tcp        0      0 10.10.0.16:3128         0.0.0.0:*               LISTEN      2891391/(squid-1)

and on the other 3 I have IPv6:
ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
tcp        0      0 x.x.x.x:52386    x.x.x.x:443     ESTABLISHED 997651/(squid-1)
tcp6       0      0 :::3128                 :::*                    LISTEN      997651/(squid-1)
tcp6       0      0 10.10.0.12:3128         10.20.0.1:39428        ESTABLISHED 997651/(squid-1)

This creates a problem for us, since the apps I monitor are not starting: their start routine is IPv6 only, and only afterwards do they switch to IPv4/IPv6, but the start is IPv6 alone.

Therefore my questions are as follows:
  1. How can I make it listen on both IPv6/IPv4 like on the other servers?
  2. Any configuration improvement suggestions?

Please find all details here:
So far I did a POC on 4 servers; here is the full config, nothing sophisticated, since this is where my Squid knowledge has taken me so far. Running Squid 6.7 with some basic options
on Ubuntu 22.04, kernel 5.15.0-89-generic x86_64
squid -v
Squid Cache: Version 6.7
Service Name: squid
This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:  '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--enable-ssl-crtd' '--with-openssl'

and here is the syslog of Squid start:
Mar  4 16:09:28 A2-3 systemd[1]: Starting Squid Web Proxy Server...
Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Processing Configuration File: /etc/squid/squid.conf (depth 0)
Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Created PID file (/var/run/squid.pid)
Mar  4 16:09:28 A2-3 squid[3094662]: Squid Parent: will start 1 kids
Mar  4 16:09:28 A2-3 squid[3094662]: Squid Parent: (squid-1) process 3094665 started
Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Processing Configuration File: /etc/squid/squid.conf (depth 0)
Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Set Current Directory to /var/cache/squid
Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Creating missing swap directories
Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| No cache_dir stores are configured.
Mar  4 16:09:28 A2-3 squid[3094662]: Squid Parent: squid-1 process 3094665 exited with status 0
Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Removing PID file (/var/run/squid.pid)
Mar  4 16:09:28 A2-3 squid[3094666]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
Mar  4 16:09:28 A2-3 squid[3094666]: WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar  4 16:09:28 A2-3 squid[3094666]: WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
Mar  4 16:09:28 A2-3 squid[3094666]: Created PID file (/var/run/squid.pid)
Mar  4 16:09:28 A2-3 squid[3094666]: Squid Parent: will start 1 kids
Mar  4 16:09:28 A2-3 squid[3094666]: Squid Parent: (squid-1) process 3094668 started
Mar  4 16:09:28 A2-3 squid[3094668]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
Mar  4 16:09:28 A2-3 squid[3094668]: WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar  4 16:09:28 A2-3 squid[3094668]: WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
Mar  4 16:09:28 A2-3 squid[3094668]: Set Current Directory to /var/cache/squid
Mar  4 16:09:28 A2-3 squid[3094668]: Starting Squid Cache version 6.7 for x86_64-pc-linux-gnu...
Mar  4 16:09:28 A2-3 squid[3094668]: Service Name: squid
Mar  4 16:09:28 A2-3 squid[3094668]: Process ID 3094668
Mar  4 16:09:28 A2-3 squid[3094668]: Process Roles: worker
Mar  4 16:09:28 A2-3 squid[3094668]: With 1000000 file descriptors available
Mar  4 16:09:28 A2-3 squid[3094668]: Initializing IP Cache...
Mar  4 16:09:28 A2-3 squid[3094668]: DNS IPv6 socket created at [::], FD 9
Mar  4 16:09:28 A2-3 squid[3094668]: DNS IPv4 socket created at 0.0.0.0, FD 10
Mar  4 16:09:28 A2-3 squid[3094668]: Adding nameserver 127.0.0.53 from /etc/resolv.conf
Mar  4 16:09:28 A2-3 squid[3094668]: Adding domain . from /etc/resolv.conf
Mar  4 16:09:28 A2-3 squid[3094668]: helperOpenServers: Starting 5/5 'security_file_certgen' processes
Mar  4 16:09:28 A2-3 squid[3094668]: Logfile: opening log stdio:/var/log/squid/success.log
Mar  4 16:09:28 A2-3 squid[3094668]: Logfile: opening log stdio:/var/log/squid/failure.log
Mar  4 16:09:28 A2-3 squid[3094668]: Logfile: opening log daemon:/var/log/squid/access.log
Mar  4 16:09:28 A2-3 squid[3094668]: Logfile Daemon: opening log /var/log/squid/access.log
Mar  4 16:09:28 A2-3 squid[3094668]: Store logging disabled
Mar  4 16:09:28 A2-3 squid[3094668]: Swap maxSize 0 + 262144 KB, estimated 20164 objects
Mar  4 16:09:28 A2-3 squid[3094668]: Target number of buckets: 1008
Mar  4 16:09:28 A2-3 squid[3094668]: Using 8192 Store buckets
Mar  4 16:09:28 A2-3 squid[3094668]: Max Mem  size: 262144 KB
Mar  4 16:09:28 A2-3 squid[3094668]: Max Swap size: 0 KB
Mar  4 16:09:28 A2-3 squid[3094668]: Using Least Load store dir selection
Mar  4 16:09:28 A2-3 squid[3094668]: Set Current Directory to /var/cache/squid
Mar  4 16:09:28 A2-3 squid[3094668]: Finished loading MIME types and icons.
Mar  4 16:09:28 A2-3 squid[3094668]: HTCP Disabled.
Mar  4 16:09:28 A2-3 squid[3094668]: Squid plugin modules loaded: 0
Mar  4 16:09:28 A2-3 squid[3094668]: Adaptation support is off.
Mar  4 16:09:28 A2-3 squid[3094668]: Accepting SSL bumped HTTP Socket connections at conn13 local=10.10.0.16:3128 remote=[::] FD 25 flags=9
    listening port: 10.10.0.16:3128
Mar  4 16:09:28 A2-3 systemd[1]: Started Squid Web Proxy Server.
Mar  4 16:09:29 A2-3 squid[3094668]: storeLateRelease: released 0 objects

-- full config --
acl SSL_ports port 443
acl SSL_ports port 443
http_access allow localhost
http_access allow localnet
http_access allow all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
http_upgrade_request_protocols websocket allow all

ssl_bump peek step1 all
ssl_bump splice broken_sites
ssl_bump stare step2 all
ssl_bump bump step3 all

acl CONNECT method CONNECT
acl success_hier hier_code HIER_DIRECT
acl failure_hier hier_code HIER_NONE
acl failure all-of CONNECT failure_hier
acl failure all-of !CONNECT failure_codes
acl success all-of CONNECT success_hier
acl success all-of !CONNECT success_codes

access_log stdio:/var/log/squid/success.log logformat=squid success
access_log stdio:/var/log/squid/failure.log logformat=squid failure

cache deny all

http_port [::]:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB tls-cert=/etc/squid/myCA.pem tls-key=/etc/squid/myCA1.pem
strip_query_terms off

logformat timereadable %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
access_log daemon:/var/log/squid/access.log timereadable

coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
-- end of config

Thank you,

Dragos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
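As an added example (not from the post, and not Squid's own tooling), the shell script below turns the netstat check Dragos ran into a repeatable classification of what Squid is bound to on its port, and adds two kernel-side IPv6 hints worth reading on the odd host before touching the config. The two sample netstat outputs are copied from the post; the port number, the `--live` flag and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: tell whether a Squid port is
# reachable over IPv6 by classifying the LISTEN rows of `netstat -patun`-style
# output (columns: Proto Recv-Q Send-Q Local Foreign State PID/Program).
# The two samples are the rows from the post; everything else is constructed.

# Sample from the misbehaving host A2-3: an IPv4 literal bound to 3128.
SAMPLE_A2_3='tcp        0      0 10.10.0.16:3128         0.0.0.0:*               LISTEN      2891391/(squid-1)'

# Sample from a working host A2-2: the IPv6 wildcard bound to 3128.
SAMPLE_A2_2='tcp        0      0 x.x.x.x:52386    x.x.x.x:443     ESTABLISHED 997651/(squid-1)
tcp6       0      0 :::3128                 :::*                    LISTEN      997651/(squid-1)
tcp6       0      0 10.10.0.12:3128         10.20.0.1:39428        ESTABLISHED 997651/(squid-1)'

# listener_mode PORT   (netstat rows on stdin)
# Prints one of:
#   v6-any     bound to [::]:PORT; on Linux this also accepts IPv4 clients
#              unless net.ipv6.bindv6only=1
#   ipv4+ipv6  separate IPv4 and IPv6 listeners on PORT
#   ipv6-only  a specific IPv6 address on PORT, no IPv4 listener
#   ipv4-only  only an IPv4 address on PORT (the A2-3 situation)
#   none       nothing listening on PORT
listener_mode() {
    awk -v want="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] != want) next           # port is the text after the last ":"
            if ($1 == "tcp6" && $4 == (":::" want)) v6any = 1
            else if ($1 == "tcp6")           v6 = 1
            else if ($1 == "tcp")            v4 = 1
        }
        END {
            if (v6any)          print "v6-any"
            else if (v6 && v4)  print "ipv4+ipv6"
            else if (v6)        print "ipv6-only"
            else if (v4)        print "ipv4-only"
            else                print "none"
        }'
}

# host_ipv6_hints: two kernel-side facts to read on a host whose Squid came up
# IPv4-only. Neither proves the cause on its own; they rule things in or out.
host_ipv6_hints() {
    # 1 means the kernel was told to drop IPv6 addresses on all interfaces.
    printf 'net.ipv6.conf.all.disable_ipv6 = %s\n' \
        "$(sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null || echo unknown)"
    # This file exists only while the IPv6 stack is loaded; it is absent when
    # the kernel was booted with ipv6.disable=1.
    if [ -r /proc/net/if_inet6 ]; then
        printf 'IPv6 stack present: yes (%s address(es))\n' "$(wc -l < /proc/net/if_inet6)"
    else
        printf 'IPv6 stack present: no\n'
    fi
}

# Stand-alone run: classify the two samples, then (with --live) the real host.
echo "A2-3: $(printf '%s\n' "$SAMPLE_A2_3" | listener_mode 3128)"
echo "A2-2: $(printf '%s\n' "$SAMPLE_A2_2" | listener_mode 3128)"
if [ "${1:-}" = "--live" ]; then
    echo "this host: $(netstat -tln 2>/dev/null | listener_mode 3128)"
    host_ipv6_hints
fi
```

Run it with `--live` on the affected host to classify the real listener; the posted `http_port [::]:3128` asks for the IPv6 wildcard, so an IPv4 literal showing up there is worth checking against the host's IPv6 state before changing the config, and `squid -k parse` will at least confirm the file is read as intended. Separately, `sslproxy_cert_error allow all` in the posted config tells Squid to ignore every upstream certificate error, which removes the server-side validation an interception proxy should still be doing; that is worth revisiting regardless of the IPv6 question.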
