Please see my replies in between the lines below.

On Tuesday, March 5th, 2024 at 5:40 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

> On 5/03/24 08:03, Dragos Pacher wrote:
> >
> > Hello,
> >
> > I am a Squid beginner and we would like to use Squid inside our
> > organization only as an HTTPS traffic inspection/logging tool for some
> > 3rd party apps that we bought, something close to what a "MITM proxy"
> > is called, but we will not do that; instead we use a self-signed
> > certificate and the 3rd party app owners know this. Everything is
> > 100% completely legal. (PS: I am the IT lead).
>
> FYI: "MITM proxy" is a ridiculous term. "MITM" means "intermediary" in
> security terminology, "proxy" means "intermediary" in networking
> terminology.
> So that term just means "intermediary intermediary", yeah.

I did not coin this term, I was referring to this: https://mitmproxy.org. I guess it entered IT popular culture somehow.

> Any serious HTTPS inspection/logging by Squid needs some form of
> SSL-Bump configuration and those 3rd-party Apps MUST be configured with
> trust for the self-signed root CA you are using.
>
> Without that nothing Squid (or any other proxy) does will allow traffic
> inspection beyond the initial TLS handshake.

I specified in my first email that I did this already; maybe I was not so clear, but my self-signed certificate is working with the 3rd party apps.

> Assuming that you have checked that detail, on to your issue ...
>
> > We will be using Squid only internally, no outside access. Here is my
> > issue with the current knowledge of Squid: POC running well on 3 servers
> > but on the 4th I get no IPv6 sockets:
> >
> > ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp        0      0 10.10.0.16:3128         0.0.0.0:*               LISTEN      2891391/(squid-1)
>
> Your problem is the https(s)_port "port" configuration parameter.
>
> This Squid is configured to listen like:
>   http_port 10.10.0.16:3128
> or
>   http_port example.com:3128
> (when example.com has only address 10.10.0.16)
>
> The "http_port" receives port 80 syntax traffic, it may also be
> "https_port" which receives port 443 syntax traffic.
>
> > and on the other 3 I have IPv6:
> >
> > ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp        0      0 x.x.x.x:52386           x.x.x.x:443             ESTABLISHED 997651/(squid-1)
> > tcp6       0      0 :::3128                 :::*                    LISTEN      997651/(squid-1)
>
> These Squid are configured to listen like:
>   http_port 3128
>
> Ensure that the machine/server the 4th Squid is running on has its
> http(s)_port line matching the other three machines' port value.
>
> At this point do not care about the "mode" or options later in the line.
> Your issue is solely the "port" parameter.

So far it seems I was missing [::] in my http_port on the problem server; because of automatic deployment something went wrong and I assumed my Squid configuration was the same all over the place.

I fixed this but the issue is still there, please see. This is inside a docker container on a healthy server:

# netstat -patun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:41421        0.0.0.0:*               LISTEN      1574/dockerd
tcp        0      1 172.18.0.10:46950       10.10.0.16:3128         SYN_SENT    307601/node
udp        0      0 127.0.0.11:57486        0.0.0.0:*                           1574/dockerd

and the same netstat on the unhealthy server, still inside docker:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:38339        0.0.0.0:*               LISTEN      273025/dockerd
tcp        0      0 172.18.0.4:50666        10.10.0.11:3128         ESTABLISHED 494253/node
tcp6       0      0 :::8080                 :::*                    LISTEN      494253/node
tcp6       0      0 127.0.0.1:8080          127.0.0.1:46168         TIME_WAIT   -
tcp6       0      0 127.0.0.1:8080          127.0.0.1:44480         TIME_WAIT   -
udp        0      0 127.0.0.11:56639        0.0.0.0:*                           273025/dockerd

and a tcpdump from the docker bridge interface; 172.18.0.10 is my issue container with the SYN sent only:

root@A2-3:~# tcpdump -i br-7b47c165c9ba dst port 3128 -vvv
tcpdump: listening on br-7b47c165c9ba, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:55:53.436758 IP (tos 0x0, ttl 64, id 48752, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.59056 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x0dd4), seq 2115452268, win 65535, options [mss 1460,sackOK,TS val 1708093369 ecr 0,nop,wscale 11], length 0
09:56:20.845804 IP (tos 0x0, ttl 64, id 40649, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x48f3), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708120778 ecr 0,nop,wscale 11], length 0
09:56:21.852827 IP (tos 0x0, ttl 64, id 40650, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x4504), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708121785 ecr 0,nop,wscale 11], length 0
09:56:23.868762 IP (tos 0x0, ttl 64, id 40651, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x3d24), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708123801 ecr 0,nop,wscale 11], length 0
09:56:27.996768 IP (tos 0x0, ttl 64, id 40652, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x2d04), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708127929 ecr 0,nop,wscale 11], length 0
09:56:36.188758 IP (tos 0x0, ttl 64, id 40653, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x0d04), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708136121 ecr 0,nop,wscale 11], length 0
09:56:52.316463 IP (tos 0x0, ttl 64, id 40654, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0xce03), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708152249 ecr 0,nop,wscale 11], length 0
7 packets captured
7 packets received by filter

Why the SYN_SENT-only state? Any ideas?

Thank you,
Dragos

> Cheers
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.squid-cache.org/listinfo/squid-users
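An added diagnostic, not code from this thread or from the Squid project: it correlates the SYN-only flows in a tcpdump capture with the host's LISTEN sockets, to separate "no socket covers that address/port" (the http_port bind-address problem Amos describes) from "a socket is listening but the SYN is never answered" (which points at filtering or routing between the docker bridge and the host rather than at squid.conf). The netstat and tcpdump samples inside the block are constructed, modelled on the output quoted above but with `tcpdump -n` style addresses, a bidirectional `port 3128` filter so SYN-ACKs are visible, and a made-up 10.10.0.17 destination that no listener covers. The rule that a tcp6 `::` wildcard also accepts IPv4 assumes Linux's default net.ipv6.bindv6only=0.

```python
"""Added example (not from the squid-users thread): correlate SYN-only flows in a
tcpdump capture with the host's LISTEN sockets to explain a SYN_SENT-only state.
All sample data below is constructed."""
import re
from collections import defaultdict

# Constructed sample in the `netstat -patun` layout quoted in the thread.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.10.0.16:3128         0.0.0.0:*               LISTEN      2891391/(squid-1)
tcp6       0      0 :::8080                 :::*                    LISTEN      494253/node
tcp        0      1 172.18.0.10:46950       10.10.0.16:3128         SYN_SENT    307601/node
"""

# Constructed sample in `tcpdump -n` layout, captured with filter `port 3128`
# (both directions) rather than `dst port 3128`, so SYN-ACKs are visible.
# 10.10.0.17 is a made-up address with no listener, to show the other verdict.
TCPDUMP_SAMPLE = """\
09:56:20.845804 IP 172.18.0.10.56272 > 10.10.0.16.3128: Flags [S], seq 2480704598, win 65535, length 0
09:56:21.852827 IP 172.18.0.10.56272 > 10.10.0.16.3128: Flags [S], seq 2480704598, win 65535, length 0
09:56:23.868762 IP 172.18.0.10.56272 > 10.10.0.16.3128: Flags [S], seq 2480704598, win 65535, length 0
09:56:30.000000 IP 172.18.0.4.50666 > 10.10.0.11.3128: Flags [S], seq 1, win 65535, length 0
09:56:30.000400 IP 10.10.0.11.3128 > 172.18.0.4.50666: Flags [S.], seq 7, ack 2, win 65535, length 0
09:56:40.000000 IP 172.18.0.10.40001 > 10.10.0.17.3128: Flags [S], seq 5, win 65535, length 0
"""

LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN")
PKT_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def parse_listeners(netstat_text):
    """Return (proto, bind_address, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        proto, local = m.group(1), m.group(2)
        # rpartition on the last ':' handles both '10.10.0.16:3128' and ':::8080'
        addr, _, port = local.rpartition(":")
        listeners.append((proto, addr, int(port)))
    return listeners


def listener_covers(listeners, dst_ip, dst_port):
    """True if some LISTEN socket would accept a SYN addressed to dst_ip:dst_port.
    Assumes Linux default net.ipv6.bindv6only=0, so a tcp6 '::' wildcard also
    accepts IPv4 connections (as IPv4-mapped addresses)."""
    for proto, addr, port in listeners:
        if port != dst_port:
            continue
        if addr == dst_ip or addr == "0.0.0.0":
            return True
        if proto == "tcp6" and addr == "::":
            return True
    return False


def find_half_open_flows(tcpdump_text):
    """Map (src, sport, dst, dport) -> SYN count for flows that never saw a SYN-ACK."""
    syns = defaultdict(int)
    answered = set()
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            syns[(src, int(sport), dst, int(dport))] += 1
        elif flags == "S.":
            # a SYN-ACK travels server->client; key it from the client's point of view
            answered.add((dst, int(dport), src, int(sport)))
    return {flow: n for flow, n in syns.items() if flow not in answered}


def diagnose(netstat_text, tcpdump_text):
    """One report entry per unanswered flow, with a verdict on where to look next."""
    listeners = parse_listeners(netstat_text)
    report = []
    for (src, sport, dst, dport), n in sorted(find_half_open_flows(tcpdump_text).items()):
        if listener_covers(listeners, dst, dport):
            verdict = ("listener present but SYN unanswered: check host firewall/"
                       "docker bridge filtering and routing, not squid.conf")
        else:
            verdict = "no LISTEN socket covers this address/port: check the http_port bind address"
        report.append({"flow": f"{src}:{sport}->{dst}:{dport}", "syns": n, "verdict": verdict})
    return report


if __name__ == "__main__":
    for entry in diagnose(NETSTAT_SAMPLE, TCPDUMP_SAMPLE):
        print(f"{entry['flow']}  SYNs={entry['syns']}  {entry['verdict']}")
```

Run it as-is to see the report on the samples, or feed `diagnose()` real `netstat -patun` and `tcpdump -n port 3128` text. Two caveats matter when applying it to a capture like the one above: filter on `port 3128` rather than `dst port 3128`, otherwise the SYN-ACK direction is never captured and every handshake looks half-open; and a `cksum ... (incorrect ...)` on a SYN captured on the sending host is normally TCP checksum offload on the outbound interface, not a corrupted packet, so it is not by itself a reason the SYN goes unanswered.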