So far it seems there are some issues with my docker networks on the host, thank you for your help, I will come back later if this is not the case.

Kind regards,
Dragos

On Tuesday, March 5th, 2024 at 11:59 AM, Dragos Pacher <dragosrp@xxxxxxxxx> wrote:

> Please see my replies in between the lines below.
>
> On Tuesday, March 5th, 2024 at 5:40 AM, Amos Jeffries squid3@xxxxxxxxxxxxx wrote:
>
> > On 5/03/24 08:03, Dragos Pacher wrote:
> >
> > > Hello,
> > >
> > > I am a Squid beginner and we would like to use Squid inside our
> > > organization only as a HTTPS traffic inspection/logging tool for some
> > > 3rd party apps that we bought,
> > > something close to what a "MITM proxy" is called but we will not do
> > > that, instead we use a self signed certificate and the 3rd party app
> > > owners know this. Everything is
> > > 100% completely legal. (PS: I am the IT lead).
> >
> > FYI: "MITM proxy" is a ridiculous term. "MITM" means "intermediary" in
> > security terminology, "proxy" means "intermediary" in networking
> > terminology.
> > So that term just means "intermediary intermediary", yeah.
>
> I did not coin this term, I was referring to this: https://mitmproxy.org,
> I guess it entered IT popular culture somehow...
>
> > Any serious HTTPS inspection/logging by Squid needs some form of
> > SSL-Bump configuration and those 3rd-party Apps MUST be configured with
> > trust for the self-signed root CA you are using.
> >
> > Without that nothing Squid (or any other proxy) does will allow traffic
> > inspection beyond the initial TLS handshake.
>
> I specified in my first email I did this already, maybe I was not so clear but
> my self-signed certificate is working with the 3rd party apps.
>
> > Assuming that you have checked that detail, on to your issue ...
> >
> > > We will be using Squid only internally, no outside access. Here is my
> > > issue with the current knowledge of Squid: POC running well on 3 servers
> > > but on the 4th I get no IPv6
> > > sockets:
> > > ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> > > tcp    0    0 10.10.0.16:3128    0.0.0.0:*    LISTEN    2891391/(squid-1)
> >
> > Your problem is the http(s)_port "port" configuration parameter.
> >
> > This Squid is configured to listen like:
> >
> > http_port 10.10.0.16:3128
> >
> > or
> >
> > http_port example.com:3128
> >
> > (when example.com has only address 10.10.0.16)
> >
> > The "http_port" receives port 80 syntax traffic, it may also be
> > "https_port" which receives port 443 syntax traffic.
> >
> > > and on the other 3 I have IPv6:
> > > ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> > > tcp     0    0 x.x.x.x:52386    x.x.x.x:443    ESTABLISHED    997651/(squid-1)
> > > tcp6    0    0 :::3128          :::*           LISTEN         997651/(squid-1)
> >
> > These Squid are configured to listen like:
> >
> > http_port 3128
> >
> > Ensure that the machine/server the 4th Squid is running on has its
> > http(s)_port line matching the other three machines' port value.
> >
> > At this point do not care about the "mode" or options later in the line.
> > Your issue is solely the "port" parameter.
>
> So far it seems I was missing [::] in my http_port in the problem server, because of automatic deployment
> something went wrong and I assumed my Squid configuration is all the same all over the place.
> I fixed this but the issue is still there,
> please see: this is inside a docker container on a healthy server:
>
> # netstat -patun
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address      Foreign Address    State       PID/Program name
> tcp    0      0      127.0.0.11:41421   0.0.0.0:*          LISTEN      1574/dockerd
> tcp    0      1      172.18.0.10:46950  10.10.0.16:3128    SYN_SENT    307601/node
> udp    0      0      127.0.0.11:57486   0.0.0.0:*                      1574/dockerd
>
> and same netstat on the unhealthy server, still inside docker:
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address      Foreign Address    State       PID/Program name
> tcp    0      0      127.0.0.11:38339   0.0.0.0:*          LISTEN      273025/dockerd
> tcp    0      0      172.18.0.4:50666   10.10.0.11:3128    ESTABLISHED 494253/node
> tcp6   0      0      :::8080            :::*               LISTEN      494253/node
> tcp6   0      0      127.0.0.1:8080     127.0.0.1:46168    TIME_WAIT   -
> tcp6   0      0      127.0.0.1:8080     127.0.0.1:44480    TIME_WAIT   -
> udp    0      0      127.0.0.11:56639   0.0.0.0:*                      273025/dockerd
>
> and a tcpdump from the docker bridge interface, 172.18.0.10 is my issue container with the SYN sent only
>
> root@A2-3:~# tcpdump -i br-7b47c165c9ba dst port 3128 -vvv
> tcpdump: listening on br-7b47c165c9ba, link-type EN10MB (Ethernet), snapshot length 262144 bytes
> 09:55:53.436758 IP (tos 0x0, ttl 64, id 48752, offset 0, flags [DF], proto TCP (6), length 60)
>     172.18.0.10.59056 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x0dd4), seq 2115452268, win 65535, options [mss 1460,sackOK,TS val 1708093369 ecr 0,nop,wscale 11], length 0
>
> 09:56:20.845804 IP (tos 0x0, ttl 64, id 40649, offset 0, flags [DF], proto TCP (6), length 60)
>     172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x48f3), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708120778 ecr 0,nop,wscale 11], length 0
>
> 09:56:21.852827 IP (tos 0x0, ttl 64, id 40650, offset 0, flags [DF], proto TCP (6), length 60)
>     172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x4504), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708121785 ecr 0,nop,wscale 11], length 0
>
> 09:56:23.868762 IP (tos 0x0, ttl 64, id 40651, offset 0, flags [DF], proto TCP (6), length 60)
>     172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x3d24), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708123801 ecr 0,nop,wscale 11], length 0
>
> 09:56:27.996768 IP (tos 0x0, ttl 64, id 40652, offset 0, flags [DF], proto TCP (6), length 60)
>     172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x2d04), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708127929 ecr 0,nop,wscale 11], length 0
>
> 09:56:36.188758 IP (tos 0x0, ttl 64, id 40653, offset 0, flags [DF], proto TCP (6), length 60)
>     172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x0d04), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708136121 ecr 0,nop,wscale 11], length 0
>
> 09:56:52.316463 IP (tos 0x0, ttl 64, id 40654, offset 0, flags [DF], proto TCP (6), length 60)
>     172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0xce03), seq 2480704598, win 65535, options [mss 1460,sackOK,TS val 1708152249 ecr 0,nop,wscale 11], length 0
>
>
> 7 packets captured
> 7 packets received by filter
>
>
> Why the SYN_SENT-only state? Any ideas?
>
> Thank you,
>
> Dragos
>
> > Cheers
> > Amos
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.squid-cache.org/listinfo/squid-users
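The diagnosis Amos walks through above (a Squid bound to one specific IPv4 address versus a wildcard/dual-stack `:::3128` listener, and containers stuck in SYN_SENT toward the proxy port) can be automated over `netstat -patun` output. The following is an added example, not code from the thread or from the Squid project; the sample netstat lines are constructed, modelled on the ones quoted in the thread, and the `squid`/`3128` defaults and the `diagnose` wording are this example's own assumptions.

```python
from dataclasses import dataclass

# Constructed sample: modelled on the netstat rows quoted in the thread
# (squid listeners on the host, node clients inside docker containers).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.10.0.16:3128         0.0.0.0:*               LISTEN      2891391/(squid-1)
tcp6       0      0 :::3128                 :::*                    LISTEN      997651/(squid-1)
tcp        0      1 172.18.0.10:46950       10.10.0.16:3128         SYN_SENT    307601/node
tcp        0      0 172.18.0.4:50666        10.10.0.11:3128         ESTABLISHED 494253/node
udp        0      0 127.0.0.11:57486        0.0.0.0:*                           1574/dockerd
"""


@dataclass
class Socket:
    proto: str
    local_addr: str
    local_port: str
    remote_addr: str
    remote_port: str
    state: str
    program: str


def split_endpoint(endpoint: str):
    """Split 'addr:port' at the LAST colon so the IPv6 form ':::3128' becomes ('::', '3128')."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def parse_netstat(text: str):
    """Parse the rows of `netstat -patun`; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, _recvq, _sendq, local, remote = parts[:5]
        # UDP rows have no State column, so the program name is the 6th field.
        if len(parts) == 7:
            state, program = parts[5], parts[6]
        else:
            state, program = "", parts[5]
        laddr, lport = split_endpoint(local)
        raddr, rport = split_endpoint(remote)
        sockets.append(Socket(proto, laddr, lport, raddr, rport, state, program))
    return sockets


def bind_scope(addr: str) -> str:
    """What a listening address accepts: every IPv4 address, every IPv6 address
    (on Linux a '::' socket usually also takes IPv4 via mapped addresses), or one address only."""
    if addr == "0.0.0.0":
        return "any-ipv4"
    if addr == "::":
        return "any-ipv6"
    return "specific"


def listeners(sockets, program_substr: str):
    return [s for s in sockets if s.state == "LISTEN" and program_substr in s.program]


def half_open(sockets, port: str):
    """Client sockets in SYN_SENT toward `port`: the SYN went out, no SYN/ACK came back."""
    return [s for s in sockets if s.state == "SYN_SENT" and s.remote_port == port]


def diagnose(text: str, program_substr: str = "squid", port: str = "3128"):
    """Return human-readable findings about listener scope and half-open client connections."""
    sockets = parse_netstat(text)
    findings = []
    for l in listeners(sockets, program_substr):
        scope = bind_scope(l.local_addr)
        if scope == "specific":
            findings.append(f"{l.program} listens only on {l.local_addr}:{l.local_port} ({l.proto}); "
                            "connections arriving at any other local address cannot reach it")
        else:
            findings.append(f"{l.program} listens on all addresses ({scope}) port {l.local_port} via {l.proto}")
    for h in half_open(sockets, port):
        findings.append(f"{h.program} at {h.local_addr}:{h.local_port} is SYN_SENT toward "
                        f"{h.remote_addr}:{h.remote_port}: no SYN/ACK returned; check the listener bind, "
                        "the route from the container bridge, and host firewall/NAT rules")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_NETSTAT):
        print(finding)
```

Run it against real output with `netstat -patun | python3 -c 'import sys, netstat_check as n; print("\n".join(n.diagnose(sys.stdin.read())))'` (module name assumed). A `specific` finding on the proxy host together with a `SYN_SENT` finding from a container is exactly the mismatch the thread describes; a half-open connection with a wildcard listener instead points at the bridge routing or filtering rules, which is where the tcpdump on `br-...` above comes in.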