RE: [squid-users] SSL accelerator- definitive answer?

From: David Gibson <dgibson@dont-contact.us>
Date: Thu, 31 Jul 2003 16:04:30 -0400

Henrik,

Thank you for your response- things are as I hoped. Now I'd like to ask for a little configuration assistance.

I have configured squid as an accelerator in virtual host mode, and things are working well with http (though I'm having some ntlm issues) and multiple web servers behind the single proxy. Squid is also binding to 443, but I get no return traffic when I initiate the connection (tcpdump confirms this). Can I use https with a virtual configuration? I tried in single host mode, but it still doesn't respond.

Thanx in advance.

Cheers,

David

Here is the pertinent info (names have been changed to protect the innocent):

#squid -v
Squid Cache: Version 2.5.STABLE3
configure options: --host=i386-redhat-linux --build=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-poll --enable-snmp --enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,ufs --enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter --with-pthreads --enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT,multi-domain-NTLM --enable-digest-auth-helpers=password --enable-ntlm-auth-helpers=SMB,winbind --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group

[root@cpaproxy root]# uname -a
Linux my host 2.4.20-6 #1 Thu Feb 27 10:06:59 EST 2003 i686 i686 i386 GNU/Linux

[root@cpaproxy root]# squid -N -d 9 -D
2003/07/31 15:52:52| Parsing Config File: Unknown authentication scheme 'ntlm'.
2003/07/31 15:52:52| Parsing Config File: Unknown authentication scheme 'ntlm'.
2003/07/31 15:52:52| Parsing Config File: Unknown authentication scheme 'ntlm'.
2003/07/31 15:52:52| Parsing Config File: Unknown authentication scheme 'ntlm'.
2003/07/31 15:52:52| Starting Squid Cache version 2.5.STABLE3 for i386-redhat-linux-gnu...
2003/07/31 15:52:52| Process ID 15349
2003/07/31 15:52:52| With 1024 file descriptors available
2003/07/31 15:52:52| DNS Socket created at 0.0.0.0, port 32798, FD 4
2003/07/31 15:52:52| Adding nameserver ns1 from /etc/resolv.conf
2003/07/31 15:52:52| Adding nameserver ns2 from /etc/resolv.conf
2003/07/31 15:52:52| helperOpenServers: Starting 10 'redirector.pl' processes
2003/07/31 15:52:52| Unlinkd pipe opened on FD 19
2003/07/31 15:52:52| Swap maxSize 102400 KB, estimated 7876 objects
2003/07/31 15:52:52| Target number of buckets: 393
2003/07/31 15:52:52| Using 8192 Store buckets
2003/07/31 15:52:52| Max Mem size: 16384 KB
2003/07/31 15:52:52| Max Swap size: 102400 KB
2003/07/31 15:52:52| Rebuilding storage in /var/cache (CLEAN)
2003/07/31 15:52:52| Using Least Load store dir selection
2003/07/31 15:52:52| Set Current Directory to /var/spool/squid
2003/07/31 15:52:52| Loaded Icons.
2003/07/31 15:52:52| Accepting HTTP connections at 0.0.0.0, port 80, FD 20.
2003/07/31 15:52:52| Initialising SSL.
2003/07/31 15:52:52| Using certificate in /dir/ca-cert
2003/07/31 15:52:52| Using private key in /dir/key.pem
2003/07/31 15:52:52| Accepting HTTPS connections at [eth0 address], port 443, FD 21.
2003/07/31 15:52:52| Initialising SSL.
2003/07/31 15:52:52| Using certificate in /dir/ca-cert
2003/07/31 15:52:52| Using private key in /dir/key.pem
2003/07/31 15:52:52| Accepting HTTPS connections at [eth0:1 address], port 443, FD 22.
2003/07/31 15:52:52| Accepting SNMP messages on port 3401, FD 23.
2003/07/31 15:52:52| WCCP Disabled.
2003/07/31 15:52:52| Ready to serve requests.
2003/07/31 15:52:52| Done scanning /var/cache swaplog (0 entries)
2003/07/31 15:52:52| xrename: renaming /var/cache/swap.state.new to /var/cache/swap.state
2003/07/31 15:52:52| Finished rebuilding storage from disk.
2003/07/31 15:52:52| 0 Entries scanned
2003/07/31 15:52:52| 0 Invalid entries.
2003/07/31 15:52:52| 0 With invalid flags.
2003/07/31 15:52:52| 0 Objects loaded.
2003/07/31 15:52:52| 0 Objects expired.
2003/07/31 15:52:52| 0 Objects cancelled.
2003/07/31 15:52:52| 0 Duplicate URLs purged.
2003/07/31 15:52:52| 0 Swapfile clashes avoided.
2003/07/31 15:52:52| Took 0.3 seconds ( 0.0 objects/sec).
2003/07/31 15:52:52| Beginning Validation Procedure
2003/07/31 15:52:52| Completed Validation Procedure
2003/07/31 15:52:52| Validated 0 Entries
2003/07/31 15:52:52| store_swap_size = 0k
2003/07/31 15:52:53| storeLateRelease: released 0 objects

]# tcpdump -nvi eth0 "ip && ! port 22"
tcpdump: listening on eth0
15:54:20.407059 client.1844 > [eth0 address].https: S [tcp sum ok] 2084840445:2084840445(0) win 8192 <mss 1380,nop,nop,sackOK> (DF) (ttl 127, id 64052, len 48)
15:54:23.338934 client.1844 > [eth0 address].https: S [tcp sum ok] 2084840445:2084840445(0) win 8192 <mss 1380,nop,nop,sackOK> (DF) (ttl 127, id 64564, len 48)
15:54:29.338568 client.1844 > [eth0 address].https: S [tcp sum ok] 2084840445:2084840445(0) win 8192 <mss 1380,nop,nop,sackOK> (DF) (ttl 127, id 64820, len 48)

lines from squid.conf:
httpd_accel_host virtual
httpd_accel_port 80
redirect_program /dir/redirector.pl

httpd_accel_single_host off
# TAG: https_port
https_port [eth0 address]:443 cert=/certdir/ca-cert key=/certdir/key.pem cipher=EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-DSS-RC4-SHA::RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA
https_port [eth0:1 address]:443 cert=/certdir/ca-cert key=/certdir/key.pem cipher=EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-DSS-RC4-SHA::RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA

cat /dir/redirector.pl
#!/usr/bin/perl
# Squid redirector: reads one request line per accelerated request on stdin
# and writes the (possibly rewritten) line back on stdout.
$| = 1;   # unbuffered stdout, otherwise Squid waits for output that never flushes
while (<>) {
    # [eth0] / [eth0:1] stand in for the real public hostnames (names changed
    # above); each rule maps a public name to the internal web server.
    s@http://[eth0]@http://web1@;
    s@http://[eth0]@http://web2@;
    s@https://[eth0:1]@https://web1@; # tried with both http & https
    s@https://[eth0:1]@https://web2@; # tried with both http & https
    print;
    #`echo "it's working" > /tmp/test.txt` ;   # debugging hook, left disabled
}

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Thu 7/31/2003 1:32 PM
To: David Gibson; squid-users@squid-cache.org
Cc:
Subject: Re: [squid-users] SSL accelerator- definitive answer?
On Thursday 31 July 2003 16.25, David Gibson wrote:

> 1) SSL all the way through from client, through proxy, to server,
> with no decryption between client & server. (Just a relay).

No.

Squid has no interest in providing this kind of service. A plain TCP
plug or NAT is what you want for this kind of service. There is no
good reason to involve Squid in this.

> 2) SSL from client to proxy, clear text from proxy to server.

Yes.

> 3) SSL from client to proxy, decrypt & re-encrypt to server
> (classic man-in-the middle, but gives opportunity to inspect
> traffic)

Yes, with Squid-3.0, or Squid-2.5+ssl update patch available from
http://devel.squid-cache.org/.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
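The cipher= option on both https_port lines above enables export-grade, RC4, RC2 and MD5 suites next to the AES ones, and the string also contains an empty entry (the "::") and repeated names. As an added example (not David's configuration or Squid code), the Python below splits that string the way OpenSSL does, reports those problems and derives a cleaned cipher= value; the weak/legacy classification rules are the editor's own, not anything stated in the thread.

```python
import re

# Cipher string copied from the https_port lines in the post; the empty entry
# ("::") and the repeated names are present in the original.
POSTED_CIPHERS = (
    "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:"
    "DHE-DSS-RC4-SHA::RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:"
    "EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:"
    "EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:"
    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA"
)

# Editor's reasons to drop a suite, checked in order; the first match wins.
WEAK_RULES = (
    (re.compile(r"^EXP-"), "export-grade key"),
    (re.compile(r"RC4|RC2"), "RC4/RC2"),
    (re.compile(r"DES-CBC-"), "single DES"),  # 3DES is DES-CBC3-, no match
    (re.compile(r"-MD5$"), "MD5 MAC"),
)
LEGACY = re.compile(r"DES-CBC3-")  # kept, but 3DES has a 64-bit block

def parse_cipher_list(spec):
    """Split an OpenSSL ':' list -> (unique names in order, repeats, empties)."""
    seen, ordered, dupes, empty = set(), [], [], 0
    for name in spec.split(":"):
        if name == "":
            empty += 1
        elif name in seen:
            dupes.append(name)
        else:
            seen.add(name)
            ordered.append(name)
    return ordered, dupes, empty

def classify(name):
    """Return why a suite is weak, or None if it may stay in the list."""
    for pattern, reason in WEAK_RULES:
        if pattern.search(name):
            return reason
    return None

def audit(spec):
    """Report problems in a cipher string and build a cleaned cipher= value."""
    ordered, dupes, empty = parse_cipher_list(spec)
    weak = {n: classify(n) for n in ordered if classify(n)}
    keep = [n for n in ordered if n not in weak]
    return {"empty_entries": empty, "duplicates": dupes, "weak": weak,
            "legacy": [n for n in keep if LEGACY.search(n)],
            "cipher": ":".join(keep)}
```

`audit(POSTED_CIPHERS)["cipher"]` is the value to put back into cipher=; the "legacy" entries are the 3DES suites a current deployment would also drop.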
Received on Thu Jul 31 2003 - 14:04:39 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:18:23 MST