On Friday, June 7, 2013 08:19 WEST, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> > 10.10.10.254 is the squid box. 3126 is the ssl intercept port.
> >
> > # grep 3126 /etc/sysconfig/iptables
> > [0:0] -A PREROUTING -i vlan10 -s 10.10.10.4 -p tcp -m tcp --dport 443 -j REDIRECT --to-port 3126
> >
> > Only my ip address is forwarded to 3126... Here is the sslbump part of the conf.
> >
> > https_port 3126 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/etproxy/ssl/myCA.pem
>
> Funny story ...
>
> *if* Squid were actually being "transparent proxy" here the outgoing
> details on these connections would be "source 10.10.10.4:random-port,
> destination some-IP:443". And your rule would loop that connection back
> into Squid.
>
> Unluckily for you "transparent" is currently an alias for "intercept"
> and the Squid outgoing IP should not be 10.10.10.4. So the same
> behaviour is being caused by something else more difficult to determine.
OK, changed to intercept. Thanks for the heads up.
>
> > acl sslsniff src 10.10.10.4
> > acl sslbumpbypass dst "/etc/etproxy/whitelist.https"
> > acl broken_sites dstdomain .twitter.com
> > acl broken_sites dstdomain .facebook.com
> > always_direct allow sslsniff
> > ssl_bump none sslbumpbypass
> > ssl_bump none broken_sites
> > ssl_bump server-first all
> > sslcrtd_program /usr/lib/squid/ssl_crtd -s /etc/etproxy/ssl/ssl_db -M 4MB
> > sslcrtd_children 5
>
> For starters check your configuration for the directive "via off" and
> *remove* it. If it does not exist, please report that fact.
It does not:
# grep via /etc/etproxy/* -Ri
#
(/etc/etproxy is where my conf files are).
> When that is done the broken requests should be rejected with a
> forwarding loop error message and not DoS the machine while you are
> testing for the source of the loop.
I don't have any via directive, so it seems that I hit some kind of issue. Squid configure parameters are:
Squid Cache: Version 3.3.5
configure options: '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i686-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--with-large-files' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--enable-ssl-crtd' '--with-pthreads' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i686-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables' 'PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience
> To track that down you can configure "debug_options ALL,1 11,2". Which
> will dump the HTTP protocol headers and IP:port details for each HTTP
> message through the proxy. Look for the ssl-bumped messages outbound
> from Squid and see what IP:port details are on them and try to work back
> from there how those details came to be.
Currently I'm using debug_options ALL,2 4,1 20,1 33,1 41,1 47,1 64,1 65,1 66,1 69,1 71,1 88,1 90,1
but as it's a production server the log file is huge.
# ls -lah /var/log/squid/cache.log
-rw-r----- 1 squid squid 4.2G Jun 7 09:14 /var/log/squid/cache.log
Are those debug options enough, or should I change to the ones you advised and retry until the error happens again?
Thank you for any help,
Nuno Fernandes
Received on Fri Jun 07 2013 - 08:18:11 MDT
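The thread turns on why a forwarding loop should be caught by Squid rather than exhausting the box: each hop through the proxy appends its own entry to the Via header, and a request that arrives already carrying that entry is rejected. With "via off" nothing is appended, so the same loop runs until resources run out. The following Python is an added example written for this page, not Squid's code; it models that mechanism on a constructed request, with the proxy name "myproxy" and the version string taken from the thread as assumptions.

```python
"""Via-header forwarding-loop detection, modelled on what Squid does.

Added example, not Squid source. Sample headers below are constructed.
"""
import re

# One Via entry: [HTTP/]version received-by [(comment)]
# received-by is a host[:port] or a pseudonym.
VIA_ENTRY = re.compile(
    r"^\s*(?:HTTP/)?(?P<version>\d(?:\.\d)?)\s+"
    r"(?P<host>[^\s,()]+)"
    r"(?:\s*\((?P<comment>[^)]*)\))?\s*$"
)


def _split_outside_parens(value):
    """Split on commas that are not inside a parenthesised comment."""
    parts, cur, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse_via(via_value):
    """Return a list of (version, received_by, comment) tuples."""
    entries = []
    for part in _split_outside_parens(via_value):
        m = VIA_ENTRY.match(part)
        if m:
            entries.append((m.group("version"), m.group("host"), m.group("comment") or ""))
    return entries


def detect_loop(headers, own_hostname):
    """True if this proxy's own name is already in the incoming Via header."""
    via = headers.get("Via")
    if via is None:
        return False
    return any(host.lower() == own_hostname.lower() for _, host, _ in parse_via(via))


def forward_headers(headers, own_hostname, version="squid/3.3.5", via_on=True):
    """Headers sent upstream: the proxy's Via entry is appended unless 'via off'."""
    out = dict(headers)
    if via_on:
        entry = "1.1 %s (%s)" % (own_hostname, version)
        out["Via"] = (out["Via"] + ", " + entry) if "Via" in out else entry
    return out


def simulate(hops, own_hostname, via_on):
    """Push one request back through the same proxy up to `hops` times.

    Returns the hop number at which the loop is caught, or None if it is
    never caught (the case the thread describes with 'via off').
    """
    headers = {"Host": "example.com"}  # constructed request
    for hop in range(1, hops + 1):
        if detect_loop(headers, own_hostname):
            return hop
        headers = forward_headers(headers, own_hostname, via_on=via_on)
    return None


if __name__ == "__main__":
    print("via on :", simulate(5, "myproxy", via_on=True))   # caught on hop 2
    print("via off:", simulate(5, "myproxy", via_on=False))  # never caught
```

With Via enabled the second pass through the proxy is rejected; with it disabled the request is re-forwarded indefinitely, which is why the advice is to remove any "via off" before hunting the real cause of the loop.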