Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-05 Thread Dragos Pacher
So far it seems there are some issues with my docker networks on the host, 
thank you for your help, I will come later if this will not be the case.

Kind regards,

Dragos

On Tuesday, March 5th, 2024 at 11:59 AM, Dragos Pacher wrote:

> Please see my replies in between the lines below.
> 
> On Tuesday, March 5th, 2024 at 5:40 AM, Amos Jeffries squ...@treenet.co.nz 
> wrote:
> 
> > On 5/03/24 08:03, Dragos Pacher wrote:
> > 
> > > Hello,
> > > 
> > > I am a Squid beginner and we would like to use Squid inside our
> > > organization only as a HTTPS traffic inspection/logging tool for some
> > > 3rd party apps that we bought,
> > > something close to what a "MITM proxy" is called but we will not do
> > > that, instead we use a self signed certificate and the 3rd party app
> > > owners know this. Everything is
> > > 100% completely legal. (Ps: I am the IT lead).
> > 
> > FYI: "MITM proxy" is a ridiculous term. "MITM" means "intermediary" in
> > security terminology, "proxy" means "intermediary" in networking
> > terminology.
> > So that term just means "intermediary intermediary", yeah.
> 
> 
> I did not coin this term, I was referring to this: https://mitmproxy.org,
> I guess it entered IT popular culture somehow..
> 
> > Any serious HTTPS inspection/logging by Squid needs some form of
> > SSL-Bump configuration and those 3rd-party Apps MUST be configured with
> > trust for the self-signed root CA you are using.
> > 
> > Without that nothing Squid (or any other proxy) does will allow traffic
> > inspection beyond the initial TLS handshake.
> 
> 
> I specified in my first email I did this already, maybe I was not so clear but
> my self-signed certificate is working with the 3rd party apps.
> 
> > Assuming that you have checked that detail, on to your issue ...
> > 
> > > We will be using Squid only internally, no outside access. Here is my
> > > issue with the current knowledge of Squid: POC running well on 3 servers
> > > but on the 4th I get no IPv6
> > > sockets:
> > > ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> > > tcp 0 0 10.10.0.16:3128 0.0.0.0:*
> > > LISTEN 2891391/(squid-1)
> > 
> > Your problem is the https(s)_port "port" configuration parameter.
> > 
> > This Squid is configured to listen like:
> > 
> > http_port 10.10.0.16:3128
> > 
> > or
> > 
> > http_port example.com:3128
> > 
> > (when example.com has only address 10.10.0.16)
> > 
> > The "http_port" receives port 80 syntax traffic, it may also be
> > "https_port" which receives port 443 syntax traffic.
> > 
> > > and on the other 3 I have IPv6:
> > > ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> > > tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED
> > > 997651/(squid-1)
> > > tcp6 0 0 :::3128 :::*
> > > LISTEN 997651/(squid-1)
> > 
> > These Squid are configured to listen like:
> > 
> > http_port 3128
> > 
> > Ensure that the machine/server the 4th Squid is running on has its
> > http(s)_port line matching the other three machines port value.
> > 
> > At this point do not care about the "mode" or options later in the line.
> > Your issue is solely the "port" parameter.
> 
> 
> So far it seems I was missing [::] in my http_port in the problem server, 
> because of automatic deployment
> something went wrong and I assumed my Squid configuration is all the same all 
> over the place. I fixed this but the issue is still there,
> please see: this is inside a docker container on a healthy server:
> # netstat -patun
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 127.0.0.11:41421 0.0.0.0:* LISTEN 1574/dockerd
> tcp 0 1 172.18.0.10:46950 10.10.0.16:3128 SYN_SENT 307601/node
> udp 0 0 127.0.0.11:57486 0.0.0.0:* 1574/dockerd
> 
> and same netstat on the unhealthy server, still inside docker:
> 
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 127.0.0.11:38339 0.0.0.0:* LISTEN 273025/dockerd
> tcp 0 0 172.18.0.4:50666 10.10.0.11:3128 ESTABLISHED 494253/node
> tcp6 0 0 :::8080 :::* LISTEN 494253/node
> tcp6 0 0 127.0.0.1:8080 127.0.0.1:46168 TIME_WAIT -
> tcp6 0 0 127.0.0.1:8080 127.0.0.1:44480 TIME_WAIT -
> udp 0 0 127.0.0.11:56639 0.0.0.0:* 273025/dockerd
> 
> and a tcpdump from the docker bridge interface, 172.18.0.10 is my issue 
> container with the SYN sent only
> 
> root@A2-3:~# tcpdump -i br-7b47c165c9ba dst port 3128 -vvv
> tcpdump: listening on br-7b47c165c9ba, link-type EN10MB (Ethernet), snapshot 
> length 262144 bytes
> 09:55:53.436758 IP (tos 0x0, ttl 64, id 48752, offset 0, flags [DF], proto TCP (6), length 60)
>     172.18.0.10.59056 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x0dd4), seq 2115452268, win 65535, options [mss 1460,sackOK,TS val 1708093369 ecr 0,nop,wscale 11], length 0
> 
> 09:56:20.845804 IP (tos 0x0, ttl 64, id 40649, offset 0, flags [DF], proto TCP (6), length 60)
> 172.18.0.10.56272 > 

Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-05 Thread Dragos Pacher
Please see my replies in between the lines below.

On Tuesday, March 5th, 2024 at 5:40 AM, Amos Jeffries wrote:

> On 5/03/24 08:03, Dragos Pacher wrote:
> 
> > Hello,
> > 
> > I am a Squid beginner and we would like to use Squid inside our
> > organization only as a HTTPS traffic inspection/logging tool for some
> > 3rd party apps that we bought,
> > something close to what a "MITM proxy" is called but we will not do
> > that, instead we use a self signed certificate and the 3rd party app
> > owners know this. Everything is
> > 100% completely legal. (Ps: I am the IT lead).
> 
> 
> FYI: "MITM proxy" is a ridiculous term. "MITM" means "intermediary" in
> security terminology, "proxy" means "intermediary" in networking
> terminology.
> So that term just means "intermediary intermediary", yeah.
> 

I did not coin this term, I was referring to this: https://mitmproxy.org,
I guess it entered IT popular culture somehow..

> 
> 
> Any serious HTTPS inspection/logging by Squid needs some form of
> SSL-Bump configuration and those 3rd-party Apps MUST be configured with
> trust for the self-signed root CA you are using.
> 
> 
> Without that nothing Squid (or any other proxy) does will allow traffic
> inspection beyond the initial TLS handshake.
> 

I specified in my first email I did this already, maybe I was not so clear but
my self-signed certificate is working with the 3rd party apps.

> 
> 
> Assuming that you have checked that detail, on to your issue ...
> 
> > We will be using Squid only internally, no outside access. Here is my
> > issue with the current knowledge of Squid: POC running well on 3 servers
> > but on the 4th I get no IPv6
> > sockets:
> > ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp 0 0 10.10.0.16:3128 0.0.0.0:*
> > LISTEN 2891391/(squid-1)
> 
> 
> 
> Your problem is the https(s)_port "port" configuration parameter.
> 
> 
> This Squid is configured to listen like:
> 
> http_port 10.10.0.16:3128
> 
> or
> 
> http_port example.com:3128
> 
> (when example.com has only address 10.10.0.16)
> 
> 
> The "http_port" receives port 80 syntax traffic, it may also be
> "https_port" which receives port 443 syntax traffic.
> 
> > and on the other 3 I have IPv6:
> > ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED
> > 997651/(squid-1)
> > tcp6 0 0 :::3128 :::*
> > LISTEN 997651/(squid-1)
> 
> 
> 
> These Squid are configured to listen like:
> 
> http_port 3128
> 
> 
> Ensure that the machine/server the 4th Squid is running on has its
> http(s)_port line matching the other three machines port value.
> 
> At this point do not care about the "mode" or options later in the line.
> Your issue is solely the "port" parameter.
> 

So far it seems I was missing [::] in my http_port in the problem server, 
because of automatic deployment
something went wrong and I assumed my Squid configuration is all the same all 
over the place. I fixed this but the issue is still there,
please see: this is inside a docker container on a healthy server:
# netstat -patun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:41421        0.0.0.0:*               LISTEN      1574/dockerd
tcp        0      1 172.18.0.10:46950       10.10.0.16:3128         SYN_SENT    307601/node
udp        0      0 127.0.0.11:57486        0.0.0.0:*                           1574/dockerd

and same netstat on the unhealthy server, still inside docker:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:38339        0.0.0.0:*               LISTEN      273025/dockerd
tcp        0      0 172.18.0.4:50666        10.10.0.11:3128         ESTABLISHED 494253/node
tcp6       0      0 :::8080                 :::*                    LISTEN      494253/node
tcp6       0      0 127.0.0.1:8080          127.0.0.1:46168         TIME_WAIT   -
tcp6       0      0 127.0.0.1:8080          127.0.0.1:44480         TIME_WAIT   -
udp        0      0 127.0.0.11:56639        0.0.0.0:*                           273025/dockerd

and a tcpdump from the docker bridge interface, 172.18.0.10 is my issue 
container with the SYN sent only

root@A2-3:~# tcpdump -i br-7b47c165c9ba dst port 3128 -vvv
tcpdump: listening on br-7b47c165c9ba, link-type EN10MB (Ethernet), snapshot 
length 262144 bytes
09:55:53.436758 IP (tos 0x0, ttl 64, id 48752, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.59056 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x0dd4), seq 2115452268, win 65535, options [mss 1460,sackOK,TS val 1708093369 ecr 0,nop,wscale 11], length 0
09:56:20.845804 IP (tos 0x0, ttl 64, id 40649, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 

Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-04 Thread Amos Jeffries

On 5/03/24 08:03, Dragos Pacher wrote:
> Hello,
> 
> I am a Squid beginner and we would like to use Squid inside our
> organization only as a HTTPS traffic inspection/logging tool for some
> 3rd party apps that we bought,
> something close to what a "MITM proxy" is called but we will not do
> that, instead we use a self signed certificate and the 3rd party app
> owners know this. Everything is
> 100% completely legal. (Ps: I am the IT lead).

FYI: "MITM proxy" is a ridiculous term. "MITM" means "intermediary" in
security terminology, "proxy" means "intermediary" in networking
terminology.
So that term just means "intermediary intermediary", yeah.



Any serious HTTPS inspection/logging by Squid needs some form of 
SSL-Bump configuration and those 3rd-party Apps MUST be configured with 
trust for the self-signed root CA you are using.



Without that nothing Squid (or any other proxy) does will allow traffic 
inspection beyond the initial TLS handshake.




Assuming that you have checked that detail, on to your issue ...


> We will be using Squid only internally, no outside access. Here is my
> issue with the current knowledge of Squid: POC running well on 3 servers
> but on the 4th I get no IPv6
> sockets:
> ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> tcp        0      0 10.10.0.16:3128         0.0.0.0:*               LISTEN      2891391/(squid-1)



Your problem is the https(s)_port "port" configuration parameter.


This Squid is configured to listen like:

  http_port 10.10.0.16:3128

or

  http_port example.com:3128

(when example.com has only address 10.10.0.16)


The "http_port" receives port 80 syntax traffic, it may also be
"https_port" which receives port 443 syntax traffic.




> and on the other 3 I have IPv6:
> ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> tcp        0      0 x.x.x.x:52386           x.x.x.x:443             ESTABLISHED 997651/(squid-1)
> tcp6       0      0 :::3128                 :::*                    LISTEN      997651/(squid-1)



These Squid are configured to listen like:

 http_port 3128


Ensure that the machine/server the 4th Squid is running on has its 
http(s)_port line matching the other three machines port value.


At this point do not care about the "mode" or options later in the line. 
Your issue is solely the "port" parameter.



Cheers
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-04 Thread Dragos Pacher
Thank you Alex,

Indeed something is listening on this port, but it looks to be Squid:
root@A2-3:/# nc -6 -l 3128
nc: Address already in use

root@A2-3:/# lsof -i:3128
COMMAND PID  USER   FD   TYPEDEVICE SIZE/OFF NODE NAME
squid   3480423 proxy   25u  IPv4 283726201  0t0  TCP A2-3:3128 (LISTEN)

but the socket is IPV4 only on the problem host:
root@A2-3:/# lsof -a -i4 -i6 -itcp | grep 3128
squid 3480423   proxy   25u  IPv4 283726201  0t0  TCP A2-3:3128 
(LISTEN)

compared to a 'healthy' server:
root@A2-2:~# lsof -a -i4 -i6 -itcp | grep 3128
squid  997651   proxy   12u  IPv6 254219302  0t0  TCP 
A2-2:3128->x.x.x.x:46816 (ESTABLISHED)
squid  997651   proxy   25u  IPv6 241163587  0t0  TCP *:3128 
(LISTEN)

As I know, an IPv6 socket accepts both v4 and v6 connections but a v4 socket only
v4 connections, and this looks to be the symptom.

This is what I found in the cache.log:
2024/03/04 16:09:28 kid1| With 100 file descriptors available
2024/03/04 16:09:28 kid1| Initializing IP Cache...
2024/03/04 16:09:28 kid1| DNS IPv6 socket created at [::], FD 9
2024/03/04 16:09:28 kid1| DNS IPv4 socket created at 0.0.0.0, FD 10

so it looks like it creates the IPv6 socket but it's not working somehow:
root@A2-3:/# telnet ::1 3128
Trying ::1...
telnet: Unable to connect to remote host: Connection refused

Unfortunately nothing else relevant to me in the cache.log, I enabled 
debugging, to what email can I 
send the archive for you to look at it, please?

Thank you,

Dragos

Sent with Proton Mail secure email.

On Monday, March 4th, 2024 at 9:43 PM, Alex Rousskov wrote:

> On 2024-03-04 14:03, Dragos Pacher wrote:
> 
> > POC running well on 3 servers but on the 4th I get no IPv6
> > sockets:
> > ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp 0 0 10.10.0.16:3128 0.0.0.0:*
> > LISTEN 2891391/(squid-1)
> 
> 
> Are there any other processes listening on IPv6 addresses on this
> problematic host?
> 
> Does something like "nc -6 -l 3128" listen on an IPv6 address on this
> problematic host?
> 
> If possible, please also check cache.log for messages mentioning IPv6
> and "BCP 177"; I know you shared syslog output, but I am a bit worried
> that syslog might be missing some relevant early debugging messages.
> 
> 
> If nothing helps, consider sharing a pointer to compressed Squid startup
> cache.log after adding "debug_options ALL,2 50,3" to your squid.conf. We
> do not need to see any transactions, just Squid startup steps. Still,
> this log may contain some sensitive details, so share privately if needed.
> 
> 
> Thank you,
> 
> Alex.
> 
> 
> > and on the other 3 I have IPv6:
> > ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED
> > 997651/(squid-1)
> > tcp6 0 0 :::3128 :::*
> > LISTEN 997651/(squid-1)
> > tcp6 0 0 10.10.0.12:3128 10.20.0.1:39428
> > ESTABLISHED 997651/(squid-1)
> 
> 
> 
> 
> 
> 
> > This creates a problem for us since the apps I monitor are not starting
> > since their start routine is IPV6 only and then they switch to
> > IPv4/IPV6, but the start is IPV6 alone.
> > 
> > Therefore my questions are as follows:
> > 
> > 1. How can I make it listen on both IPV6/IPV4 like on the other servers?
> > 2. Any configuration improvement suggestions?
> > 
> > Please find all details here:
> > So far I did a POC on 4 servers, here is the full config, nothing
> > sophisticated since this is where my Squid knowledge took me so far.
> > Running Squid 6.7 with some basic options
> > on Ubuntu 22.04 kernel 5.15.0-89-generic x86_64
> > squid -v
> > Squid Cache: Version 6.7
> > Service Name: squid
> > This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:
> > '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid'
> > '--datadir=/share/squid' '--sysconfdir=/etc/squid'
> > '--with-default-user=proxy' '--with-logdir=/var/log/squid'
> > '--enable-ssl-crtd' '--with-openssl'
> > 
> > and here is the syslog of Squid start:
> > Mar 4 16:09:28 A2-3 systemd[1]: Starting Squid Web Proxy Server...
> > Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Processing
> > Configuration File: /etc/squid/squid.conf (depth 0)
> > Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: empty
> > ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
> > Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: The
> > "Hs" formatting code is deprecated. Use the ">Hs" instead.
> > Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Created PID
> > file (/var/run/squid.pid)
> > Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: will start 1 kids
> > Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: (squid-1) process
> > 3094665 started
> > Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1|
> > Processing Configuration File: /etc/squid/squid.conf (depth 0)
> > Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING:
> > empty 
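
As an added example (not code from this thread or from the Squid project), the following Python check applies Amos's rule above (an IPv4 literal in the http_port "port" parameter yields an IPv4-only socket, a bare port yields the tcp6 :::3128 listener) together with Dragos's observation that only the IPv6 socket accepts both families, and compares the prediction from each host's http_port line with its netstat -patun output so drift between deployed hosts shows up. It assumes Linux with the default net.ipv6.bindv6only=0; the http_port lines are the ones Amos inferred rather than a real squid.conf, and the netstat samples are constructed from the lines quoted in the thread.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Assumed: Linux with the default net.ipv6.bindv6only=0, so a v6 wildcard
# listener (netstat "tcp6 ... :::PORT") also accepts IPv4 clients.
IPV4_ONLY, IPV6_ONLY, DUAL_STACK = "ipv4-only", "ipv6-only", "dual-stack"
BRACKETED_V6 = re.compile(r"\[([0-9A-Fa-f:.]+)\]:(\d+)")


def classify_port_directive(line: str) -> Optional[Tuple[int, str]]:
    """(port, predicted family) for an http_port/https_port line, else None.
    Only the "port" parameter matters; mode and options after it do not."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("http_port", "https_port"):
        return None
    spec = parts[1]
    if spec.isdigit():                       # http_port 3128 -> all addresses
        return int(spec), DUAL_STACK
    m = BRACKETED_V6.fullmatch(spec)         # http_port [::]:3128 or [::1]:3128
    if m:
        wildcard = ipaddress.IPv6Address(m.group(1)).is_unspecified
        return int(m.group(2)), DUAL_STACK if wildcard else IPV6_ONLY
    host, sep, port = spec.rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        ipaddress.IPv4Address(host)          # http_port 10.10.0.16:3128
    except ipaddress.AddressValueError:      # http_port example.com:3128
        return int(port), "hostname:" + host  # family follows the DNS records
    return int(port), IPV4_ONLY


def observed_listeners(netstat_output: str) -> Dict[int, str]:
    """port -> observed family for every LISTEN socket owned by squid."""
    found: Dict[int, str] = {}
    for line in netstat_output.splitlines():
        cols = line.split()                  # netstat -patun columns
        if len(cols) < 7 or cols[5] != "LISTEN" or "squid" not in cols[6]:
            continue
        addr, _, port_text = cols[3].rpartition(":")
        port = int(port_text)
        if cols[0] == "tcp":
            family = IPV4_ONLY
        elif addr == "::":                   # v6 wildcard is printed as :::PORT
            family = DUAL_STACK
        else:
            family = IPV6_ONLY
        if port in found and found[port] != family:
            family = DUAL_STACK              # separate v4 and v6 sockets cover both
        found[port] = family
    return found


def audit(host: str, conf_lines: List[str], netstat_output: str,
          required: str = DUAL_STACK) -> List[str]:
    """Every way a host deviates from the required family: what its
    squid.conf predicts and what is actually listening."""
    findings = []
    observed = observed_listeners(netstat_output)
    for line in conf_lines:
        parsed = classify_port_directive(line)
        if parsed is None:
            continue
        port, predicted = parsed
        if predicted != required:
            findings.append(f"{host}: '{line}' predicts {predicted}, need {required}")
        actual = observed.get(port)
        if actual is None:
            findings.append(f"{host}: port {port} configured but nothing listening")
        elif actual != required:
            findings.append(f"{host}: port {port} listening {actual}, need {required}")
    return findings


# Constructed samples modelled on the netstat output quoted in the thread.
NETSTAT_A2_3 = "tcp 0 0 10.10.0.16:3128 0.0.0.0:* LISTEN 2891391/(squid-1)\n"
NETSTAT_A2_2 = ("tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED 997651/(squid-1)\n"
                "tcp6 0 0 :::3128 :::* LISTEN 997651/(squid-1)\n")

if __name__ == "__main__":  # http_port lines as Amos inferred them, not a real squid.conf
    print(audit("A2-3", ["http_port 10.10.0.16:3128 ssl-bump"], NETSTAT_A2_3))
    print(audit("A2-2", ["http_port 3128 ssl-bump"], NETSTAT_A2_2) or "A2-2 ok")
```

Running the audit against a host whose http_port was corrected to [::]:3128 but whose Squid has not been reloaded reports only the listener mismatch, which separates a config error from a stale process.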

Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-04 Thread Alex Rousskov

On 2024-03-04 14:03, Dragos Pacher wrote:


> POC running well on 3 servers but on the 4th I get no IPv6
> sockets:
> ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> tcp        0      0 10.10.0.16:3128         0.0.0.0:*               LISTEN      2891391/(squid-1)


Are there any other processes listening on IPv6 addresses on this 
problematic host?


Does something like "nc -6 -l 3128" listen on an IPv6 address on this 
problematic host?


If possible, please also check cache.log for messages mentioning IPv6 
and "BCP 177"; I know you shared syslog output, but I am a bit worried 
that syslog might be missing some relevant early debugging messages.



If nothing helps, consider sharing a pointer to compressed Squid startup 
cache.log after adding "debug_options ALL,2 50,3" to your squid.conf. We 
do not need to see any transactions, just Squid startup steps. Still, 
this log may contain some sensitive details, so share privately if needed.



Thank you,

Alex.




> and on the other 3 I have IPv6:
> ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> tcp        0      0 x.x.x.x:52386           x.x.x.x:443             ESTABLISHED 997651/(squid-1)
> tcp6       0      0 :::3128                 :::*                    LISTEN      997651/(squid-1)
> tcp6       0      0 10.10.0.12:3128         10.20.0.1:39428         ESTABLISHED 997651/(squid-1)
> 
> This creates a problem for us since the apps I monitor are not starting
> since their start routine is IPV6 only and then they switch to
> IPv4/IPV6, but the start is IPV6 alone.
> 
> Therefore my questions are as follows:
> 
>  1. How can I make it listen on both IPV6/IPV4 like on the other servers?
>  2. Any configuration improvement suggestions?
> 
> Please find all details here:
> So far I did a POC on 4 servers, here is the full config, nothing
> sophisticated since this is where my Squid knowledge took me so far.
> Running Squid 6.7 with some basic options
> on Ubuntu 22.04 kernel 5.15.0-89-generic x86_64
> squid -v
> Squid Cache: Version 6.7
> Service Name: squid
> This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:
> '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid'
> '--datadir=/share/squid' '--sysconfdir=/etc/squid'
> '--with-default-user=proxy' '--with-logdir=/var/log/squid'
> '--enable-ssl-crtd' '--with-openssl'
> 
> and here is the syslog of Squid start:
> Mar  4 16:09:28 A2-3 systemd[1]: Starting Squid Web Proxy Server...
> Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Processing Configuration File: /etc/squid/squid.conf (depth 0)
> Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
> Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
> Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Created PID file (/var/run/squid.pid)
> Mar  4 16:09:28 A2-3 squid[3094662]: Squid Parent: will start 1 kids
> Mar  4 16:09:28 A2-3 squid[3094662]: Squid Parent: (squid-1) process 3094665 started
> Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Processing Configuration File: /etc/squid/squid.conf (depth 0)
> Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
> Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
> Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Set Current Directory to /var/cache/squid
> Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Creating missing swap directories
> Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| No cache_dir stores are configured.
> Mar  4 16:09:28 A2-3 squid[3094662]: Squid Parent: squid-1 process 3094665 exited with status 0
> Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Removing PID file (/var/run/squid.pid)
> Mar  4 16:09:28 A2-3 squid[3094666]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
> Mar  4 16:09:28 A2-3 squid[3094666]: WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
> Mar  4 16:09:28 A2-3 squid[3094666]: WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
> Mar  4 16:09:28 A2-3 squid[3094666]: Created PID file (/var/run/squid.pid)
> Mar  4 16:09:28 A2-3 squid[3094666]: Squid Parent: will start 1 kids
> Mar  4 16:09:28 A2-3 squid[3094666]: Squid Parent: (squid-1) process 3094668 started
> Mar  4 16:09:28 A2-3 squid[3094668]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
> Mar  4 16:09:28 A2-3 squid[3094668]: WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
> Mar  4 16:09:28 A2-3 squid[3094668]: WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
> Mar  4 16:09:28 A2-3 squid[3094668]: Set Current Directory to /var/cache/squid
> Mar  4 16:09:28 A2-3 squid[3094668]: 

[squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-04 Thread Dragos Pacher
Hello,

I am a Squid beginner and we would like to use Squid inside our organization 
only as a HTTPS traffic inspection/logging tool for some 3rd party apps that we 
bought,
something close to what a "MITM proxy" is called but we will not do that, 
instead we use a self signed certificate and the 3rd party app owners know 
this. Everything is
100% completely legal. (Ps: I am the IT lead).

We will be using Squid only internally, no outside access. Here is my issue 
with the current knowledge of Squid: POC running well on 3 servers but on the 
4th I get no IPv6
sockets:
ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
tcp 0 0 10.10.0.16:3128 0.0.0.0:* LISTEN 2891391/(squid-1)

and on the other 3 I have IPv6:
ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED 997651/(squid-1)
tcp6 0 0 :::3128 :::* LISTEN 997651/(squid-1)
tcp6 0 0 10.10.0.12:3128 10.20.0.1:39428 ESTABLISHED 997651/(squid-1)

This creates a problem for us since the apps I monitor are not starting since 
their start routine is IPV6 only and then they switch to IPv4/IPV6, but the 
start is IPV6 alone.

Therefore my questions are as follows:

- How can I make it listen on both IPV6/IPV4 like on the other servers?
- Any configuration improvement suggestions?

Please find all details here:
So far I did a POC on 4 servers, here is the full config, nothing sophisticated 
since this is where my Squid knowledge took me so far. Running Squid 6.7 with 
some basic options
on Ubuntu 22.04 kernel 5.15.0-89-generic x86_64
squid -v
Squid Cache: Version 6.7
Service Name: squid
This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options: 
'--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid' 
'--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' 
'--with-logdir=/var/log/squid' '--enable-ssl-crtd' '--with-openssl'

and here is the syslog of Squid start:
Mar 4 16:09:28 A2-3 systemd[1]: Starting Squid Web Proxy Server...
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Processing 
Configuration File: /etc/squid/squid.conf (depth 0)
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: empty ACL: 
acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: The "Hs" 
formatting code is deprecated. Use the ">Hs" instead.
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Created PID file 
(/var/run/squid.pid)
Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: will start 1 kids
Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: (squid-1) process 3094665 
started
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Processing 
Configuration File: /etc/squid/squid.conf (depth 0)
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: empty 
ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: The "Hs" 
formatting code is deprecated. Use the ">Hs" instead.
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Set Current 
Directory to /var/cache/squid
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Creating missing 
swap directories
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| No cache_dir 
stores are configured.
Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: squid-1 process 3094665 
exited with status 0
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Removing PID file 
(/var/run/squid.pid)
Mar 4 16:09:28 A2-3 squid[3094666]: Processing Configuration File: 
/etc/squid/squid.conf (depth 0)
Mar 4 16:09:28 A2-3 squid[3094666]: WARNING: empty ACL: acl broken_sites 
ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar 4 16:09:28 A2-3 squid[3094666]: WARNING: The "Hs" formatting code is 
deprecated. Use the ">Hs" instead.
Mar 4 16:09:28 A2-3 squid[3094666]: Created PID file (/var/run/squid.pid)
Mar 4 16:09:28 A2-3 squid[3094666]: Squid Parent: will start 1 kids
Mar 4 16:09:28 A2-3 squid[3094666]: Squid Parent: (squid-1) process 3094668 
started
Mar 4 16:09:28 A2-3 squid[3094668]: Processing Configuration File: 
/etc/squid/squid.conf (depth 0)
Mar 4 16:09:28 A2-3 squid[3094668]: WARNING: empty ACL: acl broken_sites 
ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar 4 16:09:28 A2-3 squid[3094668]: WARNING: The "Hs" formatting code is 
deprecated. Use the ">Hs" instead.
Mar 4 16:09:28 A2-3 squid[3094668]: Set Current Directory to /var/cache/squid
Mar 4 16:09:28 A2-3 squid[3094668]: Starting Squid Cache version 6.7 for 
x86_64-pc-linux-gnu...
Mar 4 16:09:28 A2-3 squid[3094668]: Service Name: squid
Mar 4 16:09:28 A2-3 squid[3094668]: Process ID 3094668
Mar 4 16:09:28 A2-3 squid[3094668]: Process Roles: worker
Mar 4 16:09:28 A2-3 squid[3094668]: With 100 file descriptors available
Mar 4 16:09:28 A2-3 squid[3094668]: Initializing IP Cache...
Mar 4 16:09:28 A2-3 squid[3094668]: DNS IPv6 socket created at [::], FD