Re: [squid-users] squid-5.4 blocking on ipv6 outage

2022-02-20 Thread Eliezer Croitoru
Hey,

Bugs to the rescue

+1

Eliezer


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

From: squid-users On Behalf Of Jason Haar
Sent: Monday, February 21, 2022 03:44
To: Squid Users
Subject: [squid-users] squid-5.4 blocking on ipv6 outage

Hi there

I've noticed that the Internet ipv6 is not quite as reliable as ipv4, in that
squid reports it cannot connect to web servers with an ipv6 error when the web
server is still available over ipv4.

eg right now one of our Internet-based web apps (which has 2 ipv6 and 2 ipv4 IP
addresses mapped to its DNS name) is not responding over ipv6 for some reason
(I dunno - not involved myself) - but is working fine over ipv4. Squid-5.4 is
erroring out - saying that it cannot connect to the first ipv6 address with a
"no route to host" error. But if I use good-ol' telnet to the DNS name, telnet
shows it trying-and-failing against both ipv6 addresses and then succeeds
against the ipv4. ie it works and squid doesn't. BTW the same squid server is
currently fine with ipv6 clients talking to it and it talking over ipv6 to
Internet hosts like google.com - ie this is an ipv6 outage on one Internet host
where its ipv4 is still working.

This doesn't seem like a negative_dns_ttl setting issue, it seems like squid
just tries one address on a multiple-IP DNS record and stops trying? I even got
tcpdump up and can see that when I do a "shift-reload" on the webpage, squid
only sends a few SYN packets to the same non-working IPv6 address - it doesn't
even try the other 3 IPs?

I also checked squidcachemgr.cgi and the DNS record isn't even cached in "FQDN
Cache Stats and Contents", which I guess is consistent with its opinion that
it's not working.

Any ideas what's going on there? thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] squid-5.4 blocking on ipv6 outage

2022-02-20 Thread Jason Haar
Hi there

I've noticed that the Internet ipv6 is not quite as reliable as ipv4, in
that squid reports it cannot connect to web servers with an ipv6 error when
the web server is still available over ipv4.

eg right now one of our Internet-based web apps (which has 2 ipv6 and 2
ipv4 IP addresses mapped to its DNS name) is not responding over ipv6 for
some reason (I dunno - not involved myself) - but is working fine over
ipv4. Squid-5.4 is erroring out - saying that it cannot connect to the
first ipv6 address with a "no route to host" error. But if I use good-ol'
telnet to the DNS name, telnet shows it trying-and-failing against both
ipv6 addresses and then succeeds against the ipv4. ie it works and squid
doesn't. BTW the same squid server is currently fine with ipv6 clients
talking to it and it talking over ipv6 to Internet hosts like google.com -
ie this is an ipv6 outage on one Internet host where its ipv4 is still
working.

This doesn't seem like a negative_dns_ttl setting issue, it seems like
squid just tries one address on a multiple-IP DNS record and stops trying?
I even got tcpdump up and can see that when I do a "shift-reload" on the
webpage, squid only sends a few SYN packets to the same non-working IPv6
address - it doesn't even try the other 3 IPs?

I also checked squidcachemgr.cgi and the DNS record isn't even cached in
"FQDN Cache Stats and Contents", which I guess is consistent with its
opinion that it's not working.

Any ideas what's going on there? thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
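As an added example (not code from the thread or from Squid), here is a small connectivity check that does what the telnet test above did: resolve the name, walk every returned address in order, and record which ones fail before one succeeds, so an IPv6-only outage on a dual-stack host shows up as "two AAAA failures, connected over A". The resolver and connector are injectable so the constructed scenario (two unreachable IPv6 addresses, two reachable IPv4 ones) runs offline; `check_host("www.example.com")` with the defaults performs real lookups and TCP connects.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

Address = Tuple[int, str]                       # (address family, IP literal)
Connector = Callable[[Address, int, float], bool]

def resolve(host: str, port: int) -> List[Address]:
    """Every A/AAAA answer for host, in getaddrinfo order, without duplicates."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return list(dict.fromkeys((fam, sa[0]) for fam, *_rest, sa in infos))

def tcp_connect(addr: Address, port: int, timeout: float) -> bool:
    """One TCP handshake against a single address; any OSError is a failure."""
    family, ip = addr
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
        return True
    except OSError:
        return False

def try_all(addrs: List[Address], port: int, connect: Connector,
            timeout: float = 3.0) -> Tuple[Optional[Address], List[Address]]:
    """Try addresses in order, stop at the first success (what telnet does).
    Returns (address that connected or None, addresses that failed first)."""
    failed: List[Address] = []
    for addr in addrs:
        if connect(addr, port, timeout):
            return addr, failed
        failed.append(addr)
    return None, failed

def check_host(host: str, port: int = 443, connect: Connector = tcp_connect,
               resolver=resolve) -> Dict[str, object]:
    connected, failed = try_all(resolver(host, port), port, connect)
    return {"host": host, "connected": connected, "failed": failed}

# Constructed scenario mirroring the report: 2 AAAA + 2 A records, IPv6 side down.
FAKE_ADDRS: List[Address] = [(socket.AF_INET6, "2001:db8::1"), (socket.AF_INET6, "2001:db8::2"),
                             (socket.AF_INET, "192.0.2.10"), (socket.AF_INET, "192.0.2.11")]

def fake_connect(addr: Address, port: int, timeout: float) -> bool:
    return addr[0] == socket.AF_INET             # only the IPv4 addresses answer

def demo() -> Dict[str, object]:
    """Offline run of the constructed scenario; real lookups need no arguments."""
    return check_host("app.example", 443, connect=fake_connect, resolver=lambda h, p: FAKE_ADDRS)
```

Run it against the affected name from the proxy host and compare with a tcpdump of Squid's SYNs: if the script connects after the AAAA failures while Squid only retries the first IPv6 address, the outage is confirmed to be on the server side and the difference is in Squid's address iteration.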


Re: [squid-users] Splice certain SNIs which served by the same IP

2022-02-20 Thread Eliezer Croitoru
Hey Ben,

I have seen your email, however I didn't have enough time to respond.
I and others need some free time…
I am more than willing to test this issue in my local test environment.
I can test it on Oracle Enterprise Linux 8 with the latest 4.x version.
We can simplify things by creating a very specific environment without any
unknowns.

You will need to provide the full details of the testing setup and the content
of:

acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/url-no-bump"
acl NoSSLInterceptRegexp ssl::server_name_regex -i "/usr/local/squid/etc/url-no-bump-regexp"

In my environment it works as expected without any issues while I am not using
ssl::server_name_regex.

The docs clearly state:

acl aclname ssl::server_name_regex [-i] \.foo\.com ...
  # regex matches server name obtained from various sources [fast]

So you should try to use:

acl aclname ssl::server_name [option] .foo.com ...
  # matches server name obtained from various sources [fast]

instead as a starting point.

I understand you need some help but I and others have other obligations in life,
so it would happen from time to time that someone is not free to try and help
you.

All the best,
Eliezer

* If someone would have provided me with enough food and other living expenses
I might have been free enough to help you.


Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
From: squid-users On Behalf Of Ben Goz
Sent: Thursday, February 17, 2022 14:47
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Splice certain SNIs which served by the same IP

By the help of God.

Any insights?

Thanks,
Ben

On Mon, 14 Feb 2022 at 15:49, Ben Goz <ben.go...@gmail.com> wrote:

By the help of God.

Hi,

My squid version is 4.15, using it on tproxy configuration.

I'm using ssl bump to intercept https connections, but I want to splice several
domains.
I have a problem that when I'm splicing some google domains eg. youtube.com then
the gmail.com domain is also spliced.

I know that it is very common for google servers to host multiple domains on a
single server.
And I suspect that when I'm splicing for example youtube.com it'll also splice
google.com.

Here are my squid configurations for the ssl bump:

https_port  ssl-bump tproxy generate-host-certificates=on options=ALL
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem
dhparams=/usr/local/squid/etc/dhparam.pem sslflags=NO_DEFAULT_CA

acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/url-no-bump"
acl NoSSLInterceptRegexp ssl::server_name_regex -i "/usr/local/squid/etc/url-no-bump-regexp"
ssl_bump splice NoSSLInterceptRegexp_always
ssl_bump splice NoSSLIntercept
ssl_bump splice NoSSLInterceptRegexp
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

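As an added dry-run tool (not from the thread and not Squid code) for the two ACL files named above: given the entries of url-no-bump and url-no-bump-regexp plus a list of observed server names, it reports which names the splice rules would match and by which entry, so over-broad entries are visible before they reach squid.conf. The matching semantics are an assumption taken from the Squid ACL documentation: ssl::server_name entries match like dstdomain (a leading dot matches the domain and its subdomains, no dot means an exact match) and ssl::server_name_regex entries are unanchored regexes, case-insensitive with -i. The file contents and SNI list are constructed, since the thread does not show the real ones.

```python
import re
from typing import Dict, List, Tuple

def load_entries(text: str) -> List[str]:
    """Parse a squid ACL file body: one entry per line, '#' comments and blanks ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def server_name_match(entry: str, name: str) -> bool:
    """Assumed dstdomain-style rule: '.foo.com' matches foo.com and *.foo.com,
    'foo.com' matches only foo.com. Case-insensitive, trailing dot ignored."""
    entry, name = entry.lower(), name.lower().rstrip(".")
    if entry.startswith("."):
        return name == entry[1:] or name.endswith(entry)
    return name == entry

def server_name_regex_match(entry: str, name: str, ignore_case: bool = True) -> bool:
    """Unanchored regex search, as 'ssl::server_name_regex -i' is documented to do."""
    return re.search(entry, name, re.IGNORECASE if ignore_case else 0) is not None

def classify(names: List[str], plain: List[str], regex: List[str]) -> Dict[str, Tuple[str, List[str]]]:
    """For each server name: ('splice' if any entry matches, else 'bump', matching entries)."""
    out: Dict[str, Tuple[str, List[str]]] = {}
    for name in names:
        hits = [f"server_name:{e}" for e in plain if server_name_match(e, name)]
        hits += [f"server_name_regex:{e}" for e in regex if server_name_regex_match(e, name)]
        out[name] = ("splice" if hits else "bump", hits)
    return out

# Constructed file contents (the thread does not show the real ones).
URL_NO_BUMP = """
# splice list for ssl::server_name
.youtube.com
"""
URL_NO_BUMP_REGEXP = r"""
youtube\.com
"""
OBSERVED_SNIS = ["youtube.com", "www.youtube.com", "gmail.com", "notyoutube.com"]

def demo() -> Dict[str, Tuple[str, List[str]]]:
    return classify(OBSERVED_SNIS, load_entries(URL_NO_BUMP), load_entries(URL_NO_BUMP_REGEXP))
```

In the constructed run gmail.com matches neither file, so a splice of it cannot come from these name ACLs as written, while notyoutube.com is spliced only by the unanchored regex entry; that is the kind of over-match the plain ssl::server_name form avoids.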