[squid-users] How to combine two proxies into one?
Hi, Here are the conf files for two proxies. The first is a reverse proxy (proxied on server1 and server2) and the second is a forward proxy. Is there a way to combine the two into one (supporting both 3129 and 3128)? Thanks. $ grep -v '^#' squid.conf|grep -v '^$' acl localnet src 10.0.0.0/8# RFC1918 possible internal network acl localnet src 172.16.0.0/12# RFC1918 possible internal network acl localnet src 192.168.0.0/16# RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80# http acl Safe_ports port 21# ftp acl Safe_ports port 443# https acl Safe_ports port 70# gopher acl Safe_ports port 210# wais acl Safe_ports port 1025-65535# unregistered ports acl Safe_ports port 280# http-mgmt acl Safe_ports port 488# gss-http acl Safe_ports port 591# filemaker acl Safe_ports port 777# multiling http acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access allow localnet http_access allow localhost http_access deny all http_port 3129 cache_peer server1 parent 3128 0 round-robin no-query cache_peer server2 parent 3128 0 round-robin no-query forwarded_fordelete coredump_dir /usr/local/var/cache/squid refresh_pattern ^ftp:144020%10080 refresh_pattern ^gopher:14400%1440 refresh_pattern -i (/cgi-bin/|\?) 00%0 refresh_pattern .020%4320 $ grep -v '^#' squid.conf|grep -v '^$' acl localnet src 172.16.0.0/12# RFC1918 possible internal network acl SSL_ports port 443 acl Safe_ports port 80# http acl Safe_ports port 21# ftp acl Safe_ports port 443# https acl Safe_ports port 70# gopher acl Safe_ports port 210# wais acl Safe_ports port 1025-65535# unregistered ports acl Safe_ports port 280# http-mgmt acl Safe_ports port 488# gss-http acl Safe_ports port 591# filemaker acl Safe_ports port 777# multiling http acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access allow localnet http_access allow localhost http_access allow all http_port 3128 coredump_dir /var/spool/squid3 refresh_pattern ^ftp:144020%10080 refresh_pattern ^gopher:14400%1440 refresh_pattern -i (/cgi-bin/|\?) 00%0 refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 refresh_pattern .020%4320 forwarded_for delete -- Regards, Peng ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid4 with ssl-bump single_dh_use unknown
Crypto part of the configure log: checking for nettle_md5_init in -lnettle... yes checking nettle/md5.h usability... yes checking nettle/md5.h presence... yes checking for nettle/md5.h... yes checking nettle/base64.h usability... yes checking nettle/base64.h presence... yes checking for nettle/base64.h... yes checking for Nettle 3.4 API compatibility... no configure: Using Nettle cryptographic library: yes checking for crypt in -lcrypt... yes checking for MD5Init in -lmd5... no checking for LIBGNUTLS... yes checking gnutls/gnutls.h usability... yes checking gnutls/gnutls.h presence... yes checking for gnutls/gnutls.h... yes checking gnutls/x509.h usability... yes checking gnutls/x509.h presence... yes checking for gnutls/x509.h... yes configure: GnuTLS library support: auto -lgnutls checking openssl/bio.h usability... yes checking openssl/bio.h presence... yes checking for openssl/bio.h... yes checking openssl/crypto.h usability... yes checking openssl/crypto.h presence... yes checking for openssl/crypto.h... yes checking openssl/err.h usability... yes checking openssl/err.h presence... yes checking for openssl/err.h... yes checking openssl/md5.h usability... yes checking openssl/md5.h presence... yes checking for openssl/md5.h... yes checking openssl/opensslv.h usability... yes checking openssl/opensslv.h presence... yes checking for openssl/opensslv.h... yes checking openssl/ssl.h usability... yes checking openssl/ssl.h presence... yes checking for openssl/ssl.h... yes checking openssl/x509v3.h usability... yes checking openssl/x509v3.h presence... yes checking for openssl/x509v3.h... yes checking openssl/engine.h usability... yes checking openssl/engine.h presence... yes checking for openssl/engine.h... yes checking openssl/txt_db.h usability... yes checking openssl/txt_db.h presence... yes checking for openssl/txt_db.h... yes checking for LIBOPENSSL... yes checking for EVP_PKEY_get0_RSA in -lcrypto... yes checking for BIO_meth_new in -lcrypto... yes checking for BIO_get_init in -lcrypto... yes checking for ASN1_STRING_get0_data in -lcrypto... yes checking for X509_STORE_CTX_get0_cert in -lcrypto... yes checking for X509_VERIFY_PARAM_get_depth in -lcrypto... yes checking for X509_STORE_CTX_get0_untrusted in -lcrypto... yes checking for X509_STORE_CTX_set0_untrusted in -lcrypto... yes checking for X509_up_ref in -lcrypto... yes checking for X509_CRL_up_ref in -lcrypto... yes checking for DH_up_ref in -lcrypto... yes checking for X509_get0_signature in -lcrypto... yes checking for SSL_CIPHER_find in -lssl... yes checking for SSL_CTX_set_tmp_rsa_callback in -lssl... no checking for SSL_SESSION_get_id in -lssl... yes checking for TLS_method in -lssl... yes checking for TLS_client_method in -lssl... yes checking for TLS_server_method in -lssl... yes checking for SSL_CTX_get0_certificate in -lssl... yes checking whether SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'"... yes checking whether SSL_get_new_ex_index() dup callback accepts 'const CRYPTO_EX_DATA *'"... yes checking whether SSL_CTX_sess_set_get_cb() callback accepts a const ID argument"... yes checking "whether X509_get0_signature() accepts const parameters"... yes checking whether the TXT_DB use OPENSSL_PSTRING data member... yes checking whether the squid workaround for buggy versions of sk_OPENSSL_PSTRING_value should used... no checking whether the workaround for OpenSSL IMPLEMENT_LHASH_ macros should used... yes checking whether hello message can be overwritten in SSL struct... no configure: OpenSSL library support: yes -lssl -lcrypto On Wed, Feb 14, 2018 at 2:02 PM, Peter Viskupwrote: > Build of squid 4.0.23 on current Debian 9 report the single_dh_use as not > known. > Older build of squid 3.5.21 on Debian 8 doesn't report it. > According the documentation [1] it should be known and supported. > > [1] http://www.squid-cache.org/Doc/config/http_port/ > > Is it a bug? > > Peter > > $ /usr/sbin/squid -v > Squid Cache: Version 4.0.23 > Service Name: squid > Squid built with SSLBump > > This binary uses OpenSSL 1.1.0f 25 May 2017. For legal restrictions > on distribution see https://www.openssl.org/source/license.html > > configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' > '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' > '--infodir=${prefix}/share/info' '--sysconfdir=/etc' > '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' > '--disable-maintainer-mode' '--disable-dependency-tracking' > '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 > -fdebug-prefix-map=/build/squid-4.0.23=. -fstack-protector-strong > -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 > -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--enable-build-info=Debian > linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' > '--libexecdir=/usr/lib/squid' '--runstatedir=/var/run/squid' > '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' >
[squid-users] Squid4 with ssl-bump single_dh_use unknown
Build of squid 4.0.23 on current Debian 9 report the single_dh_use as not known. Older build of squid 3.5.21 on Debian 8 doesn't report it. According the documentation [1] it should be known and supported. [1] http://www.squid-cache.org/Doc/config/http_port/ Is it a bug? Peter $ /usr/sbin/squid -v Squid Cache: Version 4.0.23 Service Name: squid Squid built with SSLBump This binary uses OpenSSL 1.1.0f 25 May 2017. For legal restrictions on distribution see https://www.openssl.org/source/license.html configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.0.23=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--enable-build-info=Debian linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--runstatedir=/var/run/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--disable-loadable-modules' '--enable-storeio=aufs,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-external-acl-helpers=file_userip,session,SQL_session,time_quota,unix_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--disable-esi' '--enable-icmp' '--enable-zph-qos' '--disable-ecap' '--disable-translation' '--disable-ident-lookups' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-security-cert-generators=file' '--enable-ssl-crtd' '--with-openssl' '--without-mit-krb5' '--without-heimdal-krb5' '--disable-wccp' '--disable-wccpv2' '--disable-ipv6' '--enable-build-info=Squid built with SSLBump' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.0.23=. -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.0.23=. -fstack-protector-strong -Wformat -Werror=format-security' $ /usr/sbin/squid -k parse -d 9 -n test 2018/02/14 13:33:41| Startup: Initializing Authentication Schemes ... 2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'basic' 2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'digest' 2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'negotiate' 2018/02/14 13:33:41| Startup: Initialized Authentication Scheme 'ntlm' 2018/02/14 13:33:41| Startup: Initialized Authentication. 2018/02/14 13:33:41| WARNING: BCP 177 violation. IPv6 transport forced OFF by build parameters. 2018/02/14 13:33:41| Processing Configuration File: /etc/squid/squid.conf (depth 0) 2018/02/14 13:33:41| Processing: acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) 2018/02/14 13:33:41| Processing: acl SSL_ports port 443 990 2018/02/14 13:33:41| Processing: acl Safe_ports port 80 # http 2018/02/14 13:33:41| Processing: acl Safe_ports port 21 # ftp 2018/02/14 13:33:41| Processing: acl Safe_ports port 443# https 2018/02/14 13:33:41| Processing: acl Safe_ports port 70 # gopher 2018/02/14 13:33:41| Processing: acl Safe_ports port 210# wais 2018/02/14 13:33:41| Processing: acl Safe_ports port 1025-65535 # unregistered ports 2018/02/14 13:33:41| Processing: acl Safe_ports port 280 # http-mgmt 2018/02/14 13:33:41| Processing: acl Safe_ports port 488 # gss-http 2018/02/14 13:33:41| Processing: acl Safe_ports port 591 # filemaker 2018/02/14 13:33:41| Processing: acl Safe_ports port 777 # multiling http 2018/02/14 13:33:41| Processing: acl Safe_ports port 990# ftps 2018/02/14 13:33:41| Processing: acl CONNECT method CONNECT 2018/02/14 13:33:41| Processing: acl purge method PURGE 2018/02/14 13:33:41| Processing: http_access deny !Safe_ports 2018/02/14 13:33:41| Processing: http_access deny CONNECT !SSL_ports 2018/02/14 13:33:41| Processing: http_access allow localhost manager 2018/02/14 13:33:41| Processing: http_access deny manager 2018/02/14 13:33:41| Processing: http_access allow localhost purge 2018/02/14 13:33:41| Processing: http_access deny purge 2018/02/14 13:33:41| Processing: http_access allow localhost 2018/02/14 13:33:41| Processing: http_access deny all 2018/02/14 13:33:41| Processing: include /etc/squid/conf.d/test-http_port.conf 2018/02/14 13:33:41| Processing Configuration File: