Hi Amos,

I tried your suggestion and even if the acl is matched the outgoing IP is not 
How to know why?
Working with squid 3.5.1. 
Original IP must be changed for

debug_options ALL,1 33,2 28,9 11,3

#HTTPS (SSL) traffic interception options
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1

acl disable-ssl-bump dstdomain -i "/etc/squid3/no-ssl-bump.acl"
acl step1 at_step SSLBump1
acl step2 at_step SSLBump2
acl step3 at_step SSLBump3

ssl_bump peek step1 all
ssl_bump splice step2 disable-ssl-bump
ssl_bump stare step2 all
ssl_bump splice step3 disable-ssl-bump
ssl_bump bump step3 all

acl UPLOAD method PUT
acl UPLOAD method POST
tcp_outgoing_address UPLOAD

http_access allow all

http_port 3128
http_port 8080 intercept
https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squidcert.pem

forward_max_tries 25
cache_mem 2 GB
maximum_object_size_in_memory 25 MB
maximum_object_size 1 GB

visible_hostname squid-v2

workers 3

coredump_dir /var/spool/squid3
cache_replacement_policy heap LFUDA
cache_dir rock /var/spool/squid3/cache1 4000 max-size=500
cache_dir aufs /var/spool/squid3/cache2 10000 16 256

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 80% 10080

# FortiGate interface of wccp
# wccp version 2 configuration
wccp2_service standard 90
# tunneling method GRE for forward traffic
wccp2_forwarding_method gre
# tunneling method GRE for return traffic
wccp2_return_method gre
# which interface to use for WCCP ( determines the interface from 

Debug sample:
2015/02/20 16:27:22.879| Checklist.cc(68) preCheck: 0x7fe877ccc7c8 checking 
slow rules
2015/02/20 16:27:22.879| Acl.cc(138) matches: checking http_access
2015/02/20 16:27:22.879| Acl.cc(138) matches: checking http_access#1
2015/02/20 16:27:22.879| Acl.cc(138) matches: checking all
2015/02/20 16:27:22.879| Ip.cc(107) aclIpAddrNetworkCompare: 
aclIpAddrNetworkCompare: compare:[::] ([::]:1887)  vs 
2015/02/20 16:27:22.879| Ip.cc(538) match: aclIpMatchIp: '' 
2015/02/20 16:27:22.879| Acl.cc(158) matches: checked: all = 1
2015/02/20 16:27:22.879| Acl.cc(158) matches: checked: http_access#1 = 1
2015/02/20 16:27:22.879| Acl.cc(158) matches: checked: http_access = 1
2015/02/20 16:27:22.880| Checklist.cc(61) markFinished: 0x7fe877ccc7c8 answer 
ALLOWED for match
2015/02/20 16:27:22.880| Checklist.cc(161) checkCallback: 
ACLChecklist::checkCallback: 0x7fe877ccc7c8 answer=ALLOWED
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7fff7a21ee80
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21ee80
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7fff7a21ee80
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21ee80
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7fff7a21e540
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21e540
2015/02/20 16:27:22.880| Checklist.cc(68) preCheck: 0x7fff7a21e540 checking 
fast ACLs
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking tcp_outgoing_address
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking (tcp_outgoing_address line)
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking UPLOAD
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: UPLOAD = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: (tcp_outgoing_address line) = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: tcp_outgoing_address = 1
2015/02/20 16:27:22.880| Checklist.cc(61) markFinished: 0x7fff7a21e540 answer 
ALLOWED for match
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7fff7a21e540
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21e540
2015/02/20 16:27:22.880| Checklist.cc(68) preCheck: 0x7fff7a21e460 checking 
fast ACLs
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking tcp_outgoing_address
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking (tcp_outgoing_address line)
2015/02/20 16:27:22.880| Acl.cc(138) matches: checking UPLOAD
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: UPLOAD = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: (tcp_outgoing_address line) = 1
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: tcp_outgoing_address = 1
2015/02/20 16:27:22.880| Checklist.cc(61) markFinished: 0x7fff7a21e460 answer 
ALLOWED for match
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7fff7a21e460
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21e460
2015/02/20 16:27:22.880| http.cc(2261) httpStart: POST 
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7fe877ccc7c8
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7fe877ccc7c8
2015/02/20 16:27:22| Error sending to ICMPv6 packet to 
[2a00:1450:4003:805::200e]. ERR: (101) Network is unreachable
2015/02/20 16:27:22.880| Client.cc(232) startRequestBodyFlow: expecting request 
body from  [0<=274<=274 274+1773 pipe0x7fe87814d198 cons0x7fe87814e688]
2015/02/20 16:27:22.880| FilledChecklist.cc(66) ~ACLFilledChecklist: 
ACLFilledChecklist destroyed 0x7fff7a21f390
2015/02/20 16:27:22.880| Checklist.cc(195) ~ACLChecklist: 
ACLChecklist::~ACLChecklist: destroyed 0x7fff7a21f390
2015/02/20 16:27:22.881| http.cc(2217) sendRequest: HTTP Server 
local= remote= FD 23 flags=1
2015/02/20 16:27:22.881| http.cc(2218) sendRequest: HTTP Server REQUEST:
POST /stat HTTP/1.1
Host: drive.google.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-control: no-cache
X-Same-Domain: explorer
X-Json-Requested: true
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Referer: https://drive.google.com/?authuser=0
Content-Length: 274
Pragma: no-cache
Via: 1.1 squid-v2 (squid/3.5.1)
Cache-Control: no-cache
Connection: keep-alive


-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of 
Amos Jeffries
Sent: Friday, 06 February 2015 10:13
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] derive HTTP/HTTPS upload traffic to a secondary 

On 6/02/2015 8:59 p.m., Josep Borrell wrote:
> Hi,
> I have a squid box with two interfaces. One ADSL 20/1Mb and one SHDSL 4/4Mb.
> It is a school and they are working with Google Apps for Education.
> They do a lot of uploading and when using the ADSL, it collapses promptly.
> Is it possible to derive only HTTP/HTTPS upload traffic to the SHDSL and 
> continue surfing with the ADSL ?

In a roundabout way.

If you look at the OSI model of networking Squid is layers 4-7, and those 
interfaces are part of layer 1-2. There is a whole disconnect layer 3 in 
between (the TCP/IP layer).

What you can do in Squid is set one of the tcp_outgoing_address, 
tcp_outgoing_tos, tcp_outgoing_mark directives to label the TCP traffic out of 
Squid. The system's routing rules need to take that detail from TCP and decide 
which interface to use.

> Maybe using one acl with methods POST and UPLOAD and some routing magic ?

Something like this..

 acl PUTPOST method PUT POST
 tcp_outgoing_address PUTPOST

Where is the IP address the system uses to send out SHDSL.
You may need both an IPv4 and IPv6 outgoing address set using PUTPOST acl.


squid-users mailing list
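
One way to check, from the same kind of debug output, whether a request for which tcp_outgoing_address matched actually left on the intended address. This is an added example, not code from the thread or from Squid; the log sample is constructed, all addresses are documentation-range placeholders, `records` and `audit` are hypothetical helper names, and the `local=` field is assumed to carry `address:port` as in the sample.

```python
import re

# A record starts at a timestamp ("kidN" appears when workers are in use).
TS = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?(?: kid\d+)?\| ")
ACL = re.compile(r"checked: tcp_outgoing_address = (\d)")
LOCAL = re.compile(r"sendRequest: HTTP Server local=(\[[^\]]*\]|[^:\s]*):\d+ ")
REQ = re.compile(r"sendRequest: HTTP Server REQUEST: (\S+) ")

# Constructed sample (placeholder addresses), line-wrapped like the excerpt above.
SAMPLE = """\
2015/02/20 16:27:22.880| Acl.cc(158) matches: checked: tcp_outgoing_address = 1
2015/02/20 16:27:22.881| http.cc(2217) sendRequest: HTTP Server
local=192.0.2.10:41234 remote=203.0.113.5:443 FD 23 flags=1
2015/02/20 16:27:22.881| http.cc(2218) sendRequest: HTTP Server REQUEST:
POST /stat HTTP/1.1
Host: upload.example.test
2015/02/20 16:27:23.102| Acl.cc(158) matches: checked: tcp_outgoing_address = 0
2015/02/20 16:27:23.103| http.cc(2217) sendRequest: HTTP Server
local=192.0.2.10:41240 remote=203.0.113.5:80 FD 25 flags=1
2015/02/20 16:27:23.103| http.cc(2218) sendRequest: HTTP Server REQUEST:
GET /index.html HTTP/1.1
"""

def records(text):
    """Re-join wrapped lines: a line without a timestamp continues the record."""
    rec = []
    for line in text.splitlines():
        if TS.match(line) and rec:
            yield " ".join(rec)
            rec = []
        if line.strip():
            rec.append(line.strip())
    if rec:
        yield " ".join(rec)

def audit(text, expected_ip):
    """Pair each forwarded request with the ACL verdict and socket address logged
    before it. Pairing is by adjacency, so interleaved requests can be mis-paired."""
    out, matched, local = [], None, None
    for rec in records(text):
        if m := ACL.search(rec):
            matched = m.group(1) == "1"
        elif m := LOCAL.search(rec):
            local = m.group(1).strip("[]")   # IPv6 is logged in brackets
        elif m := REQ.search(rec):
            status = ("not-selected" if not matched else
                      "as-configured" if local == expected_ip else "MISMATCH")
            out.append({"method": m.group(1), "local": local, "status": status})
            matched, local = None, None
    return out
```

Calling `audit(SAMPLE, "198.51.100.7")` flags the POST as `MISMATCH`: the ACL matched but the socket is still bound to the other address, which is the situation described at the top of this message.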