Sorry, that test was on the 5.8 version; I am using that boot environment right now. All others were on 6.6. Does 6.6 support the no-IP port combo?

Sent from my iPhone
> On Jul 12, 2024, at 09:16, Jonathan Lee <jonathanlee...@gmail.com> wrote:
>
> Tested with removal of IP and port: failed. If I leave port I get this:
>
> 2024/07/12 09:15:17| Processing: http_port :3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> 2024/07/12 09:15:17| FATAL: http_port: failed to resolve Host/IP:
> 2024/07/12 09:15:17| Not currently OK to rewrite swap log.
> 2024/07/12 09:15:17| storeDirWriteCleanLogs: Operation aborted.
> 2024/07/12 09:15:17| FATAL: Bungled /usr/local/etc/squid/squid.conf line 6: http_port :3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> 2024/07/12 09:15:17| Squid Cache (Version 5.8): Terminated abnormally.
>
>> On Jul 12, 2024, at 09:09, Jonathan Lee <jonathanlee...@gmail.com> wrote:
>>
>> Thanks, I fixed the firewall rules. I am trying tproxy and it seems to help with speed right now.
>>
>> Sent from my iPhone
>>
>>> On Jul 12, 2024, at 04:57, Amos Jeffries <squ...@treenet.co.nz> wrote:
>>>
>>> On 12/07/24 11:50, Jonathan Lee wrote:
>>>>> I recommend changing your main port to this:
>>>>>
>>>>> http_port 3128 ssl-bump ....
>>>> This is set to this when it processes
>>>> http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
>>>
>>> The key thing here was the removal of the IP address, so that Squid received both the 192.168.*.* and the 127.0.0.* traffic without needing separate http_port lines.
>>>
>>>>> and receiving the intercepted traffic on:
>>>>>
>>>>> http_port 3129 intercept ssl-bump …
>>>> Do you mean https?
>>>
>>> Sorry. I missed that you had an https_port using 3129 already.
>>>
>>>> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
>>>> Https uses that port 3129.
>>>> What should I adapt:
>>>> http_port
>>>> https_port?
>>>
>>> Both.
>>>
>>> FYI, there are two issues:
>>>
>>> 1) Listening on IP 127.0.0.1. Inside the OS there are different devices for localhost (lo) and WAN (eg. eth0). NAT is problematic already without introducing any tricky behaviours from bridging those "private" (lo) and "public" WAN devices.
>>>
>>> The simplest solution is just not to put any IP address on the squid.conf *port line(s) with intercept options. The OS will select one appropriate for whatever device and tell Squid on a per-connection basis.
>>>
>>> The more difficult way is to put one of the machine's "global" (WAN or LAN) IP addresses. In your case 192.168.1.1. With most connections being from the LAN, that minimizes the possible problems.
>>>
>>> 2) Listening on a well-known proxy port 3128 for intercepted traffic.
>>>
>>> There is malware in existence that scans for at least port 3128 (likely 1080, 8080 etc. common proxy ports) being used by proxies like yours and abuses them. As a result at least one popular antivirus network scanner (from Trend) does the same scan to detect insecure proxies.
>>>
>>> The worst thing about this situation is that the NAT very effectively hides the malware. So it is extremely hard to see whether it is happening to you.
>>>
>>> I am not sure what UI you are using to show those firewall rules in your other email. However, the one that had ALLOW for the port range 3128-3129 worries me. AFAIK that should only be for 3128, and a separate rule somewhere else to drop the intercepted port 3129 traffic pre-NAT.
>>>
>>> HTH
>>> Amos
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@lists.squid-cache.org
>>> https://lists.squid-cache.org/listinfo/squid-users
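An added configuration check, not code from the thread or from the Squid project, that reads http_port/https_port lines and flags the two problems Amos describes (an explicit IP on an intercept listener, and intercepting on a well-known proxy port) plus the bare `:3128` form that the 5.8 log above rejected. The sample squid.conf below is constructed for the demonstration and the finding codes are my own names.

```python
import re

# Common forward-proxy ports that Amos says are scanned for (3128, 1080, 8080).
WELL_KNOWN_PROXY_PORTS = {3128, 1080, 8080}
PORT_LINE = re.compile(r"^\s*(https?_port)\s+(\S+)(.*)$")


def split_addr(addr):
    """Split a *_port address into (host, port): '3128', ':3128',
    '192.168.1.1:3128' or '[::1]:3128'; host is '' when none is given."""
    if addr.startswith("["):                       # IPv6 literal
        host, _, port = addr[1:].partition("]:")
        return host, int(port)
    host, sep, port = addr.rpartition(":")
    return (host, int(port)) if sep else ("", int(addr))


def lint_squid_conf(text):
    """Return [(line_no, code)] for intercept/tproxy port lines that bind an
    explicit IP, use a bare leading colon, or sit on a well-known proxy port."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PORT_LINE.match(line)
        if not m:
            continue
        _directive, addr, rest = m.groups()
        opts = rest.split()
        if "intercept" not in opts and "tproxy" not in opts:
            continue  # a plain forward-proxy listener on 3128 is expected
        host, port = split_addr(addr)
        if host:
            findings.append((line_no, "explicit-ip"))       # let the OS pick the address per connection
        elif addr.startswith(":"):
            findings.append((line_no, "empty-host-colon"))  # write the bare port number instead
        if port in WELL_KNOWN_PROXY_PORTS:
            findings.append((line_no, "well-known-port"))   # intercept elsewhere and drop direct hits pre-NAT
    return findings


# Constructed sample that mirrors the thread's port lines (not a real squid.conf).
SAMPLE_CONF = """\
http_port 192.168.1.1:3128 intercept ssl-bump generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on
http_port 3128 ssl-bump generate-host-certificates=on
https_port 3129 intercept ssl-bump generate-host-certificates=on
http_port :3128 intercept ssl-bump
"""

if __name__ == "__main__":
    for line_no, code in lint_squid_conf(SAMPLE_CONF):
        print(f"squid.conf line {line_no}: {code}")
```

Lines 3 and 4 of the sample are the layout Amos recommends (forward listener on 3128, interception on a separate port with no IP) and produce no findings.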