RE: [squid-users] Re: RE : [squid-users] tcp_outgoing_mark + https

From: Sébastien WENSKE <sebastien_at_wenske.fr>
Date: Wed, 12 Dec 2012 07:44:07 +0000

Eliezer,

I'm running Debian 6 with a 3.6.9 kernel, Shorewall is v4.5.9.3 and Squid 3.2.3 (I had some trouble compiling 3.2.4).

Indeed, "just these to 100Mbit connection" is what I need :)

//////////////////////////////////////// squid.conf ////////////////////////////////////////////////////
acl swe src 10.0.0.0/16
http_access allow swe

acl vlan20 src 10.4.10.0/23
acl vlan30 src 10.4.20.0/24
acl vlan10 src 10.4.0.0/24
acl vlan11 src 10.4.2.0/24
acl airpad_test src 10.59.255.112/28
acl ouest-express src 10.42.7.0/24
acl vpn src 10.5.200.0/24
acl dmz src 172.16.4.0/24

acl to_localnet dst 10.4.0.0/16 10.5.0.0/16 192.168.0.0/16 172.16.5.0/24 10.100.0.0/16 172.16.100.0/24
acl to_localdomain dstdomain .xxxxxx.com .xxxxx.local .xxxxxx.fr .xxxxx.fr .xxxxx.dev
acl to_th2 dst 87.98.197.128/27
acl to_th2 dst 158.255.72.0/21
acl to_hq0_ext dst 46.218.147.88/29

acl whitelist_name dstdomain .kernel.org .debian.org
acl chat dstdomain talk.google.com

acl XMPP_Ports port 5222
acl SSL_ports port 443
acl SSH_ports port 8022
acl FTP_ports port 21 # ftp
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 9418 # git
acl Safe_ports port 443 # https
acl Safe_ports port 8080 #
acl Safe_ports port 8443 #
acl CONNECT method CONNECT

acl images url_regex \.(png|jpg|gif)$
acl numeric_url url_regex ^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?) ^[0-9\.:]*$

acl FTP proto FTP

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/users.pwd
auth_param basic children 5
auth_param basic realm HQ0ROUTER01 proxy-caching web server
auth_param basic credentialsttl 2 hours
acl auth proxy_auth REQUIRED

http_access allow localhost
http_access allow manager localhost
http_access deny manager

no_cache deny to_localdomain

### AIRPAD TEST ###
http_access allow airpad_test auth to_th2
http_access allow airpad_test auth CONNECT SSH_ports to_th2
http_access allow airpad_test auth to_localdomain
http_access allow airpad_test auth CONNECT SSH_ports to_localdomain
always_direct allow airpad_test
http_access deny airpad_test
###################

### OUEST-EXPRESS ###
http_access allow ouest-express to_th2
http_access allow ouest-express CONNECT SSH_ports to_th2
http_access allow ouest-express to_localdomain
http_access allow ouest-express CONNECT SSH_ports to_localdomain
always_direct allow ouest-express
http_access deny ouest-express
###################

#http_access allow local_ports
http_access allow to_localdomain
http_access allow to_localnet
http_access allow to_th2
#http_access deny local_ports

http_access allow to_hq0_ext

http_access allow CONNECT XMPP_Ports chat

# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access allow CONNECT FTP_ports
http_access deny CONNECT !SSL_ports

http_access deny numeric_url
#http_access deny to_localhost

#http_access allow localhost
http_access allow vlan30
http_access allow vlan20
http_access allow vlan10
http_access allow vlan11
http_access allow vpn
http_access allow dmz whitelist_name

# And finally deny all other access to this proxy
http_access deny all

### TCP MARK to USE FIBER CONNECTION ###
acl fibre dstdomain .microsoft.com .microsoft.fr .windowsupdate.com
acl fibre dstdomain .blackberry.com .nokia.com .htc.com .hockeyapp.net
acl fibre dstdomain .jboss.com .php.net .perl.org .eclipse.org
acl fibre dstdomain .xerox.com .hp.com .dell.com .gandi.net
acl fibre dstdomain .chronopost.fr
acl fibre dstdomain .paypal.fr .paypal.com
acl fibre dstdomain .ipadsl.net .speedtest.net
acl fibre dstdomain .google.fr .google.com .googleapis.com .googlecode.com .googlesyndication.com
acl fibre dstdomain .googleusercontent.com .gstatic.com .doubleclick.net .google-analytics.com
acl fibre dstdomain .proxad.net .kernel.org .debian.org .sourceforge.net .github.com
acl fibre dstdomain .stackoverflow.com .imgur.com
acl fibre dstdomain .twitter.com
acl fibre dstdomain .airtag.com .airtag.info .at-infra.net .rtmairtag.com

tcp_outgoing_mark 0x01 fibre
tcp_outgoing_mark 0x01 vlan10

########################################

# Squid normally listens to port 3128
http_port 8080 transparent
http_port 3128

forwarded_for off

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

cache_mem 2548 MB
maximum_object_size_in_memory 1024 KB
memory_replacement_policy lru

cache_replacement_policy lru
cache_dir ufs /var/cache/squid 81920 32 512
minimum_object_size 0 KB
maximum_object_size 1024 MB

# Leave coredumps in the first cache dir
coredump_dir /var/cache

logformat squid %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
#useragent_log /var/log/squid/useragents.log

cache_mgr xxxxxxxxxxx_at_xxxxxxxxx

visible_hostname hq0xxxxxxx01.xxxxx.local
append_domain .xxxxx.local

#ignore_expect_100 on [DEPRECATED]

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

error_directory /usr/share/errors/fr
///////////////////////////////////////////////////////////////////////////////////

Thanks

-----Original Message-----
From: Eliezer Croitoru [mailto:eliezer_at_ngtech.co.il]
Sent: Tuesday, 11 December 2012 20:43
To: Sébastien WENSKE
Cc: squid-users_at_squid-cache.org
Subject: [squid-users] Re: RE : [squid-users] tcp_outgoing_mark + https

Hey Sébastien,

What Linux and what Squid version?
It's different if your logic is "all to 100Mbit connection" or "just these to 100Mbit connection".
If you can share your squid.conf with the sensitive data removed, it may give us more info.

Regards,
Eliezer

On 12/11/2012 7:47 PM, Sébastien WENSKE wrote:
> Hi Eliezer,
>
> I'm not using SSL-Bump, I have a 100Mbit/s fiber connection and an SDSL 4Mbit/s.
> By default, all traffic goes through the SDSL except traffic to our production and VPN site-to-site.
>
> Squid is running on the same box, where I use Shorewall to route marked packets, and it is directly connected to the internet.
>
> Now, I want to mark packets with squid regarding dstdomain ACLs in order to "route" them on the 100Mb/s link.
> It works as expected with HTTP but not with HTTPS (CONNECT).
>
> Best regards,
> Sebastien
>
> ________________________________________
> From: Eliezer Croitoru [eliezer_at_ngtech.co.il]
> Sent: Tuesday, 11 December 2012 17:37
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] tcp_outgoing_mark + https
>
> Hey Sebastien,
>
> Are you using ssl-bump at all, or just plain CONNECT requests?
> Apart from the problem itself, it would help if you could explain more about the situation or
> the goal, beyond just routing web traffic over WAN connections.
> Do you have preference for specific routes? maybe you just want to
> load-balance?
>
> Maybe your approach is not in the right direction anyway?
>
> Regards,
> Eliezer
>
> On 12/11/2012 4:00 PM, Sébastien WENSKE wrote:
>> Hi List,
>>
>> I'm trying the "tcp_outgoing_mark" feature with dstdomain ACLs in
>> order to "route" web traffic on several WAN links, but I noticed
>> that it doesn't work with HTTPS requests.
>>
>> Does someone know how to achieve this?
>>
>> Many Thanks.
>> Sebastien
>>
>
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> sip:ngtech_at_sip2sip.info
> IT consulting for Nonprofit organizations eliezer <at> ngtech.co.il
>

--
Eliezer Croitoru
https://www1.ngtech.co.il
sip:ngtech_at_sip2sip.info
IT consulting for Nonprofit organizations eliezer <at> ngtech.co.il
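To audit which mark the ACL logic in the posted squid.conf assigns to a given request (a CONNECT to a "fibre" domain included), here is an added Python evaluator; it is not part of the thread and not Squid's own code, and it assumes a trimmed excerpt of the config above plus requests represented as a source IP and destination host.

```python
import ipaddress
# Constructed excerpt of the squid.conf posted above (assumption: trimmed, not the full file)
SQUID_CONF = """
acl vlan10 src 10.4.0.0/24
acl vlan30 src 10.4.20.0/24
acl fibre dstdomain .google.com .googleapis.com
acl fibre dstdomain .kernel.org .debian.org
acl chat dstdomain talk.google.com
tcp_outgoing_mark 0x01 fibre
tcp_outgoing_mark 0x01 vlan10
"""

def parse_conf(text):
    """Collect acl definitions ({name: (type, values)}) and tcp_outgoing_mark lines, in order."""
    acls, marks = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip trailing comments like "# ftp"
        if len(parts) >= 4 and parts[0] == "acl":
            kind, values = acls.setdefault(parts[1], (parts[2], []))
            if kind != parts[2]:  # Squid rejects an acl name reused with a different type
                raise ValueError(f"acl {parts[1]} mixes {kind} and {parts[2]}")
            values.extend(parts[3:])  # repeated acl lines accumulate, as in the posted config
        elif len(parts) >= 3 and parts[0] == "tcp_outgoing_mark":
            marks.append((int(parts[1], 0), parts[2:]))  # "0x01" -> 1
    return acls, marks

def acl_matches(kind, values, req):
    """Squid matching rules for the acl types the marking lines above depend on."""
    if kind == "src":
        src = ipaddress.ip_address(req["src"])
        return any(src in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower().rstrip(".")  # for CONNECT this is the authority's host part
        for v in values:
            v = v.lower()
            if v.startswith("."):  # leading dot: the domain itself and every subdomain
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:  # no leading dot: that exact hostname only
                return True
        return False
    raise ValueError(f"unsupported acl type {kind}")

def outgoing_mark(conf_text, req):
    """Mark set by the first tcp_outgoing_mark line whose ACLs all match (first match wins)."""
    acls, marks = parse_conf(conf_text)
    for mark, names in marks:
        if all(acl_matches(*acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return mark
    return None  # no line matched: Squid leaves the connection unmarked
```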
Received on Wed Dec 12 2012 - 07:46:35 MST