[lug] Squid question, IPv6 followup

duboulder blug-mail at duboulder.com
Thu Nov 29 17:43:13 MST 2018


Hm, I have firefox configured to use the same ip/port for both http & https proxies. I think
you need to configure your clients to use the same settings for https as for http.

If you want to know why, this is what I understand about https proxying from writing a specialized http proxy in go:

For https:// URLs and TLS connections, the browser connects to the proxy configured for HTTPS using plain http.
The request type is CONNECT instead of GET/HEAD/POST and includes the target host without a port number.
The proxy then connects to the target using plain TCP and port 443. Once that succeeds, the proxy sends a
200 OK response to the browser and after that it just relays TLS protocol bytes between the target and the browser.
After the TLS handshake, the bytes are encrypted and the proxy doesn't even know what requests are being
made over the encrypted channel.

------- Original Message -------
On Thursday, November 29, 2018 1:28 PM, Bear Giles <bgiles at coyotesong.com> wrote:

> Two questions/updates.
>
> SQUID
>
> I've set up squid, set up the proxy in chrome(ium), and when I check the squid logs I see plenty of connections. However the browser is timing out.
>
> The squid.conf file has
>
> acl localnet src 192.168.1.0/24
> acl localnet src fc00::/7
> acl localnet src fe80::/8
>
> http_access allow localnet
>
> The logs have
>
> 1543522496.906  60191 192.168.1.3 TCP_TUNNEL/200 39 CONNECT accounts.google.com:443 - HIER_DIRECT/172.217.10.109 -
> 1543522496.906  60474 192.168.1.3 TCP_TUNNEL/200 39 CONNECT www.gstatic.com:443 - HIER_DIRECT/172.217.10.99 -
> 1543522499.907  60925 192.168.1.3 TCP_TUNNEL/200 39 CONNECT mail.google.com:443 - HIER_DIRECT/172.217.10.101 -
> 1543522502.531  59850 192.168.1.3 TCP_TUNNEL/200 39 CONNECT mail.google.com:443 - HIER_DIRECT/172.217.10.101 -
>
> so I'm definitely specifying the correct src ipaddr. It's using CONNECT for the https addresses, and the response code is 200. I don't understand why the browser isn't picking it up.
>
> One odd thing is that I'm still seeing hits on the access log even though I've turned off the proxy.
>
> Ideas?
>
> COMCAST + IPv6
>
> I turned on IPv6 on my router and started seeing IPv6 addresses in ipconfig but I'm not sure I'm seeing global IPv6 addresses. It may be hit-and-miss, e.g., at the moment I think I have a 6-to-4 address (2002::) but at other times I've only seen FD00:: and FE80::.
>
> 2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
>     link/ether 48:4d:7e:f4:59:39 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.3/24 brd 192.168.1.255 scope global enp0s31f6
>        valid_lft forever preferred_lft forever
>     inet 10.0.0.3/24 brd 10.0.0.255 scope global enp0s31f6:0
>        valid_lft forever preferred_lft forever
>     inet6 2002:49e5:a81d:e472:4a4d:7eff:fef4:5939/64 scope global dynamic mngtmpaddr
>        valid_lft 1914sec preferred_lft 1314sec
>     inet6 fe80::4a4d:7eff:fef4:5939/64 scope link
>        valid_lft forever preferred_lft forever
>
> My router lets me specify IPv4 DNS servers but not IPv6 servers so I'll be switching to a DHCP server on one of my NUCs (or even one of the RPi). Maybe I'll get a different result with it. I can get the upstream DHCP server (Comcast) from my router... I can't think of any reason why a DHCP server sitting on an IPv4 address couldn't provide IPv6 info.... and can definitely imagine a huge headache if I called Comcast support and asked for the IPv6 address of the appropriate DHCP server.
>
> Bear