
#1
I have the same problem with 24.1.1.
On 23.7.10 everything works fine.


root@firewall:/usr/local/etc/squid # squid -k parse
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2024/02/08 10:36:31| Processing: http_port 10.10.2.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: http_port 10.30.2.254:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: http_port 10.10.50.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: http_port 10.10.51.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 4MB
2024/02/08 10:36:31| Processing: sslcrtd_children 5
2024/02/08 10:36:31| Processing: tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
2024/02/08 10:36:31| Processing: acl bump_step1 at_step SslBump1
2024/02/08 10:36:31| Processing: acl bump_step2 at_step SslBump2
2024/02/08 10:36:31| Processing: acl bump_step3 at_step SslBump3
2024/02/08 10:36:31| Processing: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
2024/02/08 10:36:31| WARNING: empty ACL: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
2024/02/08 10:36:31| Processing: ssl_bump peek bump_step1 all
2024/02/08 10:36:31| Processing: ssl_bump splice all
2024/02/08 10:36:31| Processing: ssl_bump peek bump_step2 all
2024/02/08 10:36:31| Processing: ssl_bump splice bump_step3 all
2024/02/08 10:36:31| Processing: ssl_bump bump
2024/02/08 10:36:31| Processing: sslproxy_cert_error deny all
2024/02/08 10:36:31| Processing: acl ftp proto FTP
2024/02/08 10:36:31| Processing: http_access allow ftp
2024/02/08 10:36:31| Processing: acl localnet src 10.10.2.0/24 # Possible internal network (interfaces v4)
2024/02/08 10:36:31| Processing: acl localnet src 10.30.2.254/32 # Possible internal network (aliases)
2024/02/08 10:36:31| Processing: acl localnet src 10.10.50.0/24 # Possible internal network (interfaces v4)
2024/02/08 10:36:31| Processing: acl localnet src 10.10.51.0/24 # Possible internal network (interfaces v4)
2024/02/08 10:36:31| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
2024/02/08 10:36:31| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
2024/02/08 10:36:31| Processing: acl whiteList url_regex windowsupdate\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex \.windowsupdate\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex mp\.microsoft\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex \.mp\.microsoft\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex metaservices\.microsoft\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex \.metaservices\.microsoft\.com
2024/02/08 10:36:31| Processing: acl remoteblacklist_UT1 dstdomain "/usr/local/etc/squid/acl/UT1"
2024/02/08 10:36:31| Processing: acl SSL_ports port 443 # https
2024/02/08 10:36:31| Processing: acl Safe_ports port 80 # http
2024/02/08 10:36:31| Processing: acl Safe_ports port 21 # ftp
2024/02/08 10:36:31| Processing: acl Safe_ports port 443 # https
2024/02/08 10:36:31| Processing: acl Safe_ports port 70 # gopher
2024/02/08 10:36:31| Processing: acl Safe_ports port 210 # wais
2024/02/08 10:36:31| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2024/02/08 10:36:31| Processing: acl Safe_ports port 280 # http-mgmt
2024/02/08 10:36:31| Processing: acl Safe_ports port 488 # gss-http
2024/02/08 10:36:31| Processing: acl Safe_ports port 591 # filemaker
2024/02/08 10:36:31| Processing: acl Safe_ports port 777 # multiling http
2024/02/08 10:36:31| Processing: acl CONNECT method CONNECT
2024/02/08 10:36:31| Processing: icap_enable off
2024/02/08 10:36:31| Processing: include /usr/local/etc/squid/pre-auth/*.conf
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2024/02/08 10:36:31| Processing: cache_peer 10.10.253.10 parent 3128 0 no-query default
2024/02/08 10:36:31| Processing: acl ExcludePPDomains dstdomain .lan .wlan .purner.eu
2024/02/08 10:36:31| Processing: acl ExcludePPIPs dst 10.10.2.0/24 10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 10.10.31.0/24 10.10.40.0/24 10.10.50.0/24 10.10.51.0/24 10.10.60.0/24 10.10.61.0/24 10.10.70.0/24 10.10.71.0/24 10.10.200.0/24 10.10.201.0/24 10.10.254.0/24 172.30.30.0/24 10.2.0.1 10.96.0.1 10.98.0.1 172.30.100.0/24 10.10.253.0/24
2024/02/08 10:36:31| Processing: cache_peer_access 10.10.253.10 deny ExcludePPDomains
2024/02/08 10:36:31| Processing: cache_peer_access 10.10.253.10 deny ExcludePPIPs
2024/02/08 10:36:31| Processing: cache_peer_access 10.10.253.10 allow all
2024/02/08 10:36:31| Processing: never_direct deny ExcludePPDomains
2024/02/08 10:36:31| Processing: never_direct deny ExcludePPIPs
2024/02/08 10:36:31| Processing: never_direct allow all
2024/02/08 10:36:31| Processing: http_access allow whiteList
2024/02/08 10:36:31| Processing: http_access deny remoteblacklist_UT1
2024/02/08 10:36:31| Processing: http_access deny !Safe_ports
2024/02/08 10:36:31| Processing: http_access deny CONNECT !SSL_ports
2024/02/08 10:36:31| Processing: http_access allow localhost manager
2024/02/08 10:36:31| Processing: http_access deny manager
2024/02/08 10:36:31| Processing: http_access deny to_localhost
2024/02/08 10:36:31| Processing: include /usr/local/etc/squid/auth/*.conf
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2024/02/08 10:36:31| Processing: http_access allow localnet
2024/02/08 10:36:31| Processing: http_access allow localhost
2024/02/08 10:36:31| Processing: http_access deny all
2024/02/08 10:36:31| Processing: include /usr/local/etc/squid/post-auth/*.conf
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2024/02/08 10:36:31| Processing: cache_mem 256 MB
2024/02/08 10:36:31| Processing: coredump_dir /var/squid/cache
2024/02/08 10:36:31| Processing: refresh_pattern ^ftp:          1440    20%     10080
2024/02/08 10:36:31| Processing: refresh_pattern ^gopher:       1440    0%      1440
2024/02/08 10:36:31| Processing: refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
2024/02/08 10:36:31| Processing: refresh_pattern .              0       20%     4320
2024/02/08 10:36:31| Processing: access_log stdio:/var/log/squid/access.log squid
2024/02/08 10:36:31| Processing: cache_store_log none
2024/02/08 10:36:31| Processing: httpd_suppress_version_string on
2024/02/08 10:36:31| Processing: uri_whitespace strip
2024/02/08 10:36:31| Processing: forwarded_for on
2024/02/08 10:36:31| Processing: logfile_rotate 0
2024/02/08 10:36:31| Processing: cache_mgr proxy@purner.eu
2024/02/08 10:36:31| Processing: error_directory /usr/local/etc/squid/errors/local
2024/02/08 10:36:31| Requiring client certificates.
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
Segmentation fault (core dumped)



root@firewall:/usr/local/etc/squid # netstat -an | grep 3128 | wc -l
       4



root@firewall:/usr/local/etc/squid # pkg info | grep squid
os-squid-1.0                   Squid is a caching proxy for the web
squid-6.6                      HTTP Caching Proxy
squid-langpack-7.0.0.20230225  Language-specific error documents for Squid web cache
#2
Ok :-)

Now it works.

Changing the LAN MTU from 9000 to 4076 was the workaround. Now everything works fine.
#3
Thank you for these detailed instructions.

It has made my life much easier.


However, I have the problem that Plex is not accessible, neither internally nor externally.


The Plex log shows me this error:


CERT: incomplete TLS handshake from xxx.xxx.xxx:28422: stream truncated

HAProxy log:
Informational   haproxy   xx.x.xx.xxx:21734 [18/Dec/2023:02:33:09.222] 1_HTTPS_frontend/127.4.4.3:443: SSL handshake failure


The certificate is new and was requested via ACME with the exact same settings.


I am at a bit of a loss.

WAN MTU: 1500 (auto)
LAN MTU: 9000, on a 10G LAGG interface

#
# Automatically generated configuration.
# Do not edit this file manually.
#

# Process-level settings for the HAProxy daemon.
global
    # drop to uid/gid 80 and confine the process to a chroot after startup
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    # runtime socket at "admin" level: any member of group "proxy" can change the live proxy
    # state through it, so membership of that group is effectively proxy administration
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    8
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    # 4096-bit DH parameters for the DHE cipher(s) offered on the TLS frontend
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    # local syslog socket, facility local0, debug verbosity (noisy; handshake failures show up here)
    log                         /var/run/log local0 debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

# Values inherited by every frontend/backend below unless a section overrides them.
defaults
    log     global
    option redispatch -1
    maxconn 5000
    # 30s for client, connect and server; 1_HTTPS_frontend raises its client timeout to 15m
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:443 0.0.0.0:80)
frontend 0_SNI_frontend
    # public TCP-mode entry point on every interface, for both 443 and 80
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    # despite the name, no SNI inspection or use_backend rule exists in this section:
    # every accepted connection is passed to SSL_backend unchanged
    default_backend SSL_backend
    timeout client 30s

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    # plain-HTTP side on the loopback alias; accept-proxy means it expects the PROXY
    # protocol header that SSL_backend sends (send-proxy-v2), not direct client connections
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    # ssl_fc is true only when the frontend connection itself is TLS; this bind has no "ssl",
    # so the ACL is expected never to match here
    acl acl_657ed45319efa3.43352536 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    # permanent (301) redirect of all plain-HTTP requests to https
    http-request redirect scheme https code 301 if !acl_657ed45319efa3.43352536

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    # HSTS with includeSubDomains and preload: browsers that have seen this refuse plain-http
    # fallback for two years for the whole domain, so every subdomain must stay reachable over TLS
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    # TLS termination: SSLv3/TLS1.0/TLS1.1 disabled (TLS 1.2+ only), forward-secret ECDHE/DHE
    # suites, session tickets off, HTTP/2 via ALPN; certificates come from the crt-list.
    # NOTE(review): confirm the crt-list covers the Plex hostname — a name it does not cover
    # would surface as a certificate/handshake problem on this listener
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/657ed88b10e6c1.81075400.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    # backend is selected by the (lower-cased) Host header through the map file; there is no
    # default_backend in this section, so a host missing from the map presumably gets an error response
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/657ed57bcfd057.79414853.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    timeout connect 30s
    # no port on the server address: the client's original destination port (80 or 443) is
    # reused, so traffic lands on 1_HTTP_frontend or 1_HTTPS_frontend; send-proxy-v2 carries
    # the real client address across the loopback hop
    server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Plex_DMZ_backend ()
backend Plex_DMZ_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    timeout connect 30s
    http-reuse safe
    # re-encrypts to Plex, but "verify none" disables certificate validation of the DMZ host:
    # whatever answers on 10.10.20.11:32400 is trusted blindly. Once the Plex certificate chain
    # is known, prefer "verify required" with a ca-file (and "sni" if the cert is name-bound).
    server Plex_Server_DMZ 10.10.20.11:32400 ssl verify none resolve-prefer ipv4



# statistics are DISABLED





10.10.2.1 is the LAN IP

When I point DNS at the real server (10.10.20.11) and open https://plex.mydomain.eu:32400 directly, everything works fine.