Thursday, July 25, 2024

Squid configuration in 2024

Configuring Squid in 2024 should be easy, but over 20 years of posts describing problems and solutions, together with the ongoing evolution of Squid itself, make it hard to work out which configuration option you need and how to set it. This is especially true for SSL/TLS.

TLS support in Squid made serious strides in versions 3 and 4 and has settled down since, yet the correct configuration can still be unclear because so many posts date from the transition between versions 3 and 4.

For example, there are so many posts about configuring SSL-Bump or peek-and-splice that it is easy to get confused. Those are forward-proxy features for intercepting clients' TLS sessions; a reverse proxy (accelerator) like the one below does not need them, because Squid terminates TLS itself on the https_port with the certificate and key you give it. Beyond that certificate and key, the most you may need to add is the certificate-generation helper shown below.

In this example, the (internal) parent listens on port 443 and redirects any port 80 traffic to 443. Squid runs in a Kubernetes StatefulSet; the Service in front of it maps port 80 to the pod's port 3128 and port 443 to 3129, because the pod does not run as root and so cannot bind privileged ports.

# Only clients on the internal network may be routed to the parent
acl localnet src 10.0.0.0/8
# Upstream origin over TLS. 'tls' is the Squid 4+ spelling (older configs used 'ssl');
# tls-cert/tls-key on cache_peer are the client certificate Squid presents to the parent
cache_peer parent.example.com parent 443 0 no-query default tls name=myAccel no-digest tls-cert=/etc/squid/certs/tls.crt tls-key=/etc/squid/certs/tls.key
cache_peer_access myAccel allow localnet
cache_peer_access myAccel deny all
# Reverse-proxy (accelerator) listeners on unprivileged ports
http_port 3128 accel defaultsite=parent.example.com no-vhost
https_port 3129 accel defaultsite=parent.example.com no-vhost generate-host-certificates=on tls-cert=/etc/squid/certs/tls.crt tls-key=/etc/squid/certs/tls.key
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 20MB
# WARNING: this accepts any certificate error from the parent (expired, wrong name, untrusted CA),
# so the Squid-to-parent hop is not authenticated. Prefer fixing the parent's certificate, or
# add tls-cafile= to the cache_peer line with the CA that signed it, and then remove this directive
sslproxy_cert_error allow all


The only other interesting piece of configuration is that the Squid server sits behind a load-balanced domain name (LBDN) / DNS traffic-control service, so the certificate is issued by cert-manager in Kubernetes with the commonName set to the FQDN of the LBDN. Put that FQDN in the subjectAltName as well (cert-manager's dnsNames field does this): modern TLS clients ignore commonName and match only SAN entries.
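As an added example (not from the original post), here is a small lint for the two TLS settings worth checking in a configuration like the one above: sslproxy_cert_error allow all, which makes Squid accept any certificate error from the parent and so leaves the Squid-to-parent hop unauthenticated, and a TLS cache_peer with no tls-cafile=, which means trust depends on whatever happens to be in the system CA store. The two squid.conf files it runs against are constructed here: the first mirrors the snippet above, the second pins the parent's CA (the path /etc/squid/certs/parent-ca.crt is an assumption) and drops the blanket allow.

```shell
#!/bin/sh
# Added example, not from the original post: lint a squid.conf for the TLS settings
# discussed above. Prints one WARN line per finding; exit status 1 if anything was flagged.

squid_tls_lint() {
  conf="$1"
  rc=0
  # Drop comments and blank lines once; every check reads the cleaned copy
  cleaned=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

  # 1. Blanket acceptance of upstream certificate errors
  if printf '%s\n' "$cleaned" | grep -Eq '^[[:space:]]*sslproxy_cert_error[[:space:]]+allow[[:space:]]+all([[:space:]]|$)'; then
    echo "WARN: sslproxy_cert_error allow all: any upstream certificate error (expired, wrong name, untrusted CA) is accepted"
    rc=1
  fi

  # 2. TLS peers (Squid 4+ 'tls' or legacy 'ssl') that do not pin a CA file
  peers=$(printf '%s\n' "$cleaned" | awk '
    $1 == "cache_peer" {
      tls = 0; ca = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "tls" || $i == "ssl") tls = 1
        if ($i ~ /^tls-cafile=/) ca = 1
      }
      if (tls && !ca) print $2
    }')
  for p in $peers; do
    echo "WARN: cache_peer $p speaks TLS without tls-cafile=; set it to the CA that signed the parent certificate"
    rc=1
  done
  return $rc
}

# Constructed configs: the weak one mirrors the post's snippet; the fixed one pins the
# parent's CA (hypothetical path /etc/squid/certs/parent-ca.crt) and drops the blanket allow.
WEAK_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
acl localnet src 10.0.0.0/8
cache_peer parent.example.com parent 443 0 no-query default tls name=myAccel no-digest tls-cert=/etc/squid/certs/tls.crt tls-key=/etc/squid/certs/tls.key
cache_peer_access myAccel allow localnet
cache_peer_access myAccel deny all
https_port 3129 accel defaultsite=parent.example.com no-vhost tls-cert=/etc/squid/certs/tls.crt tls-key=/etc/squid/certs/tls.key
sslproxy_cert_error allow all   # accept any certificate error from the parent
EOF
cat >"$FIXED_CONF" <<'EOF'
acl localnet src 10.0.0.0/8
cache_peer parent.example.com parent 443 0 no-query default tls name=myAccel no-digest tls-cert=/etc/squid/certs/tls.crt tls-key=/etc/squid/certs/tls.key tls-cafile=/etc/squid/certs/parent-ca.crt
cache_peer_access myAccel allow localnet
cache_peer_access myAccel deny all
https_port 3129 accel defaultsite=parent.example.com no-vhost tls-cert=/etc/squid/certs/tls.crt tls-key=/etc/squid/certs/tls.key
EOF

echo "== weak =="
squid_tls_lint "$WEAK_CONF" || echo "lint failed (expected)"
echo "== fixed =="
squid_tls_lint "$FIXED_CONF" && echo "lint clean"
```

Run it against a real squid.conf with squid_tls_lint /etc/squid/squid.conf; a clean result means the parent's certificate is actually being validated against a CA you chose, rather than any error being waved through.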

Sunday, June 30, 2024

TIL - load testing or benchmarking client limits

Was load testing a puppet forge implementation today and was hitting some odd errors when I ran each load test immediately after the previous one finished. The errors would not happen if I waited a few minutes (maybe 5) between tests.


This was odd behaviour, but digging through Google with the client error "Failed to open TCP connection to (Cannot assign request", I landed on this Stack Overflow entry (https://stackoverflow.com/a/31877033/14784297), which implied that the error mostly came from a lack of ephemeral ports (correct) and, more interestingly, that after a TCP connection is closed it stays in a TIME_WAIT state for about 2 minutes:

The reason of this problem is that for opening a TCP connection, the operating system allocates an ephemeral port (for the source port). It binds the socket to the allocated port. After the TCP connection is closed, the connection is left in TIME_WAIT state, typically for 2 minutes, due to historical reasons

Count the connections sitting in TIME_WAIT:

netstat -naptu | grep -c TIME_WAIT
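Two facts worth having next to that command: on Linux the TIME_WAIT period is a fixed 60 seconds (TCP_TIMEWAIT_LEN in the kernel, not the 2 minutes of the original BSD behaviour), and net.ipv4.tcp_fin_timeout does not shorten it. The usual fixes for a load-test client are to reuse connections (keep-alive) instead of opening one per request, to widen net.ipv4.ip_local_port_range, or to set net.ipv4.tcp_tw_reuse=1 for outgoing connections. The added example below (not from the original post) tallies sockets by state from ss -tan output and estimates how much of the ephemeral port range is left; the ss output it parses is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: tally TCP sockets by state from `ss -tan`
# output and estimate how much of the ephemeral port range a load-test client has left.
# The sample output below is constructed; on a real host pipe `ss -tan` into the functions.

# Count sockets per state. Reads `ss -tan` output on stdin, prints "STATE count" lines.
tcp_state_counts() {
  awk '$1 != "State" { n[$1]++ } END { for (s in n) print s, n[s] }' | sort
}

# Count sockets whose *local* port falls inside the ephemeral range lo..hi.
# $1 = low port, $2 = high port (see /proc/sys/net/ipv4/ip_local_port_range).
ephemeral_in_use() {
  awk -v lo="$1" -v hi="$2" '
    $1 != "State" {
      # local address is field 4 in `ss -tan`; the port is after the last colon (IPv6-safe)
      n = split($4, a, ":"); port = a[n] + 0
      if (port >= lo && port <= hi) used++
    }
    END { print used + 0 }'
}

# Percentage of the range still free: $1 = low port, $2 = high port, $3 = ports in use.
ephemeral_free_pct() {
  echo $(( (($2 - $1 + 1 - $3) * 100) / ($2 - $1 + 1) ))
}

# Constructed `ss -tan` snapshot: one established connection, four in TIME-WAIT
# (one of them IPv6), plus a listener outside the ephemeral range.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:22            0.0.0.0:*
ESTAB      0      0      10.0.0.5:43210        10.0.0.9:8080
TIME-WAIT  0      0      10.0.0.5:43211        10.0.0.9:8080
TIME-WAIT  0      0      10.0.0.5:43212        10.0.0.9:8080
TIME-WAIT  0      0      10.0.0.5:43213        10.0.0.9:8080
TIME-WAIT  0      0      [::1]:43214           [::1]:8080'

printf '%s\n' "$SAMPLE_SS" | tcp_state_counts
used=$(printf '%s\n' "$SAMPLE_SS" | ephemeral_in_use 32768 60999)
echo "ephemeral ports in use: $used ($(ephemeral_free_pct 32768 60999 "$used")% free)"
```

On a live host use the real range from /proc/sys/net/ipv4/ip_local_port_range as the two arguments; when the TIME-WAIT count is a large fraction of that range, the next test run will start failing with address-assignment errors until the 60-second timers drain.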


Sunday, October 9, 2022

Reminder - VS Code - simultaneous edits (aka Multiple selections / multi cursor)

TL;DR shift command L 

I always see VS Code highlighting the same keywords while editing, but forget how to use that highlighting for simultaneous edits, so I resort to find and replace.

VS Code supports multiple cursors for fast simultaneous edits.

But to me, it's really unclear how you then start editing the selected words. On a Mac it is shift command L (⇧⌘L).


Tuesday, September 20, 2022

Unifi 7.2.94 on MacOS Error When Saving Settings

After finally getting around to patching my Mac mini, everything came up except for the Unifi Network application. I downloaded the latest version, and it failed to start up, so I uninstalled and reinstalled the application (Unifi 7.2.94 on macOS Catalina 10.15.7) from https://www.ui.com/download-software/

After restoring from a backup, I tried to make the backups run weekly, and got an error message when trying to save settings

An error occurred when applying changes to System settings. This action could not be completed. Please ensure you've entered all information correctly.

Removed and reinstalled the application and Java.

Java install instructions are from https://community.ui.com/questions/Shell-script-for-adding-Java-RE-path-to-local-UniFi-controller-on-macOS/adb1194c-cca4-4a50-8e79-cf805fdd70b3, but temurin8 is no longer available, so I used openjdk@8:

$ brew install openjdk@8
$ sudo ln -s /Library/Java/JavaVirtualMachines/openjdk-8.jdk/ /Applications/UniFi.app/Contents/PlugIns/
$ sudo /usr/libexec/PlistBuddy -c "Add :JVMRuntime string 'openjdk-8.jdk'" /Applications/UniFi.app/Contents/Info.plist

That didn't help, but the genius in this Ubiquiti Unifi forum thread - https://community.ui.com/questions/Cannot-change-save-system-settings-Unifi-Network-on-cloudkey-gen-2-pro/916daacb-39cc-4ecf-a09a-c07fee7cc23d - had the answer. That was a Cloud Key error, but the solution was the same:

Switch back to Legacy Interface (Settings > System > Legacy System > Enable), make any change, then switch back to new Interface (Settings > User Interface > New User Interface > Apply Changes)

Thanks to Corey Quinn for motivating me to publish this just in case anyone else out there has this same problem - https://www.lastweekinaws.com/blog/the-harrowing-search-for-the-elusive-technical-answer/

Sunday, September 11, 2022

Reminder - Low Latency Linux Kernel Boot Options

Terrible name for the web site https://make-linux-fast-again.com/

noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off

It covers many kernel versions, as noted in the Hacker News discussion - https://news.ycombinator.com/item?id=25668990
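The flags above switch off the kernel's Spectre v1/v2, Meltdown (PTI), L1TF, speculative store bypass, MDS and TAA mitigations; on recent kernels mitigations=off alone covers the whole list, and the effect is that any local code, including a browser or a VM guest, regains those side channels. That makes the setting suitable for a single-tenant box running only trusted code. The added example below (not from the original post) is the check to run after booting with those options: it reads the sysfs vulnerability files and reports anything the kernel still considers vulnerable. The directory it runs against here is a constructed snapshot of what such a host reports.

```shell
#!/bin/sh
# Added example, not from the original post: report which CPU vulnerability mitigations
# are active. Reads /sys/devices/system/cpu/vulnerabilities by default; the optional
# directory argument lets the function run against a constructed copy, as below.

# Print "name: status" for every entry, then a one-line tally. Returns 1 if any entry
# starts with "Vulnerable" (a mitigation is disabled or missing), 0 otherwise.
cpu_vuln_report() {
  dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  bad=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    status=$(cat "$f")
    printf '%s: %s\n' "$(basename "$f")" "$status"
    case "$status" in
      Vulnerable*) bad=$((bad + 1)) ;;
    esac
  done
  echo "vulnerable entries: $bad"
  [ "$bad" -eq 0 ]
}

# Constructed snapshot resembling a host booted with the flags from the post:
# three entries disabled, one CPU not affected, one still mitigated.
FAKE_SYS=$(mktemp -d)
trap 'rm -rf "$FAKE_SYS"' EXIT
printf 'Vulnerable\n' > "$FAKE_SYS/meltdown"
printf 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers\n' > "$FAKE_SYS/spectre_v1"
printf 'Vulnerable, IBPB: disabled, STIBP: disabled\n' > "$FAKE_SYS/spectre_v2"
printf 'Not affected\n' > "$FAKE_SYS/l1tf"
printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$FAKE_SYS/mds"

cpu_vuln_report "$FAKE_SYS" || echo "host is running without some mitigations"
```

On the real machine run cpu_vuln_report with no argument; a non-zero exit status means at least one of the boot flags took effect, which is what you want on the low-latency box and what you do not want anywhere that runs code you did not write.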

Sunday, September 4, 2022

Today I learned - Dell Server Warranty Lookups

In the past, Dell made it hard to access their API for warranty lookups. Even the signup process at https://developer.dell.com/ to get a key was dire - once, they said having 1000 servers wasn't enough to justify API access!


This gist has a working example if you have an API key - https://gist.github.com/teroka/0720274b87b77fe7171f - as well as tales of woe dealing with the website.


I also found out that these URLs belong to the same company. It sort of should have a paid option but doesn't, so I don't understand how it works. I assume they have a Dell API key, or they screen scrape:

  • http://www.updatewarranty.com
  • http://www.lookupwarranty.com

Note that this lookup is plain HTTP to a third party, so the service tags you query are visible on the wire and to that site.

$ /usr/bin/curl -s --max-time 30 -H "Referer: http://www.lookupwarranty.com/" 'http://www.lookupwarranty.com/updatewarranty/server/lookup?serviceTag=STAGXXX&modelNumber=&mfg=&email=&platform=Website&key' | jq .

{
  "serviceTag": "HT9K6R3",
  "mfg": "Dell",
  "expires": 1234567890,
  "shipped": 1234567890,
  "outOfWarranty": null,
  "error": null,
  "url": "http://www.dell.com/support/my-support/us/en/19/product-support/servicetag/STAGXXX"
}

Tuesday, May 17, 2022

Today I Learned - Power On Linux Server at a Particular Time

So today I learned that it is possible to set an alarm for the motherboard to wake up after a poweroff, and the ability has been around for years (since around 2000)!

This article - https://www.linux.com/training-tutorials/wake-linux-rtc-alarm-clock/ - gives a great demonstration of how to set a real-time clock wakeup by writing to /sys/class/rtc/rtc0/wakealarm, with some good pointers on clearing out any BIOS-based wakeups as well.

This article - https://www.maketecheasier.com/alarm-automatically-power-on-linux/ - introduces the command-line tool rtcwake, which is a little more user-friendly.