Squid 3.2.5 – tcp_outgoing_mark ignored for tunnelled CONNECT requests

Last month, I decided to apply a network policy in order to route web traffic over different links based on the destination domain. After compiling the latest version of Squid (3.2.5), I wrote my dstdomain ACLs and tested some sites. Great, it works… until I checked HTTPS browsing.

It seems there is missing code in tunnel.cc to handle the tcp_outgoing_mark directive in the tunnelling context: an HTTPS request arrives as a CONNECT and is tunnelled rather than forwarded, and on that path the mark is never applied to the outgoing connection, so those connections fall back to the default route. I opened bug 3723 on bugs.squid-cache.org, but after a while I took some time to handle this myself.

The patch below corrects this issue; apply it from the Squid source tree:

root@host:/usr/src/squid/squid-3.2.5/src# patch < tunnel.cc_3.2.5.patch

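As an added illustration (not part of the original post and not Squid's own code), the following Python script models the decision the configuration above expresses: a dstdomain ACL selects a tcp_outgoing_mark, and that mark has to reach the outgoing socket for both a plain GET and the CONNECT tunnel an HTTPS request produces. The ACL names, domain patterns and mark values are constructed for the example; the SO_MARK socket option is the Linux mechanism behind tcp_outgoing_mark and setting it needs CAP_NET_ADMIN, so `mark_socket` reports a refusal as `None` instead of raising.

```python
"""Added example: model Squid's dstdomain -> tcp_outgoing_mark decision for
HTTP and CONNECT requests, then apply the mark to a socket via SO_MARK.
Not code from the original post or from Squid itself."""
import socket
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed policy table: (acl name, dstdomain patterns, mark value).
# The names, domains and marks are assumptions made for this example.
POLICY: List[Tuple[str, List[str], int]] = [
    ("link_a", [".example.com"], 0x1),
    ("link_b", ["intranet.example.org"], 0x2),
]


def dstdomain_match(host: str, pattern: str) -> bool:
    """Squid dstdomain semantics: '.example.com' matches example.com and any
    subdomain; a bare 'host.example.org' matches that exact name only."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def request_host(request_line: str) -> Optional[str]:
    """Destination host of an HTTP request line as a proxy sees it.
    CONNECT carries 'host:port' (the HTTPS case); other methods carry an
    absolute URI. Returns None for a malformed line."""
    parts = request_line.strip().split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method.upper() == "CONNECT":
        host, sep, _port = target.rpartition(":")
        if not sep:
            return None  # CONNECT without a port is malformed
        if host.startswith("[") and host.endswith("]"):
            return host[1:-1]  # IPv6 literal
        return host.lower()
    try:
        return urlsplit(target).hostname  # lowercased, brackets stripped
    except ValueError:
        return None


def outgoing_mark(request_line: str) -> int:
    """First matching ACL wins, like Squid's tcp_outgoing_mark evaluation;
    0 means 'no mark', i.e. the default route."""
    host = request_host(request_line)
    if host is None:
        return 0
    for _name, patterns, mark in POLICY:
        if any(dstdomain_match(host, p) for p in patterns):
            return mark
    return 0


# Linux SO_MARK; Python exposes it on Linux, 36 is the kernel's value as fallback.
SO_MARK = getattr(socket, "SO_MARK", 36)


def mark_socket(sock: socket.socket, mark: int) -> Optional[int]:
    """Apply the fwmark (what tcp_outgoing_mark does on the server-side
    socket; needs CAP_NET_ADMIN) and read it back. None means the kernel
    refused, which leaves the socket exactly as unmarked as Squid 3.2.5
    leaves a CONNECT tunnel."""
    try:
        sock.setsockopt(socket.SOL_SOCKET, SO_MARK, mark)
    except OSError:
        return None
    return sock.getsockopt(socket.SOL_SOCKET, SO_MARK)


if __name__ == "__main__":
    # The property the bug broke: GET and CONNECT to the same host must
    # resolve to the same mark, and that mark must land on the socket.
    for line in ("GET http://www.example.com/ HTTP/1.1",
                 "CONNECT www.example.com:443 HTTP/1.1"):
        print(f"{line!r:45} -> mark {outgoing_mark(line)}")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("SO_MARK applied:",
              mark_socket(s, outgoing_mark("CONNECT www.example.com:443 HTTP/1.1")))
```

When checking a real proxy, the useful comparison is the same pair of requests: if a packet counter keyed on the mark (for instance a mangle-table rule matching that fwmark) only moves for the HTTP request and not for the CONNECT to the same host, the tunnel path is not applying tcp_outgoing_mark, which is the gap this post describes.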

One thought on “Squid 3.2.5 – tcp_outgoing_mark ignored for tunnelled CONNECT requests”

  1. Hi,
    I am using Squid 3.5 on CentOS 7, installed using yum from the EPEL repo.
    squid -v:
    Squid Cache: Version 3.5.20
    Service Name: squid
    configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

    I have this problem now, and I can't understand how to fix this problem for myself.
    I can't tcp_outgoing_mark on SSL sites, but on HTTP sites it works OK.
    So how can I apply this patch or any config for my Squid to work with HTTPS domains?

    Please help me.
    Thank you in advance!
