Oddly never had this problem until today,
Cannot initiate the connection to debian.map.fastly.net:443 (2a04:4e42::644). - Cannot initiate the connection to deb.debian.org:443 (2a04:4e42::644). - connect (101: Network is unreachable)
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?Adding these to /etc/sysctl.conf will fix it
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1I’m still using Squid over SWP in GCP as a forward proxy because…well….it’s much cheaper. The only real shortcoming/limitation has been around logging and reporting – I don’t have a 3rd party logging setup like Splunk or ELK stack, so it basically comes down to tail -f in raw logfiles (though I did at least push them to a centralized bucket via a 1-minute cron job).
Sending 3rd party application logs to GCP StackDriver is a relatively simple process, I just couldn’t fine a specific example for Squid.
If not done so already, install Ops Agent:
cd /tmp
wget https://dl.google.com/cloudagents/add-google-cloud-ops-agent-repo.sh
sudo bash ./add-google-cloud-ops-agent-repo.sh --also-install And make sure the Service Account for the VM has these Roles:
Next, I configured Squid to log in JSON format. This will allow searches based on log fields like special fields like Client IP address or URL, which is very useful. This was a 2-liner in squid.conf:
# Define Syntax for JSON Logging
logformat json { "client_ip": "%>a", "timestamp": "%{%FT%T%z}tg", "method": "%rm", "url": "%ru", "http_version": "HTTP/%rv", "response_code": %>Hs, "bytes": %<st, "user_agent": "%{User-Agent}>h", "status_code": "%Ss", "hier": "%Sh"}
# Log using JSON format
access_log /var/log/squid/access_json.log json
# Optional - disable /var/log/squid/access.log
access_log daemon:/dev/nullI chose a name ending in .log because the Debian package will automatically rotate all /var/log/squid/*.log files every day at 00:00:00 per /etc/logrotate.d/squid). I needed to ensure log rotation was occurring regularly to the disk didn’t get full.
To actually start sending the JSON logs to StackDriver add the following lines to the file
/etc/google-cloud-ops-agent/config.yaml
logging:
processors:
squid_json:
type: parse_json
receivers:
squid_cache:
type: files
include_paths: [/var/log/squid/cache.log]
squid:
type: files
include_paths: [/var/log/squid/access_json.log]
service:
pipelines:
squid:
receivers: [squid_cache]
squid_proxy:
receivers: [squid]
processors: [squid_json]
This will also send the /var/log/squid/cache.log file, just not in JSON format. This log file only logs startup/shutdown and errors, so a regular text format just showing the message body was fine.
Restart the agent:
systemctl restart google-cloud-ops-agentAnd the logs are now searchable
Because I’m too lazy to google every time…
sudo su
apt-get clean
apt-get autoremove --purge
journalctl --vacuum-size=100M
rm /var/log/*.gz
rm /var/log/*.1I think this may go down as the most valuable skill I’ve learned my entire career.
$ telnet smtp-relay.myisp.com 25
Trying 10.10.32.1...
Connected to smtp-relay.myisp.com.
Escape character is '^]'.
220 myisp.net ESMTP MAIL Service ready - Wed, 18 Oct 2023 16:44:08 GMT
helo localhost
250 myisp.net Hello [10.98.76.54], pleased to meet you
mail from: me@mydomain.com
250 2.1.0 me@mydomain.com... Sender ok
rcpt to: me@mydomain.com
250 2.1.5 me@mydomain.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
From: me@mydomain.com
To: me@mydomain.com
Subject: Test
Hello there
.
250 2.0.0 39IGi8N5006729 Message accepted for delivery
QUIT
221 2.0.0 myisp.net closing connection
Connection closed by foreign host.I upgraded my FreeBSD VM from 11 to 12 last weekend. Installing Google Cloud SDK was no problem; just use the FreeBSD package:
pkg install google-cloud-sdkBut for AWS CLI tools, there’s only a package for AWS CLI Tools version 1 . CLI Tools version 2 has been out for 3 years now, so we really don’t want to still be using v1.
Usually there’s a simple work-around: since AWS CLI tools is mostly Python scripts, you can install it via PIP. First, verify the version of Python installed, then install PIP3 for that version:
python -V
Python 3.11.13
pkg install py311-pipThen install AWS CLI Tools v2 via PIP:
pip install awscliv2But when we go to complete the install, we get this error:
awscliv2 --install
09:27:26 - awscliv2 - ERROR - FreeBSD amd64 is not supported, use docker version
This is because AWS CLI v2 does rely on a binary, and is only compiled for Linux. We can work around this by enabling Linux emulation.
First, add the following lines to /etc/rc.conf
linux_enable="YES"
Then either run this command, or simply reboot:
service linux startAlso install the CentOS 7 base from packages:
pkg install linux_base-c7Add an couple lines to the the following line near the bottom of /usr/local/lib/python3.9/site-packages/awscliv2/installers.py to allow it to support FreeBSD:
if os_platform == "FreeBSD" and arch == "amd64":
return install_linux_x86_64()
Now we can complete the install successfully:
# awscliv2 --install
21:53:29 - awscliv2 - INFO - Installing AWS CLI v2 for Linux
21:53:29 - awscliv2 - INFO - Downloading package from https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip to /tmp/tmpg6a6_kvx.zip
21:53:32 - awscliv2 - INFO - Extracting /tmp/tmpg6a6_kvx.zip to to /tmp/tmpzm5c3jho
21:53:38 - awscliv2 - INFO - Installing /tmp/tmpzm5c3jho/aws/install to /root/.awscliv2
21:53:48 - awscliv2 - INFO - Now awsv2 will use this installed version
21:53:48 - awscliv2 - INFO - Running now to check installation: awsv2 --version
aws-cli/2.30.3 Python/3.13.7 Linux/5.15.0 exe/x86_64.centos.7
Verify the binary and libraries are installed correctly:
ln -s /usr/local/bin/awscliv2 /usr/local/bin/aws
aws --version
aws-cli/2.11.10 Python/3.11.2 Linux/3.2.0 exe/x86_64.centos.7 prompt/offYou’ll probably want to include this directory in your path. Since I use TCSH, I do this by adding this line to ~/.cshrc:
set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin $HOME/bin $HOME/.awscliv2/v2/2.30.3/dist)You’re now ready to configure aws cli tools v2. Run this command:
aws configureOr, just manually setup the files ~/.aws/config and ~/.aws/credentials. Then try out a command.
aws s3 ls
Use the AWS_PROFILE and AWS_REGION environment variable to override the defaults configured in ~/.aws/config
The VMs were deployed via Terraform using instance templates, managed instance groups, and an internal TCP/UDP load balancer with a forwarding rule for port 3128. Debian 11 (Bullseye) was selected as the OS because it has a low memory footprint while still offering an nice pre-packaged version of Squid version 4.
The first problem is the older stackdriver agent isn’t compatible with Debian 11. So I had to install the newer one. I chose to just add these lines to my startup script, pulling the script directly from a bucket to avoid the requirement of Internet access:
gsutil cp gs://public-j5-org/add-google-cloud-ops-agent-repo.sh /tmp/
bash /tmp/add-google-cloud-ops-agent-repo.sh --also-installAfter re-deploying the VMs, I ssh’d in and verified the Ops agent was installed and running:
sudo systemctl status google-cloud-ops-agent"*"
google-cloud-ops-agent-opentelemetry-collector.service - Google Cloud Ops Agent - Metrics Agent
Loaded: loaded (/lib/systemd/system/google-cloud-ops-agent-opentelemetry-collector.service; static)
Active: active (running) since Fri 2023-02-10 22:18:17 UTC; 18min ago
Process: 4317 ExecStartPre=/opt/google-cloud-ops-agent/libexec/google_cloud_ops_agent_engine -service=otel -in /etc/google-cloud-ops-agent/config.yaml -logs ${LOGS_DIRECTORY} (code=exited, status=0/>
Main PID: 4350 (otelopscol)
Tasks: 7 (limit: 1989)
Memory: 45.7M
CPU: 1.160s
After waiting a couple minutes, I still didn’t see anything, so I downloaded and ran their diagnostic script:
gsutil cp gs://public-j5-org/diagnose-agents.sh /tmp/ && bash /tmp/diagnose-agents.sh
This was confusing because while it didn’t show any errors, the actual log was dumped to disk in a sub-directory of /var/tmp/google-agents/. and did indicate a problem in the agent-info.txt file:
API Check - Result: FAIL, Error code: LogApiPermissionErr, Failure:
Service account is missing the roles/logging.logWriter role., Solution: Add the roles/logging.logWriter role to the Google Cloud service account., Res
ource: https://cloud.google.com/stackdriver/docs/solutions/agents/ops-agent/authorization#create-service-account
And this made sense, because in order for Ops Agent to function, it needs these two IAM roles enabled for the service account:
Here’s a Terraform snippet that will do that:
# Add required IAM permissions for Ops Agents
locals {
roles = ["logging.logWriter", "monitoring.metricWriter"]
}
resource "google_project_iam_member" "default" {
for_each = var.service_account_email != null ? toset(local.roles) : {}
project = var.project_id
member = "serviceAccount:${var.service_account_email}"
role = "roles/${each.value}"
}Within a few minutes of adding these, data started showing up in the graphs.
Verify we’re running the latest version of Debian
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
Become root
sudo suUpdate packages
apt update && apt upgrade -yInstall the Squid package that has openssl configured and enabled
apt install squid-opensslCreate a local CA, using a 4096-bit key and SHA-2 hashing. This one is good for the next 10 years
openssl req -new -newkey rsa:4096 -sha256 -days 3653 -nodes -x509 -keyout /etc/squid/CA.key -out /etc/squid/CA.crtCombine the key and cert in to a single file for convenience
cat CA.key CA.crt > CA.pemInitialize the directory used for minted certs and set permissions so squid owns it
/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
chown -R proxy:proxy /var/spool/squid
Finally, configure Squid to use HTTPS
http_port 3128 ssl-bump cert=/etc/squid/CA.pem generate-host-certificates=on options=NO_SSLv3
ssl_bump bump allRestart Squid
service squid restartTest connections by configuring 3128. Note the certificate from the CA, good for 10 years:
export https_proxy=http://localhost:3128
curl -v --cacert CA.crt https://teapotme.com
* Uses proxy env variable https_proxy == 'http://localhost:3128'
* Trying ::1:3128...
* Connected to localhost (::1) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to teapotme.com:443
> CONNECT teapotme.com:443 HTTP/1.1
> Host: teapotme.com:443
> User-Agent: curl/7.74.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: CA.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=teapotme.com
* start date: Nov 6 04:03:48 2022 GMT
* expire date: Nov 6 04:03:48 2032 GMT
* subjectAltName: host "teapotme.com" matched cert's "teapotme.com"
* issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd; CN=localhost
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: teapotme.com
> User-Agent: curl/7.74.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 418 I'm a teapot
< Server: nginx
< Date: Sun, 06 Nov 2022 04:08:13 GMT
< Content-Type: application/json
< Content-Length: 483
< X-Cache: MISS from test-1
< X-Cache-Lookup: MISS from test-1:3128
< Via: 1.1 test-1 (squid/4.13)
< Connection: keep-alive
<
{
"host": "teapotme.com",
"user-agent": "curl/7.74.0",
"x-forwarded-for": "::1, 35.233.234.155, 172.17.0.1",
"x-forwarded-proto": "https",
}
I created a new Ubuntu 22 VM a few weeks ago and noticed when trying a git pull or git push to a GCP Cloud Source Repo, I wasn’t having any luck when using SSH:
cd myrepo/
git pull
myusername@myorg.com@source.developers.google.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.The SSH key was a standard RSA with the public key uploaded to Cloud Source SSH Keys, so there was no obvious reason why it wasn’t working.
Next step was try and get some type of debug or error message as to why the public key exchange wasn’t working. Newer versions of Git can turn on SSH debugging by setting the GIT_SSH_COMMAND environment variable, so I did that:
export GIT_SSH_COMMAND="ssh -vvv"When re-running the git pull request, I get some somewhat useful debugs back:
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/j5/.ssh/id_rsa RSA SHA256:JBgC+R4Ozel+YI+7oEv1UOf9/jLqGBhysN8bpoEDbPU
debug1: send_pubkey_test: no mutual signature algorithmThe ‘no mutual signature algorithm’ indicated one side didn’t like the signing algorithm. I did a Google and found this article which indicates that Ubuntu 22 doesn’t allow RSA by default. I can’t change the setting on the Cloud Source side, so on the Ubuntu 22 client, I did this as a quick work-around:
echo "PubkeyAcceptedKeyTypes +ssh-rsa" > /etc/ssh/ssh_config.d/enable_rsa.confAnd now the git pull/push works without issue.
An alternate solution is instead use Elliptic Curve DSA rather than RSA. To generate a new ECDSA key:
ssh-keygen -t ecdsa
cat ~/.ssh/id_ecdsa.pubThen copy/paste the key in to the SSH Key Manager. This will be easier to copy/paste then RSA since it’s shorter.
My FreeBSD VM with its 10GB virtual hard disk ran out of space today. The primary culprit was /var/spool/clientmqueue consuming nearly 3GB of space:
# du -d 1 /var/spool/
8 /var/spool/output
4 /var/spool/opielocks
2955904 /var/spool/clientmqueue
4 /var/spool/dma
4 /var/spool/lpd
4 /var/spool/lock
4 /var/spool/mqueue
2955936 /var/spool/
But when trying to just delete the files, I got “argument list too long”:
# rm -f /var/spool/clientmqueue/*
/bin/rm: Argument list too long.
In the Google search I learned something interesting: find has a -delete option. This worked well:
# find /var/spool/clientmqueue -name '*' -deleteTime to move Rancid to a newer VM again, this time it’s Ubuntu 20. Hit a snag when I tried a test clogin run:
$ clogin myrouter
Unable to negotiate with 1.2.3.4 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1OpenSSH removed SHA-1 from the defaults a while back, which makes sense since the migration to SHA-2 began several years ago. So looks like SSH is trying to use SHA-2 but the Cisco Router is defaulting to SHA-1, and something has to give in order for negotiation to succeed.
My first thought was to tell the Cisco router to use SHA-2, and this is possible for the MAC setting:
Router(config)#ip ssh server algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = key length = 160 bits)
hmac-sha1-96 HMAC-SHA1-96 (digest length = 96 bits, key length = 160 bits)
hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits)
hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits
Router(config)#ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
Router(config)#do sh ip ssh | inc MAC
MAC Algorithms:hmac-sha2-256,hmac-sha2-512
But not for key exchange, which apparently only supports SHA-1:
Router(config)#ip ssh server algorithm kex ?
diffie-hellman-group-exchange-sha1 DH_GRPX_SHA1 diffie-hellman key exchange algorithm
diffie-hellman-group14-sha1 DH_GRP14_SHA1 diffie-hellman key exchange algorithm
Thus, the only option is to change the setting on the client. SSH has CLI options for Cipher and Mac:
-c : sets cipher (encryption) list.
-m: sets mac (authentication) list
One quick solution is tell the SSH client to support the Kex Exchange by adding this line to the /etc/ssh/ssh_config file:
KexAlgorithms +diffie-hellman-group14-sha1But, I wanted to change the setting only for Rancid and not SSH in general, hoping that Cisco adds SHA-2 key exchange soon. I found out it is possible to set SSH options in the .cloginrc file. The solution is this:
add sshcmd * {ssh\ -o\ KexAlgorithms=+diffie-
hellman-group14-sha1}Clogin is now successful:
$ clogin myrouter
spawn ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -c aes128-ctr,aes128-cbc,3des-cbc -x -l myusername myrouter
Password:
Router#_By the way, I stayed away from diffie-hellman-group-exchange-sha1 as it’s considered insecure, whereas diffie-hellman-group14-sha1 was considered deprecated but still widely deployed and still “strong enough”, probably thanks to its 2048-bit key length.
Sidenote: this only affects Cisco IOS-XE devices. The Cisco ASA ships with this in the default configuration:
ssh key-exchange group dh-group14-sha256
Layer 77 