Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help

2020-04-26 Thread Matus UHLAR - fantomas

On 26.04.20 08:14, russel0901 wrote:

> Subject: Re: [squid-users] Squid - Can't visit (government site and Banking
> Site) - Please help
>
> Hi, upon checking I am using squid version 3.1 on CentOS 6.10


1. It is nice to mention your problem in mail body, not only in Subject:

2. As already advised, upgrade. CentOS 6.10 will only last 7 months from now.

3. Are you trying to filter HTTPS connections using sslbump?
   In such a case, upgrade is even more important.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help

2020-04-26 Thread russel0901
Hi, upon checking I am using squid version 3.1 on CentOS 6.10





Re: [squid-users] Configure A Native FTP proxy on Squid

2020-04-26 Thread Antony Stone
On Sunday 26 April 2020 at 08:42:11, Amos Jeffries wrote:

> On 26/04/20 8:26 am, Antony Stone wrote:
> > On Saturday 25 April 2020 at 19:27:51, Dawood Aijaz wrote:
> >> 
> >> Currently, I am developing a Data Loss Prevention Tool. One of the
> >> requirements is to monitor FTP traffic. So can someone help me set up an
> >> FTP native proxy in squid and how will I be able to monitor FTP traffic
> > 
> > Why do you want to use Squid for this purpose when Squid is not a native
> > FTP proxy?
> 
> As of v3.5 the latest Squid actually can do native FTP relay.
> 
> 

Oh!

Thanks for the correction, Amos.

Apologies to Dawood for giving outdated information.


Regards,


Antony.

-- 
Most people have more than the average number of legs.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid - Can't visit (government site and Banking Site) - Please help

2020-04-26 Thread Amos Jeffries
On 25/04/20 9:09 am, russel0901 wrote:
> I am having a problem on my squid proxy
> 

Which version of Squid are you using?
The output of squid -v would be best if you can provide it.


> this settings is allow all but i can't visit sites like bancnetonline, rcbc,
> philhealth (govt and bank site)
> 
> sometimes it can be visited, sometimes not... (weird???)
> 
> Please Help thank you.
> 

Following is a free review of your config settings.

To actually determine your problem we will need log records of a failing
transaction. At least access.log entries you see for it, and maybe also
something from cache.log if that is not enough.

... which brings me to the first problem in your config.

"cache_log /dev/null" is a very bad idea. This completely hides all
information about problems from *you* - the problems still exist and are
still seen by everyone else involved.
All this does is erase most of your ability to troubleshoot.

If your objective is reduced log verbosity use this setting instead:
  debug_options ALL,0

That reduces cache.log contents to mentions about critical failures of
Squid.


> 
> here is my squid conf...
> 
> max_filedesc 4096

Why so low? And why the deprecated RedHat experimental directive?

Current squid.conf directive is max_filedescriptors. It is a backup to
the --with-max-filedescriptors build option and system ulimit setup.



> request_header_access X-Forwarded-For allow all

This is pointless. All it does is waste CPU cycles on every request
through Squid.

> via off
> httpd_suppress_version_string on
> 
> http_port 
> icp_port 3535
> 
> hierarchy_stoplist cgi-bin ?

This is pointless. It is the default setting for all Squid-3 and later
versions.

> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY

QUERY is obsolete and actually somewhat harmful in current Squid.

For much improved caching you can add the missing refresh_pattern
mentioned below, then erase these and all other rules using QUERY ACL name.


> cache_mem 32 MB
> maximum_object_size 5480 KB
> cache_dir ufs /home/squidcache 6000 16 256
> #cache_dir ufs /home/squidcache2 6000 16 256
> cache_access_log /home/squidcache/access.log

This directive has been deprecated since early Squid-2.
Current Squid uses:
  access_log /home/squidcache/access.log


> cache_log /dev/null

Already mentioned the problems with this. Please revert it to the
default for your Squid version. You will need this log to investigate
the current problem.


> cache_store_log none

This is pointless. It is the default for all current Squid.

> ftp_user sq...@mds.com.sg
> dns_defnames on
> request_body_max_size 1 MB
> refresh_pattern ^ftp:     1440  20%  10080
> refresh_pattern ^gopher:  1440   0%  1440

Missing pattern:

  refresh_pattern -i (/cgi-bin/|\?) 0 0%  0


> refresh_pattern .   0   20% 4320
> negative_ttl 1 minute
> negative_dns_ttl 5 minute
> connect_timeout 60 minute
> read_timeout 5 minute
> request_timeout 60 second
> client_lifetime 4 hour
> half_closed_clients off
> pconn_timeout 240 second
> shutdown_lifetime 5 second
> #acl localhost src 127.0.0.1/32 ::1
> #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl SSL_ports port 443 563 8003 8000 8080 8020 8021 8030 8031 8053 9053
> acl Safe_ports port 80 81 88 21 443 563 70 210 1025-65535
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl PURGE method purge

Do you or clients actually use PURGE method requests?

It would be worth looking into why. That old Squid custom extension to
HTTP is deprecated.

Current Squid obeys HTTP/1.1 caching far better than old Squid-2 and
earlier versions. You can use the Cache-Control:no-cache *request* header to
update cache contents better than PURGE ever could.

Also, HTCP protocol is better for cache management with HTTP/1.1 than
either PURGE or ICP protocol. If you can find or adapt tools to use that
protocol they will be much better off.




> acl manager proto cache_object

This is also a deprecated manager ACL definition. This implies that your
Squid is quite old. Please upgrade to a more current version.


> acl apache src 10.20.0.245
> 
> acl QUERY urlpath_regex -i owa
> acl QUERY2 urlpath_regex cgi-bin \?
> acl QUERY3 urlpath_regex -i php
> acl dontcache dstdomain "/etc/squid/dontcache"
> no_cache deny QUERY
> no_cache deny QUERY2
> no_cache deny QUERY3

"no_cache" is deprecated. Above rules are actually doing "cache deny".


It would be worth investigating why any URL containing the letters "owa"
or "php" is apparently being forced to cache.

Please notice these ACL regexes match if those letters occur *anywhere* in
the URL path portion. That includes 'folder', 'filename', query-string,
and fragment strings. Also in non-HTTP URLs which have 'path' portions
and such.


> always_direct allow dontcache

This is a routing control directive. ACL called 
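An added example (my code, not from the thread or from Squid) that applies the three quoted urlpath_regex ACLs and the recommended `refresh_pattern -i (/cgi-bin/|\?)` regex to constructed URLs. It shows how far "owa", "php" and "cgi-bin" reach when the match target is everything after the host and each ACL value is an alternative; the URLs are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# ACL definitions mirroring the squid.conf quoted in the thread. A urlpath_regex
# ACL with several values is an OR of those regexes; without -i the match is
# case-sensitive. Tuple is (list of regexes, ignore_case).
ACLS = {
    "QUERY":  (["owa"], True),              # acl QUERY  urlpath_regex -i owa
    "QUERY2": (["cgi-bin", r"\?"], False),  # acl QUERY2 urlpath_regex cgi-bin \?
    "QUERY3": (["php"], True),              # acl QUERY3 urlpath_regex -i php
}

# The refresh_pattern Amos recommends instead: only a real /cgi-bin/ directory
# or a query string matches, not the letters "cgi-bin" anywhere in the path.
RECOMMENDED_PATTERN = r"(/cgi-bin/|\?)"


def url_path_part(url: str) -> str:
    """Everything after the host: path, query string and fragment. This is the
    portion the thread says urlpath_regex is matched against."""
    parts = urlsplit(url)
    out = parts.path or "/"
    if parts.query:
        out += "?" + parts.query
    if parts.fragment:
        out += "#" + parts.fragment
    return out


def acl_matches(patterns, ignore_case: bool, url: str) -> bool:
    """True if any of the ACL's regexes hits somewhere in the path part."""
    flags = re.IGNORECASE if ignore_case else 0
    target = url_path_part(url)
    # re.search, not re.match: the regex is unanchored, so a hit anywhere counts.
    return any(re.search(p, target, flags) for p in patterns)


def matching_acls(url: str):
    """Names of the quoted QUERY* ACLs that would match this URL."""
    return sorted(name for name, (pats, ic) in ACLS.items()
                  if acl_matches(pats, ic, url))


def recommended_matches(url: str) -> bool:
    """Whether the recommended refresh_pattern regex would match this URL."""
    return acl_matches([RECOMMENDED_PATTERN], True, url)


if __name__ == "__main__":
    for u in ("http://example.com/products/showall.html",
              "http://example.com/downloads/phpstorm-2020.tar.gz",
              "http://example.com/cgi-binary/report"):
        print(u, matching_acls(u), recommended_matches(u))
```

A plain product page like /products/showall.html is caught by the "owa" rule, and /cgi-binary/report by the bare "cgi-bin" value, while the recommended pattern leaves both alone.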

Re: [squid-users] Configure A Native FTP proxy on Squid

2020-04-26 Thread Amos Jeffries
On 26/04/20 8:26 am, Antony Stone wrote:
> On Saturday 25 April 2020 at 19:27:51, Dawood Aijaz wrote:
> 
>> Hi,
>>
>> Currently, I am developing a Data Loss Prevention Tool. One of the
>> requirements is to monitor FTP traffic. So can someone help me set up an
>> FTP native proxy in squid and how will I be able to monitor FTP traffic
> 
> Why do you want to use Squid for this purpose when Squid is not a native FTP 
> proxy?

As of v3.5 the latest Squid actually can do native FTP relay.




Amos