Re: [squid-users] MITM the MITM

2022-01-03 Thread Antony Stone
On Tuesday 04 January 2022 at 01:19:28, Will BMD wrote:

> Hey all,
> 
> I currently have the following network topology; it's emulating a real-world
> environment. The proxy is running ssl_bump.
> 
> LAN <-> Squid Proxy <-> Firewall <-> Internet
> 
> From the Firewall's perspective all client connections are originating
> as the proxy server.

Okay, that makes good sense.

> We're wanting to use the https inspect feature of the firewall,

Please give more details?

 - What sort of firewall is this?
 - What does "HTTPS inspect" actually mean?
 - How does the firewall "inspect" HTTPS traffic, which by design is encrypted 
between client and server (neither of which is the firewall)?
 - What does "inspect" mean?  What information is revealed from the inspection 
of the encrypted communication?

> but according to our firewall documentation it appears due to the location of
> our proxy servers we would be unable to do so.

Why?  Where would the proxy servers need to be instead, in order for this 
inspection to work?

Alternatively, how does/would it work if the proxy were not there, and clients 
communicated directly to the Internet through the firewall?

> My question is, if the proxy is behaving as a MITM between itself and
> the client, can't the Firewall do the same thing between itself and the
> proxy?

I agree.  Have you asked the suppliers / authors / vendors of the firewall?

> I suspect it is possible, but might potentially involve a lot of headaches
> and a big hit on performance?

Who knows?

If it's the firewall telling you there's a problem, this doesn't entirely feel 
like a Squid question.


Antony.

-- 
If you can smile when all about you things are going wrong, you must have 
someone in mind to take the blame.

   Please reply to the list;
 please *don't* CC me.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] MITM the MITM

2022-01-03 Thread Will BMD

Hey all,

I currently have the following network topology; it's emulating a real-world
environment. The proxy is running ssl_bump.


LAN <-> Squid Proxy <-> Firewall <-> Internet

From the Firewall's perspective all client connections are originating 
as the proxy server. We're wanting to use the https inspect feature of 
the firewall, but according to our firewall documentation it appears that, due 
to the location of our proxy servers, we would be unable to do so.


My question is, if the proxy is behaving as a MITM between itself and 
the client, can't the Firewall do the same thing between itself and the 
proxy? I suspect it is possible, but might potentially involve a lot of 
headaches and a big hit on performance?


Any insight into this would be greatly appreciated.

Thank you,

Will


Re: [squid-users] Need Urgent Help the CPU load shows 99% for the squid process

2022-01-03 Thread Alex Rousskov
On 1/3/22 1:45 AM, Punyasloka Arya wrote:

> I need quick help regarding the squid process occupying 100% CPU
> (as shown in top) and becoming slow.
> 
> It happens 2 to 3 hours after starting squid.
> After stopping the squid process it becomes normal.

Your Squid is overloaded (getting too much traffic), misconfigured
(e.g., forwarding loop or insufficient number of descriptors for the
given load), or hitting a bug. Lots of bugs have been fixed since Squid
v3.3 was released, including bugs that could lead to 100% CPU
utilization. Squid v3 has not been officially supported for years.

Your best long-term option is to upgrade, but that may take some
time/effort because your base version is so old.

If you want to troubleshoot this without going through the upgrade, try
figuring out which out of the three cases above you are dealing with.
Here are some hints:

* Grep cache.log for any assertions, errors, warnings, or repeated
messages (other than "running out of filedescriptors" which you already
shared).

* Check whether Squid receives the expected amount of traffic (you may
be able to do that by counting lines in access.log and/or watching
network interface stats).

* Check how many file descriptors Squid actually has. There should be a
message about that in the beginning of cache.log. For example:
2021/12/28 11:58:08| With 1024 file descriptors available

* Think of what has _changed_ in Squid environment since Squid was
running successfully (assuming it was).

* If Squid stops processing new requests, then check whether Squid is
stuck in a loop (using gdb or a similar tool).


HTH,

Alex.




> Squid installed version
> 
> [squid@wcb ~]$  /usr/squid/3.1/sbin/squid -version
> Squid Cache: Version 3.3.3
> configure options:  '--prefix=/usr/squid/3.1/'
> '--enable-storeio=ufs,aufs,diskd' 
> '--enable-removal-policies=heap,lru' '--enable-delay-pools'
> '--enable-useragent-log' '--enable-referer-log' '--enable-icmp'
> '--enable-cachemgr-hostname=wc.cdotb.ernet.in'
> '--enable-follow-x-forwarded-for' '--disable-ident-lookups'
> '--enable-auth-basic=PAM,NCSA,LDAP' '--sysconfdir=/etc/squid/'
> '--with-default-user=squid' '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=16384'
> '--with-swapdir=/cache/squid' '--enable-ltdl-convenience'
> 
> HARDWARE : Fujitsu Celsius Xeon Workstation, Intel(R) Xeon(R) CPU
> E5-2690 0 @ 2.90GHz, 16 CPU, 8-Core
> HARDDISK : 500GB
> RAM      : 24 GB
> OS       : CentOS 6.10 (final)
> 
> 
> The output of the command  after load is 99% in the CPU
> 
> [root@wcb squid]#  tail -n 10 /var/log/squid/cache.log | grep -i
> descript
> 
> 2022/01/02 11:49:32 kid1| WARNING! Your cache is running out of
> filedescriptors
> 2022/01/02 11:49:48 kid1| WARNING! Your cache is running out of
> filedescriptors
> 2022/01/02 11:50:04 kid1| WARNING! Your cache is running out of
> filedescriptors
> 2022/01/02 11:50:20 kid1| WARNING! Your cache is running out of
> filedescriptors
> 
> Please suggest anything else I should check or might be missing.
> 
> From
> Punyasloka Arya
> 
> From
> Punya
> PUNYASLOKA ARYA            पुण्यश्लोक आर्या
> Staffno:3880,Netops,TS(B)
> Senior Research Engineer   वरिष्ठ अनुसंधान अभियंता
> C-DOT                      सी-डॉट                    
> Electronics City,Phase-1   इलैक्ट्रॉनिक्स सिटी फेज़ I        
> Hosur Road,Bangalore       होसूर रोड, बेंगलूरु
> 560100                     560100

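A first-pass cache.log triage along the lines of Alex's hints, added here as an example and not part of the thread or of Squid itself. The cache.log lines are constructed; the 16384 comes from the poster's `--with-filedescriptors` configure option, and the verdict strings and function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): sort a Squid cache.log into the three
# cases Alex lists: descriptor shortage, other errors/assertions, or neither.
# The sample log below is constructed for this demonstration.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2021/12/28 11:58:08| With 1024 file descriptors available
2021/12/28 11:58:08| Initializing IP Cache...
2022/01/02 11:49:32 kid1| WARNING! Your cache is running out of filedescriptors
2022/01/02 11:49:48 kid1| WARNING! Your cache is running out of filedescriptors
2022/01/02 11:50:04 kid1| assertion failed: example.cc:42: "constructed sample"
EOF

# Descriptor limit Squid reported at startup (empty if the line is missing).
fd_limit() {
    sed -n 's/.*With \([0-9][0-9]*\) file descriptors available.*/\1/p' "$1" | head -n 1
}

# Number of "running out of filedescriptors" warnings (grep -c prints 0 on none).
fd_warnings() {
    grep -c 'running out of filedescriptors' "$1" || true
}

# Assertions, FATAL and ERROR lines other than the known descriptor warning.
other_problems() {
    grep -iE 'assertion|fatal|error' "$1" | grep -vc 'running out of filedescriptors' || true
}

# Verdict: log path and the descriptor count the build/config was meant to give.
triage() {
    log=$1 expected=$2
    limit=$(fd_limit "$log")
    if [ "$(fd_warnings "$log")" -gt 0 ]; then
        if [ -n "$limit" ] && [ "$limit" -lt "$expected" ]; then
            echo "fd-exhaustion: Squid has $limit descriptors, fewer than the expected $expected (check ulimit -n or squid.conf max_filedescriptors)"
        else
            echo "fd-exhaustion: $limit descriptors are not enough for the offered load"
        fi
    elif [ "$(other_problems "$log")" -gt 0 ]; then
        echo "bug-suspect: assertions or errors present, read cache.log around them"
    else
        echo "clean: check traffic volume and forwarding loops next"
    fi
}

triage "$SAMPLE_LOG" 16384
```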