[squid-users] Re: Inject some html with transparent squid
Have a look at my posts in this thread: http://squid-web-proxy-cache.1019090.n4.nabble.com/Question-in-adding-banner-for-ads-by-squid-td4664976.html
[squid-users] Error negotiation SSL-Connection with ssl_bump enabled and the impact of sslproxy_cipher
Hi

Using latest squid 3.4.4 with ssl_bump. With ssl_bump enabled, I receive an error in cache.log (and the browser too) while opening the page 'https://www.pubservice.com/Subnew2page.aspx?PC=LJ':

fwdNegotiateSSL: Error negotiating SSL connection on FD 67: error::lib(0):func(0):reason(0) (5/-1/104)

I have found two workarounds:

1) Find out which encryption the SSL connection is using (curl -s -v -I -k https://www.pubservice.com/Subnew2page.aspx?PC=LJ;) and search for "SSL connection using RC4-SHA".
1a) Define 'sslproxy_cipher RC4-SHA' in squid.conf and reload squid.
2) Deny ssl_bump for the site mentioned above.

Question:
What encryption types does squid allow per default in sslproxy_cipher?
Why do I need to extend the sslproxy_cipher directive in some circumstances?
Why is this site not working with ssl_bump enabled and the default sslproxy_cipher?

Thanks a lot.
Tom
Re: [squid-users] Error negotiation SSL-Connection with ssl_bump enabled and the impact of sslproxy_cipher
On 19/03/2014 9:56 p.m., Tom Tom wrote:
> Hi
>
> Using latest squid 3.4.4 with ssl_bump. With ssl_bump enabled, I receive an error in cache.log (and the browser too) while opening the page 'https://www.pubservice.com/Subnew2page.aspx?PC=LJ':
>
> fwdNegotiateSSL: Error negotiating SSL connection on FD 67: error::lib(0):func(0):reason(0) (5/-1/104)
>
> I have found two workarounds:
>
> 1) Find out which encryption the SSL connection is using (curl -s -v -I -k https://www.pubservice.com/Subnew2page.aspx?PC=LJ;) and search for "SSL connection using RC4-SHA".
> 1a) Define 'sslproxy_cipher RC4-SHA' in squid.conf and reload squid.
> 2) Deny ssl_bump for the site mentioned above.

#1 is very unsafe. RC4 and SHA1 are both very broken algorithms.

> Question:
> What encryption types does squid allow per default in sslproxy_cipher?

Squid leaves the default up to the library. Check your OpenSSL library version's documentation.

> Why do I need to extend the sslproxy_cipher directive in some circumstances?

Because there are broken/obsolete servers out there still. The default ciphers your Squid box's SSL library provides do not always overlap with the ciphers requested by servers your clients are visiting.

Since it is requiring RC4-SHA be enabled I expect the server has an extremely outdated SSL library with a small set of broken ciphers (possibly even just the one) and your Squid is using a newer library with the broken ciphers disabled by default.

> Why is this site not working with ssl_bump enabled and the default sslproxy_cipher?

ssl-bump decrypts the traffic, so Squid is required to re-encrypt it before sending it to the server. That is where the above all comes in. fwdNegotiateSSL is an error when forwarding the traffic to the server.

Amos
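To make Amos's point concrete (the default cipher set is the OpenSSL library's, not Squid's, and a server that only offers RC4-SHA simply has no overlap with it), here is an added Python script that is not from the thread or from Squid. It asks the local OpenSSL what a default client context enables, models the cipher overlap with a constructed single-cipher legacy server, and shows what a restrictive cipher string like the one in workaround 1a) yields on a library that no longer ships RC4.

```python
import ssl

# Constructed stand-in for the outdated origin server in the thread: it
# offers exactly one cipher suite. (Assumption, not observed from the site.)
LEGACY_SERVER_OFFERS = ["RC4-SHA"]


def default_cipher_names():
    """Cipher suites the local OpenSSL enables in a default client context.

    This is the list Squid inherits when sslproxy_cipher is left unset:
    Squid carries no default of its own, the library does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers()]


def ciphers_for(spec):
    """Cipher suites selected by an OpenSSL cipher string such as the value
    given to sslproxy_cipher. Returns [] when the library cannot satisfy the
    string (e.g. 'RC4-SHA' on a build without RC4); OpenSSL reports that as
    an error, which Python surfaces as ssl.SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def negotiable(server_offers, proxy_allows):
    """Suites both sides accept. An empty result is the situation behind
    'fwdNegotiateSSL: Error negotiating SSL connection' on the server side."""
    return [c for c in proxy_allows if c in server_offers]


def weak_ciphers(names):
    """Flag suites built on obsolete primitives, by OpenSSL name substring."""
    markers = ("RC4", "MD5", "DES", "NULL", "EXP")
    return [n for n in names if any(m in n for m in markers)]


if __name__ == "__main__":
    defaults = default_cipher_names()
    print(f"library default enables {len(defaults)} suites; weak: {weak_ciphers(defaults)}")
    print("overlap with legacy server:", negotiable(LEGACY_SERVER_OFFERS, defaults))
    forced = ciphers_for("RC4-SHA")  # the cipher string from workaround 1a)
    print("sslproxy_cipher RC4-SHA would yield:", forced or "nothing (library refuses)")
    print("weak suites in forced list:", weak_ciphers(forced))
```

Run it on the Squid host itself: the first line is the effective default for that box, and an empty overlap line reproduces the forwarding failure without touching the proxy.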
[squid-users] Intercept HTTPS with dynamic certificate for clients
Hi all,

I am using Squid 3.4.4 on debian wheezy, compiling the sources. I am trying to configure squid as a transparent proxy using:

https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/CertifSignature/SquidServeurVeriSign.pem key=/etc/squid3/CertifSignature/Squid.key

The SquidServeurVeriSign.pem has been signed by verisign.

How can I avoid the alerts on firefox or safari (I am in a mac osx environment)? The alerts are showing on every https page:

Connection not certified. You asked firefox to connect... we can't confirm the connection is secured... website identity can't be verified.

Sorry for the translation...

Can someone help me?

NB: I imported the root certificate in my firefox.

-- LAZARO Emmanuel
[squid-users] Re: separate channels for http and https to the same host
Good info .. Thanks !
Re: [squid-users] disable ssl client renegotiating
I looked into the redhat patch for openssl and I found that they have changed ssl.h from

#define SSL_OP_ALL 0x8BFFL

to

#define SSL_OP_ALL 0x8BF7L /* we still have to include SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */

Could it be my problem?

Cheers
Re: [squid-users] FileSystem mount options and other parameters
On 03/18/2014 02:29 AM, Omid Kosari wrote:
> AFAIK there is no complete guide for using FS types for squid.

There is probably no truly complete guide for any complex topic, but Duane's "Squid: The Definitive Guide" book has two chapters on disk caching, including a section on file system type selection.

> Historically i am using ReiserFS 3.6 on Ubuntu 12.10 64bit . Here is my /etc/fstab
>
> /dev/sda1 /cache1 reiserfs notail,noatime,nodiratime,data=writeback,barrier=none,async,commit=10 0 0
> /dev/sdb1 /cache2 reiserfs notail,noatime,nodiratime,data=writeback,barrier=none,async,commit=10 0 0
> /dev/sdc1 /cache3 reiserfs notail,noatime,nodiratime,data=writeback,barrier=none,async,commit=10 0 0
>
> and
>
> root@cache:~# cat /sys/block/sd*/queue/scheduler
> noop [deadline] cfq
>
> And some references
> https://reiser4.wiki.kernel.org/index.php/Mount
> http://doc.opensuse.org/products/draft/SLES/SLES-tuning_sd_draft/cha.tuning.io.html
>
> sda is SSD and sdb,sdc are SCSI 19k RPM and i think they should not be same .
>
> Note :For people who are not aware , i suggest investigating on these configs because they are very important for performance tuning of cache server .
>
> Anybody has suggestions ?

I cannot suggest ReiserFS tuning options, but if performance is important for you, your Squid handles a lot of traffic, and you are still using ufs-based cache_dirs, then you probably should plan to migrate to SMP and Rock cache dirs (which means making sure SMP and Rock work well for you and fixing what does not work). The other cache_dir types are not designed for such environments IMO.

For Rock, I personally recommend the simplest file system you can tune (e.g., ext2). The less the file system does, the better your chances are of forcing it to do it right.

Some Rock performance tuning advice is available at http://wiki.squid-cache.org/Features/RockStore

And, as Amos has already said, efforts towards supporting raw Rock partitions/devices are welcomed: http://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F

Cheers,
Alex.
Re: [squid-users] Intercept HTTPS with dynamic certificate for clients
On 03/19/2014 05:53 AM, Emmanuel LAZARO - S.IM.KO. wrote:
> I am trying to configure squid as a transparent proxy using :
> ...
> The SquidServeurVeriSign.pem has been signed by verisign.

You need to create a self-signed (a.k.a. Root CA) certificate that is capable of signing any site certificate. Verisign will not sign your Root CA certificate, so if your certificate is signed by Verisign, then your certificate is not a Root CA certificate.

Needless to say, a browser with your Root CA certificate installed will trust any site signed by your Root CA certificate, just like it trusts any site signed by Verisign now. Be careful!

There are many web pages with instructions on how to create a self-signed certificate, including a sketch at http://wiki.squid-cache.org/Features/DynamicSslCert

Alex.
[squid-users] how to config radius auth with windows 2008R2 NPS
I tested the helper, but it echoes ERR:

basic_radius_auth -h 192.168.1.1 -w test

192.168.1.1 is the NPS server. How to config the NPS server?