Re: [squid-users] Only checking URLs via Squid for SSL

2014-08-24 Thread Amos Jeffries
On 24/08/2014 9:32 p.m., Nicolás wrote:
 Hi Amos,
 
 On 24/08/2014 0:52, Amos Jeffries wrote:
 On 24/08/2014 1:00 a.m., Nicolás wrote:
 Hi,

 I'm using Squid 3.3.8 as a transparent proxy, it works fine with HTTP,
 but I'd like to avoid caching HTTPS sites, and just determine whether
 the requested URL is listed as denied on Squid (via 'acl dstdom_regex'
 for instance), otherwise just make squid act as a proxy to the URL's
 content. Is that even possible without using SSL Bump? Otherwise, could
 you recommend the simplest way of achieving this?

 No it is only possible with bumping. For transparent interception of
 port 443 (HTTPS) use squid-3.4 with server-first bumping at minimum,
 preferably squid-3.5 with peek-n-splice when it comes out.

 If you bump and still do not want to cache for some reason the cache
 access control can be used like so:

acl HTTPS proto HTTPS
cache deny HTTPS


 Amos

 
 I finally installed Squid 3.4.6 from source with --enable-ssl and
 --enable-ssl-crtd options and put the corresponding configuration line
 for ssl-bump:
 
 https_port 0.0.0.0:3130 intercept ssl-bump
 cert=/opt/certs/server.crt key=/opt/certs/server.key
 
 This cert is self-signed and evidently it produces the
 'sec_error_untrusted_issuer' error on the clients' browsers. Would that
 warning disappear if I used a recognized CA to sign that cert that would
 match the Squid box's FQDN, or is the installation of the self-signed
 cert on every client's browser the only option here?

If the browser does not trust the signing CA it will warn.

Amos
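An added example, not part of the thread above, of the Squid 3.4 configuration the exchange describes: interception of port 443 with server-first bumping, the URL filter applied to the decrypted requests, and the cache deny rule from Amos's reply. On the certificate question: with ssl-bump the cert=/key= pair is what Squid signs the generated per-site certificates with, so it has to be a CA certificate that every client has been told to trust; a server certificate for the proxy's own FQDN, even one issued by a public CA, does not make the warning go away. The paths /opt/certs/proxy-ca.pem, /opt/certs/proxy-ca.key, /var/lib/squid/ssl_db and /etc/squid/blocked_domains.regex, and the helper location /usr/local/squid/libexec/ssl_crtd, are assumptions.

```conf
# squid.conf fragment (added example; file locations are assumptions)

# Intercepted HTTPS: bump it with a CA certificate the clients trust.
# Squid mints a certificate per origin host and signs it with this key.
https_port 0.0.0.0:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/certs/proxy-ca.pem key=/opt/certs/proxy-ca.key

# Helper that generates and caches the per-site certificates.
# Its store must be created once before the first start (see note below).
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Squid 3.4: fetch the real server certificate first, then decrypt.
ssl_bump server-first all

# The domain filter only sees the full URL once the connection is bumped;
# one regex per line in the assumed file.
acl blocked_sites dstdom_regex -i "/etc/squid/blocked_domains.regex"
http_access deny blocked_sites

# Proxy the decrypted responses without storing them (from the reply above).
acl HTTPS proto HTTPS
cache deny HTTPS
```

The certificate store has to be created once, as the cache_effective_user, with ssl_crtd -c -s /var/lib/squid/ssl_db -M 4MB before Squid is started. Treat proxy-ca.key like any CA key: whoever can read it can impersonate every HTTPS site to every client that trusts the CA, so keep it unreadable to anyone but the account Squid loads it under.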


Re: [squid-users] Nudity Images Filter for Squid

2014-08-24 Thread Helmut Hullen
Hello, Squid,

You wrote on 23.08.14:

 Sure we may need a real time image filter for advanced image
 filtering.

But that goal is far off squid.

squid checks URLs (headers), you will check content.

Best regards!
Helmut



[squid-users] Re: kerberos_ldap_group stopped working with subdomains

2014-08-24 Thread Markus Moeller

Hi Pavel,

  Can you use 3.4 then instead of 3.3 as it seems to have the problem fixed?


Markus

Pavel Timofeev  wrote in message 
news:CAAoTqftctS7GJfiS-k+RgN1uMkyujE_RdOFsZyBYFU1=dd8...@mail.gmail.com...


That's how squid's 3.4.6 helper works with usern...@example.org

kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
support_member.cc(55): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: User domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(83): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Default domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(111): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Default group loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(113): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Got default keytab file name
/usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Get principal name from keytab
/usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Found principal name:
HTTP/proxy.example@example.org
support_krb5.cc(174): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Set credential cache to
MEMORY:squid_ldap_45620
support_krb5.cc(270): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Got principal name
HTTP/proxy.example@example.org
support_krb5.cc(313): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(830): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(836): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain
EXAMPLE.ORG
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record
to dc1.example.org
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record
to dc2.example.org

etc and no problems.





2014-08-21 14:54 GMT+04:00 Pavel Timofeev tim...@gmail.com:

Group name in config is OCS-DenyInternet-G of course.

2014-08-21 14:48 GMT+04:00 Pavel Timofeev tim...@gmail.com:

Hi!
Please, help.
I've been using squid 3.3.11 on FreeBSD 10 for a year.
I have AD and kerberos authentication. Squid checks DenyInternet
group membership through kerberos_ldap_group. My domain example.org
has subdomains like south.example.org, west.example.org, etc. All
users use proxy.example.org.
Everything works fine. Here is config:

auth_param negotiate program
/usr/local/libexec/squid/negotiate_kerberos_auth -s
HTTP/proxy.example@example.org
auth_param negotiate children 100 startup=30 idle=5
auth_param negotiate keep_alive

external_acl_type no_inet_users ttl=3600 negative_ttl=3600
children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN
/usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g
DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass

Now I'm trying to migrate to squid 3.4.6. Same config.
I've encountered a problem: kerberos_ldap_group stopped working
with subdomain users like u...@south.example.org while it still works
with u...@example.org.
In general it started to complain ERROR: Error during setup of
Kerberos credential cache in cache.log.
When I turn on the debug I'm getting this:


kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: INFO: Got User: ptimofeev Domain:
SOUTH.EXAMPLE.ORG
support_member.cc(55): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: User domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(83): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Default domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(111): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Default group loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(113): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Got default keytab 

[squid-users] Fwd: New to FreeBSD, Squid experiencing request loops

2014-08-24 Thread orientalsniper
Hello all, I'm having the same problem as this guy:

http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-transparent-proxy-with-one-nic-access-denied-problem-td4664881.html

When I try to access a website I get a Access Denied by Squid message
and in the access.log I see I'm getting a forwarding loop error.

But we have different network setup and he's using Ubuntu. I'm running Squid 3.4

I'm running 2 VM's: 1 for pfSense and the other for FreeBSD (nginx + squid)

I have the following network:
WAN1 + WAN2 in pfSense
10.0.0.1/24 (LAN1 in pfSense)
10.1.0.1/24 (LAN2 in pfSense)
10.2.0.1/24 (LAN3 in pfSense)  (connecting to nginx+squid[10.2.0.2] VM)

My squid.conf:
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl whatismyip dstdomain whatismyip.cc
http_access allow whatismyip

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl WORK-PC srcdomain 10.1.0.3

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all

# Squid normally listens to port 3128
http_port 10.2.0.2:3128 intercept

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:  1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?) 0   0%   0
refresh_pattern .  0   20%   4320
cache_effective_user squid
cache_effective_group squid
check_hostnames off
unique_hostname squidcache
dns_nameservers 8.8.8.8
tcp_outgoing_address   127.0.0.1


Re: [squid-users] Fwd: New to FreeBSD, Squid experiencing request loops

2014-08-24 Thread Amos Jeffries
On 25/08/2014 12:37 p.m., orientalsniper wrote:
 Hello all, I'm having the same problem as this guy:
 
 http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-transparent-proxy-with-one-nic-access-denied-problem-td4664881.html
 
 When I try to access a website I get a Access Denied by Squid message
 and in the access.log I see I'm getting a forwarding loop error.
 
 But we have different network setup and he's using Ubuntu. I'm running Squid 3.4
 
 I'm running 2 VM's: 1 for pfSense and the other for FreeBSD (nginx + squid)
 
 I have the following network:
 WAN1 + WAN2 in pfSense
 10.0.0.1/24 (LAN1 in pfSense)
 10.1.0.1/24 (LAN2 in pfSense)
 10.2.0.1/24 (LAN3 in pfSense)  (connecting to nginx+squid[10.2.0.2] VM)
 

What is nginx in the mix for?
 and what is pfSense doing?
 where are the NATs happening? **


** you must have at least three layers of NAT for that described setup
to work:
  clients--10.2.0.2 (for delivery to nginx)
  10.2.0.2:80 - 10.2.0.2:3128 (nginx outgoing MITM capture to Squid)
  127.0.0.1 - 10.2.0.2
  10.2.0.2 - Internet

 My squid.conf:

(elided the comments for you so we can read it easier.)

 
 acl whatismyip dstdomain whatismyip.cc
 http_access allow whatismyip
 
 acl SSL_ports port 443
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 443 # https
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 acl CONNECT method CONNECT
 acl WORK-PC srcdomain 10.1.0.3

10.1.0.3 is not a domain name. It is an IP address. Use src ACL type.

 
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost manager
 http_access deny manager
 
 http_access allow localnet
 http_access allow localhost
 
 http_port 10.2.0.2:3128 intercept
 
 cache_dir ufs /var/squid/cache/squid 100 16 256
 coredump_dir /var/squid/cache/squid
 
 refresh_pattern ^ftp:  1440   20%   10080
 refresh_pattern ^gopher:   1440   0%   1440
 refresh_pattern -i (/cgi-bin/|\?) 0   0%   0
 refresh_pattern .  0   20%   4320
 cache_effective_user squid
 cache_effective_group squid
 check_hostnames off
 unique_hostname squidcache
 dns_nameservers 8.8.8.8
 tcp_outgoing_address   127.0.0.1
 

127.0.0.1 is not a globally routable IP address. Nor can it be NAT'ed to
one. Outgoing traffic from Squid to any other host is guaranteed to fail
delivery.


Amos


Re: [squid-users] Fwd: New to FreeBSD, Squid experiencing request loops

2014-08-24 Thread Amos Jeffries
On 25/08/2014 2:22 p.m., orientalsniper wrote:
 nginx is serving as reverse proxy listening on 10.2.0.4-10.2.0.9 HTTP
 for some games patches.
 
 pfSense serves as firewall, captive portal and among other services.
 
 By NAT, I think you mean pfSense is doing it? pfSense is 10.0.0.1,
 10.1.0.1 and 10.2.0.1.
 I have a NAT rule in pfSense to redirect all LAN2 HTTP traffic to
 10.2.0.2 (port 3128).
 

Great, that clarifies a lot.

The problem is that NAT is being done on a separate box from Squid.
Current Squid attempts to be as fully transparent as possible in
intercept/transparent mode. That includes ensuring the domain/IP the
client was contacting is actually the one Squid is using too - that is
mandatory due to CVE-2009-0801 issues.

With NAT on a separate box Squid only knows its own IP as the
destination. So on the outbound things get looped.


What you need to do to fix this is move the NAT rule changing port to
3128 onto the Squid VM. Have pfSense route port 80 traffic with 10.2.0.2
as the gateway router (policy routing) unless it came from 10.2.0.2 in
the first place.

After that your proxy should be usable. But there are some additional
security issues that need resolving as well:

 1) renumber the interception port in Squid to something other than
3128. Squid needs to use 3128 for forward-proxy traffic from the
clients, manager API access, icons, etc.

 2) update the Squid VM firewall to prevent external machines directly
accessing the intercept port you choose. It only needs to be used by
packets between Squid and the firewall on the same machine. If any
outside machines do access it you will have looping problems and
potentially a DoS happening.


 WORK-PC (10.1.0.3) ACL was redundant and I forgot to delete it, since
 it's part of 10.0.0.0/8
 
 Regarding tcp_outgoing_address   127.0.0.1 that was one of my
 attempts to fix my issue, I've tried 10.2.0.2 also.

You should not need to set outgoing IP at all. Remove that before
testing the above changes.


HTH
Amos
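An added example, not from the thread, showing the arrangement Amos describes on the Squid VM (10.2.0.2): the port-80 redirect done locally with pf so Squid can recover the original destination from pf's NAT table, the intercept port renumbered and shielded from direct connections, and the squid.conf corrections raised above. The interface name em0 and the port number 3129 are assumptions, and both fragments are additions to the existing pf ruleset and squid.conf rather than complete files; the ACLs not shown (Safe_ports, SSL_ports, CONNECT) stay as posted. pfSense keeps no NAT for this traffic and only policy-routes LAN2's port-80 packets, other than those from 10.2.0.2, to 10.2.0.2 as gateway.

```conf
# --- /etc/pf.conf additions on the Squid VM (FreeBSD 10, rdr syntax) ---
int_if = "em0"          # assumption: the interface facing pfSense
squid_ip = "10.2.0.2"

# Redirect LAN2's port-80 traffic that pfSense routed through this host to
# the local intercept port. "rdr pass" admits the redirected packets without
# consulting the filter rules, so the block below never sees them.
rdr pass on $int_if inet proto tcp from 10.1.0.0/24 to any port 80 -> $squid_ip port 3129

# Nothing may reach the intercept port directly: only redirected packets
# belong there, and a direct hit would re-enter Squid and loop.
block in quick on $int_if inet proto tcp from any to $squid_ip port 3129

# --- squid.conf changes on the Squid VM ---
# Forward-proxy port, kept on 3128 for explicit clients, cachemgr, icons.
http_port 10.2.0.2:3128
# Interception port, separate from 3128 and reachable only through the rdr rule.
http_port 10.2.0.2:3129 intercept

acl localnet src 10.0.0.0/8
# src, not srcdomain: the value is an IP address (redundant with localnet,
# as noted in the thread; shown only for the ACL type).
acl WORK-PC src 10.1.0.3

http_access allow localnet
http_access allow localhost
http_access deny all

# The name Squid writes into Via and matches against to detect its own loops.
unique_hostname squidcache

# No tcp_outgoing_address line: Squid sources from 10.2.0.2 via the routing table.
```

Squid reads the pre-redirect destination through /dev/pf, which on FreeBSD means a build with --enable-pf-transparent and --with-nat-devpf and a /dev/pf readable by the cache_effective_user; if that lookup fails, Squid is back to seeing only its own address as the destination and the loop returns. After the change, any request that still loops shows up in cache.log as a "WARNING: Forwarding loop detected" entry whose Via header already carries squidcache.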


[squid-users] Re: Squid not listening on any port

2014-08-24 Thread israelsilva1
Amos Jeffries wrote:
  Um, 100 is not a debug level between 0 and 9.
  Amos

Nothing using 0:

[root@dxb-squid34 ~]# squid -N -d 0
2014/08/25 09:19:42| Warning: empty ACL: acl blockfiles urlpath_regex -i /etc/squid/local/bad/blockfiles
2014/08/25 09:19:42| Starting Squid Cache version 3.4.6 for x86_64-unknown-linux-gnu...

Same thing using 9:

[root@dxb-squid34 ~]# ps aux|grep squid
root     30030  0.0  0.0 103252   828 pts/0    S+   09:20   0:00 grep squid

[root@dxb-squid34 ~]# squid -N -d 9
2014/08/25 09:21:04| Warning: empty ACL: acl blockfiles urlpath_regex -i /etc/squid/local/bad/blockfiles
2014/08/25 09:21:04| Current Directory is /root
2014/08/25 09:21:04| Starting Squid Cache version 3.4.6 for x86_64-unknown-linux-gnu...
2014/08/25 09:21:04| Process ID 30031
2014/08/25 09:21:04| Process Roles: master worker
2014/08/25 09:21:04| With 4096 file descriptors available
2014/08/25 09:21:04| Initializing IP Cache...
2014/08/25 09:21:04| DNS Socket created at 0.0.0.0, FD 6
2014/08/25 09:21:04| Adding nameserver 10.11.1.11 from squid.conf
2014/08/25 09:21:04| Adding nameserver 10.11.1.12 from squid.conf
2014/08/25 09:21:04| helperOpenServers: Starting 0/100 'squidGuard' processes
2014/08/25 09:21:04| helperOpenServers: No 'squidGuard' processes needed.
2014/08/25 09:21:04| Logfile: opening log /var/log/squid/access.log
2014/08/25 09:21:04| WARNING: log name now starts with a module name. Use 'stdio:/var/log/squid/access.log'
2014/08/25 09:21:04| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/08/25 09:21:04| Logfile: opening log /var/log/squid/store.log
2014/08/25 09:21:04| WARNING: log name now starts with a module name. Use 'stdio:/var/log/squid/store.log'
2014/08/25 09:21:04| Swap maxSize 210944000 + 2097152 KB, estimated 16387780 objects
2014/08/25 09:21:04| Target number of buckets: 819389
2014/08/25 09:21:04| Using 1048576 Store buckets
2014/08/25 09:21:04| Max Mem  size: 2097152 KB
2014/08/25 09:21:04| Max Swap size: 210944000 KB
2014/08/25 09:21:04| Rebuilding storage in /cache2/squid (dirty log)
2014/08/25 09:21:04| Rebuilding storage in /cache3/squid (dirty log)
2014/08/25 09:21:04| Rebuilding storage in /cache4/squid (dirty log)
2014/08/25 09:21:04| Using Least Load store dir selection
2014/08/25 09:21:04| Current Directory is /root
2014/08/25 09:21:04| Finished loading MIME types and icons.
2014/08/25 09:21:04| HTCP Disabled.

Any thoughts?


