Re: [squid-users] correct regular expression to use to capture all

2023-07-09 Thread Walter H.

On 08.07.2023 14:07, robert k Wild wrote:
True but I don't want to create two ACL lists, one for "ssl name" and 
one for "ssl name regex"


If I were you, I would create two ACL lists, because the one without regex, as already mentioned, needs fewer resources - CPU, memory - and can have more rules; the regex thing has a limit in the number of rules;





smime.p7s
Description: S/MIME Cryptographic Signature
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Squid 4.11, Almalinux 8.4 (RHEL 8.4 based) - user defined directory for certificate cache?

2021-10-10 Thread Walter H.

Hello,

this

sudo -u squid /usr/lib64/squid/security_file_certgen -c -s /var/local/squid/ssl_db -M 4MB

gives the error

/usr/lib64/squid/security_file_certgen: Cannot create /var/local/squid/ssl_db

but this

sudo -u squid /usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB

works

both directories /var/spool/squid and /var/local/squid exist
and have the squid_cache_t SELinux context and are owned by squid:squid

Thanks






Re: [squid-users] a specific host generates a 503 ...

2021-03-15 Thread Walter H.

On 15.03.2021 10:14, Matus UHLAR - fantomas wrote:

On 12/03/21 1:14 am, Eliezer Croitoru wrote:

It's sitting behind:  DDoS protection by Cloudflare
So it makes sense that you would not be able to download it using 
wget.

The only option probably is using a web browser.
I would suggest contacting clamav.net web/system admins to verify 
what are the options.



On 11.03.2021 15:33, Amos Jeffries wrote:
FWIW, the tools I use seem to fetch it fine when adding the header 
"User-Agent: ClamAV/0.103.1 (OS: linux-gnu, ARCH: x86_64, CPU: 
x86_64)".



due to huge abuse from web fetchers like wget, clamav has recently 
blocked
fetching virus databases by non-freshclam clients and freshclam older 
than

0.100:
https://lists.clamav.net/pipermail/clamav-users/2021-March/010578.html


I found out my older squid was the only squid not clearing the User-Agent;

thanks for the info;

now it works again with the originally used squid;

Thanks,
Walter







Re: [squid-users] a specific host generates a 503 ...

2021-03-13 Thread Walter H.

On 11.03.2021 15:33, Amos Jeffries wrote:

On 12/03/21 1:14 am, Eliezer Croitoru wrote:

Hey Walter,

It's sitting behind:  DDoS protection by Cloudflare
So it makes sense that you would not be able to download it using wget.
The only option probably is using a web browser.
I would suggest contacting clamav.net web/system admins to verify 
what are the options.




FWIW, the tools I use seem to fetch it fine when adding the header 
"User-Agent: ClamAV/0.103.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)".


the freshclam updater does add this User-Agent, and fails on the 
newer squids; only the older one succeeds;


and wget succeeds using the older squid, too?
(without adding a User-Agent)

why is that?

Thanks,
Walter






[squid-users] a specific host generates a 503 ...

2021-03-09 Thread Walter H.

Hello,

can someone test the following URL

http://db.local.clamav.net/daily-26102.cdiff

e.g.   wget http://db.local.clamav.net/daily-26102.cdiff

I have an older squid (v3.1) where this works,
but with the newer ones (v3.4 and v3.5) it doesn't;

is there an explanation why?

the log shows this:

client-ip - - [10/Mar/2021:06:43:50 +0100] "GET 
http://db.local.clamav.net/daily-26102.cdiff HTTP/1.0" 503 8645 "-" 
"Wget/1.12 (linux-gnu)" TCP_MISS:HIER_DIRECT


the suspicious thing: when using a browser, this works with any squid, 
but this doesn't help because the clamav signature updates are loaded 
by freshclam, which shows the same failure as e.g. wget

client-ip - - [09/Mar/2021:06:00:03 +0100] "GET 
http://db.local.clamav.net/daily-26102.cdiff HTTP/1.0" 503 8642 "-" 
"ClamAV/0.103.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
TCP_MISS:HIER_DIRECT


I noticed this two days after the nightly freshclam (signature update) 
failure, and changed the freshclam config to use the squid v3.1;

Thanks,
Walter



Re: [squid-users] wiki.squid-cache.org has invalid SSL certificate

2021-01-23 Thread Walter H.

On 23.01.2021 13:07, Matus UHLAR - fantomas wrote:

On 22.01.21 15:32, Alex Rousskov wrote:

On 1/22/21 3:10 PM, Walter H. wrote:


https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org
there is an invalid certificate as the intermediate


FWIW, I see nothing marked as "invalid" on that page, even after
clicking on one of the two servers and expanding the "Certification
Paths" group. The "certificate" score is 100%/Green.

The service does show one missing intermediate certificate ("certificate
chain is incomplete" and "extra download" annotations), which the
service was able to successfully download and validated. This extra work
reduced our overall score from A to B AFAICT. This is expected per Squid
Project NOC AFAICT.

It may help if you provide more details about the "invalid" annotations
that _you_ see on that report.


this may be obsolete info, both server certificate and intermediate were
signed last Sunday (Jan 17).

I have noticed similar problems for some letsencrypt certificates last
month. 


the reason: Let's Encrypt changed the intermediate, see here: 
https://letsencrypt.org/certificates/

https://wiki.squid-cache.org/ got a new SSL certificate, but the chain 
still has the old X3 instead of R3 ...


Thanks

Walter







[squid-users] wiki.squid-cache.org has invalid SSL certificate

2021-01-22 Thread Walter H.

Hello,

look here

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org

there is an invalid certificate as the intermediate

Walter






Re: [squid-users] distinguish between IPv4 and IPv6

2021-01-12 Thread Walter H.

Hello,

I did something different, that prevents using the IPv6 of the tunnel 
device as source address;

(a general solution not just squid)

Walter

On 11.01.2021 21:29, Eliezer Croitoru wrote:


The detection of an IPV6 available DST can be determined by DNS and 
external ACL helper.


It will “slow” down the first couple bytes of the connection but can 
be much more reliable then the basic “dst” acl.


The basic test would be something like:

nslookup -type= www.squid-cache.org -timeout=10 |grep -v 
'#53'|grep Address:|wc -l


if the wc -l gt 0 then try to use IPV6.

I believe it's pretty simple and the main issue is if a service 
advertises an unreachable IPV6 address.


It can be either because of network misconfiguration or FW or 
misconfigured DNS.


I have seen all of the above happen in production services in the last 
year.


I can write a helper for this if required.

Eliezer



Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: ngtech1...@gmail.com <mailto:ngtech1...@gmail.com>

Zoom: Coming soon

*From:* squid-users *On Behalf Of* Amos Jeffries

*Sent:* Monday, January 11, 2021 10:10 PM
*To:* Walter H. ; 
squid-users@lists.squid-cache.org

*Subject:* Re: [squid-users] distinguish between IPv4 and IPv6

The dst ACL type accepts the special value of "ipv4". You can use that 
and the "!" operator to split traffic.


However, please be aware dst is not very reliable until *after* the 
outgoing connection has been created, and we are still finding some 
access checks that do not use it correctly. YMMV.


Amos


 Original message 
From: "Walter H."
Date: Tue, 12 Jan 2021, 03:19

Hello,

is there a way, that I can do something like

if ( dst is IPv4 ) go direct
if ( dst is IPv6 ) use parent proxy xxx

The reason for my question: I'm using an IPv6-in-IPv4 tunnel,
and it would make sense to forward all traffic going to IPv6 to squid
running on tunnel end;

Thanks,
Walter
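The DNS-based detection Eliezer sketches above, written out as a Squid external ACL helper that Walter's "IPv6 destinations go via the parent on the tunnel end" rule could use. This is an added example, not code from the thread or from the Squid project: the helper path, the ACL name ipv6dst, the peer name tunnel-end.example.net and the squid.conf wiring in the docstring are assumptions, and the DNS answers in the test are constructed.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: answer OK when the destination resolves to a
globally routable IPv6 address, ERR otherwise.

Assumed squid.conf wiring (hypothetical names; adjust to your setup):

  external_acl_type ipv6dst ttl=300 negative_ttl=60 concurrency=8 %DST /usr/local/bin/ipv6_dst_helper.py
  acl ipv6dst external ipv6dst
  cache_peer tunnel-end.example.net parent 3128 0 no-query
  cache_peer_access tunnel-end.example.net allow ipv6dst
  never_direct allow ipv6dst
  always_direct allow !ipv6dst
"""
import ipaddress
import socket
import sys
from typing import Callable, Iterable, Iterator, List

Resolver = Callable[[str], List[str]]


def lookup_aaaa(host: str) -> List[str]:
    """Default resolver: IPv6 addresses of host via the system resolver
    (needs network access; the test injects a fake resolver instead)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def usable_ipv6(addresses: Iterable[str]) -> List[str]:
    """Keep only globally routable IPv6 addresses. Loopback, link-local or ULA
    answers from a misconfigured zone must not steer traffic onto the tunnel."""
    keep = []
    for text in addresses:
        try:
            ip = ipaddress.IPv6Address(text.split("%", 1)[0])  # drop a scope id
        except ValueError:
            continue  # IPv4 or garbage: ignore
        if ip.is_global:
            keep.append(str(ip))
    return keep


def decide(dst: str, resolve: Resolver = lookup_aaaa) -> str:
    """Return 'OK' if dst should count as IPv6-reachable, else 'ERR'.

    dst is what Squid hands over for %DST: a hostname, an IPv4 literal or a
    bracketed IPv6 literal (CONNECT to an address). Literals need no DNS."""
    host = dst.strip().strip("[]")
    if not host:
        return "ERR"
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        return "OK" if literal.version == 6 and literal.is_global else "ERR"
    return "OK" if usable_ipv6(resolve(host)) else "ERR"


def serve(lines: Iterable[str], resolve: Resolver = lookup_aaaa,
          concurrent: bool = True) -> Iterator[str]:
    """Helper protocol loop. With concurrency=N Squid prefixes every request
    with a channel id, which must be echoed back in front of the answer."""
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if concurrent:
            channel, _, dst = line.partition(" ")
            yield f"{channel} {decide(dst, resolve)}"
        else:
            yield decide(line, resolve)


if __name__ == "__main__":
    for answer in serve(sys.stdin):
        print(answer, flush=True)  # Squid waits for one answer line per request
```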







[squid-users] distinguish between IPv4 and IPv6

2021-01-11 Thread Walter H.

Hello,

is there a way, that I can do something like

if ( dst is IPv4 ) go direct
if ( dst is IPv6 ) use parent proxy xxx

The reason for my question: I'm using an IPv6-in-IPv4 tunnel,
and it would make sense to forward all traffic going to IPv6 to squid 
running on tunnel end;


Thanks,
Walter






Re: [squid-users] Cannot access web servers with a specific browser

2020-09-14 Thread Walter H.

On 14.09.2020 14:50, Vieri wrote:

Hi,

Before digging into the whole squid configuration, I'd like to know what the 
following line means:

NONE_ABORTED/200 0 CONNECT 216.58.211.36:443 - HIER_NONE/- -

I get this when trying to access a web page with a specific browser (Google 
Chrome).

However, from the exact same client host, any other browser works fine (IE, 
Firefox) and I get this in the cache log:

NONE/200 0 CONNECT 216.58.211.36:443 - ORIGINAL_DST/216.58.211.36 -

along with many other log messages that follow.

So what does NONE_ABORTED mean and what should I search for to fix this so the 
client can use Chrome?


What about Microsoft Edge?

(especially the chromium based one)

as I see you don't do SSL-bump,

could it be that the client's (Chrome's) usable cipher suites don't 
conform to the ones offered by the server, and that this is the reason for 
'NONE_ABORTED'?


Walter






Re: [squid-users] Gateway Proxy failure - but only with one browser ...

2020-04-29 Thread Walter H.
It is very probable that the following has the same reason - but I don't 
know what's causing it ...


the old browser on old OS gives this


While trying to retrieve the URL: https://mein.elba.hypo.at/*

The following error was encountered:

    * Failed to establish a secure connection to 217.13.188.204

The system returned:

    (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

    Handshake with SSL server failed: error:1407742E:SSL 
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

...


the  new browser works ...

I thought that the SSL connection between browser and squid is different 
from the one between squid and server;
how can there be a SSL handshake problem between squid and server when 
using an old browser?



On 29.04.2020 19:26, Walter H. wrote:

I have two squids,

one does SSL bump (3.5 latest, CentOS 6)
the other doesn't SSL bump (3.4 latest, CentOS 6)

everything works,

I have a site that uses SSL/TLS, and two different browsers (one in a 
VM with old windows),


when I use the squid without SSL bump, the site works with both browsers,

but when I use the squid with SSL bump, with the old browser I get a 
"Gateway Proxy failure"


the log shows this:

host - - [29/Apr/2020:19:04:11 +0200] "CONNECT 
ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; 
U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" 
TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:04:11 +0200] "GET 
https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" 
"Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 
Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info


compared to the log when using the other browser ...

host - - [29/Apr/2020:19:05:53 +0200] "CONNECT 
ssl.mathemainzel.info:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 
10.0; Win64; x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" 
TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:05:53 +0200] "GET 
https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 
"https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; 
x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT 
SNI:ssl.mathemainzel.info


is this caused by the browser on old OS itself?

squid.conf (of squid with SSL bump)

reply_header_access Public-Key-Pins deny all

reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains


acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"

ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare step2
ssl_bump bump all

sslproxy_cafile /etc/squid/ca-bundle.trust.crt
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP

sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB

sslcrtd_children 8

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem options=NO_SSLv2,NO_SSLv3



Thanks,
Walter







[squid-users] Gateway Proxy failure - but only with one browser ...

2020-04-29 Thread Walter H.

I have two squids,

one does SSL bump (3.5 latest, CentOS 6)
the other doesn't SSL bump (3.4 latest, CentOS 6)

everything works,

I have a site that uses SSL/TLS, and two different browsers (one in a VM 
with old windows),


when I use the squid without SSL bump, the site works with both browsers,

but when I use the squid with SSL bump, with the old browser I get a 
"Gateway Proxy failure"


the log shows this:

host - - [29/Apr/2020:19:04:11 +0200] "CONNECT ssl.mathemainzel.info:443 
HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; 
rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" TAG_NONE:HIER_DIRECT 
SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:04:11 +0200] "GET 
https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 500 1679 "-" 
"Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.8.1.20) Gecko/20081217 
Firefox/2.0.0.20" TAG_NONE:HIER_NONE SNI:ssl.mathemainzel.info


compared to the log when using the other browser ...

host - - [29/Apr/2020:19:05:53 +0200] "CONNECT ssl.mathemainzel.info:443 
HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.9) 
Goanna/4.5 PaleMoon/28.9.1" TAG_NONE:HIER_DIRECT SNI:ssl.mathemainzel.info
host - - [29/Apr/2020:19:05:53 +0200] "GET 
https://ssl.mathemainzel.info/sslinfo/ HTTP/1.1" 200 1977 
"https://ssl.mathemainzel.info/" "Mozilla/5.0 (Windows NT 10.0; Win64; 
x64; rv:68.9) Goanna/4.5 PaleMoon/28.9.1" TCP_MISS:HIER_DIRECT 
SNI:ssl.mathemainzel.info


is this caused by the browser on old OS itself?

squid.conf (of squid with SSL bump)

reply_header_access Public-Key-Pins deny all

reply_header_access Strict-Transport-Security deny all
reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"

ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare step2
ssl_bump bump all

sslproxy_cafile /etc/squid/ca-bundle.trust.crt
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP

sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
sslcrtd_children 8

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem options=NO_SSLv2,NO_SSLv3



Thanks,
Walter






Re: [squid-users] several sites - cloudflare not working with ssl-bump ...

2020-02-25 Thread Walter H.
On Tue, February 25, 2020 06:30, Amos Jeffries wrote:
> On 25/02/20 5:00 am, Walter H. wrote:
>> Hello,
>>
>> can someone explain, why
>> sites as https://dnslytics.com/
>> do not work any more if 'server-first',
>> they only work with 'client-first' why?
>>
>
> Not with the lack of information supplied.
>
> Amos

part of my squid.conf

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"

# this doesn't work, my own Site also only with SNI works
ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare step2
ssl_bump bump all

# this works
#ssl_bump client-first

# this doesn't work with these sites
#ssl_bump server-first

even wget shows this:

ERROR: no certificate subject alternative name matches

which means that SNI isn't correctly handled, but why, and which part of
the chain is causing this?

this problem has existed since e.g. dnslytics.com got a new SSL certificate this year

Thanks,
Walter





[squid-users] several sites - cloudflare not working with ssl-bump ...

2020-02-24 Thread Walter H.

Hello,

can someone explain, why
sites as https://dnslytics.com/
do not work any more if 'server-first',
they only work with 'client-first' why?

Thanks,
Walter





[squid-users] difference of settings doing the same as it seems

2019-11-14 Thread Walter H.

Hello,

I found out something strange

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"

# I had these 3 settings - most worked, but only a few hosted at cloudflare worked: problems with SNI there, but only there

#ssl_bump stare step1 all
#ssl_bump splice nobumpsites
#ssl_bump bump all

# so I did these 3 settings
ssl_bump peek step1
ssl_bump splice nobumpsites
ssl_bump stare all

the file above contains server names where no SSL interception should be 
done, e.g. banking;


can someone explain the difference between these two ways - the 
commented ones and the other 3 settings?


Thanks,
Walter





Re: [squid-users] ssl bump intermediate certificate

2019-10-30 Thread Walter H.

On 30.10.2019 05:59, Marek Greško wrote:

Hello,

I am trying to configure ssl bumping on squid 4.8 but my browser is
not able to validate the certificate due to intermediate certificate
missing. How could I convince squid to send it?

Thanks

Marek
the ssl-bump certificate is either a root certificate itself, which must 
be installed on the clients, or an intermediate, where the root and all 
intermediates in between must be installed on the clients






Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-29 Thread Walter H.

Hello Amos,

On 29.06.2019 14:13, Amos Jeffries wrote:


That is a good sign. That exact combo is in the set supported by the
breaking server so it is unlikely your Squid or its OpenSSL is
contributing to this particular problem.

quite strange, only a few sites don't work, https://www.3bg.at is an 
example of such; many others work as expected; 

That is a bit odd. Though looking at the SSL Labs report for this
www.3bg.at site, they're restricting to only TLS/1.2 and there are many
clients for which the encryption handshake does not work.

Look at the
list of failures under "Handshake Simulation" and the whole list of "Not
simulated clients" for comparison with UA of any of your clients having
trouble connecting there.
I have my own website and there I did something similar - disabling 
TLSv1 and TLSv1.1, thus only allowing TLSv1.2;

here
https://www.ssllabs.com/ssltest/analyze.html?d=ssl.mathemainzel.info
shows the same: many failures under "Handshake Simulation"
but the weird thing, this works with my Squid :-)



Squid SSL-Bump is limited to negotiating use of TLS versions and
features which are supported by both itself and the client when offering
things to the server. So the problem of some clients agents not
supporting TLS/1.2 or the ciphers the server wants to use can make the
site fail even if your Squid outbound settings support them.


PS. At the technical level that exact error from OpenSSL means that some
data arrived from the server at a time when only TLS alert messages were
supposed to be happening.

there is also something different;   when doing the following:

openssl s_client -connect  HOST:PORT -servername HOST

this takes about 1 or 2 minutes until a certificate is shown with 
www.3bg.at

but with my site this goes quickly, within seconds;


I suspect it could be a sign that the
Internet between your proxy and that server is being MITM'd by an agent
that corrupts the protocol for some reason. eg someone elses proxy
rejecting the connection but getting its error response syntax wrong.

could this be a proxy on the server side?
but the strange thing: without SSL bump, or directly without squid, this site works;
(even though my browser uses an uncommon UA string and is not the original Firefox)

what strange thing is doing this badly on some sites?

Thanks,
Walter





Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-29 Thread Walter H.

On 29.06.2019 10:17, Amos Jeffries wrote:

On 29/06/19 3:03 am, Walter H. wrote:

sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP
sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2


I do not see the tls-dh setting necessary for the elliptic curves to
work in your displayed config.

do you mean the dhparams= at the http_port here?

http_port 3128 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squidCA.pem 
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE 
dhparams=/etc/squid/cert/dhparam.pem



  So that would make the above cipher
directive essentially disable everything except SSLv3 with MEDIUM/HIGH
level non-RSA ciphers.

even with this:

sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
and the sslproxy_cipher commented out,

this site doesn't work;

sslcrtvalidator_program cache=8192 ttl=240 
/usr/lib64/squid/ssl_crtvalid/main.sh

sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1

this validator isn't called at all with the site https://www.3bg.at
e.g. with https://wiki.squid-cache.org this validator script is 
called, and

there is the following traced

0 cert_validate 5324 host=wiki.squid-cache.org
proto_version=TLSv1.2
cipher=ECDHE-RSA-AES256-GCM-SHA384
...




The value of sslproxy_options directive is colon (:) or comma (,)
delimited. When multiple values like the above are configured only the
first in the list is used. Which forces only TLS/1.2

I changed this to

sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE


It is not clear what OpenSSL will do when those conflicting options are
handed to it. But it looks like it is down-grading to SSLv3 as L.P.H.
said then breaking when something else arrives back.
quite strange, only a few sites don't work, https://www.3bg.at is an 
example of such; many others work as expected;






Re: [squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-28 Thread Walter H.

this is in my squid.conf


acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpsites ssl::server_name "/etc/squid/sslnobumpsites-acl.squid"   <-- e.g. www.google.com


ssl_bump stare step1 all
ssl_bump splice nobumpsites
ssl_bump bump all

acl brokenButTrusted dstdomain "/etc/squid/brokenbuttrustedsites-acl.squid"   <-- contains e.g. download.microsoft.com


acl certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
...
acl squidSslHandshake ssl_error SQUID_ERR_SSL_HANDSHAKE

sslproxy_cert_sign_hash sha256

sslproxy_cert_error allow brokenButTrusted
sslproxy_cert_error deny all

sslproxy_cafile /etc/squid/ca-bundle.trust.crt
sslproxy_cipher 
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!RSA:!SRP

sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB
sslcrtd_children 8




On 28.06.2019 16:34, L.P.H. van Belle wrote:

the SSL3_GET_MESSAGE?
Maybe because they only support TLSv1.2?
It's been a long time since I've seen a site configured well with its TLS 
settings.
So most probably, you're downgrading the connection within the proxy 
settings to sslv3

And sharing your config might help to see that.
Greetz,
Louis

*Van:* squid-users
[mailto:squid-users-boun...@lists.squid-cache.org] *Namens *Walter H.
*Verzonden:* vrijdag 28 juni 2019 16:21
*Aan:* squid-users@lists.squid-cache.org
*Onderwerp:* [squid-users] SQUID_ERR_SSL_HANDSHAKE

Hello,

at some specific hosts
this is shown in cache.log
2019/06/28 16:11:12 kid1| Error negotiating SSL on FD 17:
error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message
(1/-1/0)

and this is the error page I get

Failed to establish a secure connection to ...

 (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
 Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message

what is causing this?

in case some want to try: https://www.3bg.at/
(when disabling SSL-bump no problem)

Thanks,
Walter







[squid-users] SQUID_ERR_SSL_HANDSHAKE

2019-06-28 Thread Walter H.

Hello,

at some specific hosts
this is shown in cache.log
2019/06/28 16:11:12 kid1| Error negotiating SSL on FD 17: 
error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message (1/-1/0)


and this is the error page I get

Failed to establish a secure connection to ...

 (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
 Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message


what is causing this?

in case some want to try:   https://www.3bg.at/
(when disabling SSL-bump no problem)

Thanks,
Walter





[squid-users] strange thing in the squid logs ...

2019-02-05 Thread Walter H.

Hello,

in iptables I have this:

*nat
...
-A PREROUTING -i br0 -p tcp -s 192.168.1.100 --dport 80 -j DNAT 
--to-destination 192.168.1.1:3129




192.168.1.100 is my PC and 192.168.1.1 is my NAT-Router, that has squid, 
... running


here the log

192.168.1.100 - - [05/Feb/2019:20:57:09 +0100] "CONNECT 77.74.177.233:80 
HTTP/1.1" 403 1516 "-" "-" TCP_DENIED:HIER_NONE
192.168.1.100 - - [05/Feb/2019:20:58:41 +0100] "CONNECT 
130.117.190.168:80 HTTP/1.1" 403 1520 "-" "-" TCP_DENIED:HIER_NONE
192.168.1.100 - - [05/Feb/2019:21:06:12 +0100] "CONNECT 
207.123.56.252:80 HTTP/1.1" 403 1518 "-" "-" TCP_DENIED:HIER_NONE
these are only examples; in reality there are many of these with exactly 
these IP addresses

what is causing such strange entries?


here the squid.conf

acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines


acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 3128# squid (ftp-icons, /squid-internal) [me]
acl CONNECT method CONNECT

http_access allow localhost manager
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports   # I guess this rule is causing DENIED in the log, but why port 80 there???


http_access deny to_localhost

http_access allow localnet
http_access allow localhost

http_access deny all

http_reply_access allow all

http_port 127.0.0.1:3128
http_port [::1]:3128
http_port 192.168.1.1:3128
http_port 192.168.1.1:3129 intercept

cache_dir ufs /var/spool/squid 16400 16 256
coredump_dir /var/spool/squid

always_direct allow all

acl crl-mime rep_mime_type application/x-pkcs7-crl
no_cache deny crl-mime

cache_mem 2560 MB

icon_directory /usr/share/squid/icons
error_directory /etc/squid/errors

as_whois_server whois.ra.net

logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

access_log /var/log/squid/access.log combined

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320






[squid-users] Message with SSL-bump with a specific site ...

2018-11-05 Thread Walter H.

Hello,

can some explain what is causing this message

While trying to retrieve the URL: https://www.3bg.at/*
The following error was encountered:

 * Failed to establish a secure connection to 193.138.123.75

The system returned:
 (71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message

Thanks,
Walter






[squid-users] Error Message alert handshake failure

2018-08-29 Thread Walter H.

Hello,

what does this message

2018/08/29 16:11:28 kid1| Error negotiating SSL on FD 22: 
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
failure (1/-1/0)


in cache.log mean?

Thanks,
Walter




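Both of the messages Walter asks about (the error page in the 2018-11-05 post and the cache.log line in the 2018-08-29 post) carry an OpenSSL error string of the form error:CODE:library:function:reason. The following is an added example for this archive, not Squid's own code: it decodes such strings so a handshake failure can be triaged from the log alone. OpenSSL 1.x packs the 32-bit code as lib (8 bits) : func (12 bits) : reason (12 bits) and reports a TLS alert received from the peer as reason 1000 + alert number, which is what separates "the server refused our hello" (the handshake_failure alert) from "we could not parse what the server sent" (the local "unexpected message" error). The sample lines are constructed from the two quoted messages; the third line is a constructed filler with no TLS error.

```python
"""Decode OpenSSL error strings from Squid error pages and cache.log lines.

Added example (not Squid's code). Sample input is constructed from the
messages quoted in the posts above; the wrapped cache.log line is re-joined.
"""
import re

SAMPLE_LINES = [
    # cache.log line from the 2018-08-29 post, re-joined into one line
    "2018/08/29 16:11:28 kid1| Error negotiating SSL on FD 22: "
    "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (1/-1/0)",
    # error-page text from the 2018-11-05 post
    "Handshake with SSL server failed: error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message",
    # constructed line without an OpenSSL error string: must be ignored
    "2018/08/29 16:12:01 kid1| (constructed line with no TLS error)",
]

# error:<8 hex digits>:<library>:<function>:<reason>, optionally followed by "(...)"
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^(\n]+?)\s*(?:\(|$)"
)
# "YYYY/MM/DD HH:MM:SS kidN| " prefix of a Squid cache.log line
CACHE_LOG = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<kid>kid\d+)\| ")

# TLS alert descriptions (RFC 5246 / RFC 6066) that show up most in proxy logs
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}


def parse_openssl_error(text):
    """Split an OpenSSL 1.x error string into its fields; None if there is none."""
    m = OPENSSL_ERR.search(text)
    if not m:
        return None
    code = int(m.group("code"), 16)
    reason_code = code & 0xFFF            # low 12 bits
    alert = reason_code - 1000 if reason_code >= 1000 else None  # SSL_AD_REASON_OFFSET
    return {
        "code": code,
        "lib_code": code >> 24,           # 0x14 == ERR_LIB_SSL
        "func_code": (code >> 12) & 0xFFF,
        "reason_code": reason_code,
        "lib": m.group("lib"),
        "func": m.group("func"),
        "reason": m.group("reason").strip(),
        "peer_alert": alert,
        "peer_alert_name": TLS_ALERTS.get(alert) if alert is not None else None,
    }


def triage(lines):
    """Return one finding per line that carries an OpenSSL error string."""
    findings = []
    for line in lines:
        err = parse_openssl_error(line)
        if err is None:
            continue
        ts = CACHE_LOG.match(line)
        fd = re.search(r"\bFD (\d+)\b", line)
        err["timestamp"] = ts.group("ts") if ts else None
        err["fd"] = int(fd.group(1)) if fd else None
        if err["peer_alert"] is not None:
            err["verdict"] = (
                f"peer sent TLS alert {err['peer_alert']} "
                f"({err['peer_alert_name'] or 'unknown'}): the server rejected our hello; "
                "compare offered TLS versions, ciphers and SNI with what the server accepts")
        else:
            err["verdict"] = (
                "local OpenSSL protocol error: the peer's handshake message was not what "
                "was expected; capture the exchange to see what the server actually sent")
        findings.append(err)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f["timestamp"], f["func"], f["reason"], "->", f["verdict"])
```

The reason field is the useful part for triage: a value of 1000 or more is the other side talking (alert 40 in the 2018-08-29 line means the origin server sent handshake_failure, so the offered cipher/version set is the first thing to compare), while a value below 1000, as in the 2018-11-05 line, is OpenSSL on the proxy objecting to a message it received.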


Re: [squid-users] [squid-announce] Squid 4.2 is available

2018-08-11 Thread Walter H.

On 10.08.2018 07:41, Amos Jeffries wrote:

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.2 release!




will there be an RPM for latest CentOS 6 available?

Walter





Re: [squid-users] block visit 80/443 browsing via IP(no domain name)

2018-07-29 Thread Walter H.

On 29.07.2018 06:11, Gordon Hsiao wrote:
is there a way to block any attempt to visit http/https by _any_ IP 
directly, i.e.


http://my-IP or https://my-IP (yes this will give a warning for SSL 
most likely). here my-IP could be any IPv4 address, for example.


Basically I want to have Squid to enforce all 80/443 access should be 
done via a FQDN instead of an IP, is this possible? or should this be 
handled in a redirector instead?



Hi,

I use this

/etc/squid/blockdomains-iphost-acl.squid  contains this

^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$
^\[([0-9a-f]{0,4})(:|:[0-9a-f]{0,4}){1,7}\]$

/etc/squid/squid.conf contains this

acl allow_domains_iphost dstdom_regex "/etc/squid/allowdomains-iphost-acl.squid"
acl block_domains_iphost dstdom_regex "/etc/squid/blockdomains-iphost-acl.squid"

...
deny_info ERR_DOMAIN_IPHOST_BLOCKED block_domains_iphost
...
http_access allow allow_domains_iphost
http_access deny block_domains_iphost





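To see what the two posted regexes actually classify, here is an added example for this archive (not Squid's code) that evaluates hosts in the same order as the posted http_access lines, allow list first, and compares the regex verdict with a strict address parse. The block patterns are the two lines from the posted blockdomains-iphost-acl.squid; the allow-list entry and the hostnames are constructed. It assumes, as the posted IPv6 pattern does, that dstdom_regex sees an IPv6 literal with its brackets, and that the host is lowercased before matching.

```python
"""Evaluate the IP-literal block list from the post in http_access order.

Added example (not Squid's code). Block patterns are the posted ones; the
allow entry and the test hosts are constructed.
"""
import ipaddress
import re

# the two lines of the posted /etc/squid/blockdomains-iphost-acl.squid
BLOCK_PATTERNS = [
    r"^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$",
    r"^\[([0-9a-f]{0,4})(:|:[0-9a-f]{0,4}){1,7}\]$",
]
# constructed allowdomains-iphost-acl.squid: one local device that is reached by address
ALLOW_PATTERNS = [r"^192\.168\.1\.1$"]


def acl_matches(host, patterns):
    """dstdom_regex semantics: any pattern matching the (lowercased) host."""
    h = host.lower()  # assumption: Squid matches against the lowercased host
    return any(re.search(p, h) for p in patterns)


def http_access_decision(host):
    """Mirror the posted order: 'allow allow_domains_iphost' before 'deny block_domains_iphost'."""
    if acl_matches(host, ALLOW_PATTERNS):
        return "allow"
    if acl_matches(host, BLOCK_PATTERNS):
        return "deny"
    return "no match"  # later http_access lines decide


def is_ip_literal(host):
    """Strict check: does the host parse as an IPv4 or IPv6 address?"""
    bare = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(bare)
        return True
    except ValueError:
        return False


def disagreements(hosts):
    """Hosts where the regex list and the strict parser reach different verdicts."""
    return [h for h in hosts if acl_matches(h, BLOCK_PATTERNS) != is_ip_literal(h)]


if __name__ == "__main__":
    for h in ["www.example.com", "192.168.1.1", "10.0.0.1", "[2001:db8::1]", "299.1.1.1"]:
        print(f"{h:20} {http_access_decision(h):9} ip_literal={is_ip_literal(h)}")
    print("regex and parser disagree on:", disagreements(["299.1.1.1", "10.0.0.1"]))
```

The one disagreement in the sample set, 299.1.1.1, is the regex being looser than a real address (it accepts any first digit 1 or 2 followed by up to two digits). For a deny list that direction of error is harmless; a miss would be the case worth testing for, which is what the comparison function is for when the pattern file is edited.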


Re: [squid-users] Wpad problem (DNS)

2018-07-26 Thread Walter H.

On 26.07.2018 17:32, erdosain9 wrote:

Hi, thanks
I try Explorer 8.0 and Chrome 68.0...

this can be deactivated on the browser side; then wpad is for the cats ...

Walter





Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Walter H.

On 26.06.2018 19:03, Amit pasari wrote:

Dear Walter
I have tried with both SHA1 and SHA256 cert .


Sent from my iPhone

On Jun 26, 2018, at 9:43 PM, Walter H. <mailto:walte...@mathemainzel.info>> wrote:



On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote:


I am using squid in transparent mode . Everything working fine in 
Firefox and IE after i have imported the certificate in both the 
browser  , but in Chrome 67 version on Windows 10 i am facing the 
below issue


NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

When i open https://facebook.com , https://linkedin.com etc .

I am clueless on the same now .

Amit


Have you generated a SHA1 or SHA-256 certificate?

Walter


can you try this:

sslproxy_cert_sign_hash sha256

and use a SHA-256  certificate

Walter




Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Walter H.

On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote:


I am using squid in transparent mode . Everything working fine in 
Firefox and IE after i have imported the certificate in both the 
browser  , but in Chrome 67 version on Windows 10 i am facing the 
below issue


NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

When i open https://facebook.com , https://linkedin.com etc .

I am clueless on the same now .

Amit


Have you generated a SHA1 or SHA-256 certificate?

Walter





Re: [squid-users] SSL errors with Squid 3.5.27

2018-06-10 Thread Walter H.

On 10.06.2018 08:49, Amos Jeffries wrote:


Interesting.

The main issue was that you configured only params for the Diffie-Hellman
(DH and DHE) ciphers - no curve name. That meant your specified EEC*
ciphers were disabled since they require a curve name as well.

Removing this option completely disables both DH and ECDH cipher types.
Leaving your proxy with only the RSA based ciphers.


can you please tell how to configure this correctly

I mean how to specify the curve name ...
and which curves are possible

Thanks,
Walter





Re: [squid-users] Google analytics screwing up a lot of sites?

2018-03-26 Thread Walter H.

Hello

On 26.03.2018 21:27, Bob Cochran wrote:
> We use squid 3.5.20 and a custom content filter to block undesirable
> (tracking) sites (e.g., google-analytics.com).

get 3.5.27 ...

> It seems that Google's JavaScript ( or missing scripts ) is rendering
> various modal / dialog boxes useless (typically just see a blank modal
> and a spinning loading graphic).

this needn't be caused by this, it could be an invalid website admin not
conforming to standards or just a broken browser

> I have recently seen this on BMW, Verizon, Arrow electronics, etc.
> Shame on them all for tracking me.

do you mean www.bmw.com with BMW?
here no problem, I do the same, blocking google analytics and some more ...

> I'm thinking that squid & our content filter is doing its job, and it's
> Google that's creating havoc.

my thought is just: when the damn website admin wants me to view his
creation then he has to do it correctly ...




Re: [squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-18 Thread Walter H.

On 18.11.2017 13:51, Walter H. wrote:

Hello,

still certificate issues: missing intermediate certificate

Greetings,
Walter

@Amos:


 There is
 *no* chain. Our cert is directly signed by the LetsEncrypt CA.
 Amos


that's wrong; LetsEncrypt is only an intermediate, and MUST be given by the server,
as it isn't in any Trust Store by default.







Re: [squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-18 Thread Walter H.

Hello,

still certificate issues: missing intermediate certificate

Greetings,
Walter

On 17.11.2017 13:39, Walter H. wrote:

for more information see
https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org

- missing intermediate certificate
- ssl3 active, poodle vulnerable ...

Greetings,
Walter







[squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-17 Thread Walter H.

for more information see
https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org

- missing intermediate certificate
- ssl3 active, poodle vulnerable ...

Greetings,
Walter






Re: [squid-users] IPv6 and TPROXY

2017-08-21 Thread Walter H.

I got it working partially, some servers (URLs) worked, others not ...
the non-working hosts resulted in 503 ...

as I don't have any knowledge where to look, I give up

it would have been great, if it had worked

@Amos: your question about firewall rules gave me a hint, but
I can't say why only a few servers (URLs) worked ...

Walter


On 20.08.2017 02:08, Eliezer Croitoru wrote:

You can use tproxy but you will need to somehow make it so squid will do "NAT" 
instead of only tproxy or to find out what is causing the issue to happen in the network 
layer of the connection.
It can be a simple iptables rule which block traffic or another issue like 
rp_filter.
If you are up to it I will be willing to try and setup a more advanced ipv6 
setup that might help to inspect the issue.

In the meanwhile I am missing one piece which maybe Amos can help with:
Is it possible to use tproxy for interception but force a non tproxy connection 
on the outgoing traffic?
I wrote such a proxy myself and I believe that there might be another solution 
to if nothing else would be found.

The other idea would be:
Use haproxy in front of the squid proxy to intercept traffic in the tcp level 
and pass to squid somehow the request via a proxy protocol enabled port.
I have used it in the past and it should be fine for port 80 but for 443 it's a 
whole other thing.

All The Bests,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-----
From: Walter H. [mailto:walte...@mathemainzel.info]
Sent: Saturday, August 19, 2017 23:23
To: Eliezer Croitoru<elie...@ngtech.co.il>
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] IPv6 and TPROXY

Hello,

not really, I must live with the fact, that I can't configure tproxy, as
I can't update any kernel ...

Walter

On 19.08.2017 22:09, Eliezer Croitoru wrote:

Any progress with the issue?

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-----
From: Walter H. [mailto:walte...@mathemainzel.info]
Sent: Sunday, August 13, 2017 21:31
To: Eliezer Croitoru<elie...@ngtech.co.il>
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] IPv6 and TPROXY

Hello Eliezer

yes, because all my Linux systems are CentOS 6 ...

the router/firewall has a rule

-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80
-j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80
-j REJECT

any windows host inside this ipv6prefix has configured a proxy, but for
some reason e.g. there is HTTP traffic of CRLs or OCSP
that doesn't go through to the configured proxy, and is blocked ...
for this I need this TPROXY ...
(only IPv6 needs to be solved, IPv4 already runs perfectly)

Thanks,
Walter









Re: [squid-users] Squid IPv4:port to IPv6

2017-08-19 Thread Walter H.

On 19.08.2017 04:03, davidjesse...@aol.com wrote:
I'm trying to connect to Squid with one IPv4 IP and based on the port 
I'm connecting with, I want Squid to use a different IPv6 IP for the 
connection.


Below is my config file

|acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
#http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Allow all machines to all sites
http_access allow all

#Privacy Things
via off
forwarded_for off
follow_x_forwarded_for deny all


## designate acl based on inbound connection name
acl user1 myportname 3128
acl user2 myportname 3129
acl user3 myportname 3130
acl user4 myportname 3131
acl user5 myportname 3132

## define outgoing IPv6 per user
tcp_outgoing_address 2000:3c03:e000:25f::1:0 user1
tcp_outgoing_address 2000:3c03:e000:25f::1:1 user2
tcp_outgoing_address 2000:3c03:e000:25f::1:2 user3
tcp_outgoing_address 2000:3c03:e000:25f::1:3 user4
tcp_outgoing_address 2000:3c03:e000:25f::1:4 user5|


The issue I'm facing is that I can only use the proxy with port 3128, 
and it does proxy it to "2000:3c03:e000:25f::1:0" as it should. But if 
I use port 3129 then I can not connect to the proxy.

because you only have
http_port 3128
you also need
http_port 3129
http_port 3130
http_port 3131
http_port 3132
and in case there is a firewall, these ports must be open, too ...

by the way, this setting only makes sense when there is a restriction
that only a specific IP can use port 3128,
a specific IP can use port 3129, and so on;
these need not be IPv4, they can also be IPv6 ...

Walter




Re: [squid-users] IPv6 and TPROXY

2017-08-13 Thread Walter H.

Hello Eliezer

yes, because all my Linux systems are CentOS 6 ...

the router/firewall has a rule

-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 
-j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 
-j REJECT


any windows host inside this ipv6prefix has configured a proxy, but for 
some reason e.g. there is HTTP traffic of CRLs or OCSP

that doesn't go through to the configured proxy, and is blocked ...
for this I need this TPROXY ...
(only IPv6 needs to be solved, IPv4 already runs perfectly)

Thanks,
Walter

On 13.08.2017 15:48, Eliezer Croitoru wrote:

Hey,

Is there a specific reason for the usage of CentOS 6?
Also, do you need full tproxy features or just to intercept the traffic?

And Amos:
Let's say I want to intercept using tproxy but not use tproxy for outgoing 
connections, would it be possible?
Would the usage of:
http://www.squid-cache.org/Doc/config/tcp_outgoing_address/

override the tproxy function?

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-----
From: Walter H. [mailto:walte...@mathemainzel.info]
Sent: Saturday, August 12, 2017 22:03
To: Eliezer Croitoru<elie...@ngtech.co.il>
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] IPv6 and TPROXY

Hello Eliezer,

not really,
as I don't understand, which IP squid needs to listen to

in my squid.conf I have this:

# Squid normally listens to port 3128
http_port 127.0.0.1:3128
http_port [::1]:3128
http_port 192.168.1.1:3128
http_port [ipv6prefix::1]:3128
# Transparent Squid listens to port 3129 (IPv4 only)
http_port 192.168.1.1:3129 transparent
http_port [ipv6prefix::1]:3129 tproxy    <-- does it need this?
http_port [::1]:3129 tproxy              <-- or this?

the transparent proxy with ipv4 works ...

just had to add the following

e.g.
iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80
-j DNAT --to-destination 192.168.1.1:3129

with IPv6 it is more complicated ...

especially which IP6TABLES rule is meant by Amos' question?

"I don't see anywhere in that INPUT list where the TPROXY'd traffic is
permitted to reach Squid. "

does this mean:

e.g.  when I want to use TPROXY to  IPv6 2a02:1788:2fd::b2ff:5302, I
need to add

ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302
--dport 80 -j ACCEPT
?

does this really need these two
ip -6 ...
commands, as I don't know what to add in a file in
/etc/sysconfig/network-scripts ...

Thanks,
Walter

On 12.08.2017 20:23, Eliezer Croitoru wrote:








Re: [squid-users] IPv6 and TPROXY

2017-08-12 Thread Walter H.

Hello Eliezer,

not really,
as I don't understand, which IP squid needs to listen to

in my squid.conf I have this:

# Squid normally listens to port 3128
http_port 127.0.0.1:3128
http_port [::1]:3128
http_port 192.168.1.1:3128
http_port [ipv6prefix::1]:3128
# Transparent Squid listens to port 3129 (IPv4 only)
http_port 192.168.1.1:3129 transparent
http_port [ipv6prefix::1]:3129 tproxy <-- does it need this?
http_port [::1]:3129 tproxy <-- or this?

the transparent proxy with ipv4 works ...

just had to add the following

e.g.
iptables -t nat -A PREROUTING -i br0 -p tcp -d 23.37.37.163 --dport 80 
-j DNAT --to-destination 192.168.1.1:3129


with IPv6 it is more complicated ...

especially which IP6TABLES rule is meant by Amos' question?

"I don't see anywhere in that INPUT list where the TPROXY'd traffic is 
permitted to reach Squid. "


does this mean:

e.g.  when I want to use TPROXY to  IPv6 2a02:1788:2fd::b2ff:5302, I 
need to add


ip6tables -t filter -A INPUT -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302 
--dport 80 -j ACCEPT

?

does this really need these two
ip -6 ...
commands, as I don't know what to add in a file in 
/etc/sysconfig/network-scripts ...


Thanks,
Walter

On 12.08.2017 20:23, Eliezer Croitoru wrote:

Any progress with this issue?

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-----
From: Walter H. [mailto:walte...@mathemainzel.info]
Sent: Thursday, August 10, 2017 09:19
To: Eliezer Croitoru<elie...@ngtech.co.il>
Cc: squid-users@lists.squid-cache.org
Subject: RE: [squid-users] IPv6 and TPROXY

Hello Eliezer,

it is a CentOS 6 box,

br0 is a bridge device, connecting eth0 and wlan0 to one ip subnet/ipv6
prefix

might this be a problem?

the results of "sysctl -a |grep forward|grep v6":

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan0.mc_forwarding = 0
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.br0.mc_forwarding = 0
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sit0.mc_forwarding = 0
net.ipv6.conf.sit1.forwarding = 1
net.ipv6.conf.sit1.mc_forwarding = 0

Greetings,
Walter

On Thu, August 10, 2017 07:10, Eliezer Croitoru wrote:

Hey Walter,

I have run basic tests which are not including direct internet access and
it seems like squid is intercepting traffic fine on a CentOS 7.
Try to use:
ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev lo table 100

ip6tables -t mangle -F
ip6tables -t mangle -F DIVERT
ip6tables -t mangle -X DIVERT
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0x
ip6tables -t mangle -A DIVERT -j ACCEPT

ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
ip6tables -t mangle -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j
TPROXY --on-port 3129 --tproxy-mark 0x1/0x1

check the output of:
sysctl -a |grep forward|grep v6

Since some of the setup you describe is "unusual" like "br0" I cannot
promise you how things will work and if they should work.
On a regular linux machine with regular interfaces it works fine.
I do get the basic "access denied" page from squid.
If this doesn't show up then I believe it's a routing level issue and maybe
sysctl will help to reveal couple things about the subject.

All The Bests,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: Walter H. [mailto:walte...@mathemainzel.info]
Sent: Thursday, August 10, 2017 06:49
To: Eliezer Croitoru<elie...@ngtech.co.il>
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] IPv6 and TPROXY

Hello Eliezer

ip -6 rule is this

0:  from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main

the two commands were

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev br0 table 100

ip6tables-save is this


# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm
--to 84 -m tcp --dport 80 -j DROP
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tc

Re: [squid-users] IPv6 and TPROXY

2017-08-10 Thread Walter H.
Hello Eliezer,

it is a CentOS 6 box,

br0 is a bridge device, connecting eth0 and wlan0 to one ip subnet/ipv6
prefix

might this be a problem?

the results of "sysctl -a |grep forward|grep v6":

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan0.mc_forwarding = 0
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.br0.mc_forwarding = 0
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sit0.mc_forwarding = 0
net.ipv6.conf.sit1.forwarding = 1
net.ipv6.conf.sit1.mc_forwarding = 0

Greetings,
Walter

On Thu, August 10, 2017 07:10, Eliezer Croitoru wrote:
> Hey Walter,
>
> I have run basic tests which are not including direct internet access and
> it seems like squid is intercepting traffic fine on a CentOS 7.
> Try to use:
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev lo table 100
>
> ip6tables -t mangle -F
> ip6tables -t mangle -F DIVERT
> ip6tables -t mangle -X DIVERT
> ip6tables -t mangle -N DIVERT
> ip6tables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0x
> ip6tables -t mangle -A DIVERT -j ACCEPT
>
> ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> ip6tables -t mangle -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j
> TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
>
> check the output of:
> sysctl -a |grep forward|grep v6
>
> Since some of the setup you describe is "unusual" like "br0" I cannot
> promise you how things will work and if they should work.
> On a regular linux machine with regular interfaces it works fine.
> I do get the basic "access denied" page from squid.
> If this doesn't show up then I believe it's a routing level issue and maybe
> sysctl will help to reveal couple things about the subject.
>
> All The Bests,
> Eliezer
>
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
>
> -Original Message-
> From: Walter H. [mailto:walte...@mathemainzel.info]
> Sent: Thursday, August 10, 2017 06:49
> To: Eliezer Croitoru <elie...@ngtech.co.il>
> Cc: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] IPv6 and TPROXY
>
> Hello Eliezer
>
> ip -6 rule is this
>
> 0:  from all lookup local
> 32765:  from all fwmark 0x1 lookup 100
> 32766:  from all lookup main
>
> the two commands were
>
> ip -f inet6 rule add fwmark 1 lookup 100
> ip -f inet6 route add local default dev br0 table 100
>
> ip6tables-save is this
> 
>
> # Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm
> --to 84 -m tcp --dport 80 -j DROP
> -A INPUT -m rt --rt-type 0 -j DROP
> -A INPUT -m state --state INVALID -j DROP
> -A INPUT -s fe80::/10 -j ACCEPT
> -A INPUT -d ff00::/8 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m
> state --state NEW -j ACCEPT
> -A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m
> state --state NEW -j ACCEPT
> -A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -m rt --rt-type 0 -j DROP
> -A FORWARD -m state --state INVALID -j DROP
> -A FORWARD -i br0 -o br0 -j ACCEPT
> -A FORWARD -i br0 -o sit1 -j ACCEPT
> -A OUTPUT -m rt --rt-type 0 -j DROP
> -A OUTPUT -m state --state INVALID -j DROP
> -A OUTPUT -s fe80::/10 -j ACCEPT
> -A OUTPUT -d ff00::/8 -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o br0 -j ACCEPT
> -A OUTPUT -o sit1 -j ACCEPT
> COMMIT
> # Completed on Thu Aug 10 05:26:04 2017
> # Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
> *mangle
> :PREROUTING ACCEPT [43:6775]
> :INPUT ACCEPT [104:10608]
> :FORWARD ACCEPT [12:2567]
> :OUTPUT ACCEPT [182:28756]
> :POSTROUTING ACCEPT [194:31323]
> :DIVERT - [0:0]
> -A PREROUTING -i br0 -p tcp -m socket -j DIVERT
> -A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport
> 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark
> 0x1/0x1
> -A DIVERT -j MARK --set-xmark

Re: [squid-users] IPv6 and TPROXY

2017-08-09 Thread Walter H.

Hello Eliezer

ip -6 rule is this

0:  from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main

the two commands were

ip -f inet6 rule add fwmark 1 lookup 100
ip -f inet6 route add local default dev br0 table 100

ip6tables-save is this


# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i sit1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i sit1 -p tcp -m string --string "GET /w00tw00t.at." --algo bm --to 
84 -m tcp --dport 80 -j DROP
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 2001:470:1f0b:9c8::/64 -d fe80::/10 -i br0 -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state 
--state NEW -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state 
--state NEW -j ACCEPT
-A FORWARD -i sit1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o sit1 -j ACCEPT
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o sit1 -j ACCEPT
COMMIT
# Completed on Thu Aug 10 05:26:04 2017
# Generated by ip6tables-save v1.4.7 on Thu Aug 10 05:26:04 2017
*mangle
:PREROUTING ACCEPT [43:6775]
:INPUT ACCEPT [104:10608]
:FORWARD ACCEPT [12:2567]
:OUTPUT ACCEPT [182:28756]
:POSTROUTING ACCEPT [194:31323]
:DIVERT - [0:0]
-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 
-j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0x
-A DIVERT -j ACCEPT
COMMIT
# Completed on Thu Aug 10 05:26:04 2017



Thanks,
Walter

On 10.08.2017 02:18, Eliezer Croitoru wrote:

Can you attach or paste\gist the output of:
iptables-save
ip6tables-save
ip rule
??
It will help to also see the tables which you use in conjunction to the "ip 
rule" based on the mark.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Walter H.
Sent: Tuesday, August 8, 2017 17:15
To: squid-users@lists.squid-cache.org
Subject: [squid-users] IPv6 and TPROXY

Hello,

I did the ip6tables like this:
https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j DIVERT

iptables -t mangle -A PREROUTING -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302
--dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip ipv6lan --on-port 3129

in squid.conf I added

http_port  ipv6lan:3129 tproxy

I also added the following rule to ip6tables

iptables -t filter -A INPUT -i br0 -d ipv6lan -m tcp -p tcp --dport 3129
-m state --state NEW -j ACCEPT

when I have tcpdump run, I get this:

16:08:58.452533 IP6 ipv6host.37656 > 2a02:1788:2fd::b2ff:5302.80: Flags [S], seq 231343061, win 14400, options [mss 1440,sackOK,TS val 1875817945 ecr 0,nop,wscale 5], length 0
16:08:58.452794 IP6 ipv6lan > ipv6host: ICMP6, destination unreachable, unreachable port, 2a02:1788:2fd::b2ff:5302 tcp port 80, length 88

when doing:

wget -6 --user-agent="Microsoft-CryptoAPI/10.0" --no-proxy
http://crl.usertrust.com/AddTrustExternalCARoot.crl

(crl.usertrust.com has IPv6 address 2a02:1788:2fd::b2ff:5302)

what am I missing?

Thanks
Walter





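The ip6tables-save dump above is what Amos's remark ("I don't see anywhere in that INPUT list where the TPROXY'd traffic is permitted to reach Squid") refers to, and Walter's own guess in a later reply (an INPUT ACCEPT on --dport 80 from br0) is the rule it is missing. As an added example for this archive, not Squid's or the wiki's code, here is a parser for the ip6tables-save format with a check for the pieces a TPROXY setup needs: the TPROXY rule, the -m socket / DIVERT pair, and, when INPUT's policy is DROP, an ACCEPT that can actually match a TPROXY'd packet. Such a packet keeps its original destination address and port 80; only the socket lookup delivers it to the listener on 3129, so accepting --dport 3128/3129 alone never matches it. The ip6tables-save text below is a constructed, shortened version of the posted dump (same interfaces, addresses and ports); the mark value in the DIVERT chain is written out as ip6tables-save renders --set-mark 1.

```python
"""Parse ip6tables-save output and check a TPROXY interception rule set.

Added example (not Squid's code). The rule dump is constructed from the one
posted in the thread; the fixed variant adds the INPUT rule discussed there.
"""
import shlex

SAMPLE_IP6TABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -d 2001:470:1f0b:9c8::1/128 -i br0 -p tcp -m tcp --dport 3129 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -o sit1 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -i br0 -p tcp -m socket -j DIVERT
-A PREROUTING -d 2a02:1788:2fd::b2ff:5302/128 -i br0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 2001:470:1f0b:9c8::1 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""

# the same dump with the INPUT rule the thread points at, inserted before the FORWARD rule
FIXED_IP6TABLES_SAVE = SAMPLE_IP6TABLES_SAVE.replace(
    "-A FORWARD",
    "-A INPUT -i br0 -p tcp -m tcp --dport 80 -m socket -j ACCEPT\n-A FORWARD", 1)


def opt(tokens, flag):
    """Value following FLAG in a tokenised rule, or None if FLAG is absent."""
    for i, t in enumerate(tokens[:-1]):
        if t == flag:
            return tokens[i + 1]
    return None


def parse_ip6tables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": {chain: [tokens, ...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # *filter, *mangle, ...
            table = line[1:]
            tables[table] = {"policies": {}, "rules": {}}
        elif line.startswith(":"):                     # :CHAIN POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            tables[table]["policies"][name] = policy
            tables[table]["rules"].setdefault(name, [])
        elif line.startswith("-A "):                   # -A CHAIN <matches> -j TARGET
            tokens = shlex.split(line)
            tables[table]["rules"].setdefault(tokens[1], []).append(tokens)
        elif line == "COMMIT":
            table = None
    return tables


def accepts_tproxied(rule, lan_if, dport, mark):
    """ACCEPT on the LAN interface that matches the original dport or the tproxy mark."""
    if opt(rule, "-j") != "ACCEPT" or opt(rule, "-i") not in (None, lan_if):
        return False
    if opt(rule, "--dport") == dport:
        return True
    m = opt(rule, "--mark")
    return (m is not None and mark is not None
            and int(m.split("/")[0], 16) == int(mark.split("/")[0], 16))


def check_tproxy(tables, tproxy_port="3129", lan_if="br0"):
    """Return a list of problems; an empty list means the rule set looks complete."""
    problems = []
    mangle = tables.get("mangle", {"policies": {}, "rules": {}})
    pre = mangle["rules"].get("PREROUTING", [])
    tproxy_rules = [r for r in pre
                    if opt(r, "-j") == "TPROXY" and opt(r, "--on-port") == tproxy_port]
    if not tproxy_rules:
        problems.append(f"mangle PREROUTING: no TPROXY rule with --on-port {tproxy_port}")
    if not any(opt(r, "-j") == "DIVERT" and "socket" in r for r in pre):
        problems.append("mangle PREROUTING: no '-m socket -j DIVERT' rule for established flows")
    divert = mangle["rules"].get("DIVERT", [])
    if not (any(opt(r, "-j") == "MARK" for r in divert)
            and any(opt(r, "-j") == "ACCEPT" for r in divert)):
        problems.append("mangle DIVERT: chain must MARK the packet and then ACCEPT")
    filt = tables.get("filter", {"policies": {}, "rules": {}})
    if filt["policies"].get("INPUT") == "DROP":
        inp = filt["rules"].get("INPUT", [])
        for tr in tproxy_rules:
            dport, mark = opt(tr, "--dport"), opt(tr, "--tproxy-mark")
            if not any(accepts_tproxied(r, lan_if, dport, mark) for r in inp):
                problems.append(
                    f"filter INPUT (policy DROP): nothing accepts TPROXY'd packets, which "
                    f"still carry --dport {dport} from {lan_if}; accepting --dport "
                    f"{tproxy_port} alone does not match them")
    return problems


if __name__ == "__main__":
    print("as posted:", check_tproxy(parse_ip6tables_save(SAMPLE_IP6TABLES_SAVE)))
    print("with INPUT rule:", check_tproxy(parse_ip6tables_save(FIXED_IP6TABLES_SAVE)))
```

The added INPUT rule carries -m socket as well as --dport 80, so it accepts only packets for which a transparent socket exists, rather than every port-80 packet that arrives on br0. The check does not cover the policy-routing side (the "ip -6 rule" and "local default" route in table 100 that Eliezer posted), which has to be verified separately.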


[squid-users] wiki.squid-cache.org SSL configuration problem ...

2017-08-08 Thread Walter H.

Hello,

the intermediate certificate which is provided doesn't go with the end 
entity certificate ...


the intermediate that is provided:  Let's Encrypt Authority X1
the intermediate that should be provided:  Let's Encrypt Authority X3

for more see: 
https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org=104.130.201.120


Thanks





[squid-users] IPv6 and TPROXY

2017-08-08 Thread Walter H.
Hello,

I did the ip6tables like this:
https://wiki.squid-cache.org/Features/Tproxy4#iptables_on_a_Router_device

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -i br0 -p tcp -m socket -j DIVERT

iptables -t mangle -A PREROUTING -i br0 -p tcp -d 2a02:1788:2fd::b2ff:5302
--dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip ipv6lan --on-port 3129

in squid.conf I added

http_port  ipv6lan:3129 tproxy

I also added the following rule to ip6tables

iptables -t filter -A INPUT -i br0 -d ipv6lan -m tcp -p tcp --dport 3129
-m state --state NEW -j ACCEPT

when I have tcpdump run, I get this:

16:08:58.452533 IP6 ipv6host.37656 > 2a02:1788:2fd::b2ff:5302.80: Flags
[S], seq 231343061, win 14400, options [mss 1440,sackOK,TS val 1875817945
ecr 0,nop,wscale 5], length 0
16:08:58.452794 IP6 ipv6lan > ipv6host: ICMP6, destination unreachable,
unreachable port, 2a02:1788:2fd::b2ff:5302 tcp port 80, length 88

when doing:

wget -6 --user-agent="Microsoft-CryptoAPI/10.0" --no-proxy
http://crl.usertrust.com/AddTrustExternalCARoot.crl

(crl.usertrust.com has IPv6 address 2a02:1788:2fd::b2ff:5302)

what am I missing?

Thanks
Walter



Re: [squid-users] This list generates a forward loop ...

2017-07-19 Thread Walter H.

On 20.07.2017 05:35, Walter H. wrote:

On 19.07.2017 08:54, Amos Jeffries wrote:

On 19/07/17 01:42, Walter H. wrote:


<squid-us...@squid-cache.org> (expanded from
<squid-users@lists.squid-cache.org>): mail forwarding loop for
 squid-us...@squid-cache.org


Why?



You sent a mail to the address squid-users@squid-cache.*

The mailing list address is squid-users@lists.*


No, see the log of my outgoing Mail server ...


Jul 18 14:29:05 smtpout postfix/smtp[7177]: 537DB66: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.68, 
delays=0.02/0.1/0.21/0.36, dsn=2.0.0, status=sent (250 OK 
id=1dXRce-0008Hp-LA)
Jul 18 15:37:04 smtpout postfix/smtp[8973]: 85ED0FA: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.5, 
delays=0.01/0.03/0.33/0.13, dsn=2.0.0, status=sent (250 OK 
id=1dXSgR-0007G1-UM)
Jul 18 15:42:22 smtpout postfix/smtp[9121]: AB859FA: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.47, 
delays=0.01/0.04/0.33/0.09, dsn=2.0.0, status=sent (250 OK 
id=1dXSla-8Z-2r)
Jul 19 11:16:30 smtpout postfix/smtp[8824]: 51E02FA: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.54, 
delays=0.02/0.07/0.23/0.22, dsn=2.0.0, status=sent (250 OK 
id=1dXl5q-0002Io-Nu)
Jul 19 11:40:36 smtpout postfix/smtp[9466]: 534C9FA: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.35, 
delays=0.02/0.03/0.2/0.1, dsn=2.0.0, status=sent (250 OK 
id=1dXlTA-0006eh-JU)
Jul 19 19:30:41 smtpout postfix/smtp[21871]: 96E3FFA: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.51, 
delays=0.02/0.07/0.27/0.15, dsn=2.0.0, status=sent (250 OK 
id=1dXso4-00027Q-Ux)
Jul 19 20:37:54 smtpout postfix/smtp[23635]: DF09966: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.45, 
delays=0.03/0.07/0.23/0.12, dsn=2.0.0, status=sent (250 OK 
id=1dXtr8-0007MA-7f)



the log entry of this mail is of course not included ...

I got back 5 error mails last night ...

here is the complete error mail, that was replied to this last mail ...

This is the mail system at host lists.squid-cache.org.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

<squid-us...@squid-cache.org> (expande

Re: [squid-users] This list generates a forward loop ...

2017-07-19 Thread Walter H.

On 19.07.2017 08:54, Amos Jeffries wrote:

On 19/07/17 01:42, Walter H. wrote:


<squid-us...@squid-cache.org> (expanded from
<squid-users@lists.squid-cache.org>): mail forwarding loop for
 squid-us...@squid-cache.org


Why?



You sent a mail to the address squid-users@squid-cache.*

The mailing list address is squid-users@lists.*


No, see the log of my outgoing Mail server ...


Jul 18 14:29:05 smtpout postfix/smtp[7177]: 537DB66: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.68, 
delays=0.02/0.1/0.21/0.36, dsn=2.0.0, status=sent (250 OK 
id=1dXRce-0008Hp-LA)
Jul 18 15:37:04 smtpout postfix/smtp[8973]: 85ED0FA: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.5, 
delays=0.01/0.03/0.33/0.13, dsn=2.0.0, status=sent (250 OK 
id=1dXSgR-0007G1-UM)
Jul 18 15:42:22 smtpout postfix/smtp[9121]: AB859FA: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.47, 
delays=0.01/0.04/0.33/0.09, dsn=2.0.0, status=sent (250 OK 
id=1dXSla-8Z-2r)
Jul 19 11:16:30 smtpout postfix/smtp[8824]: 51E02FA: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.54, 
delays=0.02/0.07/0.23/0.22, dsn=2.0.0, status=sent (250 OK 
id=1dXl5q-0002Io-Nu)
Jul 19 11:40:36 smtpout postfix/smtp[9466]: 534C9FA: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.35, 
delays=0.02/0.03/0.2/0.1, dsn=2.0.0, status=sent (250 OK 
id=1dXlTA-0006eh-JU)
Jul 19 19:30:41 smtpout postfix/smtp[21871]: 96E3FFA: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.51, 
delays=0.02/0.07/0.27/0.15, dsn=2.0.0, status=sent (250 OK 
id=1dXso4-00027Q-Ux)
Jul 19 20:37:54 smtpout postfix/smtp[23635]: DF09966: 
to=<squid-users@lists.squid-cache.org>, 
relay=smtp.world4you.com[81.19.149.200]:587, delay=0.45, 
delays=0.03/0.07/0.23/0.12, dsn=2.0.0, status=sent (250 OK 
id=1dXtr8-0007MA-7f)



the log entry of this mail is of course not included ...

I got back 5 error mails last night ...





Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.

Hello Eliezer,

it is just this:

# Generated by iptables-save v1.4.7 on Wed Jul 19 20:25:22 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p icmp -j ACCEPT
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j 
ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 
-j ACCEPT

-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3478 -j REJECT 
--reject-with icmp-port-unreachable
-A FORWARD -i br0 -o eth1 -p udp -m udp --dport 3544 -j REJECT 
--reject-with icmp-port-unreachable

-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
COMMIT
# Completed on Wed Jul 19 20:25:22 2017

Walter

On 19.07.2017 20:03, Eliezer Croitoru wrote:

Hey Walter,

Can you please paste the output of "iptables-save" for me?
It's easier for me to read plain iptables-save than iptables -Lnv or any other 
format.
Then I would be able to send you a file that you can just pull into 
iptables-restore, which should work.

And just to clear out my doubts on the scenario:
Are the RST packets coming from the gateway (192.168.0.1) but for requests from 
the local proxy (192.168.0.10)?
To eliminate a couple of things, can you test the next rule on the GW:
iptables -I INPUT -s 192.168.0.10 -j ACCEPT

And see if it changes anything at all?

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Walter H.
Sent: Tuesday, July 18, 2017 15:29
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Packets logged as blocked even Firewall (IPtables) 
accepts them ...

Hello,

my Router Box runs a CentOS 6, with the EPEL squid34 RPM package

this the iptables

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow multicast
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT

# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow anything out on LAN
-A OUTPUT -o br0 -j ACCEPT
# Allow established, related packets back in
-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable DHCP for LAN
-A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Enable DNS-Cache for LAN
-A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT

# Enable SSH from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Enable HTTP/HTTPS from LAN (some gui interface)
-A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Enable Squid-Proxy from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT

# Block STUN
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
# Block TEREDO
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT

# Allow Forwarding to WAN interface
-A FORWARD -i br0 -o eth1 -j ACCEPT
# Allow established, related packets back through
-A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only the lan is allowed to ping me without restriction
-A INPUT -i br0 -p icmp -j ACCEPT
# Else only pings with restricted icmp are allowed
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT

# Enable TRACEroute to me from LAN
-A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Enable TRACEroute to me from internet
-A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Log all other
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG  --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG  --log-prefix "IP[OUT]: " --log-level 7

COMMIT


and these are logged entries:
(only partial, as they are many)


[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00

Re: [squid-users] Squid Version 3.5.20 Any Ideas

2017-07-19 Thread Walter H.

Hello,

this seems not to be the problem, as the error messages are in 
cache.log, which is not a browser problem ...


the question: are the SSL-bumped sites in the intranet, which use a 
self-signed CA cert that squid doesn't know?


On 19.07.2017 17:36, Yuri wrote:


http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

http://i.imgur.com/A153C7A.png


19.07.2017 21:34, Cherukuri, Naresh wrote:


Hi All,

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed 
CA certificates,  My users are complaining about certificate errors. 
When I looked at cache.log I see so many error messages like below. 
Below is my squid.conf file. Any ideas how to address below errors.






Cache.log

2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 689: 
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
unknown (1/0)


2017/07/18 16:05:34 kid1| Error negotiating SSL connection on FD 
1114: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert 
certificate unknown (1/0)


2017/07/18 16:05:37 kid1| Error negotiating SSL connection on FD 146: 
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
unknown (1/0)


2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 252: 
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
unknown (1/0)


2017/07/18 16:05:41 kid1| Error negotiating SSL connection on FD 36: 
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
unknown (1/0)








Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
On Wed, July 19, 2017 11:31, Antony Stone wrote:
> On Wednesday 19 July 2017 at 10:16:30, Walter H. wrote:
>
>> I added these rules, and will see which packets are caught
>>
>> -A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]:
>> "
>> --log-level 7
>> -A FORWARD -m state --state INVALID -j LOG --log-prefix
>> "IP[FWD(invalid)]:
>> " --log-level 7
>> -A OUTPUT -m state --state INVALID -j LOG --log-prefix
>> "IP[OUT(invalid)]:
>> " --log-level 7
>>
>> and not by these after:
>>
>> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
>> -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
>> -A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
>
> Note that any packets caught by the first rules will *also* be caught by
> the
> second rules (since there is no DROP in between, and the second rule does
> not
> exclude INVALID),

how would I exclude INVALID in the second rules?




Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-19 Thread Walter H.
On Wed, July 19, 2017 03:21, Amos Jeffries wrote:
> On 19/07/17 01:37, Walter H. wrote:
>> On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote:
>>> On 18.07.17 14:29, Walter H. wrote:
>>>> -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>>> -A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j
>>>> ACCEPT
>>>
>>>> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
>>>
>>>> [17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
>>>> MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
>>>> DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
>>>> SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
>>>
>>> it's a RST packet, apparently for connection that was already closed
>>> and
>>> thus is not ESTABLISHED,RELATED nor NEW
>>>
>>> logging state INVALID could explain
>>
>> how would I do this?
>
>
> Add this line in your iptables config above the generic log ones:
>
>   -A INPUT -i br0 -m state --state INVALID -j LOG --log-prefix "IP[IN]
> INVALID]: " --log-level 7

I added these rules, and will see which packets are caught

-A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]: "
--log-level 7
-A FORWARD -m state --state INVALID -j LOG --log-prefix "IP[FWD(invalid)]:
" --log-level 7
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "IP[OUT(invalid)]:
" --log-level 7

and not by these after:

-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7




[squid-users] This list generates a forward loop ...

2017-07-18 Thread Walter H.
Hello,

On every post I get an error mail back:


Subject:Undelivered Mail Returned to Sender
From:   "Mail Delivery System" 
Date:   Tue, July 18, 2017 15:36
To: ...
Priority:   Normal

This is the mail system at host lists.squid-cache.org.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

 (expanded from
): mail forwarding loop for
squid-us...@squid-cache.org


Why?

Thanks,
Walter



Re: [squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Walter H.
On Tue, July 18, 2017 15:28, Matus UHLAR - fantomas wrote:
> On 18.07.17 14:29, Walter H. wrote:
>>-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>>-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT
>
>>-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
>
>>[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
>>MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
>>DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
>>SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
>
> it's a RST packet, apparently for connection that was already closed and
> thus is not ESTABLISHED,RELATED nor NEW
>
> logging state INVALID could explain

how would I do this?

Thanks,
Walter




[squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

2017-07-18 Thread Walter H.
Hello,

my Router Box runs a CentOS 6, with the EPEL squid34 RPM package

this the iptables

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow multicast
-A INPUT -d 224.0.0.0/4 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j ACCEPT

# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Allow anything out on LAN
-A OUTPUT -o br0 -j ACCEPT
# Allow established, related packets back in
-A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable DHCP for LAN
-A INPUT -i br0 -m udp -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Enable DNS-Cache for LAN
-A INPUT -i br0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m udp -p udp --dport 53 -j ACCEPT

# Enable SSH from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Enable HTTP/HTTPS from LAN (some gui interface)
-A INPUT -i br0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Enable Squid-Proxy from LAN
-A INPUT -i br0 -m tcp -p tcp --dport 3128 -m state --state NEW -j ACCEPT

# Block STUN
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3478 -j REJECT
# Block TEREDO
-A FORWARD -i br0 -o eth1 -m udp -p udp --dport 3544 -j REJECT

# Allow Forwarding to WAN interface
-A FORWARD -i br0 -o eth1 -j ACCEPT
# Allow established, related packets back through
-A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only the lan is allowed to ping me without restriction
-A INPUT -i br0 -p icmp -j ACCEPT
# Else only pings with restricted icmp are allowed
-A INPUT -i eth1 -p icmp -m limit --limit 2/sec --limit-burst 4 -j ACCEPT

# Enable TRACEroute to me from LAN
-A INPUT -i br0 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Enable TRACEroute to me from internet
-A INPUT -i eth1 -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# Log all other
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -j LOG  --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -j LOG  --log-prefix "IP[OUT]: " --log-level 7

COMMIT


and these are logged entries:
(only partial, as they are many)


[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0
[18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0
[18-Jul-2017; 13:02:19.593099] IP[IN]: IN=br0 OUT=
MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2
DST=192.168.0.1 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=28797 DF PROTO=TCP
SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK PSH FIN URGP=0


192.168.0.1  is the router itself
192.168.0.10  is a VM running another squid, using the router box as
parent proxy
192.168.0.2   is my windows box

why are these packets blocked?

By the way, the router box of course has more interfaces, br0 (LAN) and
eth1 (WAN); where can I ensure that squid only listens on the LAN IP?


acl localnet src 192.168.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access deny to_localhost

http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# and finally allow by default
http_reply_access allow all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 16400 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

acl crl-mime rep_mime_type application/x-pkcs7-crl
no_cache deny crl-mime

icon_directory /usr/share/squid/icons
error_directory /etc/squid/errors

logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


Thanks,
Walter

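A way to sort the catch-all LOG entries from this thread by why they were logged, as an added example (not code from any of the posts): it parses lines of the form the -j LOG --log-prefix "IP[IN]: " rule writes and separates late teardown packets (RST, or FIN/ACK without SYN, which the state match no longer sees as ESTABLISHED once the conntrack entry is gone) from bare SYNs that were genuinely refused. The sample lines are constructed from the entries quoted above, plus one invented SYN to port 23.

```python
"""Classify the netfilter LOG lines quoted in this thread.

Added example; it is not code from the post. It parses lines in the form the
catch-all "-j LOG --log-prefix 'IP[IN]: '" rule produces and separates packets
that are late connection teardown (RST, or FIN/ACK without SYN, which the
state match no longer sees as ESTABLISHED once the conntrack entry is gone)
from bare SYNs, which are real unsolicited connection attempts.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Bare tokens the LOG target emits for TCP flag bits.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# "[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT= ..." -> timestamp, prefix, rest
_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<prefix>IP\[[^\]]*\]):\s*(?P<rest>.*)$")


@dataclass
class LogPacket:
    timestamp: str
    prefix: str        # e.g. "IP[IN]" or "IP[IN(invalid)]"
    fields: dict       # KEY=VALUE pairs such as SRC, DST, PROTO, SPT, DPT
    flags: frozenset   # TCP flag tokens present on the line

    def classify(self) -> str:
        """Why a packet reached the catch-all LOG rule, judging by its flags."""
        if self.fields.get("PROTO") != "TCP":
            return "non-tcp"
        if "RST" in self.flags or ("FIN" in self.flags and "SYN" not in self.flags):
            # Teardown of a flow conntrack has already forgotten: INVALID, so
            # neither the ESTABLISHED,RELATED rule nor a NEW rule matches.
            return "late-teardown"
        if "SYN" in self.flags and "ACK" not in self.flags:
            # A genuine new connection that no ACCEPT rule allowed.
            return "blocked-new"
        return "other"


def parse_log_line(line: str):
    """Parse one LOG line; returns None for lines not written by the LOG target."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value          # "OUT=" yields an empty value
        elif tok in TCP_FLAGS:
            flags.add(tok)
        # other bare tokens (e.g. DF) carry no connection-state information
    return LogPacket(m.group("ts"), m.group("prefix"), fields, frozenset(flags))


def summarise(lines):
    """Count (class, SRC, DPT) triples so the noisy teardown traffic stands out."""
    counts = Counter()
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        counts[(pkt.classify(), pkt.fields.get("SRC"), pkt.fields.get("DPT"))] += 1
    return counts


# Constructed sample: the first three are the entries quoted in the thread,
# the last one is an invented bare SYN to a port no ACCEPT rule covers.
SAMPLE_LOG = [
    "[17-Jul-2017; 19:49:13.590130] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0",
    "[17-Jul-2017; 19:49:13.590236] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:00:08:01:05:24:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=54916 DPT=3128 WINDOW=0 RES=0x00 RST URGP=0",
    "[18-Jul-2017; 13:02:19.162684] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=28792 DF PROTO=TCP SPT=1219 DPT=3128 WINDOW=65125 RES=0x00 ACK FIN URGP=0",
    "[18-Jul-2017; 13:05:00.000000] IP[IN]: IN=br0 OUT= MAC=24:01:00:00:01:24:24:ff:ff:ff:ff:24:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=28800 DF PROTO=TCP SPT=1300 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{n:3d}  {key[0]:<14} src={key[1]} dport={key[2]}")
```

Feeding the kernel log through summarise() shows that the entries in the thread are all late-teardown packets to port 3128, which is what a separate "-m state --state INVALID -j LOG" rule placed before the generic one would catch.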

Re: [squid-users] CentOS6 and squid34 package ...

2017-05-27 Thread Walter H.

On 26.05.2017 17:49, Amos Jeffries wrote:

On 26/05/17 07:51, Mike wrote:
Walter, what I've found is when compiling to squid 3.5.x and higher, 
the compile options change. Also remember that many of the options 
that were available with 3.1.x are deprecated and likely will not 
work with 3.4.x and higher.


The other issue is that squid is only supposed to be handling HTTP 
and HTTPS traffic, not FTP. trying to use it as a FTP proxy will need 
a different configuration than the standard HTTP/Secure proxy.




Well, to be correct Squid talks HTTP to the client software. It has 
long supported mapping FTP server URLs into HTTP.


This second problem seems like the symptoms of 
<http://bugs.squid-cache.org/show_bug.cgi?id=4132> which was fixed 
years ago in the Squid-3.5.5 release. But that was apparently a 
regression not affecting 3.4 or 3.1. Hmm.




Strange, isn't it?



On 5/25/2017 14:07 PM, Walter H. wrote:

On 25.05.2017 12:50, Amos Jeffries wrote:


On 25/05/17 20:19, Walter H. wrote:

Hello

what is the essential difference between the default squid package 
and this squid34 package,



as I have problems using this squid34 package for FTP connections;
there are no shown icons, when going to e.g. ftp://ftp.adobe.com/
when I tell the browser to show the image then I get this squid 
generated message ...


the same config /etc/squid/squid.conf works with the default squid 
package ...



While trying to retrieve the URL: 
http://proxy.local:3128/squid-internal-static/icons/silk/folder.png <http://zbox-ci323.waldinet.local:3128/squid-internal-static/icons/silk/folder.png> 





Notice the port number in that URL...


yes I see the squid port 3128

when I do this with the default squid package, there I get the 
icons, and when I want to get the URL of such an icon,
it shows e.g. 
ftp://ftp.adobe.com/squid-internal-static/icons/anthony-dir.gif


what is running wrong here?
is there a setting I can change without having to allow
port 3128 traffic to go through the proxy?
(this is not really logical, as the default squid package also doesn't 
allow port 3128 traffic to go through ...)


Er, it is using the recommended default config we ship from upstream. 
Some Vendors like to install packages that are not usable without 
manual attention. Usually by commenting out the "http_access allow 
localnet" rule though, not marking registered HTTP ports as unsafe for 
use with HTTP.


Anyhow:

 acl Safe_ports port 3128
 acl port3128 port 3128
 acl squid-internal urlpath_regex ^/squid-internal

Then add this directly before the "deny manager" line:

  http_access deny port3128 !squid-internal 


Many thanks,
this shows the icons and doesn't allow port 3128 to go through ...
exactly as I wanted

Walter





Re: [squid-users] CentOS6 and squid34 package ...

2017-05-27 Thread Walter H.

On 25.05.2017 21:51, Mike wrote:
Walter, what I've found is when compiling to squid 3.5.x and higher, 
the compile options change. Also remember that many of the options 
that were available with 3.1.x are deprecated and likely will not 
work with 3.4.x and higher.



the compile options are not really the matter ...
The other issue is that squid is only supposed to be handling HTTP and 
HTTPS traffic, not FTP.

this is definitely wrong ...





Re: [squid-users] CentOS6 and squid34 package ...

2017-05-25 Thread Walter H.

On 25.05.2017 12:50, Amos Jeffries wrote:

On 25/05/17 20:19, Walter H. wrote:

Hello

what is the essential difference between the default squid package 
and this squid34 package,


Run "squid -v" to find out if there are any build options different. 
Usually it's just two alternative versions from the vendor.



Squid Cache: Version 3.4.14
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' 
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' 
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' 
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' 
'--mandir=/usr/share/man' '--infodir=/usr/share/info' 
'--enable-internal-dns' '--disable-strict-error-checking' 
'--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' 
'--localstatedir=/var' '--datadir=/usr/share/squid' 
'--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' 
'--disable-dependency-tracking' '--enable-arp-acl' 
'--enable-follow-x-forwarded-for' 
'--enable-auth-basic=LDAP,MSNT,NCSA,PAM,SMB,POP3,RADIUS,SASL,getpwnam,NIS,MSNT-multi-domain' 
'--enable-auth-ntlm=smb_lm,fake' 
'--enable-auth-digest=file,LDAP,eDirectory' 
'--enable-auth-negotiate=kerberos' 
'--enable-external-acl-helpers=file_userip,LDAP_group,session,unix_group,wbinfo_group' 
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
'--enable-ident-lookups' '--enable-linux-netfilter' 
'--enable-referer-log' '--enable-removal-policies=heap,lru' 
'--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' 
'--enable-useragent-log' '--enable-wccpv2' '--enable-esi' 
'--enable-http-violations' '--with-aio' '--with-default-user=squid' 
'--with-filedescriptors=16384' '--with-dl' '--with-openssl' 
'--with-pthreads' '--disable-arch-native' 
'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'CXXFLAGS=-O2 -g 
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'


and

Squid Cache: Version 3.1.23
configure options:  '--build=x86_64-redhat-linux-gnu' 
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' 
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' 
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' 
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' 
'--mandir=/usr/share/man' '--infodir=/usr/share/info' 
'--enable-internal-dns' '--disable-strict-error-checking' 
'--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' 
'--localstatedir=/var' '--datadir=/usr/share/squid' 
'--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' 
'--with-pidfile=$(localstatedir)/run/squid.pid' 
'--disable-dependency-tracking' '--enable-arp-acl' 
'--enable-follow-x-forwarded-for' 
'--enable-auth=basic,digest,ntlm,negotiate' 
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth' 
'--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' 
'--enable-digest-auth-helpers=password,ldap,eDirectory' 
'--enable-negotiate-auth-helpers=squid_kerb_auth' 
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' 
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost' 
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
'--enable-ident-lookups' '--enable-linux-netfilter' 
'--enable-referer-log' '--enable-removal-policies=heap,lru' 
'--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' 
'--enable-useragent-log' '--enable-wccpv2' '--enable-esi' 
'--enable-http-violations' '--with-aio' '--with-default-user=squid' 
'--with-filedescriptors=16384' '--with-dl' '--with-openssl' 
'--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie' 
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 
--with-squid=/builddir/build/BUILD/squid-3.1.23






Re: [squid-users] Logs from traffic that don't belong to either whitelist or blacklist

2017-05-25 Thread Walter H.

On 25.05.2017 11:25, Amos Jeffries wrote:

> On 25/05/17 19:51, Miguel Barbero wrote:
>
>> Good morning,
>>
>> We have a special requirement and we are not sure whether it's
>> possible to accomplish.
>>
>> We have defined a whitelist and a blacklist on our Squid. Its
>> behaviour is as usual and as one would expect.
>>
>> All the traffic less blacklist is passed, however we are interested to
>> get an alert about the passed traffic that doesn't belong to either
>> whitelist or blacklist.
>>
>> Is there any way to get this?
>
> It is. I would configure it like this:
>
> acl blacklist ...
> http_access deny blocklist
>
> acl whitelist ...
> http_access allow whitelist
>
> external_acl_type notify %% /path/to/notify_script
> acl notify external notify
>
> http_access allow notify
> http_access deny all
>
> Where the notify_script is a helper that sends your notification
> however you want and returns "OK" to Squid.

Hello Amos,

this helps me too, but can "notify" in the above be an own defined 
label?


acl videourls ...
acl audiourls ...

external_acl_type notify %% /path/to/notify_script
acl notifyscript external notify

http_access allow notifyscript

how can I have two different notify_scripts?
e.g. one for acl  videourls and one for acl audiourls

Thanks,
Walter
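As an added example, not Amos's or Walter's script, here is what such a notify helper can look like in Python: it reads lookups on stdin, raises the alert, and always answers OK, and it addresses the follow-up question by classifying the URL itself (video vs. audio) so that one helper can serve both acls. Assumed and constructed: the %URI format and helper path in the squid.conf fragment of the docstring, the file-extension patterns, and the --concurrent switch.

```python
#!/usr/bin/env python3
"""Squid external_acl helper that only raises an alert and then answers OK.

Assumed squid.conf (constructed for this example, not from the thread;
ttl=0 so that every request is reported, not one per cached result):

    external_acl_type notify ttl=0 %URI /path/to/notify_helper.py
    acl notifyscript external notify
    http_access allow notifyscript

Squid writes one lookup per line on stdin; with concurrency=N it prefixes
each line with a channel id that must be echoed back in front of the reply
(start the helper with --concurrent in that case).
"""
import re
import sys

# Constructed classification for the "video vs. audio" question: one helper
# can serve both cases by deciding itself which notification to send.
CLASSES = {
    "video": re.compile(r"\.(mp4|webm|mkv)(\?|$)", re.IGNORECASE),
    "audio": re.compile(r"\.(mp3|ogg|flac)(\?|$)", re.IGNORECASE),
}


def classify(url):
    """Name of the first class whose pattern matches the URL, else 'other'."""
    for name, pattern in CLASSES.items():
        if pattern.search(url):
            return name
    return "other"


def notify(kind, url, sink=None):
    """Send the alert: one line to stderr (which ends up in cache.log) or,
    when a list is given, into that list so the behaviour can be checked.
    Replace the body with mail, syslog, etc. as needed."""
    message = "ALERT %s %s" % (kind, url)
    if sink is None:
        sys.stderr.write(message + "\n")
    else:
        sink.append(message)


def handle_line(line, sink=None, concurrent=False):
    """Turn one lookup line into the reply line for Squid.

    The helper is a side effect, not a gate, so every usable lookup gets OK;
    the tag= annotation lets a later `acl ... tag` rule see the class.
    An empty lookup is reported with BH (helper failure, Squid 3.4 and
    later) rather than ERR, so the helper never becomes an unintended deny.
    """
    line = line.rstrip("\r\n")
    channel = ""
    if concurrent:
        channel, _, line = line.partition(" ")
        channel = channel + " " if channel else ""
    # Squid double-quotes a value that contains spaces; URLs normally do
    # not, so the first (only) field is the whole URL.
    url = line.strip().strip('"')
    if not url:
        return channel + "BH message=empty_lookup"
    kind = classify(url)
    notify(kind, url, sink)
    return "%sOK tag=%s" % (channel, kind)


def main(argv=None):
    args = sys.argv[1:] if argv is None else argv
    concurrent = "--concurrent" in args
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrent=concurrent) + "\n")
        sys.stdout.flush()  # Squid waits for each reply line; never buffer it


if __name__ == "__main__":
    main()
```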



smime.p7s
Description: S/MIME Cryptographic Signature
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Logs from traffic that don't belong to either whitelist or blacklist

2017-05-25 Thread Walter H.

On 25.05.2017 09:51, Miguel Barbero wrote:

> Good morning,
>
> We have a special requirement and we are not sure whether it's
> possible to accomplish.
>
> We have defined a whitelist and a blacklist on our Squid. Its
> behaviour is as usual and as one would expect.
>
> All the traffic less blacklist is passed, however we are interested to
> get an alert about the passed traffic that doesn't belong to either
> whitelist or blacklist.
>
> Is there any way to get this?
>
> Thanks and kind regards



you could do this with a url-rewrite-program, which only does the alert;
the same I do when the URL ends with .mp4: I send a mail with the 
complete URL to myself




[squid-users] CentOS6 and squid34 package ...

2017-05-25 Thread Walter H.

Hello

what is the essential difference between the default squid package and 
this squid34 package,

as I have problems using this squid34 package for FTP connections;
there are no shown icons, when going to e.g. ftp://ftp.adobe.com/
when I tell the browser to show the image then I get this squid 
generated message ...


the same config /etc/squid/squid.conf works with the default squid 
package ...



While trying to retrieve the URL: 
http://proxy.local:3128/squid-internal-static/icons/silk/folder.png 
 



The following error was encountered:

* Access Denied.

Access control configuration prevents your request from being allowed at 
this time.

Please contact your service provider if you feel this is incorrect.

Your cache administrator is ...


Generated Thu, 25 May 2017 06:50:02 GMT by proxy.local (squid/3.4.14)



does anybody have a hint for me what is wrong ...? here is the 
/etc/squid/squid.conf



acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
http_reply_access allow all

http_port 3128

cache_dir ufs /var/spool/squid 16400 16 256
coredump_dir /var/spool/squid

nonhierarchical_direct off

visible_hostname proxy.local
unique_hostname proxy.local

forwarded_for off
cache_mem 2560 MB

icon_directory /usr/share/squid/icons
error_directory /etc/squid/errors

as_whois_server whois.ra.net

logformat combined %>A %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

access_log /var/log/squid/access.log combined

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


the same host has a running apache, where host proxy.local is a password 
protected web, which has the following


for port 80

RewriteCond %{HTTP_HOST} ^proxy\.local(:80)?$ [NC]
RewriteRule ^/(.*)$ https://proxy.local/$1 [L,R=301]


for port 443


AuthName Firewall/Router
AuthType Basic
AuthUserFile /var/www/passwrds
Require User admin



/var/log/squid/access.log has this ...

client - - [25/May/2017:08:50:02 +0200] "GET http://proxy.local:3128/squid-internal-static/icons/silk/folder.png HTTP/1.1" 403 1655 "ftp://ftp.adobe.com/" "UserAgent" TCP_DENIED:HIER_NONE



the apache doesn't log anything in connection with this ...

does anybody have a hint for me what is causing this?

Thanks,
Walter





Re: [squid-users] Squid custom error page

2017-05-18 Thread Walter H.

On 18.05.2017 19:40, chcs wrote:

> One more question:
> With 2 different CA certificates to block twitter.com, different results
>
> Issuer: self-signed 0 10.0.0.100 TAG_NONE/403 4709 GET
> https://www.twitter.com/ - HIER_NONE/- text/html
> Result: no problem, it shows me squid custom error page
>
> Issuer: Let's encrypt 0 10.0.0.100 TCP_DENIED/403 4714 CONNECT
> www.twitter.com:443 - HIER_NONE/- text/html
> Result: It doesn't show me squid custom error page
>
> Why?

and what is the end entity certificate where the issuer is Let's encrypt?
(this might be the reason)





[squid-users] list generates error messages ...

2017-05-17 Thread Walter H.

whenever I send a mail to the list, I get
such an error message back from
mailer-dae...@squid-cache.org

This is the mail system at host lists.squid-cache.org.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

  (expanded from
): mail forwarding loop for
squid-us...@squid-cache.org



Reporting-MTA: dns; lists.squid-cache.org
X-Postfix-Queue-ID: 7EF5FE0F2B
X-Postfix-Sender: rfc822;walte...@mathemainzel.info
Arrival-Date: Wed, 17 May 2017 14:49:16 + (UTC)

Final-Recipient: rfc822;squid-us...@squid-cache.org
Original-Recipient:rfc822;squid-users@lists.squid-cache.org
Action: failed
Status: 5.4.6
Diagnostic-Code: X-Postfix; mail forwarding loop for
squid-us...@squid-cache.org






Re: [squid-users] Squid custom error page

2017-05-17 Thread Walter H.

On 17.05.2017 16:04, Amos Jeffries wrote:

> On 17/05/17 23:32, chcs wrote:
>
>> Expected Results:
>> Display proxy server error page with deny info.
>
> This is a well-known problem with Browsers, they all refuse to display
> any response to a CONNECT tunnel message.
>
> Use of TLS to secure the connection to the proxy does not affect this
> browser behaviour on HTTPS traffic. The best you can hope for is to
> make Squid use a 511 status code with deny_info and hope that it
> chooses to display something halfway useful.

there seems to be another problem ...

at my setup any browser shows the proxy messages;

with deny_info the special page
e.g. ERR_DOMAIN_BLOCKED,
without just the ERR_ACCESS_DENIED as default ...

my squid 3.5.25 (CentOS 6.9) - thanks to
Eliezer Croitoru for doing this good job;

the custom error pages are only shown, when the proxy does
SSL interception and the browser has installed the squid CA certificate ...

why is this:

without SSL interception, the browser sends a CONNECT
and expects an SSL/TLS handshake; instead it gets an
HTTP reply with the custom error page, which the browser
doesn't know how to handle at this moment ...
only the information of the HTTP header is processed;

in case someone has configured https_port this is just the same,
because the SSL/TLS connection to the webserver is tunneled inside
the SSL/TLS connection between client and browser ...





Re: [squid-users] Squid + IPv6

2017-05-16 Thread Walter H.

On 16.05.2017 21:21, IAPS Security Services, Ltd. wrote:

> How can I compile squid for windows to get around the 128 ip limit imposed?

have you ever tried to give each network interface more than 128 IP 
addresses at a time?







[squid-users] Object Size?

2017-02-08 Thread Walter H.
Hello,

the setting

maximum_object_size 4 MB

is the default;

would the following setting

maximum_object_size 2 MB

also mean,
that there would be stored much more objects on disk?

Thanks
Walter



Re: [squid-users] Hint for howto wanted ...

2016-11-29 Thread Walter H.
On Tue, November 29, 2016 03:59, Amos Jeffries wrote:
> On 29/11/2016 7:49 a.m., Walter H. wrote:
>> Hey,
>>
>> On 28.11.2016 14:51, Eliezer Croitoru wrote:
>>> Now to me the picture is much clear technically.
>>> As Amos suggested fix the first proxy(and I am adding choose how to
>>> approach) and then move on to the next ones.
>> why fix the first proxy, I wouldn't need it, if ssl-bump plus parent
>> proxy (the remote one) worked ...
>
> Where do you expect the child proxy gets server certificate and related
> details to do the bumping when its upstream server is just another proxy?

if I knew how to SSL-bump with a parent proxy, there would be only one
squid (the 3.5.20 I already have, which does SSL-bump) at home and another
squid (a 3.4.14 in another country which doesn't do SSL-bump)

Thanks,
Walter



Re: [squid-users] Hint for howto wanted ...

2016-11-29 Thread Walter H.
Hello,

On Mon, November 28, 2016 22:45, Eliezer Croitoru wrote:

> So much clear now to a solution.
> If you don’t know what Policy Based Routing and you have a bunch of VM's
> and you are configuring the proxy in the browser manually you just need
> to install on the first proxy 3.5.22 that allows you to tunnel CONNECT
> requests to a parent proxy based on the request domain.
exact this I need/want to know;
can you please give an example in squid.conf, how to achieve this?

> What do you want to achieve? Content filtering? Special Routing(access
> the internet from another county)? Intercept the connections or use the
> browser settings to access the web?

just Content-filtering (including SSL-bump) and special routing (access
the internet via a proxy in another country) when using a proxy in the
browser settings ...
without browser settings there needn't be anything ..., in case this
client is blocked on the router, then this is ok, no need of intercepting
any connection ...

> Every question have a whole set of option and it's very simple to route
> CONNECT requests to a parent proxy if the client configures the proxy in
> it's settings.
> Indeed you won't need 3.5.22 to do that but you will need something that
> can do that.
>
> Now my conclusion is this:
> Your need is to be able to pass CONNECT requests to a parent proxy. Amos
> can you answer how it should be done and if it's possible at all using
> 3.1.X?

it would be great if you or Amos tells me how to do this with 3.5.20 or
with 3.4.14 by an example in squid.conf

Thanks,
Walter





Re: [squid-users] Hint for howto wanted ...

2016-11-28 Thread Walter H.

Hey,

On 28.11.2016 14:51, Eliezer Croitoru wrote:

> Now to me the picture is much clear technically.
> As Amos suggested fix the first proxy(and I am adding choose how to approach)
> and then move on to the next ones.
why fix the first proxy, I wouldn't need it, if ssl-bump plus parent 
proxy (the remote one) worked ...

> There are couple subjects in your one single question which are conflicting
> your desire(or at least how they are written).
> If you want to Intercept ssl traffic of clients at the network 172.16.0.0/24(or
> what ever you have there..) specific clients such as that cannot use a proxy,
> you will need to either bump them(and splice if no bump required) on the router
> level of the network or route their traffic towards the right next-hop.

both proxies, the first and the local parent are VMs on my PC ...

> Since you are already blocking clients with iptables you should get familiar if
> not yet,

this is just a few iptables rules ...

> with connection marking or Policy Based Routing.

I don't know what you mean by that?

> What router are you using a CentOS also?

this is a NAT router, nothing more ...

> If so it would be pretty simple to configure a routing policy which will be
> based on the source IP address of the connections.
> Choose if you want to bump on the first proxy ie the 3.1.23 by upgrading to
> 3.5.X or route the traffic over a tunnel instead of just blocking the traffic.

a tunnel between 2 VMs which share the same LAN interface?

> Depend on your router OS you will have different instructions on how to route the
> "blocked" clients into a proxy that will intercept the connections which needs
> to be inspected.
this is neither needed nor wanted ..., the clients configure their proxy 
manually ... this is my home LAN not a company environment ...

> Where are you stuck in the implementation?

how to have a parent proxy even when SSL-bump is done ...

> Can't you upgrade the 3.1.23(First proxy)?

this is just another VM like the 3.5.20 (parent proxy)

> What is blocking you from routing the traffic toward to the second parent proxy
> from the first one or from the router?
these two share the same LAN interface, these are VMware guests of my 
VMware host running Windows ...


Walter





Re: [squid-users] Hint for howto wanted ...

2016-11-28 Thread Walter H.
Hello,

I think we aren't understanding each other ...

let me show what my system is now:

a few clients - not all¹ - have configured a proxy,
let's say with IP 172.16.0.10
this proxy is a CentOS 6.8 with squid 3.1.23
this proxy only decides which parent to use ...

¹ some clients must be able to use internet without a proxy, my computer
e.g. is blocked at the router to use internet and therefore must use the
proxy;

one parent is a CentOS 6.8 with squid 3.5.20, which does ACL filtering,
SSL-bump, malware checking with ClamAV, let's say with IP 172.16.0.20

the other parent at a webhoster in another country is also a CentOS 6.8
with squid 3.4.14, which should only be used for geoblocked content,
nothing more ..., let's say with IP 60.60.60.60

the television has let's say 172.16.10.10

my public IP address at home is let's say 80.80.80.80

the iptables of remote-proxy has besides other web, mail, ... specific
things just this:

-A INPUT -s 80.80.80.80 -m tcp -p tcp --dport 3128 -m state --state NEW -j
ACCEPT
-A INPUT -m tcp -p tcp --dport 3128 -j DROP

just to prevent others using my proxy;


the first proxy has this in it's squid.conf

acl kaspersky-labs-net dst 62.128.100.0/23 81.19.104.0/24 195.122.177.128/25
always_direct allow kaspersky-labs-net

# specific for the television
acl apa-net dst 185.85.28.0/24 185.85.29.0/24 194.232.0.0/16
always_direct allow apa-net

acl tv-device src 172.16.10.10

cache_peer 172.16.0.20 parent 3128 0 name=local-proxy proxy-only no-digest default
cache_peer 60.60.60.60 parent 3128 0 name=remote-proxy proxy-only no-digest

acl remote-domains dstdomain "/etc/squid/remote-domains-acl.squid"

cache_peer_access local-proxy deny remote-domains
cache_peer_access local-proxy deny tv-device

cache_peer_access remote-proxy allow remote-domains
cache_peer_access remote-proxy allow tv-device
cache_peer_access remote-proxy deny all

cache_peer_access local-proxy allow all


as you see this is a little bit complex:
- the remote proxy is only used by the television,
  because there is the prevention of geoblocking critical,
  and for a few domains;²
- some networks are accessed directly without filtering,
  this is because some clients are blocked to connect
  to internet directly, but can use a proxy, or there is a
  problem with self-signed certificates; and filling up the logs
  a 2nd time with 'CONNECT' doesn't really make a sense ...
- some clients must connect to the internet without a proxy,
  either because they cannot configured to use a proxy or
  they don't want to use a proxy;

this reduces the origin question:

how can I use a parent proxy, when doing SSL-bump without changing any
iptables?
(in order not to have to configure SSL-bump a 2nd time on the remote proxy)

Thanks,
Walter


On Mon, November 28, 2016 11:18, Eliezer Croitoru wrote:
> Hey Walter,
>
> I am not sure you understand the direction of things or what I am aiming
> for.
> First if the client has CentOS 6.8 There are RPM's for newer versions
> which I am building manually for the public use.
> Second: You can simplify the picture from Intercepting traffic using the
> local squid into "route" the traffic in the IP level towards the remote
> proxy.
> You can open a gre tunnel or to use some kind of simple VPN service to
> tunnel between the client box to the 3.5.20 box.
> If you will route the clients traffic towards the proxy in the IP level
> you would be free from handling the 3.1.X proxy.
>
> You should prioritize your goals between:
> - Caching
> -  ACL
> - Others
>
> Once you will open your mind from resolving and issue and convert it into
> a second form which is functionality I think I would be able to assist
> you.
>
> What is missing from the 3.1.X proxy?
> Is the SSL BUMP missing?
> What iptables rules are you using on the client machine(3.1.X)?
>
> All the above matters to understand how to offer the right solution.
>
> Eliezer
>
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
> -Original Message-
> From: Walter H. [mailto:walte...@mathemainzel.info]
> Sent: Monday, November 28, 2016 10:59
> To: Eliezer Croitoru <elie...@ngtech.co.il>
> Cc: squid-users@lists.squid-cache.org
> Subject: RE: [squid-users] Hint for howto wanted ...
>
> On Mon, November 28, 2016 06:56, Eliezer Croitoru wrote:
>> OK so the next step is:
>
>> Routing over tunnel to the other proxy and on it(which has ssl-bump)
>> intercept.
> by now only the 3.5.20 squid on the local VM does SSL-bump
>
>> If you have a public on the remote proxies which can use ssl-bump then
>> route the traffic to there using Policy Based routing.
> how do I configure this?
>
>> You can selectively route by source or destination IP addresses.
> by now the re

Re: [squid-users] Hint for howto wanted ...

2016-11-28 Thread Walter H.
On Mon, November 28, 2016 06:56, Eliezer Croitoru wrote:
> OK so the next step is:

> Routing over tunnel to the other proxy and on it(which has ssl-bump)
> intercept.
by now only the 3.5.20 squid on the local VM does SSL-bump

> If you have a public on the remote proxies which can use ssl-bump then
> route the traffic to there using Policy Based routing.
how do I configure this?

> You can selectively route by source or destination IP addresses.
by now the remote has in its iptables to only accept port 3128 from my
home IP (IPv6 and IPv4), but the IPv4 at home changes several times a
year;
means it is not fix;

>
> Now my main question is: Can't you just install 3.5 on the 3.1.23 machine
> and bump there?
SSL bump and parent proxy together doesn't work,
if this worked I wouldn't need the 3.1.23 machine at all ...
the 3.1.23 machine has the other 2 proxies (3.4.14-remote and
3.5.20-local) as parent ...

I should mention that the 3.5.20 box also has ClamAV (SquidClam) which
does malware checking ...
(the remote proxy can't run ClamAV)

> How are you intercepting the connections? What are the iptables rules you
> are using?

the client have configured the 3.1.23 squid box as proxy

> What OS are you running on top of the Squid boxes?

all squid boxes run CentOS 6.8

Thanks,
Walter




Re: [squid-users] Hint for howto wanted ...

2016-11-27 Thread Walter H.

Hello,

yes I have full control of all three proxies,  both local proxies and 
remote proxy; and in my LAN I use static IP addresses;


cache_peer_access remote-proxy allow remote-domains <-- this is necessary because a few domains have geo location restrictions which are bypassed with this
cache_peer_access remote-proxy allow tv-device <-- but this sends anything from the TV there, even requests that should be blocked ...

(selective doesn't work)

the proxy that is used by the clients is a squid 3.1.23, the one that is 
remote is a 3.4.14 and the local parent proxy is a 3.5.20


Thanks,
Walter


On 28.11.2016 04:40, Eliezer Croitoru wrote:

A question that will simplify things:
Are you full in control of the remote and the local proxy?
If so you can create a tunnel from the local gateway to the remote squid and
pass the web traffic in the routing level.
This way you would be able to intercept port 80 on the remote proxy and if
required also BUMP the ip addresses you want.

If you have static IP addresses you would probably be able to decide which
of the clients you will bump or not.
I think that TV in general in the form I know of needs filtering since not
everything there you will want anyone to see.
But again maybe in your area TV is something else then in mine.

If you need more help let me know.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Walter H.
Sent: Sunday, November 27, 2016 19:17
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Hint for howto wanted ...

Hello,

I've got a special problem ...

I have several devices in my LAN:
- PCs, Notebooks
- a Tablet-PC
- a Smartphone
- a Television

on my LAN I've two squids as VMs on my PC (both are CentOS 6)

I also have a virtual server (a CentOS 6, too)  at a webhoster in a
different country, which I have configured as a proxy (squid) only for me
besides the web service;

/etc/squid/squid.conf of the main proxy, which is used as proxy by the
clients has this ...

acl tv-device src ip-of-tv

cache_peer parentproxy.local parent 3128 0 name=local-proxy proxy-only no-digest default
cache_peer virtualserver-at-webhoster parent 3128 0 name=remote-proxy proxy-only no-digest

acl remote-domains dstdomain "/etc/squid/remote-domains-acl.squid"

cache_peer_access remote-proxy allow remote-domains
cache_peer_access remote-proxy allow tv-device
cache_peer_access remote-proxy deny all

cache_peer_access local-proxy allow !tv-device

this proxy and the one at the webhoster don't do SSL-bump, only the parent
proxy does ...
at the moment only the parentproxy.local does filtering and blocks unwanted
IPs, hosts, ...

what is the easiest way to do smart filtering for the tv-device, as this
doesn't use parentproxy.local at all ...
do  I really have to do smart filtering on both, the one at the hoster (plus
SSL bump) and the parentproxy that already does?

Thanks,
Walter









[squid-users] Hint for howto wanted ...

2016-11-27 Thread Walter H.

Hello,

I've got a special problem ...

I have several devices in my LAN:
- PCs, Notebooks
- a Tablet-PC
- a Smartphone
- a Television

on my LAN I've two squids as VMs on my PC
(both are CentOS 6)

I also have a virtual server (a CentOS 6, too)  at a webhoster in a 
different country,
which I have configured as a proxy (squid) only for me besides the web 
service;


/etc/squid/squid.conf of the main proxy, which is used as proxy by the 
clients has this ...


acl tv-device src ip-of-tv

cache_peer parentproxy.local parent 3128 0 name=local-proxy proxy-only no-digest default
cache_peer virtualserver-at-webhoster parent 3128 0 name=remote-proxy proxy-only no-digest


acl remote-domains dstdomain "/etc/squid/remote-domains-acl.squid"

cache_peer_access remote-proxy allow remote-domains
cache_peer_access remote-proxy allow tv-device
cache_peer_access remote-proxy deny all

cache_peer_access local-proxy allow !tv-device

this proxy and the one at the webhoster don't do SSL-bump, only the 
parent proxy does ...
at the moment only the parentproxy.local does filtering and blocks 
unwanted IPs, hosts, ...


what is the easiest way to do smart filtering for the tv-device, as this 
doesn't use parentproxy.local at all ...
do  I really have to do smart filtering on both, the one at the hoster 
(plus SSL bump) and the parentproxy that already does?


Thanks,
Walter






[squid-users] CentOS 6, Squid 3.5.20, Error message in /var/log/squid/cache.log

2016-11-23 Thread Walter H.

Hello,

can someone tell me, especially the maintainer of the binary packages 
for CentOS


what this message

2016/11/23 19:08:58 kid1| Error negotiating SSL on FD 39: error::lib(0):func(0):reason(0) (5/0/0)


should say to me ...

Thanks,
Walter






Re: [squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)

2016-10-18 Thread Walter H.
On Tue, October 18, 2016 13:31, Garri Djavadyan wrote:
> On Tue, 2016-10-18 at 13:02 +0200, Walter H. wrote:
>> Hello,
>>
>> just in case anybody wants to run Squid 3.5.x on CentOS
>> with SELinux enforcing,
>>
>> here is the semodule
>>
>> 
>> module squid_update 1.0;
>>
>> require {
>> type squid_conf_t;
>> type squid_t;
>> type var_t;
>> class file { append open read write getattr lock
>> execute_no_trans };
>> }
>>
>> #= squid_t ==
>> allow squid_t squid_conf_t:file execute_no_trans;
>> allow squid_t var_t:file { append open read write getattr lock };
>> 
>>
>> and do the following:
>>
>> checkmodule -M -m -o squid_update.mod squid_update.tt
>> semodule_package -o squid_update.pp -m squid_update.mod
>> semodule -i squid_update.pp
>
> Hi,
>
> Have you tried to use default policy and relabel target dirs/files
> using types dedicated for squid? For example:
>
> # semanage fcontext -l | grep squid
> ...

my output differs a little bit; and yes the target files/dirs are labeled
as dedicated;

don't ask me why, but I have two CentOS 6.x VMs (each latest) one with the
official package (release 3.1.23) and one with this 3.5.20 RPM package;

with the 3.1.x there is no problem with

url_rewrite_program /etc/squid/url-rewrite-program.pl
url_rewrite_children 8
url_rewrite_host_header on
url_rewrite_access allow all

but with the 3.5.x there is access denied (shown in /var/log/audit/audit.log)
and squid doesn't start;

specific to the 3.5.x release, I added a certificate validator helper,
which has also problems ...

with this semodule package everything works fine ...

so there must be something different, between these two releases;

with SELinux disabled or permissive there is no need of this semodule
package;

Greetings,
Walter




[squid-users] Ciphersuites with SSL bump [squid 3.5.19]

2016-05-20 Thread Walter H.

Hello,

I'd like to disable some ciphersuites when connecting with web servers;

when I go there: https://cc.dcsec.uni-hannover.de/
I'm shown this (only the column with ciphersuite names):

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
RSA-AES256-GCM-SHA384
DH-RSA-MISTY1-SHA  (*)
RSA-AES256-SHA
RSA-CAMELLIA256-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-CAMELLIA128-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
RSA-AES128-GCM-SHA256
DH-DSS-MISTY1-SHA  (*)
RSA-AES128-SHA
RSA-CAMELLIA128-SHA
ECDHE-RSA-3DES-EDE-SHA
ECDHE-ECDSA-3DES-EDE-SHA
DHE-RSA-3DES-EDE-SHA
ECDH-RSA-3DES-EDE-SHA
ECDH-ECDSA-3DES-EDE-SHA
RSA-3DES-EDE-SHA
EMPTY-RENEGOTIATION-INFO-SCSV

and these are the lines in my squid.conf

sslproxy_cafile /etc/squid/ca-bundle.trust.crt
sslproxy_cipher !SSLv2:+SSLv3:!AECDH:!ADH:!DES:HIGH:+3DES:!RC4:!MD5:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SEED:!SRP

sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2

and I would like to disable the ciphersuites marked with (*), but how 
would I do this?


any hint would be nice;

Thanks and greetings from Austria,
Walter






[squid-users] SSL-Bump and generated certificates ...

2016-05-16 Thread Walter H.

Hello,

I updated squid 3.4.10 to 3.5.19 on my CentOS VM, I noticed that the 
generated certificates are now SHA2 and not SHA1,

can I influence somewhere to generate still SHA1 certificates?
(I have devices which use this proxy and are not able to handle SHA2)

Thanks,
Walter






Re: [squid-users] Regular expressions with dstdom_regex ACL

2016-05-13 Thread Walter H.
On Fri, May 13, 2016 07:32, Amos Jeffries wrote:
> On 13/05/2016 3:44 p.m., Walter H. wrote:
>> p.s.
>> the sample here
>> http://wiki.squid-cache.org/ConfigExamples/Chat/Skype
>> doesn't work, too
>>
>
> The skype pattern is matching the port Skype uses. You need to drop that
> off the pattern. But it should match if you use just the raw-IP part.

it is somewhat weird, because
wget http://[2a00:1a68:3:1::c5a5:8590]/
isn't blocked and the following are
all blocked as they should:
wget http://[2a00:1a68:3::c5a5:8590]/
wget http://[2a00:1a68:3:1::c5a:8590]/
wget http://[2a00:1a68:3:1::c5a5:859]/
wget http://[2a00:1a68:2:1::c5a5:8590]/

here this part in access.log

parentproxy.local - - [13/May/2016:09:44:10 +0200] "GET http://[2a00:1a68:2:1::c5a5:8590]/ HTTP/1.0" 403 1578 "-" "Wget/1.12 (linux-gnu)" TCP_DENIED:HIER_NONE
parentproxy.local - - [13/May/2016:09:46:53 +0200] "GET http://[2a00:1a68:3:1::c5a5:8590]/ HTTP/1.0" 301 590 "-" "Wget/1.12 (linux-gnu)" TCP_MISS:HIER_DIRECT
parentproxy.local - - [13/May/2016:09:46:54 +0200] "GET http://mathemainzel.info/ HTTP/1.0" 200 2662 "-" "Wget/1.12 (linux-gnu)" TCP_MISS:HIER_DIRECT
parentproxy.local - - [13/May/2016:09:47:03 +0200] "GET http://[2a00:1a68:2:1::c5a5:8590]/ HTTP/1.0" 403 1578 "-" "Wget/1.12 (linux-gnu)" TCP_DENIED:HIER_NONE
parentproxy.local - - [13/May/2016:09:47:14 +0200] "GET http://[2a00:1a68:3::c5a5:8590]/ HTTP/1.0" 403 1574 "-" "Wget/1.12 (linux-gnu)" TCP_DENIED:HIER_NONE
parentproxy.local - - [13/May/2016:09:47:37 +0200] "GET http://[2a00:1a68:3:1::c5a:8590]/ HTTP/1.0" 403 1576 "-" "Wget/1.12 (linux-gnu)" TCP_DENIED:HIER_NONE
parentproxy.local - - [13/May/2016:09:47:45 +0200] "GET http://[2a00:1a68:3:1::c5a5:859]/ HTTP/1.0" 403 1576 "-" "Wget/1.12 (linux-gnu)" TCP_DENIED:HIER_NONE

here the ACL

acl block_domains_iphost dstdom_regex "/etc/squid/iphost-acl.squid"
deny_info ERR_DOMAIN_IPHOST_BLOCKED block_domains_iphost
http_access deny block_domains_iphost

and iphost-acl.squid has the following content:

^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$
^\[([0-9a-f]{0,4})(:|[0-9a-f]{0,4}){1,7}\]$
^\[::1\]$
^\[.*\]$
^([0-9a-f]{0,4})(:|[0-9a-f]{0,4}){1,7}$
^::1$
^.*$

some part above I have this in squid.conf

acl allow_domains dstdom_regex "/etc/squid/domain_regex-acl.squid"
http_access allow allow_domains

and domain_regex-acl.squid has the following content:

...
\.mathemainzel\.info$
...

what is this mystic, that
wget http://[2a00:1a68:3:1::c5a5:8590]/
isn't blocked, even it should ...

by the way  wget http://81.19.145.52/ is blocked as you see in the log

parentproxy.local - - [13/May/2016:10:12:53 +0200] "GET http://81.19.145.52/ HTTP/1.0" 403 1550 "-" "Wget/1.12 (linux-gnu)" TCP_DENIED:HIER_NONE

just as an experiment, if I remove this one entry of domain_regex-acl.squid
then
wget http://[2a00:1a68:3:1::c5a5:8590]/
is blocked, why not with this entry?

Thanks and greetings from Austria,
Walter




Re: [squid-users] Regular expressions with dstdom_regex ACL

2016-05-12 Thread Walter H.

On 12.05.2016 22:20, Walter H. wrote:

Hello,
can someone please tell me how I can achieve this?

the result should be that
any URL like this
http(s)://ip-address/ should be blocked by the specified error page

Thanks and Greetings from Austria,
Walter

p.s.
the sample here
http://wiki.squid-cache.org/ConfigExamples/Chat/Skype
doesn't work, too





[squid-users] Regular expressions with dstdom_regex ACL

2016-05-12 Thread Walter H.

Hello,

can someone please tell me which regular expression(s) would really block
domains which are IP hosts

for IPv4 this is my regexp:
^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$
and this works as expected

acl block_domains_iphost dstdom_regex ^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$

deny_info ERR_IPHOST_BLOCKED block_domains_iphost
http_access deny block_domains_iphost

BUT, I tried and tried and failed with IPv6

this section in squid.conf

acl block_domains_ip6host dstdomain [ipv6]
deny_info ERR_IPHOST_BLOCKED block_domains_iphost6
http_access deny block_domains_iphost6

doesn't work for exact this given IPv6 address ...

I want any IPv6 address

can someone please tell me how I can achieve this?

the result should be that
any URL like this
http(s)://ip-address/ should be blocked by the specified error page

Thanks and Greetings from Austria,
Walter




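An added Python model, not Squid's code and not from the thread, that replays the two dstdom_regex ACL files and the http_access order from the reply above (the iphost-acl.squid list and the allow_domains entry) and from this original question against the host names seen in the log. It compares the patterns only with the literal host text, in both the bracketed and the bare IPv6 form the file lists; Squid's own dstdom_regex evaluation may first resolve an IP literal to a name, which is not modelled here, and the case-insensitive comparison is an assumption.

```python
import re

# ACL files from the thread, in the order squid.conf evaluates them:
# "http_access allow allow_domains" comes before "http_access deny block_domains_iphost",
# and http_access stops at the first matching line.
ALLOW_DOMAINS = [r"\.mathemainzel\.info$"]        # domain_regex-acl.squid (the one visible entry)
BLOCK_IPHOST = [                                   # iphost-acl.squid
    r"^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$",
    r"^\[([0-9a-f]{0,4})(:|[0-9a-f]{0,4}){1,7}\]$",
    r"^\[::1\]$",
    r"^\[.*\]$",
    r"^([0-9a-f]{0,4})(:|[0-9a-f]{0,4}){1,7}$",
    r"^::1$",
    r"^.*$",
]
RULES = [("allow", "allow_domains", ALLOW_DOMAINS),
         ("deny", "block_domains_iphost", BLOCK_IPHOST)]


def first_match(host, patterns):
    """Return the first pattern in an ACL file that matches host, or None."""
    host = host.lower()          # assumption: host names are compared case-insensitively
    for pattern in patterns:
        if re.search(pattern, host):
            return pattern
    return None


def http_access(host, rules=RULES):
    """Walk the http_access lines top to bottom; return (action, acl, pattern).

    (None, None, None) means no line matched; Squid then applies the opposite of
    the last http_access line's action.
    """
    for action, acl, patterns in rules:
        hit = first_match(host, patterns)
        if hit is not None:
            return action, acl, hit
    return None, None, None


def repetitions_needed(address):
    """Count the ':' and hex-group tokens the IPv6 pattern's {1,7} group must absorb.

    The first hex group is taken by the leading ([0-9a-f]{0,4}); every further
    colon and hex group costs one repetition, so an address needing more than 7
    can never be matched by the dedicated IPv6 patterns, only by the catch-alls.
    """
    tokens = re.findall(r":|[0-9a-f]+", address.strip("[]").lower())
    leading_group = 1 if tokens and tokens[0] != ":" else 0
    return len(tokens) - leading_group
```

For the 6-group address from the log the dedicated IPv6 pattern needs 11 repetitions, so the match comes from `^\[.*\]$`; for a bare host name nothing but the final `^.*$` fires, which is why the allow line in front of it decides everything.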


[squid-users] DNS-Errors ... squid-cache.org

2016-05-10 Thread Walter H.
Hello,

has anybody an idea where this errors come from,
or what is causing them?

May 10 11:21:00 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'lists.squid-cache.org/MX/IN': 173.255.241.90#53
May 10 11:21:01 lxwaldivm-001 named[30098]: error (connection refused) resolving 'lists.squid-cache.org/MX/IN': 209.169.10.132#53
May 10 11:21:04 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'lists.squid-cache.org/A/IN': 173.255.241.90#53
May 10 11:21:04 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'lists.squid-cache.org//IN': 173.255.241.90#53
May 10 11:21:05 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'lists.squid-cache.org/NS/IN': 173.255.241.90#53
May 10 11:21:05 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'squid-cache.org/NS/IN': 173.255.241.90#53
May 10 11:21:09 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'eu.squid-cache.org/A/IN': 173.255.241.90#53
May 10 11:21:09 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'ns1.squid-cache.org//IN': 173.255.241.90#53
May 10 11:21:09 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'ns1.squid-cache.org/A/IN': 173.255.241.90#53
May 10 11:21:09 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'eu.squid-cache.org//IN': 173.255.241.90#53
May 10 11:21:09 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'ns2.squid-cache.org/A/IN': 173.255.241.90#53
May 10 11:21:09 lxwaldivm-001 named[30098]: error (unexpected RCODE REFUSED) resolving 'ns2.squid-cache.org//IN': 173.255.241.90#53

these are listed quite often at /var/log/messages on my DNS-machine ...

Thanks,
Walter



Re: [squid-users] How to suppress SQUID_X509_V_ERR_DOMAIN_MISMATCH error for known domains?

2016-03-26 Thread Walter H.

On 26.03.2016 11:53, Yuri Voinov wrote:

Look at this, gents.

http://i.imgur.com/kxrOEVd.png 

can you give me the complete URL just for testing purpose;

https://download.microsoft.com/   does a forward to
https://www.microsoft.com/en-us/download

which squid version is in use?





[squid-users] SSL-bump and Ciphersuite?

2016-01-11 Thread Walter H.
Hello,

I'd restrict the client by using a less resource consuming TLS encryption;

I thought of doing just this

e.g.
http_port 3128 ... cipher=3DES ...
(for restricting clients connecting to 3DES)

or what would be less resource consuming?
AES128?

but where can I see, which ciphersuite is really used?
(which log shows this? is it /var/squid/cache.log?)

the reason why I'm asking this:

I'm using Kaspersky Anti-Virus on client side, this does a 2nd
SSL-interception, and there the browsers show different Ciphersuites;

e.g. Google Chrome shows AES128, Mozilla Firefox shows Camellia 256

or is it like this: e.g. Google Chrome uses AES128 to the Anti-Virus, the
Anti-Virus itself uses 3DES to the proxy server?
(the proxy server matches another Ciphersuite to the web host)

Kaspersky Anti-Virus installed its own Root certificate into the Certstore
of my Windows and of Mozilla Firefox; for sites the Antivirus does no
SSL-intercept, I see the Root certificate of my proxy and for sites the
Antivirus does SSL-Intercept I see the Kaspersky's Antivirus Root
certificate;

Thanks,
Walter



Re: [squid-users] SSL-bump and Ciphersuite?

2016-01-11 Thread Walter H.
Hello Amos,

On Mon, January 11, 2016 11:13, Amos Jeffries wrote:
> On 11/01/2016 10:50 p.m., Walter H. wrote:
>> Hello,
>>
>> I'd restrict the client by using a less resource consuming TLS
>> encryption;
>>
>> I thought of doing just this
>>
>> e.g.
>> http_port 3128 ... cipher=3DES ...
>> (for restricting clients connecting to 3DES)
>>
>> or what would be less resource consuming?
>> AES128?
>
> Depends on the specific TLS library implementation, what other hashes
> etc are used alongside, and any crypto hardware support in the machine
> running it.
>
there is no crypto hardware support as far as I know, my squid box is just
a VM, and I guess squid (I'm using 3.4.10) is using OpenSSL as TLS
library (latest of CentOS 6)

>> the reason why I'm asking this:
>>
>> I'm using Kaspersky Anti-Virus on client side, this does a 2nd
>> SSL-interception, and there the browsers show different Ciphersuites;
>>
>> e.g. Google Chrome shows AES128, Mozilla Firefox shows Camellia 256
>>
>> or is it like this: e.g. Google Chrome uses AES128 to the Anti-Virus,
>> the
>> Anti-Virus itself uses 3DES to the proxy server?
>> (the proxy server matches another Ciphersuite to the web host)
>
> Yes it is like that. TLS is point-to-point encryption.

Ok, because the strange thing in connection with this:

I had

http_port 3128 ... dhparam=./dhparam.pem

and before installing Kaspersky Anti-Virus there was not any error; but in
connection with the SSL-Interception of Kaspersky Anti-Virus, I got an SSL
error in Mozilla Firefox like "invalid server hello"
removing dhparam=... from http_port resolves this "issue";

Thanks,
Walter



Re: [squid-users] Using subordinate CA for SSL Bump

2015-12-17 Thread Walter H.

On 14.12.2015 22:26, Yuri Voinov wrote:


Hi all.

Does anybody can tell me - is it possible to use subordinate secondary
CA in squid for SSL Bumping purpose?

this is possible; I had this for several months this way;

I.e., we have self-signed primary CA for issue subordinate CA,

subordinate CA we install in squid's setup,

primary CA certificate install to clients.

For example.

For mimicking we'll using subordinate CA, and, in case of subordinate
key forgery, we can use primary CA to revoke subordinate CA and re-issue
them without total replacement primary CA on clients.

This will seriously increase bumping security procedure, hm?
no; but there you have to keep some steps, you wouldn't need if squid 
used a root CA certificate; *)
you can replace the sub CA every month without extra work on client side 
because the clients have the root CA in their trust store;

I've tried this scheme with 3.5.11, but without success.

ok I was using this with 3.4.10

*)  this is more work than someone may think, because you must fake a 
complete CA, this means:


in the sub CA certificate there must be everything necessary to validate 
it, this means that there must be
an OCSP against the root, and also a CRL link in the CA certificate 
attributes; and keep in mind
the only user agent in windows honoring the CRL is google's chrome; so 
keep it up to date ...


also there must be link to the root CA inside the sub CA certificate;

something must be said, when doing it this way:
the symbol chrome is showing for SSL connections may be a normal one as 
when there is no MITM ...


Walter






Re: [squid-users] Using subordinate CA for SSL Bump

2015-12-17 Thread Walter H.

On 17.12.2015 18:01, Alex Rousskov wrote:

On 12/17/2015 03:12 AM, Yuri Voinov wrote:

This looks like. Root CA doesn't send. Subordinate CA uses as signer for
mimicked. All and any clients got security alert.


There may still be some terminology misunderstanding here because not
sending the root certificate is the right thing to do

as a correctly configured web server does;
this sends only its SSL certificate with the issuing intermediate plus 
any other intermediate certificate,

but no root certificate ...

so in this case there is just the intermediate certificate the one squid 
uses for SSL bump;
the root certificate is installed on the clients and both the mimicked 
and the intermediate are sent by squid,

and all is fine;





Re: [squid-users] http request header must use hostname

2015-12-07 Thread Walter H.

On 07.12.2015 08:49, Amos Jeffries wrote:

On 7/12/2015 5:41 p.m., Walter H. wrote:

On 07.12.2015 00:21, Amos Jeffries wrote:

Getting complicated...

So xxiao8, why does one want to censor these requests anyway?

Amos

try to connect natively with the IP-Address instead of the hostname ...
the SSL certificate of the host itself prevents the connection without
message in the user agent ...

TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH

xxiao was asking about http:// plain-text scope. TLS bugs in client UA
(sending SNI with raw-IP values) are irrelevant there.

Amos

then this

"http_access deny CONNECT numeric_IPs"

is wrong, because CONNECT has nothing to do with http://, isn't it?





Re: [squid-users] http request header must use hostname

2015-12-06 Thread Walter H.

On 07.12.2015 00:21, Amos Jeffries wrote:

Getting complicated...

So xxiao8, why does one want to censor these requests anyway?

Amos

try to connect natively with the IP-Address instead of the hostname ...
the SSL certificate of the host itself prevents the connection without 
message in the user agent ...


TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH





Re: [squid-users] Block google pictures

2015-11-26 Thread Walter H.

use SSL bump and block URLs and/or URL-paths

On 26.11.2015 15:27, Funke, Martin wrote:

I'm using squid + squid guard in a primary school and sometimes the 
primary-school pupils search for penis and things like that :).

That’s why I need a way to stop them doing these things.







Re: [squid-users] sslBump adventures in enterprise production environment

2015-11-14 Thread Walter H.

On 13.11.2015 14:53, Yuri Voinov wrote:

There is no solution for ICQ with Squid now.

You can only bypass proxying for ICQ clients.

from where do the ICQ clients get the trusted root certificates?
maybe this is the problem, that e.g. the squid CA cert is only installed 
in FF

and nowhere else ...

13.11.15 14:41, Eugene M. Zheganin wrote:

Hi.

Today I discovered that a bunch of old legacy ICQ clients that some
people till use have lost the ability to use HTTP CONNECT tunneling with
sslBump. No matter what I tried to allow direct splicing for them, all
was useless:

- arranging them by dst ACL, and splicing that ACL
- arranging them by ssl::server_name ACL, and splicing it

So I had to turn of sslBumping. Looks like it somehow interferes with
HTTP CONNECT even when splicing it.
Last version of sslBump part in the config was looking like that:


acl icqssl ssl::server_name login.icq.com
acl icqssl ssl::server_name go.icq.com
acl icqssl ssl::server_name ars.oscar.aol.com
acl icqssl ssl::server_name webim.qip.ru
acl icqssl ssl::server_name cb.icq.com
acl icqssl ssl::server_name wlogin.icq.com
acl icqssl ssl::server_name storage.qip.ru
acl icqssl ssl::server_name new.qip.ru

acl icqlogin dst 178.237.20.58
acl icqlogin dst 178.237.19.84
acl icqlogin dst 94.100.186.23

ssl_bump splice children
ssl_bump splice sbol
ssl_bump splice icqlogin
ssl_bump splice icqssl icqport
ssl_bump splice icqproxy icqport

ssl_bump bump interceptedssl

ssl_bump peek step1
ssl_bump bump unauthorized
ssl_bump bump entertainmentssl
ssl_bump splice all

I'm not sure that ICQ clients use TLS, but in my previous experience
they were configured to use proxy, and to connect through proxy to the
login.icq.com host on port 443.
Sample log for unsuccessful attempts:

1447400500.311 21 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
1447400560.301 23 192.168.2.117 TAG_NONE/503 0 CONNECT login.icq.com:443 solodnikova_k HIER_NONE/- -
1447400624.832 359 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -
1447400631.038 108 192.168.2.117 TCP_TUNNEL/200 0 CONNECT login.icq.com:443 solodnikova_k HIER_DIRECT/178.237.20.58 -


maybe give 3.4.x a try, 3.5 seems to have bugs 3.4.x don't have ...
or this is caused by the above ...





Re: [squid-users] ssl bump and url_rewrite_program (like squidguard)

2015-11-12 Thread Walter H.

On 05.11.2015 04:26, Amos Jeffries wrote:
There was a bug about the wrong SNI being sent to servers on bumped 
traffic that got re-written. That got fixed in Squid-3.5.7 and 
re-writers should have been fully working since then. 

This seems to be a bug in 3.5.x only
with 3.4.10 this works fine ...

just tried the following url-rewrite-program (perl)


#!/usr/bin/perl -wl
$| = 1;  # don't buffer the output; squid waits for one reply line per request
while ( <> )
{
    # url_rewrite_program input line: URL client_ip/fqdn user method [kv-pairs]
    unless( m,(\S+) (\S+)/(\S+) (\S+) (\S+), )
    {
        $uri = ''; next;   # unparsable line: reply with an empty line (no rewrite)
    }
    $uri = $1;
    ...
    # "301:" tells squid to send a redirect to the client instead of rewriting silently
    $uri = "301:https://rsa-md5.ssl.hboeck.de/" if ( $uri =~ m/^https:\/\/ssl\.hboeck\.de\/(\S*)/ );
}
continue
{
    print "$uri";
}
exit;






Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-20 Thread Walter H.

On 19.10.2015 01:01, Amos Jeffries wrote:


If you are interested in getting this helper bundled with Squid

No;

  the
details on how to prepare and submit a patch to squid-dev mailing list
are at:


The style guide-line is not compatible with mine (space - tab);

 by the way it is only C and only for Linux;
no Windows or other operating systems not conforming to Linux;

Greetings,
Walter





Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-20 Thread Walter H.

it was just the solution I did for myself,
and brought it to the "public" AS IS.

On 21.10.2015 00:53, Brett Lymn wrote:

On Tue, Oct 20, 2015 at 12:45:57PM +0200, Walter H. wrote:

The style guide-line is not compatible with mine (space - tab);

which can be fixed mostly by indent(1) - that shouldn't be a barrier.

not me;
anybody else can do this ...

  by the way it is only C and only for Linux;
no Windows or other operating systems not conforming to Linux;

Only for linux sounds a bit specious - I can understand not for Windows
but other unix operating systems should be close enough.

maybe it works with Unix, maybe it doesn't ...






Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-18 Thread Walter H.

On 04.10.2015 21:08, Walter H. wrote:

Hello,

does anybody know if squid does certificate checks and how to tell 
squid to do so;


this is a site with a revoked certificate
https://revoked.grc.com/

without squid, the browser shows that the certificate is revoked and 
doesn't show the page

with squid, the page is shown ...

Thanks,
Walter


I have solved it:

my solution not only does certificate checks using OCSP, it also stores 
the real certificates into a different "database" folder;

if someone doesn't want this, just remove the few lines of the shell script;
as there exists no CA that allows IP addresses, neither in the certificate 
subject nor in the SAN (subject alternative name),


https://www.whitehouse.gov/
(is blocked at my solution because of a root certificate not in the cert 
store)


all these candidates are blocked with error

/X509_V_ERR_CERT_REJECTED/

it uses two components:

- a shell script (BASH) called by the programme
- the main programme (in C): the only thing missing is an exception list of 
domains/hosts not to validate through this procedure


the squid.conf is expanded by these lines:


acl certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
acl certHasExpired ssl_error X509_V_ERR_CERT_HAS_EXPIRED
acl certNotValid ssl_error X509_V_ERR_CERT_NOT_YET_VALID
acl certRejected ssl_error X509_V_ERR_CERT_REJECTED
acl certRevoked ssl_error X509_V_ERR_CERT_REVOKED
acl certUntrusted ssl_error X509_V_ERR_CERT_UNTRUSTED

acl certSelfSignedChain ssl_error X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
acl certChainTooLong ssl_error X509_V_ERR_CERT_CHAIN_TOO_LONG
acl certPathLengthExceeded ssl_error X509_V_ERR_PATH_LENGTH_EXCEEDED

acl certSignatureFailure ssl_error X509_V_ERR_CERT_SIGNATURE_FAILURE
acl crlSignatureFailure ssl_error X509_V_ERR_CRL_SIGNATURE_FAILURE

acl caInvalid ssl_error X509_V_ERR_INVALID_CA

acl squidDomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
acl squidInfiniteValidation ssl_error SQUID_X509_V_ERR_INFINITE_VALIDATION
acl squidSslHandshake ssl_error SQUID_ERR_SSL_HANDSHAKE

# I have these two, but they are not needed:
sslproxy_cert_adapt setValidBefore all
sslproxy_cert_adapt setValidAfter all

sslproxy_cert_error deny certSelfSigned
sslproxy_cert_error deny certRejected
sslproxy_cert_error deny certRevoked
sslproxy_cert_error deny certHasExpired
sslproxy_cert_error deny certNotValid
sslproxy_cert_error deny certUntrusted
sslproxy_cert_error deny certSelfSignedChain
sslproxy_cert_error deny certChainTooLong
sslproxy_cert_error deny certPathLengthExceeded
sslproxy_cert_error deny certSignatureFailure
sslproxy_cert_error deny crlSignatureFailure
sslproxy_cert_error deny caInvalid
sslproxy_cert_error deny squidDomainMismatch
sslproxy_cert_error deny squidInfiniteValidation
sslproxy_cert_error deny squidSslHandshake
sslproxy_cert_error allow all

sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/ssl_crtvalid/main.sh

sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1


this main.sh script is only


#!/bin/sh
/usr/lib64/squid/ssl_crtvalid/helper 2>>/tmp/crtvalid-debug.log

when someone compiles the programme without _DEBUG
then the line in squid.conf would be without this

sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/ssl_crtvalid/helper


the shellscript  verify.sh is


#!/bin/bash
# called by the helper programme as: verify.sh CERT ISSUER CHAIN SSLHOST

CAFILE=/etc/pki/tls/certs/ca-bundle.trust.crt
DTABASE=/var/local/squid/ssl_crtvalid

CERT=$1
ISSUER=$2
CHAIN=$3
SSLHOST=$4

# chain validation against the trust store; prints "<cert>: OK" or the verify error
openssl verify -CAfile "$CAFILE" -untrusted "$CHAIN" "$CERT"

OCSPURL=$(openssl x509 -in "$CERT" -noout -ocsp_uri)

if [ "$OCSPURL" == "" ];
then
  # no OCSP responder in the certificate: report it in the same "<cert>: <status>" form
  echo "$CERT: rejected"
else
  # some responders require a Host header, so take the host part of the OCSP URL
  OCSPHOST=$(echo "$OCSPURL" | gawk -F/ '{ print $3 }' -)
  openssl ocsp -CAfile "$CAFILE" -no_nonce -noverify -issuer "$ISSUER" -cert "$CERT" -url "$OCSPURL" -header Host "$OCSPHOST" | grep "$CERT"
fi

# store the real server certificate under its SHA1 fingerprint
FINGERPRINT=$(openssl x509 -in "$CERT" -noout -sha1 -fingerprint | sed "{s/SHA1\ Fingerprint\=//g;s/\://g}")

SUBJECT=$(openssl x509 -in "$CERT" -noout -subject | sed "{s/subject\=\ //g}")

if [ -f "$DTABASE/certs/$FINGERPRINT.pem" ];
then
  ENTRY=$(grep "$SSLHOST" "$DTABASE/index.txt" | grep "$FINGERPRINT")
  if [ "$ENTRY" == "" ];
  then
    printf '%s\t%s\t%s.pem\n' "$SSLHOST" "$SUBJECT" "$FINGERPRINT" >>"$DTABASE/index.txt"
  fi
else
  openssl x509 -in "$CERT" -out "$DTABASE/certs/$FINGERPRINT.pem"
  printf '%s\t%s\t%s.pem\n' "$SSLHOST" "$SUBJECT" "$FINGERPRINT" >>"$DTABASE/index.txt"
fi



/*
 * Squid SSL Validator helper programme
 *
 */

#include 
#include 

#include 
#include 
#include 

#include 

#include 

#define _DEBUG

#ifdef _DEBUG
#define DEBUGINIT( ) debugInit( __LINE__ )
#define DEBUGOUT2( val, len ) debugWrite( (const void*) ( val ), len )
#define DEBUGOUT( szval ) debugWrite( (const void*) ( szval ), strlen( szval ) )

#define DEBUGOUTINT( intval ) debugOutputInt( __LINE__, #intval, intval )
#define DEBUGOUTSZ( sz

Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Walter H.

On 07.10.2015 11:05, Amos Jeffries wrote:

On 7/10/2015 4:27 a.m., Alex Rousskov wrote:

On 10/06/2015 01:27 AM, Jason Haar wrote:

Good catch - I don't think squid does CRL/OCSP checks
But this is a bug in squid - this means untrustworthy certs become
trusted again - not a good look


IIRC, Squid relies on OpenSSL to perform CRL checks. OpenSSL is
difficult to configure to do CRL checks. If my recollection is correct,
then this is not exactly a Squid bug but more like a missing convenience
feature.

Exactly. All thats missing is the squid.conf directive in Squid-3.x.
That has been added in Squid-4.


Squid does not know about OCSP. Another missing feature.

One may perform all those checks using a custom certificate validator
helper, of course.


Amos


Hi Amos,

what about these two directives in squid.conf?

sslcrtvalidator_program and sslcrtvalidator_children

or

sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl
sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1

can I have a working sample of valid_cert.pl that results
in an "access denied" or any other error page of squid?
(it may bring this on any page that is ssl_bumped,
so I know the interface, because this here:
http://wiki.squid-cache.org/Features/SslServerCertValidator
is wrong;

instead of
/usr/lib64/squid/cert_valid.pl
I used a bash-script with this content

#!/bin/bash

myprog 2>>/tmp/pre.log |/usr/lib64/squid/cert_valid.pl

and the C source of myprog:


#include <stdio.h>
#include <unistd.h>
/* copy everything squid sends on stdin to stdout (on to cert_valid.pl) and to stderr (the log) */
int main( int argc, char* argv[ ] )
{
    static char szBuf[ 260 ];
    int nLen;
    while( ( nLen = read( 0, (void*) szBuf, 256 ) ) > 0 )
    {
        write( 1, (void*) szBuf, nLen );
        write( 2, (void*) szBuf, nLen );
    }
    return 0;
}

so I got the identical content on stdout and stderr, and there I caught e.g. this:


0 cert_validate 3373 host=revoked.grc.com
cert_0=-BEGIN CERTIFICATE-
-END CERTIFICATE-
cert_1=-BEGIN CERTIFICATE-


Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-07 Thread Walter H.

On 07.10.2015 16:48, Amos Jeffries wrote:

or

sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl
sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1

can I have a working sample of valid_cert.pl that results
in an "access denied" or any other error page of squid?

An ERR result from the helper should result in the invalid certificate
handling happening in Squid. Whether that results in a particular error
page (or not) depends on several things I'm not completely certain about.

Not really, there happens nothing different;



(it may bring this on any page that is ssl_bumped,
so I know the interface, because this here:
http://wiki.squid-cache.org/Features/SslServerCertValidator
is wrong;


Ah. I see the concurrency channel is not documented, but is being sent.
What Squid version are you using?

I'm using squid 3.4.10, the build from Eliezer
http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-3.4.10-1.el6.x86_64.rpm
and
http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-helpers-3.4.10-1.el6.x86_64.rpm


instead of
/usr/lib64/squid/cert_valid.pl
I used a bash-script with this content

#!/bin/bash

myprog 2>>/tmp/pre.log |/usr/lib64/squid/cert_valid.pl

and the C source of myprog:


#include <stdio.h>
#include <unistd.h>
/* copy everything squid sends on stdin to stdout (on to cert_valid.pl) and to stderr (the log) */
int main( int argc, char* argv[ ] )
{
    static char szBuf[ 260 ];
    int nLen;
    while( ( nLen = read( 0, (void*) szBuf, 256 ) ) > 0 )
    {
        write( 1, (void*) szBuf, nLen );
        write( 2, (void*) szBuf, nLen );
    }
    return 0;
}

This helper is broken. The protocol here or even other helpers, has
never been to dump the input back to Squid.
be careful, this is part of the helper script above, to catch the 
content that's sent to the helper ...

Input and output "lines" have different syntax and contents.

of course ...

so I got the ident content as stdout and stderr and there I catched e.g.
this:


0 cert_validate 3373 host=revoked.grc.com
cert_0=-BEGIN CERTIFICATE-



-END CERTIFICATE-


with this I could programme a correct certificate validator using OpenSSL,
but I MUST have a little bit more precise knowledge about the correct
interface;

can someone please explain how the 3373 of the CATCH CONTENT above is
calculated?

Documented in the wiki:
"Total size of the following request bytes taken by the key=pair
parameters."

That is the byte size of the "host=...END CERTIFICATE-" key-pair
part of the message.

Ok, I'll try if something was kicked away ...

returns always "0 OK 0 \1"
what does \1 mean here?

\1 is the binary code (0x01) for end of line/message this helper
requires. We cannot use \n like other helpers since several \n are part
of the cert PEM format.


is this also true for requests this helper receives?

Thanks,
Walter



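The sslcrtvalidator helper protocol that this exchange pieces together (channel id, `cert_validate`, the byte size such as 3373, a key=value body whose `cert_N` values span several PEM lines, the `\1` terminator and the `0 OK 0 \1` reply) and that the validator solution posted above (squid.conf, main.sh, verify.sh, the C helper) implements, as an added Python model; it is not Walter's helper and not Squid's code. The `error_name_N`, `error_reason_N` and `error_cert_N` reply keys follow the SslServerCertValidator wiki page the thread links to and are assumed here; the host exception list, the placeholder certificates and the injected revocation check are constructed for this example.

```python
import re
import sys

EOM = "\x01"   # 0x01 ends each request and reply; \n cannot, because PEM bodies contain newlines
# Keys a cert_validate body can carry. Matching only these names keeps a base64 line
# of a PEM block such as "Qk8=" from being mistaken for the start of a new pair.
KEY_RE = re.compile(r"^(host|proto|cert_\d+|error_name_\d+|error_cert_\d+)=(.*)$")
# Hosts the helper does not validate: the exception list the thread says its C helper
# still lacks. Constructed for this example.
SKIP_HOSTS = {"intranet.example.test"}


def parse_request(raw):
    """Parse '<channel> cert_validate <size> <body>\\1' into a dict.

    <size> is the byte length of the key=value body (the 3373 in the thread), so a
    truncated read is detected before the certificates are interpreted.
    """
    if not raw.endswith(EOM):
        raise ValueError("request is not terminated by \\1")
    channel, command, size, body = raw[:-1].split(" ", 3)
    if command != "cert_validate":
        raise ValueError("unexpected command %r" % command)
    if len(body.encode()) != int(size):
        raise ValueError("declared size %s != actual %d" % (size, len(body.encode())))
    pairs, current = {}, None
    for line in body.split("\n"):
        m = KEY_RE.match(line)
        if m:                        # a new key=value pair starts here
            current = m.group(1)
            pairs[current] = m.group(2)
        elif current is not None:    # continuation line of a multi-line PEM value
            pairs[current] += "\n" + line
    pairs = {k: v.strip("\n") for k, v in pairs.items()}
    by_index = lambda prefix: sorted((k for k in pairs if k.startswith(prefix)),
                                     key=lambda k: int(k[len(prefix):]))
    return {
        "channel": channel,
        "host": pairs.get("host"),
        "certs": [pairs[k] for k in by_index("cert_")],
        # errors Squid's own OpenSSL validation already found, if any
        "squid_errors": [pairs[k] for k in by_index("error_name_")],
    }


def build_response(channel, errors):
    """errors: list of (error_name, reason, cert_index). Empty list -> '<ch> OK 0 \\1'."""
    if not errors:
        return "%s OK 0 %s" % (channel, EOM)
    body = "".join(
        "error_name_%d=%s\nerror_reason_%d=%s\nerror_cert_%d=cert_%d\n" % (i, name, i, reason, i, idx)
        for i, (name, reason, idx) in enumerate(errors))
    return "%s ERR %d %s%s" % (channel, len(body.encode()), body, EOM)


def decide(raw, is_revoked):
    """Reply to one request. is_revoked(pem) is the caller's revocation check (the
    thread does this with openssl ocsp in verify.sh); injecting it keeps this offline."""
    req = parse_request(raw)
    if req["host"] in SKIP_HOSTS:
        return build_response(req["channel"], [])
    errors = []
    if not req["certs"]:
        errors.append(("X509_V_ERR_CERT_REJECTED", "no server certificate supplied", 0))
    elif is_revoked(req["certs"][0]):      # cert_0 is the server's own certificate
        errors.append(("X509_V_ERR_CERT_REVOKED", "OCSP responder reports revoked", 0))
    return build_response(req["channel"], errors)


def make_request(channel, host, certs):
    """Build a request the way Squid does; used here only to construct test input."""
    body = "host=%s\n" % host + "".join("cert_%d=%s\n" % (i, c) for i, c in enumerate(certs))
    return "%s cert_validate %d %s%s" % (channel, len(body.encode()), body, EOM)


# Constructed placeholders shaped like PEM blocks; they are not real certificates.
FAKE_LEAF = "-----BEGIN CERTIFICATE-----\nMIIBfakeLEAFbodyForThisExampleOnly\nQk8=\n-----END CERTIFICATE-----"
FAKE_ISSUER = "-----BEGIN CERTIFICATE-----\nMIIBfakeISSUERbodyForThisExampleOnly\n-----END CERTIFICATE-----"

if __name__ == "__main__":
    # Helper loop: Squid writes \1-terminated requests to stdin and reads replies from stdout.
    # The revocation check is stubbed to "not revoked"; a real helper would run OCSP here.
    pending = ""
    for chunk in iter(lambda: sys.stdin.read(4096), ""):
        pending += chunk
        while EOM in pending:
            raw, pending = pending.split(EOM, 1)
            sys.stdout.write(decide(raw + EOM, lambda pem: False))
            sys.stdout.flush()
```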


Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-06 Thread Walter H.
Hello,

can you please provide an example of how to use this in squid.conf

by the way how would I use these

sslcrtvalidator_program
and
sslcrtvalidator_children

Thanks,
Walter

On Tue, October 6, 2015 09:27, Jason Haar wrote:
> Good catch - I don't think squid does CRL/OCSP checks
>
> I'm using the external_acl_type method to achieve that: it does the
> extra work and returns "ERR" for revoked certs - which (for me) causes
> squid to fallback on splice mode - so that the client browser can see
> the actual fault directly (ie I'm making sure revoked certs are never
> bumped)
>
> But this is a bug in squid - this means untrustworthy certs become
> trusted again - not a good look
>




[squid-users] Possible Bug in squid? [Fwd: Re: [openssl-users] Problem checking certificate with OCSP]

2015-10-05 Thread Walter H.
Hello could the following be the reason why

https://revoked.grc.com/

doesn't get any errors, when using SSL-Bump?

Thanks,
Walter

 Original Message 
Subject: Re: [openssl-users] Problem checking certificate with OCSP
From:"Dr. Stephen Henson" <st...@openssl.org>
Date:Mon, October 5, 2015 17:11
To:  openssl-us...@openssl.org
--

On Mon, Oct 05, 2015, Walter H. wrote:

> Hello,
>
> attached is the certificate and its chain of  https://revoked.grc.com/
>
> doing this:
>
> openssl ocsp -no_nonce -issuer chain.pem -cert cert.pem -text -url
> http://ocsp2.globalsign.com/gsdomainvalg2
>
> gives the following:
>
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
>   Hash Algorithm: sha1
>   Issuer Name Hash: 45658DA20174402FF48B3A6AC0BC69208095C7CA
>   Issuer Key Hash: 96ADFAB05BB983642A76C21C8A69DA42DCFEFD28
>   Serial Number: 112155688D380775DA34C5DF97433ED3F6A7
> Error querying OCSP responsder
> 139928584042312:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden
>
> where is the problem for this strange error?
>

Some OCSP responders need the host header, try adding:

 -header Host ocsp2.globalsign.com

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




Re: [squid-users] Ssl-Bump and revoked server certificates

2015-10-04 Thread Walter H.

On 04.10.2015 21:08, Walter H. wrote:

Hello,

does anybody know if squid does certificate checks and how to tell 
squid to do so;


this is a site with a revoked certificate
https://revoked.grc.com/

without squid, the browser shows that the certificate is revoked and 
doesn't show the page

with squid, the page is shown ...

Thanks,
Walter 


these are my sslproxy_* lines in squid.conf

sslproxy_cipher HIGH:MEDIUM:!AECDH:!ADH:!DES:!SSLv2:+SSLv3:+3DES:!RC4:!MD5:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP:!SEED:!IDEA


sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.trust.crt

acl ssl_expired_cert ssl_error X509_V_ERR_CERT_HAS_EXPIRED
acl ssl_revoked_cert ssl_error X509_V_ERR_CERT_REVOKED
sslproxy_cert_error deny ssl_expired_cert <-- must these be 'allow'?
sslproxy_cert_error deny ssl_revoked_cert
sslproxy_cert_sign signUntrusted ssl_revoked_cert <-- how should I recognise if this works?

sslproxy_cert_sign signUntrusted ssl_expired_cert
sslproxy_cert_error deny all

and that doesn't work





[squid-users] Ssl-Bump and revoked server certificates

2015-10-04 Thread Walter H.

Hello,

does anybody know if squid does certificate checks and how to tell squid 
to do so;


this is a site with a revoked certificate
https://revoked.grc.com/

without squid, the browser shows that the certificate is revoked and 
doesn't show the page

with squid, the page is shown ...

Thanks,
Walter






Re: [squid-users] Squid 3.5.9 RPM are available

2015-09-30 Thread Walter H.

Hello,

can you do a little test for me?

can you please try the following acl

acl block_as4837 dst_as 4837
http_access deny block_as4837

and then try in a browser
http://sudo.ml

Thanks,
Walter

On 30.09.2015 18:45, Veiko Kukk wrote:

On 30/09/15 18:27, Veiko Kukk wrote:

I'm sorry, should have provided operating system version with my first
post. It is CentOS 6.7 with latest updates.

Sure, when changing selinux to permissive mode, it works. I have not had
time meanwhile to find out what are the required minimal selinux changes
required, probably allowing squid to write to /dev/shm.


If somebody has the same problem, and happens to read mailinglist 
archive, this is the solution. My guess about /dev/shm was true,


# grep squid /var/log/audit/audit.log| audit2allow -a
#= squid_t ==
# The source type 'squid_t' can write to a 'dir' of the following 
types:
# squid_log_t, var_log_t, var_run_t, pcscd_var_run_t, squid_var_run_t, 
squid_cache_t, tmp_t, cluster_var_lib_t, cluster_var_run_t, root_t, 
krb5_host_rcache_t, cluster_conf_t


allow squid_t tmpfs_t:dir { write remove_name add_name };
allow squid_t tmpfs_t:file { create unlink };
allow squid_t user_tmpfs_t:file { read write };

If you agree with offered rights, create custom module and load it.

# grep squid /var/log/audit/audit.log| audit2allow -a -M mysquid
*** IMPORTANT ***
To make this policy package active, execute:

# semodule -i mysquid.pp

And now squid 3.5.9 on CentOS 6.7 works with selinux enforced mode.

Veiko






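Added example for the SELinux fix quoted above (my code, not Veiko's or the squid project's): audit2allow turns every denial it finds into an allow rule, and a module loaded straight from its output grants access to the generic `tmpfs_t` type rather than just Squid's own shared-memory files. The parser below groups AVC denials by source type, target type and object class and prints the resulting `allow` rules per command, so the policy can be read and trimmed before `semodule -i`. The audit.log lines are constructed to resemble the denials behind the rules in the thread; they are not copied from a real system.

```python
#!/usr/bin/env python3
"""Group SELinux AVC denials into allow rules for review (added example).

Reads audit.log text, keeps the 'type=AVC ... denied' records, and merges
them the way audit2allow -a does, but per command, so the rules that a
module would grant can be inspected first. Log lines are constructed.
"""
import re
from collections import defaultdict

AUDIT_LOG = """\
type=AVC msg=audit(1443628800.101:201): avc:  denied  { write } for  pid=2231 comm="squid" name="/" dev="tmpfs" ino=1 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1443628800.102:202): avc:  denied  { add_name } for  pid=2231 comm="squid" name="squid-cf__metadata.shm" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1443628800.102:203): avc:  denied  { create } for  pid=2231 comm="squid" name="squid-cf__metadata.shm" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1443628800.150:204): avc:  denied  { read write } for  pid=2231 comm="squid" path="/dev/shm/squid-cf__metadata.shm" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1443628800.150:204): arch=c000003e syscall=2 success=no exit=-13 comm="squid"
type=AVC msg=audit(1443628900.010:210): avc:  denied  { remove_name } for  pid=2231 comm="squid" name="squid-cf__metadata.shm" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1443628900.011:211): avc:  denied  { unlink } for  pid=2231 comm="squid" name="squid-cf__metadata.shm" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1443628901.000:212): avc:  denied  { read } for  pid=9999 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"comm=\"(?P<comm>[^\"]+)\".*?scontext=(?P<scontext>\S+).*?"
    r"tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)")


def parse_denials(log_text):
    """One dict per AVC denial; non-AVC records (SYSCALL, ...) are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "comm": m["comm"],
            "perms": set(m["perms"].split()),
            "source": m["scontext"].split(":")[2],   # user:role:type:level
            "target": m["tcontext"].split(":")[2],
            "tclass": m["tclass"],
        })
    return denials


def allow_rules(denials, comm=None):
    """'allow src tgt:class { perms };' lines, merged per (src, tgt, class),
    optionally restricted to one command so unrelated denials are not
    swept into the same module."""
    grouped = defaultdict(set)
    for d in denials:
        if comm and d["comm"] != comm:
            continue
        grouped[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    for rule in allow_rules(parse_denials(AUDIT_LOG), comm="squid"):
        print(rule)
```

The `comm="squid"` filter is the point: `grep squid audit.log | audit2allow -a` catches any record containing the string, and a rule set that also allows whatever else happened to be denied at the time is harder to justify than one built from the Squid denials alone.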

[squid-users] SSL-bump and Public Key Pinning (HPKP)

2015-07-05 Thread Walter H.

Hello,

I'm using squid with ssl-bump, after updating (I update only in bigger 
steps and not this often) my browser I realize,

that this supports HPKP; I didn't find how to deactivate this - Chrome 43

so I thought, I could prevent squid of replying this header field with this:

reply_header_access Public-Key-Pins deny all

but this doesn't really work; is there another way?

the squid is running in a VM on my own computer and only used by me;

Thanks,
Walter




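Added example for the HPKP question above (my code, not from the thread or from Squid): what a pinning browser actually checks, which is why stripping the Public-Key-Pins header on the bumped connection does not help. A pin is the SHA-256 of a SubjectPublicKeyInfo, the browser only notes pins from a header that also carries a backup pin (RFC 7469 section 2.5), and it keeps them for max-age seconds; on a later bumped connection the chain is signed with keys the proxy generated, so none of its SPKIs match the pins noted during an earlier direct visit. The SPKI "DER" values below are constructed byte strings standing in for real keys.

```python
#!/usr/bin/env python3
"""HPKP (RFC 7469) from a bumping proxy's point of view (added example).

Pins are SHA-256 hashes of SubjectPublicKeyInfo (SPKI) encodings, not of
certificates. Once noted they are stored for max-age seconds, so removing
the header from a bumped reply does nothing about pins already stored.
The SPKI blobs used here are constructed bytes, not real DER.
"""
import base64
import hashlib


def spki_pin(spki_der):
    """pin-sha256 value for one SubjectPublicKeyInfo DER encoding."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(value):
    """Parse a Public-Key-Pins value into its pins and directives.
    (A quoted report-uri containing ';' is not handled.)"""
    pins, directives = [], {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if not name:
            continue
        if name == "pin-sha256":
            pins.append(val)
        else:
            directives[name] = val
    max_age = directives.get("max-age")
    return {
        "pins": pins,
        "max_age": int(max_age) if max_age is not None and max_age.isdigit() else None,
        "include_subdomains": "includesubdomains" in directives,
        "report_uri": directives.get("report-uri"),
    }


def note_pins(header_value, chain_spkis):
    """RFC 7469 section 2.5: pins are noted only if max-age is valid, at
    least one pin matches an SPKI in the validated chain and at least one
    does not (the backup pin). Returns the pin set, an empty set for
    max-age=0 (forget the host), or None when the header must be ignored."""
    parsed = parse_pkp_header(header_value)
    if parsed["max_age"] is None:
        return None
    chain_pins = {spki_pin(s) for s in chain_spkis}
    pins = set(parsed["pins"])
    if not (pins & chain_pins) or not (pins - chain_pins):
        return None
    return set() if parsed["max_age"] == 0 else pins


def chain_matches(noted_pins, chain_spkis):
    """Pin validation on a later connection: the chain passes if any of
    its SPKIs matches a noted pin."""
    return any(spki_pin(s) in noted_pins for s in chain_spkis)
```

Two consequences follow for a bumping setup: pins noted before the proxy was introduced keep failing until max-age expires, and `reply_header_access Public-Key-Pins deny all` only prevents new pins from being noted through the proxy. Separately, Chrome did not enforce pins for chains ending in a locally installed, non-public root, and HPKP support was removed from Chrome altogether in version 72.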

[squid-users] Correct Syntax for ACL?

2015-05-27 Thread Walter H.

Hello,

would this be the correct syntax:

acl crl-file url_regex -i \.crl$

or need it to be

acl crl-file url_regex -i \.crl$

how does squid distinguish between a file containing rules,
e.g. acl acl-file url_regex -i /etc/url-acl.squid
or the rule itself,
e.g. acl acl-rule url_regex -i \.exe$
with the same acl-type?

Thanks,
Walter






Re: [squid-users] IPv6 and syntax?

2015-05-16 Thread Walter H.

On 16.05.2015 01:41, Amos Jeffries wrote:

On 16/05/2015 6:14 a.m., Walter H. wrote:

Hello,

is IPv6 somewhat similar to IPv4?

Somewhat, yes.

I just wondered because of the different behaviour;

e.g.

I would write

acl block_ipv4_range dst  84.84.84.0/24
deny_info errorpage block_ipv4_range
http_access deny block_ipv4_range

to block any hosts within this IPv4 range

Taking a step aside, that is not quite what those rules do. They block
access from anywhere *to* the IP address range (TCP/IP packet
destination on the request messages).

yes this should be the intention, that you get an error (in this case 
the errorpage) when
you have e.g.  http://84.84.84.2/ or https://84.84.84.2/ as URL in your 
browser ...

If you were trying to prevent those hosts themselves from accessing
anything through the proxy you need the src ACL type.

I know;

how would be the syntax for blocking any hosts within a specific IPv6
subnet
e.g. [2408:8000::]/24

FYI the [] syntax is URL format - for uses when a port may exist. So the
':' between IP:port don't get confused.

I noticed the difference, but wondered why e.g. /etc/hosts.deny contains 
this:

sshd: [2408:8000::]/24


should it be this?

acl block_ipv6_subnet dst 2408:8000::/24
deny_info errorpage block_ipv6_subnet
http_access deny block_ipv6_subnet

Yes. Though the /N CIDR range is probably different. An IPv4 /24 is
equivalent to an IPv6 /52  (255 separate pieces of hardware with a
mandatory /64 each).

why I'm asking, because; when having both sections in squid.conf and 
doing SSL-bump

you get a different reaction in the browser:

https://84.84.84.22/
brings the 'errorpage' as expected
the generated certificate has the IP-address (84.84.84.22) as its common 
name;


but
https://[2408:8000::3]/
behaves different in various browsers:

- IE 7: brings a certificate error; when accepting you get the errorpage.
  The generated certificate has the IP-address 2408:8000::3 as its common name.


- later FF (17+) do nothing, older FF (3.6) bring
   The proxy server is refusing connections
   Firefox is configured to use a proxy server that is refusing 
connections.


- Chrome 42 brings 'Your connection is not private' and
  NET::ERR_CERT_COMMON_NAME_INVALID; when clicking advanced and proceed
  with warning you get the errorpage.
  The generated certificate has the IP-address 2408:8000::3 as its common name.


trying https://[2408:8000:0:0:0:0:0:3]/  does an automatic reduction to 
https://[2408:8000::3]/ by the browser


does it seem to be problematic, when having a TLS server with an IPv6 
address only without DNS, because of the common name?


Thanks,
Walter




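Added example for the IPv6 ACL discussion above (my code, not from the thread or from Squid): the `dst` ACL takes bare addresses or prefixes for both families, while the square brackets belong to URL syntax only, and a browser's `https://[2408:8000:0:0:0:0:0:3]/` and `https://[2408:8000::3]/` are the same destination. The code normalises a URL's host the way the proxy sees it, tests it against an ordered table of `dst` rules, and rejects the hosts.deny-style `[addr]/len` form in an acl line. The addresses and prefixes are the ones used in the thread; the ACL table is constructed from the squid.conf lines quoted above.

```python
#!/usr/bin/env python3
"""URL hosts against squid-style dst CIDR ACLs (added example, not Squid code).

Squid's dst ACL matches the destination address of a request against bare
addresses or prefixes (84.84.84.0/24, 2408:8000::/24); the brackets in
https://[2408:8000::3]:443/ are URL syntax that never appears in the ACL.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed ACL table mirroring the squid.conf lines in the thread.
DST_ACLS = [
    ("block_ipv4_range", "84.84.84.0/24"),
    ("block_ipv6_subnet", "2408:8000::/24"),
]


def url_host_address(url):
    """IP literal from a URL (brackets and port stripped), or None if the
    host is a name; squid would have to resolve a name before a dst check."""
    host = urlsplit(url).hostname          # already lower-cased, no [] or port
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def matching_acl(url, acls=DST_ACLS):
    """Name of the first ACL whose prefix contains the URL's destination."""
    addr = url_host_address(url)
    if addr is None:
        return None
    for name, prefix in acls:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr.version == net.version and addr in net:
            return name
    return None


def canonical_host(url):
    """Textual form of the destination: compressed IPv6 (2408:8000::3),
    unchanged IPv4, or the host name."""
    addr = url_host_address(url)
    return addr.compressed if addr else urlsplit(url).hostname


def parse_dst_acl(line):
    """Parse 'acl NAME dst ADDR [ADDR ...]' from squid.conf, validating each
    address or prefix; the [addr]/len form from hosts.deny is rejected."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "acl" or parts[2] != "dst":
        raise ValueError("not a dst acl line: " + line)
    for value in parts[3:]:
        if "[" in value or "]" in value:
            raise ValueError("brackets are URL syntax, not ACL syntax: " + value)
        ipaddress.ip_network(value, strict=False)   # raises on anything else
    return parts[1], parts[3:]


if __name__ == "__main__":
    for u in ("http://84.84.84.2/", "https://[2408:8000:0:0:0:0:0:3]/", "https://www.example.test/"):
        print(u, "->", canonical_host(u), matching_acl(u))
```

On the certificate side of the same observation: for an IP literal in the URL, the name check is done against an iPAddress entry in subjectAltName, not against the common name, which is why a generated certificate carrying only the address as CN draws a name error from browsers that apply that rule.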

[squid-users] IPv6 and syntax?

2015-05-15 Thread Walter H.

Hello,

is IPv6 somewhat similar to IPv4?

e.g.

I would write

acl block_ipv4_range dst  84.84.84.0/24
deny_info errorpage block_ipv4_range
http_access deny block_ipv4_range

to block any hosts within this IPv4 range

how would be the syntax for blocking any hosts within a specific IPv6 subnet
e.g. [2408:8000::]/24

should it be this?

acl block_ipv6_subnet dst 2408:8000::/24
deny_info errorpage block_ipv6_subnet
http_access deny block_ipv6_subnet


Thanks,
Walter





