Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Alex Rousskov
On 07/07/2016 01:53 PM, Amos Jeffries wrote: > On 8/07/2016 4:50 a.m., Alex Rousskov wrote: >> On 07/07/2016 06:23 AM, Amos Jeffries wrote: >>> On 7/07/2016 11:30 p.m., Marcus Kool wrote: >> On 07/06/2016 10:07 PM, Alex Rousskov wrote: >>> Q3. What should Squid do when receiving a wildcard

Re: [squid-users] [squid-announce] Squid 3.5.20 is available

2016-07-07 Thread Eliezer Croitoru
The article was published at: http://www1.ngtech.co.il/wpe/?p=293 I am happy to publish the article for: Squid-Cache 3.5.20 and 4.0.12 beta release. The details about the RPMs repository are at squid-wiki . RPMs Available

Re: [squid-users] url_rewrite_program shows IP addresses instead of domain name when rewriting SSL/HTTPS

2016-07-07 Thread Amos Jeffries
On 8/07/2016 10:42 a.m., Moataz Elmasry wrote: > Hi all, > > I just had an idea. Referring to the last email. > The reason why I'm getting those "Header forgery" errors might be because > of the defined nat rules. I'm using the following rules: > > iptables -t nat -A OUTPUT --match owner

Re: [squid-users] url_rewrite_program shows IP addresses instead of domain name when rewriting SSL/HTTPS

2016-07-07 Thread Amos Jeffries
On 8/07/2016 5:28 a.m., Moataz Elmasry wrote: > Sorry, I just realized, I sent you a private email instead of to the > mailing list. Apologies for that. > > Hi Amos, > > I made some progress today, so at least I'm not getting any errors in the > browser; the url_redirect_program receives the

Re: [squid-users] url_rewrite_program shows IP addresses instead of domain name when rewriting SSL/HTTPS

2016-07-07 Thread Moataz Elmasry
Hi all, I just had an idea. Referring to the last email. The reason why I'm getting those "Header forgery" errors might be because of the defined nat rules. I'm using the following rules: iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport 80 -j ACCEPT iptables -t nat -A

Re: [squid-users] Skype, SSL bump and go.trouter.io

2016-07-07 Thread Eliezer Croitoru
Returning back to the beginning of the subject there are couple other ideas on the table to allow these connections to exit or somehow either predict them or identify them as they come. The first thing is that you don't really care to pass authentication sessions from a caching perspective,

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Eliezer Croitoru
Thanks for clearing things up. I suspect that in 1987 I wasn't yet able to understand English as I am now. And also the Internet in my area in that year was something worth almost as much as GOLD. So it seems that this is the first time I have actually encountered a case in which a "hostname" was used

Re: [squid-users] Empty response from website via proxy

2016-07-07 Thread Amos Jeffries
On 7/07/2016 1:01 p.m., Dan Charlesworth wrote: > It looks like I'm probably going to get fobbed off by this site's > administrators. "It's our load balancer" — "Simply set up a bypass" etc. > Hmm. How to politely answer that.. Sending their traffic to goaste is not a polite option. > Is

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Amos Jeffries
On 8/07/2016 5:05 a.m., Alex Rousskov wrote: > On 07/07/2016 10:41 AM, Steve Hill wrote: >> Realistically, shouldn't the SNI reflect the DNS request that was made >> to find the IP of the server you're connecting to? You would never make >> a DNS request for '*.example.com' so I don't see a

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Amos Jeffries
On 8/07/2016 4:50 a.m., Alex Rousskov wrote: > On 07/07/2016 06:23 AM, Amos Jeffries wrote: >> On 7/07/2016 11:30 p.m., Marcus Kool wrote: > On 07/06/2016 10:07 PM, Alex Rousskov wrote: >> Q3. What should Squid do when receiving a wildcard SNI? > >>> Squid _has_ the original IP so why

Re: [squid-users] url_rewrite_program shows IP addresses instead of domain name when rewriting SSL/HTTPS

2016-07-07 Thread Moataz Elmasry
Sorry, I just realized, I sent you a private email instead of to the mailing list. Apologies for that. Hi Amos, I made some progress today, so at least I'm not getting any errors in the browser; the url_redirect_program receives the actual url. Redirecting normal http urls works fine, but

Re: [squid-users] Skype, SSL bump and go.trouter.io

2016-07-07 Thread Alex Rousskov
On 07/07/2016 10:12 AM, Steve Hill wrote: > I've compared the headers and the original contains: > Upgrade: websocket > Connection: Upgrade > > Unfortunately, since Squid doesn't support websockets I think there's no > way around this Squid can be taught to recognize HTTP upgrades to

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Alex Rousskov
On 07/07/2016 10:41 AM, Steve Hill wrote: > Realistically, shouldn't the SNI reflect the DNS request that was made > to find the IP of the server you're connecting to? You would never make > a DNS request for '*.example.com' so I don't see a reason why you would > send an SNI that has a larger

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Alex Rousskov
On 07/07/2016 06:23 AM, Amos Jeffries wrote: > On 7/07/2016 11:30 p.m., Marcus Kool wrote: On 07/06/2016 10:07 PM, Alex Rousskov wrote: > Q3. What should Squid do when receiving a wildcard SNI? >> Squid _has_ the original IP so why would Squid potentially connect to an >> other IP ? >

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Steve Hill
On 07/07/16 02:07, Alex Rousskov wrote: Q1. Is wildcard SNI "legal/valid"? I do not know the answer to that question. The "*.example.com" name is certainly legal in many DNS contexts. RFC 6066 requires HostName SNI to be a "fully qualified domain name", but I failed to find a strict-enough RFC

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Steve Hill
On 06/07/16 20:54, Eliezer Croitoru wrote: There are other options of course but the first thing to check is if the client is a real browser or some special creature that tries its luck with a special form of ssl. In this case it isn't a real web browser - it's an iOS app, and the vendor

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Alex Rousskov
On 07/07/2016 01:37 AM, Eliezer Croitoru wrote: > Maybe the future will bring the wildcard into the DNS world FYI: Wildcards have been in DNS world since before RFC 1035 dated 1987: >- The results of standard queries where the QNAME contains "*" > labels if the data might be used to

Re: [squid-users] Skype, SSL bump and go.trouter.io

2016-07-07 Thread Steve Hill
On 07/07/16 11:07, Eliezer Croitoru wrote: Can you verify please using a debug 11,9 that squid is not altering the request in any form? Such as mentioned at: http://bugs.squid-cache.org/show_bug.cgi?id=4253 Thanks for this. I've compared the headers and the original contains:

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Yuri Voinov
07.07.2016 19:59, Marcus Kool writes: > > > On 07/07/2016 10:49 AM, Yuri wrote: > A similar question can be asked about SNI names containing unusual characters. At some point, it would be too dangerous to include SNI

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Marcus Kool
On 07/07/2016 10:49 AM, Yuri wrote: A similar question can be asked about SNI names containing unusual characters. At some point, it would be too dangerous to include SNI information in the fake CONNECT request because it will interfere with HTTP rules, but it is not clear where that point is

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Yuri
07.07.2016 19:08, Marcus Kool writes: On 07/07/2016 09:23 AM, Amos Jeffries wrote: On 7/07/2016 11:30 p.m., Marcus Kool wrote: On 07/07/2016 07:15 AM, Amos Jeffries wrote: On 7/07/2016 1:55 p.m., Marcus Kool wrote: On 07/06/2016 10:07 PM, Alex Rousskov wrote: On 07/06/2016 05:01 PM,

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Marcus Kool
On 07/07/2016 09:23 AM, Amos Jeffries wrote: On 7/07/2016 11:30 p.m., Marcus Kool wrote: On 07/07/2016 07:15 AM, Amos Jeffries wrote: On 7/07/2016 1:55 p.m., Marcus Kool wrote: On 07/06/2016 10:07 PM, Alex Rousskov wrote: On 07/06/2016 05:01 PM, Marcus Kool wrote: On 07/06/2016 11:36

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Amos Jeffries
On 7/07/2016 11:30 p.m., Marcus Kool wrote: > > > On 07/07/2016 07:15 AM, Amos Jeffries wrote: >> On 7/07/2016 1:55 p.m., Marcus Kool wrote: >>> >>> >>> On 07/06/2016 10:07 PM, Alex Rousskov wrote: On 07/06/2016 05:01 PM, Marcus Kool wrote: > On 07/06/2016 11:36 AM, Steve Hill wrote:

Re: [squid-users] how to connect machine linux to squid proxy, not in browser?

2016-07-07 Thread Jorgeley Junior
I don't know if I understand correctly, but if you want the whole Linux environment to access your proxy you must set the environment vars, such as: *ftp_proxy=ftp://192.168.1.254:8213/ http_proxy=http://192.168.1.254:8213/

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Marcus Kool
On 07/07/2016 07:15 AM, Amos Jeffries wrote: On 7/07/2016 1:55 p.m., Marcus Kool wrote: On 07/06/2016 10:07 PM, Alex Rousskov wrote: On 07/06/2016 05:01 PM, Marcus Kool wrote: On 07/06/2016 11:36 AM, Steve Hill wrote: I'm using a transparent proxy and SSL-peek and have hit a problem with

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Amos Jeffries
On 7/07/2016 1:55 p.m., Marcus Kool wrote: > > > On 07/06/2016 10:07 PM, Alex Rousskov wrote: >> On 07/06/2016 05:01 PM, Marcus Kool wrote: >>> On 07/06/2016 11:36 AM, Steve Hill wrote: I'm using a transparent proxy and SSL-peek and have hit a problem with an iOS app which seems to be

Re: [squid-users] Skype, SSL bump and go.trouter.io

2016-07-07 Thread Eliezer Croitoru
Can you verify please using a debug 11,9 that squid is not altering the request in any form? Such as mentioned at: http://bugs.squid-cache.org/show_bug.cgi?id=4253 Have you tried adding: request_header_access Surrogate-Capability deny all Microsoft is at the edge of technology compared to what

Re: [squid-users] Skype, SSL bump and go.trouter.io

2016-07-07 Thread Steve Hill
On 06/07/16 20:44, Eliezer Croitoru wrote: There are a couple of options for the issue, and a bad request can happen if squid transforms or modifies the request. Did you try to use basic debug sections output to verify if you are able to "replicate" the request using a tiny script or curl? I think

Re: [squid-users] how to connect machine linux to squid proxy, not in browser?

2016-07-07 Thread Antony Stone
On Thursday 07 July 2016 at 10:11:14, admin wrote: > It is transparent (intercept) mode See http://wiki.squid-cache.org/SquidFaq/InterceptionProxy for details. Note that: - getting intercept mode to work is more complex than standard (browser-configured) mode; you are recommended to make

Re: [squid-users] how to connect machine linux to squid proxy, not in browser?

2016-07-07 Thread admin
It is transparent (intercept) mode james82 wrote on 2016-07-07 12:26: > Normally, people always connect to the squid proxy with a browser. But I want a method > that works with the whole computer, like a VPN, meaning connecting a Linux, Windows or > Mac machine to the squid proxy installed on it? How to do that? > > -- > View this

[squid-users] how to connect machine linux to squid proxy, not in browser?

2016-07-07 Thread james82
Normally, people always connect to the squid proxy with a browser. But I want a method that works with the whole computer, like a VPN, meaning connecting a Linux, Windows or Mac machine to the squid proxy installed on it? How to do that? -- View this message in context:

Re: [squid-users] host_verify_strict and wildcard SNI

2016-07-07 Thread Eliezer Croitoru
A couple of thoughts, Alex. Currently the basic splice rules are being used with regex, which means that they can work with wildcards. And I can understand the argument of a client wanting some wildcard domain, but I do not know about an application that actually tries to use such logic. There are