Re: [squid-users] c-icap documentation getting stuck

2019-12-21 Thread Alex Crow
I don't get any errors but when I run the below I get warnings /usr/local/bin/c-icap WARNING Bad configuration keyword: enable_libarchive 0 WARNING Bad configuration keyword: banmaxsize 2M thanks, rob You should be asking these questions on whatever resources c-icap provide for that

Re: [squid-users] c-icap documentation getting stuck

2019-12-21 Thread Alex Crow
robert, I'd go the ecap way if I was you - no daemons to set up, just a library. c-icap has always been an issue as distros packages have never really acknowledged it exists in terms of permissions. The ecap way avoids all of that mess entirely. http://www.e-cap.org/docs/

Re: [squid-users] cant download microsoft cert file

2019-12-16 Thread Alex Crow
On 16/12/2019 09:10, robert k Wild wrote: Would this work as well refresh_pattern -i /etc/squid/wu.txt/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)  4320 80% 43200 reload-into-ims And

Re: [squid-users] cant download microsoft cert file

2019-12-16 Thread Alex Crow
On 16/12/2019 08:06, robert k Wild wrote: How can I make a pattern that matches multiple domains please Amos? > > refresh_pattern -i .microsoft.com .windows.com > .windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)

Re: [squid-users] Digicert replacing couple root CA, why it wasn't mentioned here?

2019-01-17 Thread Alex Crow
It was all over the IT news sites I read (Register, Slashdot, etc). Changed all our Thawte certs from Symantec to Digicert a few months ago. Pretty painless actually. Alex On 17/01/2019 17:03, Eliezer Croitoru wrote: I noticed that there was a change in the RootCA world:

Re: [squid-users] Is this the next step of SSL encryption? Fwd: Encrypted SNI

2018-10-19 Thread Alex Crow
... until the browser starts using DNS over HTTPS (with a pinned certificate of the "resolving" HTTPS server)?   Alex. It is relatively easy to block DNS over HTTPS and I think there will be demand for that. And I predict that Squid will have a feature to selectively block connections with

Re: [squid-users] want to change squid name

2018-10-03 Thread Alex Crow
Hi Ahmad, I still don't understand properly. Do you want to run Squid as your own nonprivileged user, "ahmad" or "stinger", instead of the "squid" or "webproxy" user that is the usual in distros? That is easy, but trying to sed squid to in the codebase is likely to fail, imagine trying to

Re: [squid-users] want to change squid name

2018-10-02 Thread Alex Crow
What about this? http://www.squid-cache.org/Doc/config/via/ we just don't understand the reason you are asking for this. As was already mentioned (iirc), technically  you can change the name "squid" to something else, but it is not supported (which means, there's no standard way to do that)

Re: [squid-users] Using CA signed certificate for SSL bump

2018-09-05 Thread Alex Crow
You can set up your own internal CA. You then have the CA key (so can generate certificates for any domain) and install the CA public certificate on all client machines. That CA can be anything from a local CA on the squid box, using a central VM with something like XCA installed, all the

Re: [squid-users] simple question Installed squid right now all internet access is blocked

2018-08-16 Thread Alex Crow
If it's an internal/RFC1918  IP then it makes no difference to your security in telling the list. If it's a public IP address then I hope you have your squid firewalled off from the internet. If you at least paste your access.log and cache.log it will help. Alex On 16/08/18 12:29, Oldman

Re: [squid-users] NgTech repo new service: fastest.ngtech.co.il/repo/

2018-07-17 Thread Alex Crow
On 16/07/18 00:17, Eliezer Croitoru wrote: Hey Squid-Users, I am running a trial period to see how it works for those who need it. The RPM’s repository is sitting at: http://fastest.ngtech.co.il/repo/ and will give faster speed ie 10Mbps++ compared to the local server which has only 1Mbps

Re: [squid-users] Question about traffic calculate

2018-06-08 Thread Alex Crow
On 08/06/18 17:29, Amos Jeffries wrote: On 09/06/18 02:56, Tiraen wrote: Small clarification If the normal behavior of the proxy server described above is correct, then maybe there are other methods of gathering information on traffic in online mode? What is "online mode" ? SNMP is built

[squid-users] Sibling cache with ssl peek/splice/bump?

2018-05-15 Thread Alex Crow
Hi list, Is it currently possible in v4 with bumping to have a cache_peer setup so that https:// resources can be fetched from a peer if they are available there? Many thanks Alex

Re: [squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?

2018-04-13 Thread Alex Crow
Unless the protocol design changes to expose full URLs and/or MIME types, nothing will replace Squid Bumping. That being said, we are headed to the vortex by 2018.05.01. Let's drown together, while we yell and curse at Google! MK Erm, can someone elucidate the issue here? Can't see

Re: [squid-users] Assertion failed on Squid 4 when peer restarted.

2018-03-28 Thread Alex Crow
On 28/03/18 02:22, Amos Jeffries wrote: On 28/03/18 03:24, Alex Crow wrote: I have a squid 4.0.22 running peered with a 3.5.24 proxy. The latter machine stopped responding and I had to reboot it, and then the 4.0.22 one crashed. Here's a log snippet: 2018/03/27 15:01:48 kid1| WARNING: failed

[squid-users] Assertion failed on Squid 4 when peer restarted.

2018-03-27 Thread Alex Crow
I have a squid 4.0.22 running peered with a 3.5.24 proxy. The latter machine stopped responding and I had to reboot it, and then the 4.0.22 one crashed. Here's a log snippet: 2018/03/27 15:01:48 kid1| WARNING: failed to unpack metadata because store entry metadata is too big 2018/03/27

Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Alex Crow
. The alternative for ssl-bump is the splice action. For that you only need to know the server names each company uses. OP, It would be a lot easier to just create exceptions on the squid device for sites where bumping doesn't work which cause them to be tunnelled or spliced rather than

Re: [squid-users] I can't understand the SSL connectios interception concept in explicit mode

2018-02-02 Thread Alex Crow
On 02/02/18 15:12, Roberto Carna wrote: OK Matus, now I understand but let me ask one more question: In explicit mode, is it possible that a given person with Squid advanced knowledge can see the plain text of the traffic? Because if this person is the admin of the proxy server, I think it

Re: [squid-users] Squid 4 and missing intermediate certs

2018-01-29 Thread Alex Crow
On 26/01/18 17:50, Alex Rousskov wrote: On 01/26/2018 02:30 AM, Alex Crow wrote: I've just set up a new SSL interception proxy using peek/splice/bump using squid 4.0.22 and I'm getting SSL errors on some site indicating missing intermediate certs as described here: https://blog.diladele.com

Re: [squid-users] squid asking for authentication repeatedly

2017-12-11 Thread Alex Crow
Firefox is not great at Auth. Chrome works better imho. FF seems ok with digest, ie AD. On 11 Dec 2017, 22:05, at 22:05, Paul Hackmann wrote: >Has anyone had the instance where the proxy will ask the user to >authenticate several times as they are

Re: [squid-users] https://wiki.squid-cache.org provides invalid certificate chain ...

2017-11-18 Thread Alex Crow
On 18/11/17 12:56, Walter H. wrote: On 18.11.2017 13:51, Walter H. wrote: Hello, still certificate issues: missing intermediate certificate Greetings, Walter @Amos:  There is  *no* chain. Our cert is directly signed by the LetsEncrypt CA.  Amos that's wrong;  LetsEncrypt is only an

Re: [squid-users] Website pointed to 127.0.0.1

2017-09-15 Thread Alex Crow
On 15/09/17 13:58, Matheus Fernandes wrote: Hello! I have a fqdn that points to 127.0.0.1, when I try to access it through squid, I get an error. I need to make it process on the same machine that made the request, and not on squid server. I tried using always_direct directive, but squid

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-17 Thread Alex Crow
On 17/11/16 18:11, Patrick Chemla wrote: > > Hi Alex, sorry for disturbing, but it works with > > https_port 5.39.105.241:443 accel defaultsite=www.sempli.com > cert=/etc/squid/ssl/sempli.com.crt > key=/etc/squid/ssl/sempli.com.key > > Many, many, many Thanks for valuable help. > >

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-16 Thread Alex Crow
On 16/11/16 17:33, Patrick Chemla wrote: > Thanks for your answers, I am not doing anything illegal, I am trying to > build a performant platform. > > I have a big server running about 10 different websites. > > I have on this server virtual machines, each specialized for one-some > websites,

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-15 Thread Alex Crow
On 15/11/16 16:22, Yuri Voinov wrote: You can if you have control over the clients, ie install your CA into the browser/OS. ... and this can be illegal ;) YMMV (depending on where you live/work)!

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-15 Thread Alex Crow
On 15/11/16 14:28, Yuri Voinov wrote: So, you can't do SSL bump without users notification. You can if you have control over the clients, ie install your CA into the browser/OS. Alex

Re: [squid-users] Trusted CA Certificate with ssl_bump

2016-11-15 Thread Alex Crow
On 15/11/16 14:22, Sergio Belkin wrote: Hi, When using something like that: http_port 8080 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/proxy/ssl_cert/example.com.cert key=/home/proxy/ssl_cert/example.com.private Is possible to use a

Re: [squid-users] Caching Google Chrome googlechromestandaloneenterprise64.msi

2016-10-24 Thread Alex Crow
On 24/10/16 11:26, Yuri wrote: No, Amos, I'm not trolling your or another developers. I just really do not understand why there is a caching proxy, which is almost nothing can cache in the modern world. And that in vanilla version gives a maximum of 10-30% byte hit. From me personally, it

Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Alex Crow
Packt Publishing has a book about FreeSWAN (don't use that) which is almost all applicable to LibreSWAN (do use this, it's a newer fork). Easiest is to set up a tunnel with PSKs, more secure is with RSA keys or X509 certs. Alex On 30/06/16 19:20, Chris Horry wrote: > > On 06/30/2016 13:34

Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Alex Crow
I'd suggest changing IP as this practice is a) a violation of trust, forcing you to use a potentially compromised resource you have no control over b) a clear violation of net-neutrality c) a violation of standards (as it's probably one of those that instead of returning NXDOMAIN as required

Re: [squid-users] SSL Bump with valid CA

2016-06-16 Thread Alex Crow
> > Now i need to try to configurate squid with a non self-signed certificate > This is impossible, as you don't have access to the CA's signing key, for very good reason (you could create certs for any site in the world and it would be trusted by any browser that trusts StartSSL's CA). You

Re: [squid-users] SSL certifcate on android device not working

2016-05-06 Thread Alex Crow
On 06/05/16 14:09, Reet Vyas wrote: Hi I have squid ssl bump working but when I added squid.crt to my Android, it is not working but working with iPhone because they have a certificate installer app, I don't know the exact issue because my apps are on working . I have installed squid.crt on mobile

Re: [squid-users] Squid 3.5.5 CentOS RPMs release

2015-06-30 Thread Alex Crow
Thanks for this Eliezer - however I can't rebuild the SRPM on latest CentOS: configure: Authentication support enabled: yes checking for ldap.h... (cached) no checking winldap.h usability... no checking winldap.h presence... no checking for winldap.h... no configure: error: Basic auth helper

Re: [squid-users] Squid 3.5.5 CentOS RPMs release

2015-06-30 Thread Alex Crow
in the RPMs you would have seen that I changed\removed a helper or two from the build. I didn't have time to inspect the issue yet. How do you rebuild from SRPM? (important) Eliezer On 30/06/2015 21:48, Alex Crow wrote: Thanks for this Eliezer - however I can't rebuild the SRPM on latest CentOS

[squid-users] Centos7 rpms?

2015-06-11 Thread Alex Crow
On 11/06/15 20:25, Eliezer Croitoru wrote: What is the issue?? Did you try the latest RPMs?? http://wiki.squid-cache.org/KnowledgeBase/CentOS Eliezer Hi, Are there any plans to build centos/rhev7 packages? Native LVM caching on SSD is something that may well benefit Squid performance.

Re: [squid-users] Tracking user connection times

2015-04-20 Thread Alex Crow
On 20/04/15 15:34, Dan Berry wrote: I have setup a squid proxy as a POC for user tracking. I am looking for a way to track for close events, most of the customer sites that are accessed are HTTPS so I can’t track activity. I might be able to get by with tracking total connect time, so I know

Re: [squid-users] 100Mbps Connection Issues

2015-01-09 Thread Alex Crow
Speed tests will always enforce nocache so you will always see overhead from a speed test site. That's just the way proxies work. You can't make a single, new download any quicker than it would be, and since it has a flag telling Squid not to cache it, Squid has to go to the trouble of both

Re: [squid-users] You MUST specify at least one Domain Controller.You can use either \ or / as separator between the domain name

2014-12-19 Thread Alex Crow
Hi, That is how NTLM works. It doesn't (normally) indicate anything is wrong. You do seem to have a /lot/ of DENIED though. NTLM Auth will slow down browsing somewhat because authentication is performed for every object retrieved. Google Maps can be a real nasty because it loads lots of

Re: [squid-users] Unhandled exception: c

2014-08-18 Thread Alex Crow
Hi, Anyone have any ideas on this? Thanks Alex Hi Amos, I spoke too soon. I have this (maybe more informative than the original error though). 2014/07/31 11:57:45 kid1| assertion failed: String.cc:201: len_ + len 65536 2014/07/31 11:58:07 kid1| Starting Squid Cache version

Re: [squid-users] Re: ONLY Cache certain Websites.

2014-08-18 Thread Alex Crow
http://www.squid-cache.org/Doc/config/cache/ On 03/08/14 10:25, nuhll wrote: Seems like acl all src all fixed it. Thanks! One problem is left. Is it possible to only cache certain websites, the rest should just be redirected?

Re: [squid-users] Unhandled exception: c

2014-07-31 Thread Alex Crow
Hi Amos, That patch seems to have worked. No crashes so far since it went into production. Thanks very much! Alex Hi Amos, I spoke too soon. I have this (maybe more informative than the original error though). 2014/07/31 11:57:45 kid1| assertion failed: String.cc:201: len_ + len

Re: [squid-users] why squid can block https when i point my browser to port , and cant when its transparent ?

2014-07-27 Thread Alex Crow
On 27/07/14 16:00, Dr.x wrote: Hi all, I have 2 questions. 1- why when I make a normal squid with normal http port, and I direct my browser to ip/port it can block https facebook Because the browser is aware of the cache and issues CONNECT requests for SSL sites. Squid can see these and

Re: [squid-users] Squid 3.4 very high cpu - strace.

2014-06-21 Thread Alex Crow
Another experiment is to try purging and rebuilding the ssl_crtd helper cache. Hi Amos, We do the above on every squid restart anyway (via a wrapper script). Your config file has some nits (may not be relevant to the problem though): * Try switching the order of manager localhost so

Re: [squid-users] Squid 3.4 very high cpu - strace.

2014-06-20 Thread Alex Crow
On 20/06/14 14:28, Eliezer Croitoru wrote: OK after reading the config file it seems like there are couple things that we\you should be aware of when looking at the issue: 1. External helpers code was changed from 3.3 to 3.4 (one way) 2. you are using delay_pools. 3. you are using ntlm

Re: [squid-users] Squid 3.4 very high cpu - strace.

2014-06-19 Thread Alex Crow
On 21/05/14 08:30, Amos Jeffries wrote: On 21/05/2014 8:11 a.m., Alex Crow wrote: Wrong on my part again. Changing the memory_replacement_policy still got to 100% cpu after Shift-reload in Thunderbird a few times - even disabling cache_mem entirely did not eliminate it. 3.3 never gets about

Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionnality

2014-06-02 Thread Alex Crow
to me about LARTC, but I need to find a solution quickly, so I fear that it was too long to understand the Linux QoS possibilities. Regards. 2014-05-31 12:54 GMT-04:00 Amos Jeffries squ...@treenet.co.nz: On 1/06/2014 3:49 a.m., Alex Crow wrote: snip But given all you really need is QoS, why

Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionnality

2014-05-31 Thread Alex Crow
and the Squid server that does QoS? Or just see if Squid delay pools work for SSL (I think they *do*, the traffic still passes via Squid as a CONNECT request - it's just that Squid can't see or proxy the plaintext content.) Cheers Alex 2014-05-30 11:44 GMT-04:00 Alex Crow a...@nanogherkin.com: Hi

Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionnality

2014-05-30 Thread Alex Crow
Hi Antoine, Replies below: On 30/05/14 15:44, Antoine Klein wrote: Ok I'm really sorry, I don't understand the English very well... I read again the discussion but I am confused :/ Before this project I had not any knowledge about certificates and SSL connexions but I did several research on

Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionnality

2014-05-29 Thread Alex Crow
| clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0) Do you know these errors ? 2014-05-28 11:39 GMT-04:00 Alex Crow a...@nanogherkin.com: You cannot generate on the fly new certs that are signed by a commercial CA. You

Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionnality

2014-05-28 Thread Alex Crow
On 28/05/14 03:43, Amos Jeffries wrote: On 28/05/2014 8:19 a.m., Antoine Klein wrote: I want to bump ssl connections, but without producing a warning of course. I read it is possible to generate a request of certification with a key and send this file to an authority to sign it, do you know

Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionnality

2014-05-27 Thread Alex Crow
Hi, You can't possibly do this. To ssl-bump you need access to a private key to sign the certs you offer to clients. Not in a million years is a Commercial CA going to give you their private key. Such a key can sign any certificate which would then be trusted by any software that includes

Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionnality

2014-05-27 Thread Alex Crow
Hi, Mistake in my post: should be: and jump through many hoops you will *NOT* get a subordinate signing key from a reputable commercial CA. Otherwise, the internet and SSL would already be more borken than it is right now ;-) Alex On 27/05/14 19:13, Antoine Klein wrote: Hi there, My

Re: [squid-users] Squid 3.4 very high cpu - strace.

2014-05-21 Thread Alex Crow
Thunderbird, are these troubles all coming from HTML emails? I meant Firefox, sorry - I was writing the email in Thunderbird so typed that in instead. Not quite 40 yet but already losing it! Does using AUFS instead of diskd cache types help? there are a lot of calls in that trace

Re: [squid-users] Unhandled exception: c

2014-05-20 Thread Alex Crow
I will apply this over the weekend and we'll keep our fingers crossed for Monday. Would a similar patch be required for 3.4 assuming this fixes the problem? Cheers Alex Hi Amos, That patch seems to have worked. No crashes so far since it went into production. Thanks very much! Alex

[squid-users] Squid 3.4 very high cpu - strace.

2014-05-20 Thread Alex Crow
Hi Amos, all, I have set up a test box with latest 3.4.5 nightly. I get 95-100% cpu even with one client accessing the cache. I've attached a compressed strace of the child process in case anything is evident from that. Please tell me what else I might need to do to help resolve this issue.

Re: [squid-users] Squid 3.4 very high cpu - strace.

2014-05-20 Thread Alex Crow
I think I've just found something. I had this set: memory_replacement_policy heap GDSF replacing this with: memory_replacement_policy lru got rid of the high CPU in 3.4 (works ok in 3.3). I will try heap LRU. Cheers Alex On 20/05/14 19:54, Alex Crow wrote: Hi Amos, all, I have set up

Re: [squid-users] Squid 3.4 very high cpu - strace.

2014-05-20 Thread Alex Crow
the trace shows something up. Cheers Alex On 20/05/14 20:04, Alex Crow wrote: I think I've just found something. I had this set: memory_replacement_policy heap GDSF replacing this with: memory_replacement_policy lru got rid of the high CPU in 3.4 (works ok in 3.3). I will try heap LRU

Re: [squid-users] Unhandled exception: c

2014-05-19 Thread Alex Crow
On 2014-05-16 07:01, Amos Jeffries wrote: On 16/05/2014 7:42 a.m., Alex Crow wrote: Grr, I apologise profusely. The server does run 3.3.11, *not* 3.2.11, Had a couple of nights being woken up by our devs asking about DNS... Right lot of fun we are. I too seem to have been working on a bit

Re: [squid-users] Unhandled exception: c

2014-05-15 Thread Alex Crow
On 15/05/14 08:06, Amos Jeffries wrote: On 15/05/2014 7:37 a.m., Alex Crow wrote: Hi, Is this any good at all or do I need to provide more? It seems a trivial issue to restart a browser but the bigwigs are climbing all over me now! Cheers Alex On 12/05/14 16:22, Alex Crow wrote: Hi Amos

Re: [squid-users] Intercept HTTPS without using certificates - Just apply a QoS on the connexion

2014-05-15 Thread Alex Crow
Hi, Welcome to the practically incomprehensible world of QoS on Linux - look up LARTC and then feel the fear! It's really powerful but even after 14 years of managing Linux gateways I still prefer you just use shorewall to take away the complexity - and you are welcome to call me lazy ;-)

Re: [squid-users] Unhandled exception: c

2014-05-15 Thread Alex Crow
to adjust my debian rules file or similar? Cheers Alex On 15/05/14 17:51, Alex Crow wrote: Hi Thanks for that. This is odd because I compiled .debs myself from the source using the debian folder from an older version of squid as a template. I'm pretty sure I cleaned out the debian/patches

Re: [squid-users] Unhandled exception: c

2014-05-14 Thread Alex Crow
Hi, Is this any good at all or do I need to provide more? It seems a trivial issue to restart a browser but the bigwigs are climbing all over me now! Cheers Alex On 12/05/14 16:22, Alex Crow wrote: Hi Amos, New backtrace - I hope this helps! Core was generated by `(squid-1) -YC -f /etc

Re: [squid-users] Unhandled exception: c

2014-05-12 Thread Alex Crow
Jeffries wrote: On 1/05/2014 6:19 a.m., Alex Crow wrote: Brilliant! I will try to apply this and see if we get more detail. Will it apply to 3.2.x? I can't run 3.4.x in prod due to the CPU load issue - and I only see the crash in prod, never managed to trigger it in a test. Yes it should apply

Re: [squid-users] Unhandled exception: c

2014-04-30 Thread Alex Crow
a.m., Alex Crow wrote: dying from an unhandled exception: c I just realised what is generating this is a Must(c). There are only two of them in Squid, but unfortunately in the generic and widely used CbcPointer template. Can you apply this patch please and see if we get a useful backtrace next time

Re: [squid-users] Unhandled exception: c

2014-04-29 Thread Alex Crow
' processes On 26/04/14 10:19, Amos Jeffries wrote: On 26/04/2014 5:38 a.m., Alex Crow wrote: Hi all, I forgot I still have the issue in the subject bugging me too. Is the below backtrace of any use or do I need to provide more? Unfortunately yes these unhandled exception ones do not show where

Re: AW: [squid-users] squid 3.4. uses 100% cpu with ntlm_auth

2014-04-25 Thread Alex Crow
Hi, I use NTLM with Squid and also wbinfo_group helper. In 3.2 series everything is fine but in 3.4 after a few hours everything slows down and CPU usage is over 90%. In 3.2 it's in the teens. I also use ssl_bump if that helps - does anyone else with this problem also use it? Cheers Alex

[squid-users] Unhandled exception: c

2014-04-25 Thread Alex Crow
Hi all, I forgot I still have the issue in the subject bugging me too. Is the below backtrace of any use or do I need to provide more? Thanks Alex On 07/02/14 10:41, Alex Crow wrote: Hi Thanks for that - I did get a backtrace today... Program terminated with signal 6, Aborted. #0

Re: [squid-users] squid advice needed.

2014-04-18 Thread Alex Crow
LDAP with Samba with Squid using NTLM auth would work for Windows machines. For non-windows you would have to enter credentials and/or store them in the client device for BASIC auth. Printing has nothing to do with Squid, Samba/CUPS will deal with that bit. Cheers Alex On 18/04/14 07:01,

Re: [squid-users] Re: squid3 block all 443 ports request

2014-02-12 Thread Alex Crow
Hi Khalil, You've supplied a logically invalid access rule, ie an impossible match. You're trying to block everything that is on port 445 and also at the same time everything that is *not* on 443. I'd be surprised if you can get any access with that! What you need is something like (if you

Re: AW: [squid-users] Squid 3.4 sends Windows username without backslash to external wbinfo_group helper

2014-02-07 Thread Alex Crow
Hi Thanks for that - I did get a backtrace today... Program terminated with signal 6, Aborted. #0 0x7fa89b3fb1b5 in raise () from /lib/libc.so.6 (gdb) backtrace #0 0x7fa89b3fb1b5 in raise () from /lib/libc.so.6 #1 0x7fa89b3fdfc0 in abort () from /lib/libc.so.6 #2

Re: AW: [squid-users] Squid 3.4 sends Windows username without backslash to external wbinfo_group helper

2014-02-06 Thread Alex Crow
On 06/02/14 07:56, Amos Jeffries wrote: On 2014-02-06 11:09, Alex Crow wrote: Amos, Yes, I compiled a Debian package and installed the squid3*dbg*.deb file. This is a bit tricky as this is a production just from testing with a few clients the problem does not appear. I can definitely say

Re: AW: [squid-users] Squid 3.4 sends Windows username without backslash to external wbinfo_group helper

2014-02-05 Thread Alex Crow
., Alex Crow wrote: Hi, Just noticed something in the changelogs for the nightly build that might mean this is fixed - I'm optimistic anyway: Tue 2014-01-21 20:29:15 -0700 http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13079.patch Amos Jeffries +10 -2 Fix

Re: AW: [squid-users] Squid 3.4 sends Windows username without backslash to external wbinfo_group helper

2014-02-05 Thread Alex Crow
why there are missing symbols. Cheers Alex On 05/02/14 15:10, Amos Jeffries wrote: On 6/02/2014 2:17 a.m., Alex Crow wrote: Hi Amos, I get the following: # gdb squid3 core GNU gdb (GDB) 7.0.1-debian Copyright (C) 2009 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later

Re: AW: [squid-users] Squid 3.4 sends Windows username without backslash to external wbinfo_group helper

2014-01-22 Thread Alex Crow
Hi, Just noticed something in the changelogs for the nightly build that might mean this is fixed - I'm optimistic anyway: Tue 2014-01-21 20:29:15 -0700 http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13079.patch Amos Jeffries +10 -2 Fix external_acl_type async

Re: [squid-users] Squid 3.4.1 Workers Option

2013-12-30 Thread Alex Crow
On 30/12/13 15:25, Will Roberts wrote: Hi, I'm trying to use the SMP Scale feature added in 3.2 and I'm having a little trouble activating it. If I add workers = 2 to my squid.conf I get the following error during startup: FATAL: Bungled /etc/squid3/squid.conf line 3: workers = 1 I built

Re: [squid-users] Squid 3.4.1 Workers Option

2013-12-30 Thread Alex Crow
On 30/12/13 16:21, Will Roberts wrote: On 12/30/2013 11:16 AM, Alex Crow wrote: Hi, Are you sure you don't have it in twice once you add your line? Check line 3 of the conf to make sure it's not there already. Cheers Alex Alex, Yes I'm sure it's only in the file once, it's pretty small

Re: [squid-users] Squid 3.4 sends Windows username without backslash to external wbinfo_group helper

2013-12-29 Thread Alex Crow
to verify if this issue is related to the subprocess or the parent process. Thanks, Eliezer On 27/12/13 19:58, Alex Crow wrote: Hi Amos, Yes, this works re: the helper, but unfortunately we get very high CPU usage in 3.4.1 as opposed to 3.3.11. I was getting 80-100% after a few minutes whereas

Re: [squid-users] Squid 3.4 sends Windows username without backslash to external wbinfo_group helper

2013-12-27 Thread Alex Crow
On 24/12/13 02:39, Amos Jeffries wrote: On 24/12/2013 2:28 a.m., Alex Crow wrote: Hi, I use the below: external_acl_type nt_group ttl=20 children-startup=10 children-max=70 children-idle=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl to be able to use NT groups in my squid config. This works

[squid-users] Squid 3.4 sends Windows username without backslash to external wbinfo_group helper

2013-12-23 Thread Alex Crow
Hi, I use the below: external_acl_type nt_group ttl=20 children-startup=10 children-max=70 children-idle=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl to be able to use NT groups in my squid config. This works fine in 3.2 and 3.3, but I recently tried to upgrade to 3.4 and this stopped

Re: [squid-users] Does Squid 3.3 AD authentication

2013-12-23 Thread Alex Crow
On 23/12/13 18:57, javed_samtiah wrote: Hi, Does SQUID 3.3 support Active Directory authentication in Transparent Proxy mode?

Re: [squid-users] SSL bump interception and certificates warnign

2013-09-12 Thread Alex Crow
On 11/09/13 20:56, Loïc BLOT wrote: Then, if i add my own CA to firefox warning will disappear ? Yes, that is the way SSL works. Just make sure you install the proxy's CA cert in trusted root CAs in Windows cert store and/or other browsers' stores and you are good to go. NB this may not be

Re: [squid-users] Updating Squid

2013-07-13 Thread Alex Crow
Hi Gustavo, Eliezer has RPMs for 6.4 (x64 only) here: http://repo.ngtech.co.il/rpm/centos/6/x86_64/ Cheers Alex On 13/07/13 20:06, Gustavo Esquivel wrote: Hi Antony, my Linux distribution version is CentOS release 6.4 (Final) about the package manager, I'm not sure how it works in console

[squid-users] Memory leaks in squid 3.3.5?

2013-07-11 Thread Alex Crow
Hi all, I've been running 3.3.5 with NTLM auth an icap service (c-icap with clamav) and SSL Bump/Dynamic cert, and I've noticed that the squid3 process rapidly consumes almost all of my RAM (12G) within just a few hours: 16143 proxy 20 0 8554m 8.2g 5788 S0 69.6 35:09.43 squid3 My

Re: [squid-users] Memory leaks in squid 3.3.5?

2013-07-11 Thread Alex Crow
will probably be out next week since it builds fine. What version of linux are you using? Eliezer On 07/11/2013 08:32 PM, Alex Crow wrote: Hi all, I've been running 3.3.5 with NTLM auth an icap service (c-icap with clamav) and SSL Bump/Dynamic cert, and I've noticed that the squid3 process

Re: [squid-users] Memory leaks in squid 3.3.5?

2013-07-11 Thread Alex Crow
or another solvable. If you can take a sec to file at http://bugs.squid-cache.org/ it will help the project a lot. Thanks, Eliezer On 07/11/2013 10:39 PM, Alex Crow wrote: Hi Eliezer, I build .debs for squeeze, basically copying the debian subdir from the source packages into the extracted archives

Re: [squid-users] Re: https traffic using squid and icap

2013-06-21 Thread Alex Crow
Hi, If you go here: http://www.eicar.org/85-0-Download.html And try one of the https links, and c-icap gives you a virus warning, then the content is being passed to c-icap. Cheers Alex On 21/06/13 02:49, sjaipuri wrote: Now it make more sense to me. Yes, right now I am only seeing

Re: [squid-users] https traffic using squid and icap

2013-06-20 Thread Alex Crow
Where are you doing the packet capture, ie are you doing it on the host+interface with address 172.30.20.212? I'm also not sure if the always_direct bypasses bumping, I'm sure Amos or others would tell you. Alex On 20/06/13 19:49, sjaipuri wrote: Hi, I am working on one of my project in

Re: [squid-users] running squid by only one eth

2013-04-25 Thread Alex Crow
On 25/04/13 09:42, John Doe wrote: From: ma~sha sspard...@gmail.com Is it possible to run squid by only one eth, for example eth0 only? If this is possible how do I do it? What about the following? http_port eth0_IP:PORT JD Exactly, there is no requirement for Squid to be dual-homed.

Re: [squid-users] YAALQ

2013-03-31 Thread Alex Crow
You have allowed the http request to the site, but you have denied the reply. http_access and http_reply access are different rule types. If you add an http_reply_access allow no_filter_dest above the last rule I think it will work. Thanks Alex On 31/03/13 12:21, richard lucassen wrote:

Re: [squid-users] Bypass bumping all websites in SSL transparent mode

2013-03-12 Thread Alex Crow
I thought ssl_bump should be defined on the http port, not the https one. However I've not done transparent for ages so I could be wrong. If you don't want it, why put it in the *_port directives at all? Alex On 12/03/13 19:00, David Touzeau wrote: Dear I would like to use Squid 3.3x in

Re: [squid-users] Re: ipv6 support for 3.1.16

2013-02-21 Thread Alex Crow
Kaspersky do an icap server as well, and they are one of the best (obviously not gratis or libre but as it's ICAP it will work with Squid). Alex On 21/02/13 10:39, anita wrote: Hi Amos, Thanks for a very quick reply. I have a couple of more questions. 1. What is a WCCP setting? 2. How can I

Re: [squid-users] Can squid be a fully transparent proxy ?

2013-01-17 Thread Alex Crow
On 17/01/13 20:00, Holmes, Michael A (Mike) wrote: Basically, can squid be the endpoint for TCP connections, and establish a new outgoing TCP connection to the destination server? Mike That's not really transparent if the client knows that Squid is the endpoint. Transparent means that the

Re: [squid-users] FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

2012-09-13 Thread Alex Crow
I have occasionally seen a couple of different problems with the SSL certificate database. One is where invalid certificates are generated somehow, such as when the signing certificate is no longer valid, and another is where the size file is empty. I think the problem with the size file has

Re: [squid-users] FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

2012-09-13 Thread Alex Crow
On 13/09/12 14:33, Alex Crow wrote: I have occasionally seen a couple of different problems with the SSL certificate database. One is where invalid certificates are generated somehow, such as when the signing certificate is no longer valid, and another is where the size file is empty. I

[squid-users] FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

2012-09-11 Thread Alex Crow
Hi all, Amos. I've been running 3.2.1 for 2-3 weeks in production. All was well for a couple of weeks, but over the last few days, approximately every 2 days we get people saying they have lost web access. This coincided with the above error message repeating and squid workers constantly

[squid-users] Re: Delay_pools

2012-09-09 Thread Alex Crow
On 07/09/12 15:49, Landucci L. wrote: Hi, I read this discussion: http://www.squid-cache.org/mail-archive/squid-users/201006/0501.html talking about the configuration of your squid.conf. It was, I think, on squid 2. I'm interested in delay_client_reply_access that you use in your conf

Re: [squid-users] Put all port 80, 443 http https rtmp connections from openvpn through squid?

2012-08-11 Thread Alex Crow
On 11/08/12 08:20, J Webster wrote: Is there a way to push all openvpn connections using http ports through a transparent squid and how? Also, can I log which openvpn certificate/client is accessing which pages in this way? I assume I would have to use an alternative port or use firewall rules

Re: [squid-users] Put all port 80, 443 http https rtmp connections from openvpn through squid?

2012-08-11 Thread Alex Crow
it decrypted? Lots of companies have VPN tunnels and then route web traffic through a proxy so it must be possible somehow. On 11/08/12 13:54, Alex Crow wrote: On 11/08/12 08:20, J Webster wrote: Is there a way to push all openvpn connections using http ports through a transparent squid and how

Re: [squid-users] External IP in access.log

2012-08-02 Thread Alex Crow
On 02/08/12 15:25, Usuário do Sistema wrote: Hi, today wake up me more an doubt. 795035 112.215.36.175 TCP_MISS/200 96944 GEThttp://ads.xlxtra.com%2Ferrors%2F%3Ftype=4...@efreephoto.com/pictures/9612330624e58d492b8555.jpg -DIRECT/74.204.173.205 image/jpeg The question is, why are you even

Re: [squid-users] External IP in access.log

2012-08-02 Thread Alex Crow
On 02/08/12 16:29, Usuário do Sistema wrote: Hello, The question is, why are you even allowing external IPs access to your Squid server? If this is for internal use you should firewall it appropriately sorry, I have done the Deny. now nobody is able to connect any more by Internet. I solved
