Re: [squid-users] New Squid prefers IPv4

2024-02-06 Thread Antony Stone
On Tuesday 06 February 2024 at 16:16:24, Rob van der Putten wrote:

> Hi there
> 
> On 05/02/2024 18:32, Antony Stone wrote:
> > 
> > I believe ping (ICMP) timings are irrelevant.  The client (squid in this
> > case) does a DNS lookup for the hostname's A and AAAA records,
> 
> A before AAAA. Bind responds within the same millisecond.

I think the simultaneity of these lookups is unimportant.

> > then makes two simultaneous HTTP connections to the server (one IPv4, one
> > IPv6) and whichever one responds first *by HTTP* is then regarded as being
> > the best way to route traffic thereafter.
> 
> I do not see Squid opening two connections simultaneously and then
> closing one. It's just one connection.

Are you sure this is not because Squid has already made earlier connections to 
this name, decided that IPv4 is better, and continues to use that when you are 
now testing it?

I would expect you to have to start from an "undecided" Squid setup (I have no 
idea where it keeps this information for later use, though) to find out whether 
this is what's going on.


Antony.

-- 
1960s: Let's build a network which can withstand a nuclear war!
1970s: Hm, that looks good, we'll run it on TCP/IP.
1980s: Nice, how about letting everyone join?
1990s: Hey, you can make money out of this!
2000s: Oh, you can lose it, too.
2010s: Alright, let's just plug absolutely everything into it.
2020s: Meh, my lightswitch is now connected to my lamp via China.

   Please reply to the list;
 please *don't* CC me.
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] New Squid prefers IPv4

2024-02-05 Thread Antony Stone
On Monday 05 February 2024 at 17:32:51, Rob van der Putten wrote:

> Hi there
> 
> On 05/02/2024 17:16, Dieter Bloms wrote:
> > On Mon, Feb 05, Rob van der Putten wrote:
> >> After upgrading Squid from 3 to 5 the percentage of IPv6 reduced from
> >> 61% to less than 1%.
> >> Any ideas?
> > 
> > yes, since squid5 the happy eyeball algorithm as described in rfc 8305
> > is used.
> > If your ipv4 connectivity is better than ipv6 then ipv4 is used.
> 
> I'm not quite sure how this is established. It prefers IPv4 even when
> the IPv6 ping is slightly smaller.

I believe ping (ICMP) timings are irrelevant.  The client (squid in this case) 
does a DNS lookup for the hostname's A and AAAA records, then makes two 
simultaneous HTTP connections to the server (one IPv4, one IPv6) and whichever 
one responds first *by HTTP* is then regarded as being the best way to route 
traffic thereafter.

So, if you want to understand how this is doing what it is, I suggest you 
perform a packet capture of HTTP traffic and look at the requests and the 
response timings.


Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

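The connection race Antony describes, as an added illustration that is not code from the thread or from Squid itself: an asyncio sketch of the RFC 8305 algorithm, which in fact gives the preferred family (IPv6) a 250 ms head start before launching the next attempt rather than firing both at exactly the same instant, and starts the next attempt immediately if the previous one fails. The connect timings are constructed in-line; `simulated_connect`, `race` and the delays are assumptions for the demo.

```python
from __future__ import annotations

import asyncio
from typing import Awaitable, Callable, Sequence

# RFC 8305 "Connection Attempt Delay": head start given to the preferred
# address family before the next attempt is launched in parallel (250 ms).
ATTEMPT_DELAY = 0.25

Connector = Callable[[], Awaitable[object]]


async def happy_eyeballs(attempts: Sequence[tuple[str, Connector]],
                         attempt_delay: float = ATTEMPT_DELAY) -> tuple[str, object]:
    """Race connection attempts RFC 8305 style; return (label, connection).

    `attempts` is ordered by preference (IPv6 first, as the RFC sorts addresses).
    Each attempt is started either attempt_delay after the previous one or as
    soon as the previous one fails, whichever comes first. The first attempt
    to succeed wins and every other in-flight attempt is cancelled.
    """
    pending = list(attempts)
    running: dict[asyncio.Task, str] = {}
    failures: list[str] = []
    while pending or running:
        if pending:
            label, connect = pending.pop(0)
            running[asyncio.create_task(connect())] = label
        # Block until some attempt finishes, or until the stagger delay expires
        # (then loop round and launch the next attempt alongside the others).
        timeout = attempt_delay if pending else None
        done, _ = await asyncio.wait(set(running), timeout=timeout,
                                     return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            label = running.pop(task)
            if task.exception() is None:
                losers = list(running)
                for other in losers:
                    other.cancel()
                await asyncio.gather(*losers, return_exceptions=True)
                return label, task.result()
            failures.append(f"{label}: {task.exception()}")
    raise ConnectionError("all attempts failed: " + "; ".join(failures))


def simulated_connect(label: str, delay: float, fail: bool = False) -> Connector:
    """Constructed stand-in for a TCP/HTTP connect that takes `delay` seconds."""
    async def connect() -> str:
        await asyncio.sleep(delay)
        if fail:
            raise OSError(f"{label}: connection refused")
        return f"connection via {label}"
    return connect


def race(v6_delay: float, v4_delay: float, v6_fails: bool = False,
         v4_fails: bool = False, attempt_delay: float = ATTEMPT_DELAY) -> str:
    """Run one race with constructed timings and return the winning family."""
    attempts = [("IPv6", simulated_connect("IPv6", v6_delay, v6_fails)),
                ("IPv4", simulated_connect("IPv4", v4_delay, v4_fails))]
    label, _ = asyncio.run(happy_eyeballs(attempts, attempt_delay))
    return label


if __name__ == "__main__":
    print("IPv6 healthy:            ", race(0.05, 0.01))                 # IPv6
    print("IPv6 slow (> 250 ms):    ", race(0.60, 0.05))                 # IPv4
    print("IPv6 refused immediately:", race(0.02, 0.05, v6_fails=True))  # IPv4
```

Note that in the second case IPv4 wins even though it was not tried until 250 ms in, which is the kind of outcome that makes a proxy "prefer IPv4" when the IPv6 path is slow; a packet capture, as suggested above, shows which SYN went out first and which handshake completed first.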


Re: [squid-users] Squid: blocking all requests to plain ip addresses

2023-11-06 Thread Antony Stone
On Monday 06 November 2023 at 12:35:33, Francesco Chemolli wrote:

> Hi Christian,
>   What you're aiming to do should be easily doable via an url_regex ACL

https://wiki.squid-cache.org/ConfigExamples/Chat/Skype contains an example of a 
regex to match IP addresses which may also point you in a helpful direction.


Antony.

> On Mon, Nov 6, 2023 at 10:45 AM Christian Metzger wrote:
> > Hello,
> > is the above feature available, if yes how to configure it?
> > This feature should be available in all modi of no-, white- and
> > blacklisting.
> > This feature is important for security and it's available in big
> > commercial proxies.
> > Best regards, Chris

-- 
Is it venison for dinner again?  Oh deer.

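An added comparison, not from the thread or the Squid wiki, of the two ways to decide whether a proxied request is addressed to a bare IP address: a dotted-quad `url_regex`-style pattern (constructed here, not the wiki's) against a host check built on Python's `ipaddress` module. The sample requests are constructed; the authority-only form models what Squid sees as the URL of a CONNECT request.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Naive dotted-quad pattern of the kind a url_regex ACL typically carries
# (constructed for this demo, not taken from the wiki).
DOTTED_QUAD = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}([:/]|$)")


def request_host(url: str) -> str | None:
    """Host part of a proxied request URL.

    Handles absolute URLs (GET http://host/...) and the authority form used
    for CONNECT requests (host:port), including bracketed IPv6 literals.
    """
    if "://" not in url:
        url = "//" + url  # authority-only form, e.g. "192.0.2.1:443"
    try:
        return urlsplit(url).hostname
    except ValueError:  # malformed bracketed IPv6 literal
        return None


def is_ip_literal(url: str) -> bool:
    """True if the request is addressed to a bare IPv4 or IPv6 address."""
    host = request_host(url)
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Constructed sample requests covering the cases a plain-IP block must handle.
SAMPLES = [
    "http://192.0.2.1/",               # IPv4 literal
    "http://192.0.2.1:8080/x",         # IPv4 literal with explicit port
    "192.0.2.1:443",                   # CONNECT target, no scheme
    "http://[2001:db8::1]/",           # IPv6 literal
    "[2001:db8::1]:443",               # CONNECT to an IPv6 literal
    "http://example.com/",             # ordinary hostname
    "http://192.0.2.1.example.net/",   # hostname that merely starts with digits
]


def compare(samples=SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Per request: (dotted-quad regex verdict, ipaddress-based verdict)."""
    return {u: (bool(DOTTED_QUAD.search(u)), is_ip_literal(u)) for u in samples}


if __name__ == "__main__":
    for url, (by_regex, by_ipaddress) in compare().items():
        print(f"{url:34} regex={by_regex!s:5} ipaddress={by_ipaddress}")
```

The regex misses CONNECT targets and IPv6 literals entirely, so a regex-only ACL blocks plain-IP destinations for HTTP but not for HTTPS; whichever approach is used, it needs to be tested against both request forms.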


Re: [squid-users] Vey slow navigation

2023-10-12 Thread Antony Stone
On Thursday 12 October 2023 at 13:42:41, Andre Bolinhas wrote:

> Hi
> 
> I'm using Squid and sometimes my users are unable to access to internet
> or the internet access is very slow.

Have you tried accessing the same sites (preferably at the same time) from a 
machine which does not use Squid?

I would start from there to identify whether Squid is causing the problem.


Antony.

-- 
Tinned food was developed for the British Navy in 1813.

The tin opener was not invented until 1858.



Re: [squid-users] compile error in squid v6.1

2023-07-31 Thread Antony Stone
On Monday 31 July 2023 at 17:26:38, botp wrote:

> Hi All,
> 
> ' been  compiling

It might help to tell us what sort of system you're compiling it on:

 - operating system
 - version
 - compiler name
 - compiler version


Antony.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM



Re: [squid-users] Help with squid Proxy

2023-07-12 Thread Antony Stone
On Wednesday 12 July 2023 at 18:11:08, Andrés Leandro Regalado wrote:

> I implemented squid proxy in a small office to filter the internet and now it
> blocks the communication of the mail client with the mail server, I need to
> know how I can allow outlook or thunderbird to work through squid.

I'm strongly tempted simply to say that you need to change your Squid or 
router configuration in order to fix this problem.

For further details, please give us further details of what you have configured 
so far, otherwise we're just guessing in the dark.

You tell us enough about your setup that we would be able to reproduce it on 
our own networks, and we might be able to suggest to you what needs changing.


Don't forget to include details of how Outlook and Thunderbird are connecting 
(or at least trying to) to your mail server.


Antony.

-- 
Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.

 - Damian Conway, Perl God



Re: [squid-users] acl follow_x_forwarded_for

2023-07-03 Thread Antony Stone
On Monday 03 July 2023 at 11:46:20, robert k Wild wrote:

> hi all,
> 
> im reading this acl
> 
> http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/
> 
> is this to fool the dst server to think its coming from the client pc
> instead of squid proxy

No; it tells Squid to accept connection requests from other proxies which 
present the correct X-Forwarded-For header:

"If a request reaches us from a source that is allowed by this directive, then 
we trust the information it provides regarding the IP of the client it 
received from (if any)."


Antony.

-- 
Wanted: telepath.   You know where to apply.



Re: [squid-users] Getting ping to work via proxy

2023-07-01 Thread Antony Stone
On Saturday 01 July 2023 at 23:15:28, robert k Wild wrote:

> So you can't get clients that go through the proxy server to ping to
> destination servers

That depends entirely on whether the clients have a route to send ICMP echo 
requests ("pings") to the destination servers, and whether the replies are 
routed back to the clients.

This routing could be quite different from the routing of HTTP/S requests, 
which is what Squid is (mostly) used for.

> On Sat, 1 Jul 2023, 23:10 Antony Stone wrote:
>
> > On Saturday 01 July 2023 at 22:59:43, robert k Wild wrote:
> > > Hi all,
> > > 
> > > Is there a way to get ping to work via the proxy.
> > 
> > There is no such thing as an ICMP proxy.

On Saturday 01 July 2023 at 23:29:03, robert k Wild wrote:

> Will it work if I make my squid into a intercept proxy instead like below
> 
> https://wiki.squid-cache.org/SquidFaq/InterceptionProxy
> 
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA

Squid is (primarily) an HTTP/S proxy (it can also do a few other protocols 
such as FTP and Gopher), but it does not proxy ICMP (which is what "pings" 
use).

So, setting up Squid as an intercepting proxy will allow it to intercept 
HTTP/S requests for clients which are not explicitly configured to use a proxy.

It will not make Squid able to proxy ICMP.


What are you trying to achieve here?


Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.



Re: [squid-users] Getting ping to work via proxy

2023-07-01 Thread Antony Stone
On Saturday 01 July 2023 at 22:59:43, robert k Wild wrote:

> Hi all,
> 
> Is there a way to get ping to work via the proxy.

There is no such thing as an ICMP proxy.


Antony.

-- 
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."




Re: [squid-users] Disable IPV6 for certain destinations only?

2023-04-18 Thread Antony Stone
On Tuesday 18 April 2023 at 14:53:31, Alex Rousskov wrote:

> On 4/18/23 03:38, Ralf Hildebrandt wrote:
> > We're using squid-6, currently v4 only. The use case for us is mostly
> > our users using our proxy to retrieve full text publications of
> > several thousand medical journals... via IPv4.
> > 
> > The publishers "know" our IPv4 range for the proxies and allow us to
> > download freely. What they don't (yet) know is our ipv6 range.
> > 
> > Thus arises the need to "fall back" to ipv4 in the unlikely case some
> > publisher already has ipv6, we connect via ipv6 and suddenly are not
> > allowed to download the publications.
> > 
> > Is there an acl for that kind of need?
> 
> I will rephrase your question to avoid the distraction of "acl":
> 
>How can I configure Squid to try IPv4 if IPv6 fails?

I don't think that's the same question.

"How can I configure Squid to try IPv4 if IPv6 fails" deals with a network-level 
failure to connect to something.

I think the OP is looking for a way to tell Squid "for this destination 
hostname, don't even try to connect over IPv6, because if you do, we'll get 
rejected (not at the network level, but some application-level) so we need you 
(Squid) to connect using IPv4 only (for this destination)".


Antony.

-- 
If you can smile when all about you things are going wrong, you must have 
someone in mind to take the blame.



Re: [squid-users] Is there any squid 4.x tested with Delay pools to work and limit well ?

2023-04-17 Thread Antony Stone
On Monday 17 April 2023 at 20:52:41, Dr.X wrote:

> Could you please explain why the developers are upgrading Squid from
> version 4 to 5 and 6, while ignoring a critical built-in feature like
> Delay Pools that has been reported as a bug since Squid 4.x?

I am not a Squid developer, and I do not even pretend to speak for those who 
are, but as someone familiar with Open Source Software in general, I would 
suggest that:

a) Squid is an Open Source project
b) most Open Source projects are developed (at least at the start) by people 
who have a personal need for whatever it is they set out to do
c) people work on the things they find most important and/or interesting
d) people work on the things they are best at (and can therefore make good 
progress with)
e) people work on things they get paid to work on
f) your idea of "critical" may not match other people's priorities

So, if nobody is working on something that you think is rather important:

1. they might not have a personal use for it, and therefore don't feel 
inclined to spend time on it
2. they may not have the expertise to solve whatever the problems with it are
3. they may not have the time to make good progress on it, compared to any of 
the other things that are on the list of "things to do"

Most Open Source projects (I believe Squid is included in this) offer to 
develop specific features, or work on specific bugs, in return for payment from 
anyone who thinks they should be worked on (or worked on more quickly).

So, if something is important to you (that's a generic "you"), you can pay for 
someone to work on it.

You're also perfectly welcome to work on it yourself in order to improve the 
code which everyone uses, and which you got for free to start with.


It's a basic tenet of Open Source Software that if you think it could be 
better, you can improve it, or pay for someone else to improve it for you.  
You're not forced to accept whatever "upgrades" some closed-source development 
company decides they want to release, with no chance at all on your side to 
make changes to the code.

Many Open Source projects have been completely forked (meaning that someone, 
or some group, decides "we don't like the way this team of developers is 
taking things, so we're going to start from the code base and take it in a 
different direction") and in many cases both the original and the fork have 
long and successful lives from that point onward.  There's no way that could 
happen with proprietary (closed-source) code.


Antony.

-- 
Why are they called "The Rocky Mountains"?
What are other mountains made of?



Re: [squid-users] Squid proxy errors - support

2023-04-07 Thread Antony Stone
On Friday 07 April 2023 at 13:00:09, Alessio Ballarini (External) wrote:

> Hi Squid Support,
> we are facing a problem with Squid proxy

Which version of Squid, and running on which version of which operating 
system?


Antony.

-- 
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".



Re: [squid-users] ACL based DNS server list

2022-11-02 Thread Antony Stone
On Wednesday 26 October 2022 at 03:27:01, Sneaker Space LTD wrote:

> Hello,
> 
> Is there a way to use specific DNS servers based on the user or connecting
> IP address that is making the connection by using acls or any other method?
> If so, can someone send an example.

What problem are you trying to solve by asking if this is possible?

Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde



Re: [squid-users] regex for normal websites

2022-08-02 Thread Antony Stone
On Tuesday 02 August 2022 at 17:23:51, robert k Wild wrote:

> mmm... so i just want to know and really sorry for the dumb question, so
> 
> adobe\.com$
> 
> works but then again if a website was eg
> 
> hackadobe\.com$
> 
> that would work as well probably, so i want to do something like this
> 
> \.adobe\.com$
> 
> ie put a dot . infront of adobe so
> 
> www.adobe.com or
> account.adobe.com
> 
> would work but then
> 
> hackadobe\.com$
> 
> would no longer work

... and neither would plain "adobe.com", missing the leading dot.


Antony.

-- 
All generalisations are inaccurate.



Re: [squid-users] regex for normal websites

2022-08-02 Thread Antony Stone
On Tuesday 02 August 2022 at 14:14:58, robert k Wild wrote:

> ok i have tested and this works
> 
> adobe\.com$
> 
> i found it weird this didnt work
> 
> \.adobe\.com
> 
> just curious thats all

Please define "works" and "didn't work" - I've pretty much lost track of 
exactly what you want to match here :(


Antony.

> On Tue, 2 Aug 2022 at 13:05,  wrote:
> > I believe it should have been:
> > 
> > ^adobe\.com$
> > 
> > ^.*\.adobe\.com$
> > 
> > ^\*\.adobe\.com$
> > 
> > 
> > 
> > But I don’t know the code to this depth.
> > 
> > If I would have written the match I think it would have been something a
> > bit different.
> > 
> >- A match for SNI
> >- A joker match for SAN ie *.adobe.com SAN should catch both
> >www.www.adobe.com
> > 
> > But for some reason it’s not like that, I assume the browsers and the
> > libraries doesn’t implement it for an unknown reason.
> > 
> > 
> > 
> > If Alex or anyone else from Factory knows the details of the ACL they can
> > answer more then me.
> > 
> > 
> > 
> > Thanks,
> > 
> > Eliezer
> > 
> > 
> > 
> > 
> > 
> > Eliezer Croitoru
> > 
> > NgTech, Tech Support
> > 
> > Mobile: +972-5-28704261
> > 
> > Email: ngtech1...@gmail.com
> > 
> > Web: https://ngtech.co.il/
> > 
> > My-Tube: https://tube.ngtech.co.il/
> > 
> > 
> > 
> > *From:* robert k Wild 
> > *Sent:* Tuesday, 2 August 2022 14:51
> > *To:* Eliezer Croitoru 
> > *Cc:* Squid Users 
> > *Subject:* Re: [squid-users] regex for normal websites
> > 
> > 
> > 
> > thanks Eliezer
> > 
> > 
> > 
> > so it should be
> > 
> > 
> > 
> > adobe\.com
> > 
> > 
> > 
> > not
> > 
> > 
> > 
> > .adobe.\com or
> > 
> > 
> > 
> > ^.*adobe.com
> > 
> > 
> > 
> > as the ^.* could include
> > 
> > 
> > 
> > blahadobe.com
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > On Thu, 28 Jul 2022 at 08:14,  wrote:
> > 
> > Hey Robert,
> > 
> > The docs at http://www.squid-cache.org/Doc/config/acl/  states:
> > acl aclname ssl::server_name_regex [-i] \.foo\.com ...
> > 
> >   # regex matches server name obtained from various sources
> >   [fast]
> > 
> > Which and I do not know exactly what it means but it will not work with a
> > helper in most cases.
> > 
> > I have found the in the git the next sources:
> > 
> > 
> > https://github.com/squid-cache/squid/blob/bf95c10aa95bf8e56d9d8d1545cb5a3aafab0d2c/doc/release-notes/release-3.5.sgml#L414
> > 
> > New types ssl::server_name  and ssl::server_name_regex
> > 
> >to match server name from various sources (CONNECT
> > 
> > authority name,
> > 
> >TLS SNI domain, or X.509 certificate Subject Name).
> > 
> > Which means that there is a set of checks which the acl does and not just
> > a domain name.
> > 
> > It’s also even possible that the domain name is not know in the CONNECT
> > state of the connection.
> > 
> > If I remember correctly there is a possibility for browsers to use the
> > same exact connection for multiple domains but
> > I have not seen this yet in production.
> > 
> > With Squid once you bump the connection to HTTP/1.x you can make 100%
> > sure the features of the Host header request.
> > 
> > 
> > 
> > At Servername.cc ie:
> > 
> > 
> > https://github.com/squid-cache/squid/blob/aee3523a768aff4d1e6c1195c4a401b4ef5688a0/src/acl/ServerName.cc#L81
> > 
> > 
> > 
> > There is a specific logic of what is done and what is matched but I am
> > not sure what would be used in the case of:
> > 
> > *.adobe.com
> > 
> > 
> > 
> > Certificate SAN.
> > 
> > 
> > 
> > Specifically This part of the Common Names ie SAN:
> > 
> > 
> > https://github.com/squid-cache/squid/blob/aee3523a768aff4d1e6c1195c4a401b4ef5688a0/src/acl/ServerName.cc#L105
> > 
> > 
> > 
> > which to my understanding points to:
> > 
> > 
> > https://github.com/squid-cache/squid/blob/d146da3bfe7083381ae7ab38640cbfd0d2542374/src/ssl/support.cc#L195
> > 
> > 
> > 
> > doesn’t make any sense to me.( didn’t tried that much to understand)
> > 
> > 
> > 
> > If someone might be able to make sense of things in a synchronic fashion
> > it would help.
> > 
> > (I do not see any debugs usage there or any helping comment )
> > 
> > 
> > 
> > Thanks,
> > 
> > Eliezer
> > 
> > 
> > 
> > 
> > 
> > Eliezer Croitoru
> > 
> > NgTech, Tech Support
> > 
> > Mobile: +972-5-28704261
> > 
> > Email: ngtech1...@gmail.com
> > 
> > Web: https://ngtech.co.il/
> > 
> > My-Tube: https://tube.ngtech.co.il/
> > 
> > 
> > 
> > *From:* squid-users  *On
> > Behalf Of *robert k Wild
> > *Sent:* Wednesday, 27 July 2022 13:52
> > *To:* Squid Users 
> > *Subject:* Re: [squid-users] regex for normal websites
> > 
> > 
> > 
> > that's the weird thing, when i try this in  "ssl::server_name_regex"
> > 
> > .adobe.com
> > 
> > 
> > 
> > it doesnt work
> > 
> > 
> > 
> > you mean escape ie the \ character
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > On Wed, 27 Jul 2022 at 11:05, Matus UHLAR - fantomas 
> > wrote:
> > 

Re: [squid-users] regex for normal websites

2022-07-27 Thread Antony Stone
On Wednesday 27 July 2022 at 19:25:46, robert k Wild wrote:

> nice one thanks Amos
> 
> i dont understand as in regex the terms
> 
> ^ - start of line
> . - any single character
> * - repetition of character before

Correction: zero or more instances of the character before

> $ - end of line
> 
>  so going by this it should be
> 
> ^.*adobe.com$

Well, that means "start of line, something or nothing, then 'adobe.com' and 
end of line".

So, it basically just means, "adobe.com at the end of the line"


Thus, the same as "adobe.com$"


Antony.

-- 
This space intentionally has nothing but text explaining why this space has 
nothing but text explaining that this space would otherwise have been left 
blank, and would otherwise have been left blank.

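An added check of the patterns argued over in this reply and in the two later ones in the thread (not code from the thread): each pattern is run over the hostnames the thread mentions plus two constructed edge cases, one showing what an unescaped dot matches and one a lookalike parent domain. Squid's `url_regex` and `ssl::server_name_regex` are POSIX extended regex searched against the value; for these patterns Python's `re` gives the same answers. The `(^|\.)adobe\.com$` pattern is my suggestion, not one from the thread.

```python
from __future__ import annotations

import re

# Hostnames from the thread plus two constructed edge cases.
HOSTS = [
    "adobe.com",
    "www.adobe.com",
    "account.adobe.com",
    "hackadobe.com",
    "adobeXcom",               # what an unescaped '.' also accepts
    "adobe.com.evil.example",  # lookalike parent, must never match
]

# Patterns discussed in the thread, with what each one actually does.
PATTERNS = {
    r"adobe\.com$":        "thread's working pattern; also matches hackadobe.com",
    r"\.adobe\.com$":      "leading dot drops hackadobe.com, but also the apex adobe.com",
    r"^.*adobe.com$":      "unescaped dots: '.' matches any character",
    r"(^|\.)adobe\.com$":  "apex or any subdomain and nothing else (suggested)",
}


def matching_hosts(pattern: str, hosts=HOSTS) -> list[str]:
    """Hosts the pattern matches, using search semantics as Squid does
    (the pattern may match anywhere unless anchored with ^ or $).
    Squid matches case-sensitively unless the ACL is given -i, so no flags here."""
    rx = re.compile(pattern)
    return [h for h in hosts if rx.search(h)]


def same_matches(p1: str, p2: str, hosts=HOSTS) -> bool:
    """True if two patterns accept exactly the same hosts from the sample set."""
    return matching_hosts(p1, hosts) == matching_hosts(p2, hosts)


if __name__ == "__main__":
    for pattern, note in PATTERNS.items():
        print(f"{pattern:22} {note}")
        print(f"{'':22} -> {matching_hosts(pattern)}")
```

For the "this domain and all its subdomains" case the non-regex `dstdomain` ACL with a leading-dot value (`.adobe.com`) matches both the apex and its subdomains without any escaping pitfalls.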


Re: [squid-users] pros/cons squid vs next generation firewall

2022-07-25 Thread Antony Stone
On Monday 25 July 2022 at 13:22:23, Dieter Bloms wrote:

> Hello,
> 
> I run some Squid proxy servers in conjunction with ICAP virus scanners
> and I'm very happy with them. Our company now wants to replace them with
> a checkpoint next generation firewall. Do you have some arguments that
> speak for the further operation of the Squid proxies?

I would always start by asking what the justification for changing is, and see 
whether you can show that it's not valid (or has drawbacks the people 
advocating the change haven't thought of).


Antony.

-- 
BASIC is to computer languages what Roman numerals are to arithmetic.



Re: [squid-users] fool windows into thinking it has internet access

2022-07-20 Thread Antony Stone
On Wednesday 20 July 2022 at 19:19:22, robert k Wild wrote:

> ok i have realised something, my client cant resolve this address
> 
> C:\Users\rkw>ping dns.msftncsi.com
> Ping request could not find host dns.msftncsi.com. Please check the name
> and try again.
> 
> is there anyway i can enable ICMP/ping via the proxy so this works?

No, but you could add that name, either to the machine which wants to contact 
it, or to your local DNS server, so that it resolves to something on your 
network (or localhost if you prefer).

Out of interest, what is the purpose for making a Windows computer think it 
has Internet access when it doesn't?  What useful difference does that make?


Antony.

-- 
"Tannenbaumschmuck" is a perfectly reasonable German word
meaning Christmas tree decorations, and is not a quote from Linus Torvalds.



Re: [squid-users] Logrotate question

2022-06-16 Thread Antony Stone
On Thursday 16 June 2022 at 11:26:37, robert k Wild wrote:

> Cool, so I will rotate daily and delete after 91 days, thanks guys

Why did you change the recommended 92 days into 91?

Consider June, July and August:

June has 30 days
July has 31 days
August has 31 days

So, on September 1st, June 1st is 92 days ago, and you can delete the logs for 
May 31st, which are older than 92 days.

If you deleted older than 91 days, you would be deleting June 1st on September 
1st, and one day this might be significant to someone.


Antony.

> On Thu, 16 Jun 2022, 11:14 Matus UHLAR - fantomas wrote:
> > On 16.06.22 10:54, robert k Wild wrote:
> > >Basically I want to keep logs for 3 months then rotate so it overwrites
> > >them with another 3 months, if that makes sense
> > 
> > in fact, it does not.
> > 
> > I guess you are supposed to keep 3 months of logs, which mean, you always
> > need to have 3 months of logs available.
> > 
> > Each day, you can delete log files over 3 months old.
> > 
> > If you rotated log once in 3 months, you would have single file with 3
> > months of logs in it, and could remove it 3 months after rotating, when
> > first logs would be 6 months old.
> > 
> > As we already told you, rotate daily and remove old logs after 92 days.
> > and use logrotate config.

-- 
I just got a new mobile phone, and I called it Titanic.  It's already syncing.



Re: [squid-users] Logrotate question

2022-06-16 Thread Antony Stone
On Thursday 16 June 2022 at 09:53:02, robert k Wild wrote:

> Hi Antony,
> 
> All I know is I need to keep a record of up to 3 months, worth of logs, due
> to gdpr, how would you say I go about this

Here's the standard logrotate file for Squid3 which is installed on Debian (I 
doubt that CentOS should be significantly different):

-
/var/log/squid/*.log {
    daily
    compress
    delaycompress
    rotate 2
    missingok
    nocreate
    sharedscripts
    prerotate
        test ! -x /usr/sbin/sarg-reports || /usr/sbin/sarg-reports daily
    endscript
    postrotate
        test ! -e /var/run/squid.pid || test ! -x /usr/sbin/squid || /usr/sbin/squid -k rotate
    endscript
}
-

I suggest modifying this for your needs to:

-
/var/log/squid/*.log {
    monthly
    rotate 4
    missingok
    nocreate
    sharedscripts
    prerotate
        test ! -x /usr/sbin/sarg-reports || /usr/sbin/sarg-reports daily
    endscript
    postrotate
        test ! -e /var/run/squid.pid || test ! -x /usr/sbin/squid || /usr/sbin/squid -k rotate
    endscript
}
-

Regards,


Antony.

-- 
Your work is both good and original.  Unfortunately the parts that are good 
aren't original, and the parts that are original aren't good.

 - Samuel Johnson

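An added check of the retention arithmetic from this reply and the "91 versus 92 days" reply above it (not code from the thread): it models logrotate's `rotate N` as N old files kept beside the live one, assumes rotation runs at the start of each period, and asks for every day of a year whether the full three calendar months behind that day are still on disk. The function names and the 2022 sample year are my choices.

```python
from __future__ import annotations

import calendar
from datetime import date, timedelta


def months_ago(d: date, n: int) -> date:
    """Same day-of-month n months before d, clamped to that month's length."""
    y, m = d.year, d.month - n
    while m <= 0:
        m, y = m + 12, y - 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def oldest_retained(today: date, frequency: str, rotate: int) -> date:
    """Earliest day whose entries are still on disk on `today`.

    Assumes rotation happens at the start of each period, so the live file
    holds the current day or month and the N rotated files (logrotate's
    'rotate N') hold the N periods before it.
    """
    if frequency == "daily":
        return today - timedelta(days=rotate)
    if frequency == "monthly":
        return months_ago(today.replace(day=1), rotate)
    raise ValueError(f"unsupported frequency: {frequency}")


def covers(today: date, frequency: str, rotate: int, months: int = 3) -> bool:
    """Does the policy still hold everything from `months` calendar months ago?"""
    return oldest_retained(today, frequency, rotate) <= months_ago(today, months)


def first_gap(frequency: str, rotate: int, year: int,
              months: int = 3) -> date | None:
    """First day of `year` on which the policy falls short of the requirement,
    or None if it never does."""
    d = date(year, 1, 1)
    while d.year == year:
        if not covers(d, frequency, rotate, months):
            return d
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    sep1 = date(2022, 9, 1)
    print("daily/92 on Sep 1 keeps back to", oldest_retained(sep1, "daily", 92))
    print("daily/91 on Sep 1 keeps back to", oldest_retained(sep1, "daily", 91))
    for freq, n in [("daily", 91), ("daily", 92), ("monthly", 2), ("monthly", 4)]:
        print(f"{freq}/rotate {n}: first 3-month gap in 2022 ->", first_gap(freq, n, 2022))
```

The daily/91 policy is short on more days than just September 1st (any day preceded by a 92-day quarter, such as January 1st), while daily/92 and monthly/rotate 4 never fall short.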


Re: [squid-users] Logrotate question

2022-06-16 Thread Antony Stone
On Thursday 16 June 2022 at 09:27:32, robert k Wild wrote:

> Thanks Eliezer
> 
> I have centos 7 and I want it to rotate every 3 months as we need to keep
> logs for every 3 months.

Do you really mean you "need to keep logs for every 3 months"?

Or do you mean that you need to keep "the most recent 3 months' logs"?

I would recommend that you rotate every month, and keep 4 months' logs.

Firstly, there's no point in letting individual log files grow too large, and 
secondly, you then know that at all times you have the current month's logs, 
plus the previous 3 months, until the fourth one gets deleted by logrotate.


Antony.

> On Thu, 16 Jun 2022, 08:11 ,  wrote:
> > Rob,
> > 
> > It will be different how you implement and use logrotate manually or with
> > the logrotate tools.
> > 
> > What OS are you using?
> > 
> > Eliezer
> > 
> > *From:* squid-users  *On
> > Behalf Of *robert k Wild
> > *Sent:* Wednesday, 15 June 2022 20:19
> > *To:* Squid Users 
> > *Subject:* [squid-users] Logrotate question
> > 
> > Hi all,
> > 
> > ATM to clear the logs, I do this in crontab, every 3 months
> > 
> > 0 0 1 */3 * echo "" > /usr/local/squid/var/logs/access.log and do the
> > same for cache log
> > 
> > It works but I want to really use log rotate ie
> > 
> > 0 0 1 */3 * /usr/local/squid/sbin/squid -k rotate
> > 
> > I hear log rotate keeps 10 files by default so does that mean I will have
> > 10 access logs etc and also will it keep the file the same ie won't
> > change the size or compress it to save space
> > 
> > 
> > Thanks,
> > 
> > Rob
> > ___
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users

-- 
The next sentence is untrue.
The previous sentence is also not true.



Re: [squid-users] acl question

2022-05-05 Thread Antony Stone
On Thursday 05 May 2022 at 11:28:13, Frank Urban wrote:

> Hi,
> 
> We created an acl list with workstation names instead of IP addresses.
> 
> e.g. acl our_networks src workstation1.
> 
> This works as long as the hostname is resolvable over DNS. If it is
> not, the restart of squid fails.
> 
> Is this the expected result?

Yes.  How would Squid be expected to know what RandomWorkstation means if it 
can't look it up in DNS?


Antony.

-- 
The gravitational attraction exerted by a single doctor at a distance of 6 
inches is roughly twice that of Jupiter at its closest point to the Earth.



Re: [squid-users] SQUID refuses to listen on any TCP Port

2022-03-14 Thread Antony Stone
On Monday 14 March 2022 at 05:42:35, ben wrote:

> Hi Eliezer,
> 
> SQUID started listening only after I run "ip6tables -P INPUT ACCEPT".

Without seeing the rest of your iptables rules, it's not clear whether this 
really does apply to every interface and every protocol, or whether there are 
exception rules which over-ride this default policy rule.

However, there are quite a number of applications which will refuse to start, 
or not operate correctly, if you do not permit loopback traffic (IPv4 as well as 
IPv6), so this may be the cause of your problems.


Antony.

-- 
"Once you have a panic, things tend to become rather undefined."

 - murble



Re: [squid-users] transparent or intercept keyword stops the service

2022-01-12 Thread Antony Stone
On Wednesday 12 January 2022 at 11:29:15, Daniel Sanchidrian wrote:

> First of all I'm and new to squid, recently installed it to use in my
> company network. I want to configure it as a transparent proxy.

Out of interest - why?

What is your objective here - what are you trying to achieve by setting up an 
intercepting proxy for the company?

I'm just curious as to the use case and what you expect to gain from doing 
this, especially given how the world has gone significantly HTTPS in recent 
years.


Antony.

-- 
All matter in the Universe can be placed into one of two categories:

1. Things which need to be fixed.
2. Things which need to be fixed once you've had a few minutes to play with 
them.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] RES: Squid 4.13 does not access Facebook

2022-01-07 Thread Antony Stone
On Friday 07 January 2022 at 22:39:41, Graminsta wrote:

> Now I have to change the pw of about 200 VPSs, hell.

I have to question the wisdom of using the same root PW on multiple servers, 
even when that PW has not been posted on a public mailing list.


Antony.

-- 
I bought a book on memory techniques, but I've forgotten where I put it.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] MITM the MITM

2022-01-03 Thread Antony Stone
On Tuesday 04 January 2022 at 01:19:28, Will BMD wrote:

> Hey all,
> 
> I currently have the following network topology, it's emulating a real
> world environment. The proxy is running ssl_bump.
> 
> LAN <-> Squid Proxy <-> Firewall <-> Internet
> 
> From the Firewall's perspective all client connections are originating
> as the proxy server.

Okay, that makes good sense.

> We're wanting to use the https inspect feature of the firewall,

Please give more details?

 - What sort of firewall is this?
 - What does "HTTPS inspect" actually mean?
 - How does the firewall "inspect" HTTPS traffic, which by design is encrypted 
between client and server (neither of which is the firewall)?
 - What does "inspect" mean?  What information is revealed from the inspection 
of the encrypted communication?

> but according to our firewall documentation it appears due to the location of
> our proxy servers we would be unable to do so.

Why?  Where would the proxy servers need to be instead, in order for this 
inspection to work?

Alternatively, how does/would it work if the proxy were not there, and clients 
communicated directly to the Internet through the firewall?

> My question is, if the proxy is behaving as a MITM between itself and
> the client, can't the Firewall do the same thing between itself and the
> proxy?

I agree.  Have you asked the suppliers / authors / vendors of the firewall?

> I suspect it is possible, but might potentially involve a lot of headaches
> and a big hit on performance?

Who knows?

If it's the firewall telling you there's a problem, this doesn't entirely feel 
like a Squid question.


Antony.

-- 
If you can smile when all about you things are going wrong, you must have 
someone in mind to take the blame.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid is active but not working

2021-08-18 Thread Antony Stone
On Wednesday 18 August 2021 at 16:50:20, Peter Thesing wrote:

> Because I have a multi port modem/router that connects to the internet.

Sorry, I'm not sure I follow which question that is an answer to.

But anyway, why don't you just plug your two machines (the "client" and the 
"server") each into a separate port of the router, then they can both access 
the Internet, and they can both see each other?

That would seem to me to be the simplest way of getting communication between 
everything.


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid is active but not working

2021-08-16 Thread Antony Stone
On Monday 16 August 2021 at 19:28:55, Peter Thesing wrote:

> Because I have a multi port modem/router
> a fritz.box 7581

I have a Fritz.Box 6360, not so different.

> My ISP does not support samba on their network
> 
> Samba can be used for remote printer support among others

Yes, I am familiar with Samba, but why would you want to run that over your 
ISP's network?

Please tell me:

a) where is the computer you want to print from?

b) where is the printer you want to print to?

> It would be nice if I can http support thrown in the mix so I can use
> internet.

So, you want your client computer to be able to access websites?

> On your question using 1 internet and one server and multiple clients:
> 
> It is my wish to have  1 internet access point
> 
> using one server
> 
> using multiple computers who connect to one server who connect to one
> internet access

Okay, I am going to question the word "connect"...

Are you *just* talking about wanting your client computer to connect to 
*websites* on the Internet, or would you like to be able to use SSH to log in 
to remote machines, maybe have streaming audio for things like Deezer or 
Spotify, or perhaps other things than simply HTTP and HTTPS?

I ask because it sounds to me as though you have a classic Network Address 
Translation router situation:

 - one machine (your "server") which has a public IP address on its external 
interface (the one connected to the Fritz.Box), and a private address 
192.168.1.1 on its internal interface

 - another machine (your "client") which gets an IP address by DHCP from your 
server, and which is also presumably given the server's IP address 192.168.1.1 
as its gateway router address

So, if you *do* want all traffic from your client machine to pass through your 
server machine, I think you should configure this server to:

1. forward network packets between the two interfaces

2. apply Network Address Translation to packets leaving the external 
interface, so that they appear to come from its own address and not that of 
the client machine.

If you need further guidance with setting up something like this, there are 
many tutorials and guides on the Internet about setting up a "NAT Router" 
using Linux.

I think this will be a far more useful and appropriate solution for you than 
using Squid.


However, I do have a further question for you.  The Fritz.Box 7581 has 4 
gigabit ethernet ports on it for internal equipment.

Why do you not simply connect your "server" to one port and your "client" to 
another port, so that they can both connect to the Internet, and also to each 
other?

That would, to me, seem to be the simplest solution to what I think you are 
trying to do.


If my suggestions so far do not seem to help with your problem, then please 
answer some of my earlier questions about how you are testing Squid from the 
client computer and what appears in Squid's log files when you do so.


Regards,


Antony.

-- 
"Good health" is merely the slowest rate at which you can die.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid is active but not working

2021-08-16 Thread Antony Stone
On Monday 16 August 2021 at 18:09:12, Peter Thesing wrote:

> Hi,
> 
> English is not my native tongue so I am sorry for any mistakes that I've
> made or will make in the future.

That's no problem - I just wanted to make sure I understood your meaning 
(which I did).

> Both apache and squid are running of the same machine. This I like to
> call the server.

Sounds good to me.

> Then on another machine, lets call it the client,  there is also
> opensuse 15.1 but with another purpose. When this client is directly
> connected to the internet is cannot connect to the server.

I do not understand that part.  Why can you not have two machines on one 
network which can both connect to the Internet and also connect to each other?

How does each machine connect to the Internet?

> The relevance of apache is that on some mysterious way I would be able
> to check if squid is working but I just installed it and I have to
> figure this one out.

I would suggest that the best way to find out whether Squid is working is 
either to use Squid itself, or to check whether it is listening on port 3128, 
or perhaps even use something like Icinga2 (although that's probably going a 
bit far just to "find out whether Squid is working").

> DHCP and DNS are working. The client machine gets an IP address from the
> server.

So, the client machine gets an IP address from the server by DHCP, and it gets 
told to ask the server for DNS queries (which the server then performs and 
returns the results)?

> On the second card i have designated an ip address which is 192.168.1.1
> and the range on which the client computers can connect 192.168.1.20
> through 192.168.1.50.

So, it sounds as though you are using the server as a router, with a public 
address on one interface and a private address on the other.  This doesn't 
explain to me why the client cannot access the Internet through the server, 
acting as a router.

> When using squid in firefox it should connect to http://192.168.1.1:3128
> but it does not...

You mean, it does not even connect to the proxy, or it does connect and the 
proxy does not work correctly, so you get no content from Internet websites?

> Question:
> 
> Where are the log files?

Usually, /var/log/squid/*.log

> How do I read the log files?

less?  cat?  vim?  grep?

> What log-files are relevant to answer the mystery of not connecting?

I would start with access.log.

> the firewall is off and stays off. I have only the ports 21, 80 and 443
> open.

Oh, that is far from my definition of "off".  It means your firewall is active, 
and blocking connections other than FTP (why???), HTTP and HTTPS.

Is this firewall running on your "server" or on some modem/router which the 
server uses to connect to the Internet?

If these firewall rules are on your "server", is there a rule allowing the 
client machine/s to connect to Squid on port 3128?

Further questions:

1. How are you testing from the client machine?  What exactly happens when you 
try?

2. What shows up in Squid's access.log when you attempt to connect from the 
client machine?

3. What changes have you made to the default Squid configuration file?

And, while we're at it:

4. Are you trying to implement Squid purely in order to give the client 
machine access to the Internet, simply because otherwise it cannot?  If that 
is the case, why not simply route the client machine through the server so 
that the client can access the Internet directly?


Antony.

-- 
I thought of going into banking, until I lost interest.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid is active but not working

2021-08-16 Thread Antony Stone
On Monday 16 August 2021 at 17:03:57, Peter Thesing wrote:

> Hi,
> 
> If there is a a need for additional information please let me know?!

Some additional information would be good, and a lot less HTML would be good 
too :)  Just a comment "I got the expected content" is sufficient...

> I am using opensuse 15.1 with 2 network interface cards and apache is
> working squid is active , but giving me the results I need.

Are you using Squid to connect to Apache on that machine, or using Squid to 
connect out to the Internet in general?

In other words, what is the relevance of Apache running on this machine?

Also, I do not understand the word "but" in your sentence (but maybe this is 
just a language thing).  It makes it sound to me as though something is not 
quite right, but then you say "giving you the results you need", so it's 
working nicely?

> On my second machine also fitted with opensuse 15.1 but with no internet
> would be able via a proxy e.g. squid to connect to the internet but
> despite all my efforts to no avail.

Tell us a little about your network arrangement:

1. What's the IP address of the client machine (the one with no direct 
Internet connection)?

2. What's the internal IP address of the machine running Squid (no need to 
tell us its public IP address)?

> When I installed windows 10 it works but on opensuse not?

On the same physical server?

> This I got when using squidclient:
> 
> server:/home/peter #squidclient http://peterspretpaleis.xs4all.nl

Is "server" the machine with Squid running on it?

> HTTP/1.1 200 OK

Okay, so it works - no need to show us hundreds of lines of web page source 
code :)

What we do need to see though is:

1. How are you testing from the machine that does not work?

2. What shows up in Squid's log files when you try to access a site from the 
machine that does not work?

3. What changes have you made to the default Squid configuration file (please 
do not send us the entire file - at most please just show us the non-comment 
lines)?

On Monday 16 August 2021 at 17:06:39, Peter Thesing wrote:

> By the way the firewall is off

Which firewall?

Do you have a public IP address on your Squid server?  If so I strongly 
recommend that you turn your firewall back on again.


Regards,


Antony.

-- 
"It is easy to be blinded to the essential uselessness of them by the sense of 
achievement you get from getting them to work at all. In other words - and 
this is the rock solid principle on which the whole of the Corporation's 
Galaxy-wide success is founded - their fundamental design flaws are completely 
hidden by their superficial design flaws."

 - Douglas Noel Adams

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] about logformat

2021-08-15 Thread Antony Stone
On Monday 16 August 2021 at 00:25:45, Pavel Serrat wrote:

> I'm trying to customize my squid log format and I have the following
> question:

See http://www.squid-cache.org/Doc/config/logformat/

% [encoding] [-] [[0]width] [{arg}] formatcode [{arg}]

width   minimum and/or maximum field width:
[width_min][.width_max]
When minimum starts with 0, the field is zero-padded.
String values exceeding maximum width are truncated.

> What is the difference between %6tr and %tr ???

%tr gives you the millisecond response time.
%6tr gives you the millisecond response time padded with spaces to at least 6 
characters.

> What does %03>Hs mean?

It means the HTTP status code sent to the client, padded with zeroes to 3 
characters.

> Is the same %03tu as %tu?

No.

The former is zero-padded to at least three characters, the latter is 
unpadded.

042 is not the same as 42.


Antony.

-- 
Why is "dyslexia" so difficult to spell, and why can I never remember "aphasia" 
when I want to?

   Please reply to the list;
 please *don't* CC me.
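
As an added illustration of the width and padding rules quoted in the reply above (this is not Squid's code), here is a small Python renderer for the `%[encoding][-][[0]width][{arg}]formatcode` syntax. The FIELDS table, the sample record and the two simplified encoders are assumptions of this example; it handles the general `[-][[0]min][.max]` form, not only the two cases asked about.

```python
import re
from urllib.parse import quote

# Format codes this example understands, mapped to keys of a log record.
# The codes are real Squid logformat codes; the record itself is constructed.
FIELDS = {
    "tr":  "response_ms",   # response time, milliseconds
    "tu":  "subsecond_ms",  # subsecond part of the timestamp, milliseconds
    ">Hs": "status",        # HTTP status code sent to the client
    ">a":  "client_ip",     # client source address
    "rm":  "method",        # request method
    "ru":  "url",           # request URL
}

# One directive: %[encoding][-][[0]width_min][.width_max][{arg}]formatcode
# Longest codes first so that ">Hs" is not read as ">H" followed by "s".
_CODES = "|".join(re.escape(c) for c in sorted(FIELDS, key=len, reverse=True))
DIRECTIVE = re.compile(
    r"%(?P<enc>[\"'\[#/\\])?(?P<left>-)?(?P<zero>0)?(?P<min>\d+)?"
    r"(?:\.(?P<max>\d+))?(?:\{(?P<arg>[^}]*)\})?"
    r"(?P<code>" + _CODES + ")"
)


def render_field(value, enc, left, zero, width_min, width_max):
    """Apply the width/padding rules to one field value."""
    text = "-" if value in (None, "") else str(value)   # Squid logs "-" for empty fields
    if enc == '"':        # simplified quoted-string encoding (assumption)
        text = '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
    elif enc == "#":      # URL encoding
        text = quote(text, safe="")
    if width_max is not None:          # values over the maximum width are truncated
        text = text[:width_max]
    if width_min is not None and len(text) < width_min:
        pad = width_min - len(text)
        if left:                       # "-" flag: left-justify
            text += " " * pad
        elif zero:                     # minimum starting with 0: zero-pad
            text = "0" * pad + text
        else:                          # default: right-justify with spaces
            text = " " * pad + text
    return text


def format_line(logformat, record):
    """Expand every %-directive in logformat using the given record."""
    def expand(m):
        g = m.groupdict()
        return render_field(
            record.get(FIELDS[g["code"]]),
            g["enc"], g["left"] is not None, g["zero"] is not None,
            int(g["min"]) if g["min"] else None,
            int(g["max"]) if g["max"] else None,
        )
    return DIRECTIVE.sub(expand, logformat)


# Constructed record standing in for one proxied request.
SAMPLE = {"response_ms": 42, "subsecond_ms": 42, "status": 200,
          "client_ip": "192.168.1.20", "method": "GET", "url": "http://example.com/"}

if __name__ == "__main__":
    for fmt in ("%tr", "%6tr", "%-6tr", "%03>Hs", "%tu", "%03tu", "%5.3ru",
                "%>a %rm %6tr %03>Hs %ru"):
        print(repr(fmt), "->", repr(format_line(fmt, SAMPLE)))
```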


Re: [squid-users] Proxy Authentication optional

2021-07-24 Thread Antony Stone
On Saturday 24 July 2021 at 09:23:52, Dieter Bloms wrote:

> Hello,
> 
> I want to implement user authentication (kerberos) on an already existing
> proxysystem without user authenticaion. But I know that there are clients,
> proxysystem without user authentication. But I know that there are clients,

Can you identify these clients in some way, such as IP address, so that they 
can pass an ACL before authentication is requested?

> So is it possible to configure squid, that it ask for proxy
> authentication credentials, but if the client can't authenticate skip
> this acl and go on with the next acls ?

Sounds like a recipe for people bypassing authentication by simply refusing to 
authenticate, and getting allowed through.

What is your purpose in implementing authentication, if you also want some 
clients to get access without authenticating?  What advantage does 
authenticating give the ones who do?


Antony.

-- 
"Linux is going to be part of the future. It's going to be like Unix was."

 - Peter Moore, Asia-Pacific general manager, Microsoft

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Problems with HTTPS on Squid

2021-07-12 Thread Antony Stone
On Monday 12 July 2021 at 20:12:03, Marcio B. wrote:

> I have the following problem on my Squid 4.6 on Debian 10.
> 
> Squid does not redirect the user to the error page when blocking an HTTPS
> url. On HTTP it works correctly.

Short answer - it can't.

Longer answer - browser requests https://thing.example.com

Squid won't allow connection to thing.example.com, and wants to send the 
browser to an error page instead.

The error page cannot possibly have the correct certificate for 
https://thing.example.com (because that's signed by some genuine CA), so the 
browser won't accept the error page as being valid.

Squid cannot even send an HTTP 302 redirect back to the browser, because that 
also is HTTPS content, and would need to have the correct certification for the 
browser to accept it and follow the redirect.

So, what you want is understandable, but not possible.

The only option I can think of is to add a CA certificate to all your browsers, 
and get Squid (somehow; sorry, I don't know how) to issue either a redirect or 
a substitute web page, claiming to be the original web server, and with a 
certificate signed by that CA that your browsers now trust.

I suspect that involves transparent interception, but someone might know how / 
whether it can be done.


Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] issues with old version of TLS/SSL certificate

2021-07-12 Thread Antony Stone
On Monday 12 July 2021 at 18:58:43, Alex Irmel Oviedo Solis wrote:

> Hello all, I'm trying to download a file from
> https://prodcont.seace.gob.pe

> SSLLabs review shows that server supports only TLS 1.0

> Any solution please?

If you're trying to download a specific file from a specific server, which 
doesn't support current encryption protocols, is it absolutely essential to 
you that you download it via Squid?

In other words, I suggest you just connect to the machine directly, download 
the file, and then either forget about the server's outdated encryption 
capabilities, or inform the website maintainers (if there are any?) and see 
whether they care enough to bring it up to date.

Either way, you have your file, and you don't have to work out how to persuade 
Squid to do something that's really not a good idea to start with.


Antony.

-- 
"It is easy to be blinded to the essential uselessness of them by the sense of 
achievement you get from getting them to work at all. In other words - and 
this is the rock solid principle on which the whole of the Corporation's 
Galaxy-wide success is founded - their fundamental design flaws are completely 
hidden by their superficial design flaws."

 - Douglas Noel Adams

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] TPROXY Error

2021-06-30 Thread Antony Stone
On Wednesday 30 June 2021 at 14:16:09, Ben Goz wrote:

> I'm trying to configure squid as a transparent proxy using TPROXY.
> The machine I'm using has 2 NICs, one for input and the other one for
> output traffic.
> The TPROXY iptables rules are configured on the input NIC.

1. Which version of Squid are you using?

2. Please show us the TPROXY rules you have.

3. Please show us the relevant lines for intercept proxying from your 
squid.conf


Regards,


Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Wednesday 23 June 2021 at 00:44:44, Arctic5824 wrote:

> I want to run an open proxy and replace google adverts w/my adverts.

You might want to be aware that this is illegal in many countries, and a 
number of Internet Service Providers have been sued and/or fined for 
manipulating the content of websites as they pass through their systems.

Anyway, just for the sake of technical discussion, let me repeat my original 
questions:

On Tuesday 22 June 2021 at 21:41:22, Antony Stone wrote:

> On Tuesday 22 June 2021 at 21:32:10, Arctic5824 wrote:
> > Hello, Recently I setup my first squid proxy,
> > 
> > I want it when users try to access a website via https, they get
> > redirected to the http version
> 
> 1. What makes you believe that sites *have* an HTTP version?
> 
> 2. What do you think should happen when sites *do* have an HTTP version,
> and that consists solely of a 301 Permanent Redirect to the HTTPS version,
> which contains the content?
> 
> (In other words, the actual web server is never going to provide the
> content you want to see if you only speak HTTP to it.)
> 
> 
> Antony.

-- 
This email was created using 100% recycled electrons.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Wednesday 23 June 2021 at 00:06:21, Coenraad Loubser wrote:

> I'm sure there are many other ways to do this too... again, what's your
> real use case here?

My _guess_ now that I know Arctic5824 is deliberately running an open web 
proxy on the Internet (with co-operation from the hosting provider or not) is 
that the objective is to convert all HTTPS connections into HTTP so that the 
content can be cached / scraped / captured on the way past, and the 
"interesting bits" used later, perhaps by some of Arctic5824's "customers" 
without the people who chose to browse the Internet through an open proxy 
realising that this is even possible.

It's possibly even being advertised / promoted / sold as an "anonymising 
service", where people can browse the sort of websites they would prefer not 
to do directly through their own connectivity providers, comfortable in the 
knowledge that the IP address hitting those sites is not theirs, but not 
realising that the HTTP traffic they are then using can be intercepted and 
examined not only by Arctic5824 but also by their connectivity provider's 
transparent interception proxy.

I'd be happy to entertain any less dubious explanation of what the real 
purpose in setting up such a system might be.


Antony.

-- 
There's a good theatrical performance about puns on in the West End.  It's a 
play on words.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Tuesday 22 June 2021 at 23:13:19, Antony Stone wrote:

> On Tuesday 22 June 2021 at 23:05:20, Arctic5824 wrote:
> > On Tuesday, June 22nd, 2021 at 1:56 PM, Antony Stone wrote:
> > > Please do not test and report problems with one configuration, and then
> > > tell us you have a different one.
> > 
> > Sorry, I shouldn't have done that.
> > my config (but the only change is allowing all instead of localhost):
> > https://paste.gg/p/anonymous/e660bab698224e1aa1fd320b1bf22081
> 
> So, as Alex already said, the lines:
> 
> http_access allow all
> http_access deny CONNECT
> 
> mean that anyone, from anyway, can connect.  That's it.

Correction: "anyone, from anywhere".  That means anywhere on the planet.  
Please turn this off now.

> I recommend you turn this off now and hope your ISP doesn't block you for
> running an open proxy.
> 
> > here is a snippet (as the file is very large, I can send the full one if you
> > would like) of the access log when I was doing testing:
> > https://termbin.com/vj7t
> 
> No, please send us *only* the lines relating to a _single_ request which
> you think should have been blocked.
> 
> > the ip i tested from was 73.189.239.235
> 
> What!?
> 
> That is not even one of your listed IP addresses.
> 
> Are you *really* running an open proxy on the Internet!?
> 
> Please turn it off _now_ until you understand the advice Alex and I are
> giving you, and you understand the default settings in the standard Squid
> configuration file, some of which you have changed.
> 
> 
> Antony.

-- 
Perfection in design is achieved not when there is nothing left to add, but 
rather when there is nothing left to take away.

 - Antoine de Saint-Exupery

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Tuesday 22 June 2021 at 23:05:20, Arctic5824 wrote:

> On Tuesday, June 22nd, 2021 at 1:56 PM, Antony Stone wrote:
> > 
> > Please do not test and report problems with one configuration, and then
> > tell us you have a different one.
> 
> Sorry, I shouldn't have done that.
> my config (but the only change is allowing all instead of localhost):
> https://paste.gg/p/anonymous/e660bab698224e1aa1fd320b1bf22081

So, as Alex already said, the lines:

http_access allow all
http_access deny CONNECT

mean that anyone, from anyway, can connect.  That's it.

I recommend you turn this off now and hope your ISP doesn't block you for 
running an open proxy.

> here is a snippet (as the file is very large, I can send the full one if you
> would like) of the access log when I was doing testing:
> https://termbin.com/vj7t

No, please send us *only* the lines relating to a _single_ request which you 
think should have been blocked.

> the ip i tested from was 73.189.239.235

What!?

That is not even one of your listed IP addresses.

Are you *really* running an open proxy on the Internet!?

Please turn it off _now_ until you understand the advice Alex and I are giving 
you, and you understand the default settings in the standard Squid 
configuration file, some of which you have changed.


Antony.

-- 
The Magic Words are Squeamish Ossifrage.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Tuesday 22 June 2021 at 22:53:08, Arctic5824 wrote:

> Hey, yes this is actually the case, for testing instead of
> 
> > http_access allow localhost
> 
> I'm running with
> 
> > http_access allow all

Please do not test and report problems with one configuration, and then tell us 
you have a different one.

Please post the actual configuration file (without comments) which you are 
using, show us the log entry which occurs when you can successfully do 
something which you expected to be blocked, and please tell us the IP address 
of the client machine you performed the test from.


Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of 
inflation was decreasing.   This was the first time a sitting president used a 
third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Tuesday 22 June 2021 at 22:54:42, Arctic5824 wrote:

> On Tuesday, June 22nd, 2021 at 1:44 PM, Antony Stone wrote:
> > 
> > #http_access deny !Safe_ports
> > 
> > Has that been consciously and deliberately commented-out?
> > 
> > #http_access allow localnet
> > 
> > http_access allow localhost
> > 
> > Is that a typo? Did you mean to allow access from your local networks,
> > rather than just from localhost?
> > 
> > #http_access deny all
> > 
> > Has that been consciously and deliberately commented-out?
> 
> Hey, all of those were deliberately done, although I have only been using
> this program for a short amount of time, so they might be incorrect/dumb,
> I am not sure,

I would strongly advise *against* commenting out:

http_access deny !Safe_ports
http_access deny all

Also, since you do not have (at least in the configuration file you showed us)

http_access allow localnet

I do not see how you expect any machine other than the one Squid is running on 
to be able to connect.

However, as in my last posting, please show us the configuration you are 
actually using to carry out these tests.


Antony.

-- 
People say that nothing is impossible, so I try to do the impossible every 
day.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Tuesday 22 June 2021 at 22:37:16, Alex Rousskov wrote:

> On 6/22/21 4:28 PM, Arctic5824 wrote:
> > 
> > Hey! thanks for the info, I just tried that but it seems https is still
> > being allowed, and I can see it in the logs as well "TCP_TUNNEL/200 717
> > CONNECT s.youtube.com:443 -"
> > my config is https://pastebin.com/8txzkEnG
> > and a version of the config without comments:
> > https://pastebin.com/zuJYQpXW

> Squid bugs notwithstanding, either your Squid is not running with the
> configuration that you have shared with us OR that logged request comes
> from localhost. If you are not sure, I suggest shutting down Squid,
> making sure that nobody listens on port 3128 and then restarting Squid.
> Due to the first http_access rule, the test request must not come from
> the same machine Squid runs on.

I would also comment on:

#http_access deny !Safe_ports

Has that been consciously and deliberately commented-out?

#http_access allow localnet
http_access allow localhost

Is that a typo?  Did you mean to allow access from your local networks, rather 
than just from localhost?

#http_access deny all

Has that been consciously and deliberately commented-out?


Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

   Please reply to the list;
 please *don't* CC me.
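
To make the ordering point concrete, here is a small first-match evaluator for http_access lines, added here as an example (it is not Squid's code and not from the thread). It covers both the `allow all` before `deny CONNECT` problem and the commented-out `deny !Safe_ports` / `deny all` lines discussed in the messages above; the ACL definitions only approximate the default squid.conf, the reconstruction of the poster's file is an assumption, and the client addresses are constructed.

```python
import ipaddress

# Constructed ACL definitions approximating the ones shipped in Squid's default
# squid.conf (assumption: the real file lists a few more localnet ranges).
LOCALHOST = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
LOCALNET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}


def acl_matches(name, req):
    """Does one named ACL match this request?  req = {src, method, port}."""
    src = ipaddress.ip_address(req["src"])
    if name == "all":
        return True
    if name == "localhost":
        return any(src in net for net in LOCALHOST)
    if name == "localnet":
        return any(src in net for net in LOCALNET)
    if name == "CONNECT":
        return req["method"] == "CONNECT"
    if name == "Safe_ports":
        return req["port"] in SAFE_PORTS
    if name == "SSL_ports":
        return req["port"] in SSL_PORTS
    raise ValueError(f"unknown acl {name!r}")


def parse_rules(conf):
    """Return [(action, [acl, ...]), ...] for the http_access lines in conf.
    Anything after '#' is a comment, so a commented-out rule simply vanishes."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("http_access"):
            continue
        _, action, *acls = line.split()
        rules.append((action, acls))
    return rules


def http_access(conf, req):
    """First matching http_access line wins.  A line matches only if all of its
    ACLs match (a leading '!' negates one).  If no line matches, Squid applies
    the opposite of the last line's action; with no lines at all it denies."""
    rules = parse_rules(conf)
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


# The poster's rules, reconstructed from the lines quoted in the thread
# (the relative order of the two groups is an assumption).
POSTED_CONF = """
#http_access deny !Safe_ports
http_access allow all
http_access deny CONNECT
#http_access allow localnet
http_access allow localhost
#http_access deny all
"""

# The same rules restored to the default ordering (manager lines omitted).
DEFAULT_CONF = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# Constructed requests: an Internet client tunnelling to port 443 (the kind of
# request the poster's log showed) and a LAN client fetching a plain page.
INTERNET_CONNECT = {"src": "203.0.113.10", "method": "CONNECT", "port": 443}
LAN_GET = {"src": "192.168.1.20", "method": "GET", "port": 80}

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("default", DEFAULT_CONF)):
        print(label, "| Internet CONNECT:", http_access(conf, INTERNET_CONNECT),
              "| LAN GET:", http_access(conf, LAN_GET))
```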


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Tuesday 22 June 2021 at 21:32:10, Arctic5824 wrote:

> Hello, Recently I setup my first squid proxy,
> 
> I want it when users try to access a website via https, they get redirected
> to the http version

1. What makes you believe that sites *have* an HTTP version?

2. What do you think should happen when sites *do* have an HTTP version, and 
that consists solely of a 301 Permanent Redirect to the HTTPS version, which 
contains the content?

(In other words, the actual web server is never going to provide the content 
you want to see if you only speak HTTP to it.)


Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Testing eCap module

2021-06-06 Thread Antony Stone
On Sunday 06 June 2021 at 16:09:24, Ben Goz wrote:

> I have an eCap module code that should block traffic on certain cases
> and passthru traffic on other cases.
> What is the most easy and efficient way to test that module's code is
> working as expected?

1a. Test some of the cases where traffic should be blocked, and make sure that 
it is.

1b. Then test some of the cases where it should be passed through, and make 
sure that it is.

2. Tell us what "certain cases" and "other cases" are, so that we might be 
able to think of some other way of testing whatever it is you're trying to do.


Summary - the more information you provide, the more readily we can help.


Antony.

-- 
Some mistakes are too much fun to make only once.



Re: [squid-users] manual proxy configuration ...

2021-05-29 Thread Antony Stone
On Saturday 29 May 2021 at 11:45:07, Albretch Mueller wrote:

> cat "/etc/squid/squid.conf" | grep http_port | grep --invert-match "^#"
> http_port 3128

That could more briefly be done as "grep ^http_port /etc/squid/squid.conf"

> The value 3128 you enter on your network browser settings
> 
> what I need now is the name of the running listening service which
> you can get via:
> 
> netstat -tl

It's the same thing: 3128.

> but I couldn't get squid running apparently due to problems related
> to using a prefix other than its default:
> 
> $ which squid
> /media/knoppix/squid3/4.15/sbin/squid

>  how can I fix such problems?

I think this is a question for the Knoppix packagers; we don't know what they 
did to break Squid in this way.


Antony.

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.



Re: [squid-users] (possibly dynamic?) multiple port forwarding in the same internal Network ...

2021-05-25 Thread Antony Stone
On Tuesday 25 May 2021 at 07:51:21, Albretch Mueller wrote:

>  As part of a teaching and learning (TaL)/school software, I need squid:
> 
>  a) to detect one of the connected computers in an internal network
> comprising wirelessly connected and wired computers as the "master"
> (operated by the teacher);
> 
>  b) when that master reaches out to an outside URL, the response should
> be replicated in that master's and all other internal computers; but
> 
>  c) responses to requests originating in the non master ("slave"?)
> ends, return to their corresponding ends;
> 
>  d) at times the master should be able to switch off that replicating
> feature;
> 
>  e) more than one or all computers should be able to play "master";
> 
>  f) all other "slave" should operate in a "transparent proxy" mode;
> 
>  g) on a single computer, someone could use different
> browsers/versions to do a-f ...

I've returned to your original question here, after discussing several points 
already in some detail, and I can't help wondering - why are you trying to do 
all this in browsers and web proxies, by manipulating network communications 
in ways that were not intended?

Why not give the students a video conferencing / screen sharing application 
such as MS Teams, Jitsi, Zoom, etc and then block them from accessing websites 
during lessons?

They are required to use the screen sharing application in order to see what 
the teacher is showing them during the lesson (are the days of video 
projectors and intelligent whiteboards already over?), and they are not 
allowed to play around on their own (are these devices their own personal 
equipment, or are they supplied and managed by the school?) using the school's 
networking resources.

That would seem to me to be a far simpler solution to your requirement, 
assuming I have now correctly understood that you essentially want a teacher 
to share their screen with the students, and for the students not to be able 
to "wander off on their own" into the general Internet.


Antony.

-- 
Users don't know what they want until they see what they get.



Re: [squid-users] (possibly dynamic?) multiple port forwarding in the same internal Network ...

2021-05-25 Thread Antony Stone
On Tuesday 25 May 2021 at 14:36:09, Albretch Mueller wrote:

> On 5/25/21, Antony Stone  wrote:
> > On Tuesday 25 May 2021 at 07:51:21, Albretch Mueller wrote:
> >>  As part of a teaching and learning (TaL)/school software, I need squid:
> >>  
> >>  a) to detect one of the connected computers in an internal network
> >> comprising wirelessly connected and wired computers as the "master"
> >> (operated by the teacher);
> > 
> > What information is available to Squid in order to "detect" that this is
> > the "master" machine?
> 
> I think a combination of cookies,

What system generates / checks the cookies?

What URL are the cookies associated with in the browser?

> its mac address and, when both fail, authentication.

Ah, some form of authentication, where the master user has to log in to 
something, would certainly be effective.  It was just the way you used the word 
"detect" that made me think this should be some action on the part of Squid 
independently of what the master machine user was doing.

> Wouldn't that be enough, perhaps with an extra proxy server?

Perhaps with an extra *web* server (for authentication), yes, but where would 
an extra proxy server point to?

> My main problem is that I don't want for students' boxes to be prompted for
> or trying to initiate an authentication and I don't know of a foolproof way
> of achieving that.

How about the teacher accesses a URL that the students don't know, or at least 
are not supposed to access, and it is that URL which prompts the teacher to 
authenticate?

If the students go to that URL then they will also be prompted to 
authenticate, but in general they will not.

> If possible, all students' business should let go through with squid serving
> as transparent proxy.

That's just down to your networking configuration.

> Probably squid could cache that request as local files to the extent
> that it can and just redirect the requests of students' clients as
> references to that file using an ICAP server somehow?

So, the student asks for the Wikipedia article on Amethyst and finds that their 
browser shows them the web page the teacher is looking at instead?

I think there's no way you're going to achieve this sort of thing with the 
current popularity of SSL/TLS.

> >>  b) when that master reaches out to an outside URL, the response should
> >> be replicated in that master's and all other internal computers; but
> > 
> > What do you mean by "the response should be replicated in ... all other
> > internal computers"?
> 
>  that the initial request by the teacher should be received as
> response by all students

Response to what?

> > Are you assuming that these computers are already running a browser,
> 
> Well, technically, I think we could assume that, why would that be
> problematic? How bad would it be if they are not running a browser,
> you could interrupt an initiated request, you could even shut down
> your computer in the middle of a download or transaction without a
> problem. Why would that be that difficult? or, what is it exactly I am
> not getting right?

I'm asking "what application is going to receive this "response" sent by 
Squid, and be expecting it so that it can process it and display it to the 
user?"

You can't just send a chunk of HTML to a computer over the network and expect 
a browser window to suddenly appear and display it.

Aside from anything else, you have to get a TCP session going in the first 
place.

> > that they should suddenly get some (apparently) web server response via
> > Squid and display it, even though they did not make any request?
> > 
> > If so, I would say this is impossible - you can't get a computer to show
> > a response to a request it did not make.
> 
> Yes, this is what I meant, why is that so hard?

a) the client (user's computer) did not open a TCP session to anything (either 
Squid, or a web server), so it's not going to accept TCP "replies"

b) the client did not send an HTTP request to anything, so it's not going to 
accept some HTML which simply turns up on its network port

> Again, my forte is not networking, but I could see how the requested file
> could be cached and forwarded to all student boxes. Perhaps using an ICAP
> server.

You can modify a request sent from the client, or you can modify a response 
sent back from a server, but you cannot simply send a response to a machine 
which did not make a request.

> >>  c) responses to requests originating in the non master ("slave"?)
> >> ends, return to their corresponding ends;
> > 
> > So, any computer other than the "master" simply makes requests and gets
> > standard re

Re: [squid-users] (possibly dynamic?) multiple port forwarding in the same internal Network ...

2021-05-25 Thread Antony Stone
On Tuesday 25 May 2021 at 07:51:21, Albretch Mueller wrote:

>  As part of a teaching and learning (TaL)/school software, I need squid:
> 
>  a) to detect one of the connected computers in an internal network
> comprising wirelessly connected and wired computers as the "master"
> (operated by the teacher);

What information is available to Squid in order to "detect" that this is the 
"master" machine?

>  b) when that master reaches out to an outside URL, the response should
> be replicated in that master's and all other internal computers; but

What do you mean by "the response should be replicated in ... all other 
internal computers"?

Are you assuming that these computers are already running a browser, and that 
they should suddenly get some (apparently) web server response via Squid and 
display it, even though they did not make any request?

If so, I would say this is impossible - you can't get a computer to show a 
response to a request it did not make.

If I have misunderstood, please explain what this does mean.

>  c) responses to requests originating in the non master ("slave"?)
> ends, return to their corresponding ends;

So, any computer other than the "master" simply makes requests and gets 
standard responses as usual.  Fine.

>  d) at times the master should be able to switch off that replicating
> feature;

What times?  How?  I really think you need to explain this "replicating 
feature" in more detail (and preferably in network terms, from the point of 
view of the software running on the master, and the software running on a 
non-master).

>  e) more than one or all computers should be able to play "master";

I repeat my first question - what information is available to Squid in order to 
"detect" that this is the "master" machine?

>  f) all other "slave" should operate in a "transparent proxy" mode;

Are you including SSL in this?

>  g) on a single computer, someone could use different
> browsers/versions to do a-f ...
> 
>  I have seen that partially implemented one way or the other, however
> I need to integrate/manage all parts as part of an integrated whole.


>  So, my questions could be reduced to: which exactly are the
> configuration lines that should be changed in both squid and the
> browsers on the connected computers or the different browsers in the
> same computer?

I think this request is (a) a *lot* more complicated than this, and probably a 
lot more complicated than you think it is, and (b) in parts, impossible.


Regards,


Antony.

-- 
The difference between theory and practice is that in theory there is no 
difference, whereas in practice there is.



Re: [squid-users] squid ftp list files problem

2021-03-25 Thread Antony Stone
On Thursday 25 March 2021 at 12:53:09, maurizio wrote:

> Hello
> I have a squid 4.14 version installed recently. I have a problem when we use
> that like ftp proxy (via port 21): when a client uses that and tries to use the
> ftp command ls (list) in a directory with a lot of files (in my test 250 files)
> the list command freezes (lists a partial list of files).

Is this passive or active FTP?

> I have tried with a very old proxy ftp (frox) and the list command doesn't
> freeze, it returns the list correctly.
> Please, is it a bug or misconfiguration?

1. We don't know whether it's a misconfiguration until you show us your 
configuration.

2. What is displayed in Squid's log files at the time this occurs?


Antony.

-- 
What do you call a dinosaur with only one eye?  A Doyouthinkesaurus.



Re: [squid-users] How to automatically Restart Squid on Ubuntu?

2021-03-22 Thread Antony Stone
On Monday 22 March 2021 at 15:59:37, Angelo Wang wrote:

> Hi,
> 
> I have a /22 subnet on a server and sometimes Squid crashes when there are
> too many connections. Can someone help me create a script/command to
> automatically restart squid if this happens?

I would use http://manpages.ubuntu.com/manpages/xenial/man1/monit.1.html

On the other hand, I'd try to identify what's causing the crash and prevent it 
instead.


Antony.

-- 
The best time to plant a tree is 20 years ago.
The second best time is now.



Re: [squid-users] Protecting squid

2021-03-11 Thread Antony Stone
On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:

> I tried to open squid with some special port other than the default 3128
> port.

Obscurity is not equivalent to security.

> But after a while I saw that my squid was being abused by unknown IP
> addresses

I'm assuming this means your Squid proxy is accessible from the Internet.

Why?

> so I decided to password protect my squid so that only authorized
> users could use it.
> But it's pretty annoying for the users to enter user/password repeatedly.

What authentication method are you using?  At the very least, a user should 
not have to authenticate more than once per browser session - are they saying 
that even that is excessive?

> Is there any other solution than password protection that only authorized
> users can have access to my squid server?

Depends what "authorised" means.  Can you define the network range they are 
expected to come from, and restrict access only to those IPs?

Tell about your network setup and what you are trying to achieve - we might be 
able to suggest solutions.


Antony.

-- 
The best time to plant a tree is 20 years ago.
The second best time is now.



Re: [squid-users] Setting up a transparent http and https proxy server using squid 4.6

2020-12-31 Thread Antony Stone
On Thursday 31 December 2020 at 10:10:11, jean francois hasson wrote:

> If I set up on a device connected to the access point a proxy manually
> ie 10.3.141.1 on port 8080, I can access the internet. If I put the
> following rules for iptables to use in files rules.v4 :
> 
> *nat
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination
> 10.3.141.1:3128
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination
> 10.3.141.1:3129
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
> -A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE

Try removing the DNAT rules above.  You should be using REDIRECT for intercept 
mode to work correctly.


Antony.

-- 
If you can smile when all about you things are going wrong, you must have 
someone in mind to take the blame.


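Antony's suggestion, as an added example that is not part of the original thread: a shell script that picks out the PREROUTING DNAT rules in a rules.v4 style file (the ones to remove) and writes out the rule set with only the REDIRECT rules left for the intercept ports. The file content is constructed to mirror the rules quoted above, with a COMMIT line added so it is a complete iptables-restore table.

```shell
#!/bin/sh
# Added example (not from the list post): list the PREROUTING DNAT rules in an
# iptables-restore file and emit the same file with those rules dropped, leaving
# the REDIRECT rules that intercept mode should use. The input below is
# constructed to mirror the thread's rules.v4 excerpt.

# Print the PREROUTING rules that use the DNAT target.
find_dnat_prerouting() {
    # $1: path to a rules.v4 style file
    grep -E '^-A PREROUTING .*-j DNAT( |$)' "$1"
}

# Print the file with the PREROUTING DNAT rules removed; everything else is kept.
strip_dnat_rules() {
    grep -vE '^-A PREROUTING .*-j DNAT( |$)' "$1"
}

# Count the PREROUTING REDIRECT rules for a given destination port
# (prints 0 rather than failing when there are none).
count_redirects_for_port() {
    # $1: file, $2: port
    grep -cE "^-A PREROUTING .*--dport $2 .*-j REDIRECT " "$1" || true
}

# Constructed input mirroring the quoted rules.v4 (DNAT and REDIRECT for each port).
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.141.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.141.1:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF

CLEANED=$(mktemp)
strip_dnat_rules "$RULES" > "$CLEANED"
trap 'rm -f "$RULES" "$CLEANED"' EXIT

echo "== DNAT rules to remove =="
find_dnat_prerouting "$RULES"
echo "== rule set with REDIRECT only =="
cat "$CLEANED"
```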

Re: [squid-users] squid writes to /var/log/messages

2020-12-24 Thread Antony Stone
On Thursday 24 December 2020 at 18:44:21, Song & Movie wrote:

> Can any one help me to create http proxy ?

1. Please do not hijack an unrelated thread on the list.  Please start a new 
thread by posting to squid-users@lists.squid-cache.org with an appropriate 
subject.

2. Please give us at least *some* information about:

a) what you're trying to achieve
b) what system you want to install it on
c) what you've done already
d) what problems you've run into

Regards,


Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of 
inflation was decreasing.   This was the first time a sitting president used a 
third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society



Re: [squid-users] authorized by pcname

2020-12-12 Thread Antony Stone
On Saturday 12 December 2020 at 14:03:23, sampe...@tiscali.it wrote:

> What Squid mechanism do you suggest me to identify the “computer name” ?
> What solution/correction can I make to my environment to apply my idea?

A few suggestions:

1. Why not get your DHCP server to allocate IP addresses according to MAC 
address; then your clients will get fixed addresses again and you can use those 
in your ACLs.

2. Alternatively, get your DHCP server to update a local DNS server, and point 
Squid at that so that it can look up the names of the PCs in DNS (without 
needing to know about NetBIOS) and you can use those.

3. Get your users to authenticate to Squid as people, not as computers; then 
you can apply the appropriate rules for who is trying to do stuff instead of 
assuming who is using which computer.

4. Why have you switched from static addressing to DHCP?  If you need DHCP to 
cater for machines which "temporarily visit" your network, how about just 
allocating a subnet range for those and continue to use static addresses for 
the machines you know about?


Regards,


Antony.

-- 
A good conversation is like a miniskirt;
short enough to retain interest,
but long enough to cover the subject.

 - Celeste Headlee




Re: [squid-users] Squid with more than 128 ports?

2020-12-10 Thread Antony Stone
On Thursday 10 December 2020 at 13:02:19, roee klinger wrote:

> Hello,
> 
> We have a few Squid proxy servers with a total of around 400 ports

What do you mean by that?  What are you using 400 ports for?

> We have decided that we want to add a cloud instance in the middle of the
> connections, that will authenticate users and only then send them to the
> squid instance.

What authentication method / protocol do you want to use?

> Is it a smart idea to use Squid for this use case or just use a different
> proxy software that doesn't have this limitation?

I think the best starting point is to ask what sort of authentication you want 
to perform (ie: what is the authoritative system which holds the information 
about who can authenticate and who cannot), then you can decide on the best 
software to use to do that in front of Squid.


Antony.

-- 
Under UK law, no VAT is charged on biscuits and cakes - they are "zero rated".  
Chocolate covered biscuits, however, are classed as "luxury items" and are 
subject to VAT.  McVitie's classed its Jaffa Cakes as cakes, but in 1991 this 
was challenged by Her Majesty's Customs and Excise in court.

The question which had to be answered was what criteria should be used to 
class something as a cake or a biscuit.  McVitie's defended the classification 
of Jaffa Cakes as a cake by arguing that cakes go hard when stale, whereas 
biscuits go soft.  It was demonstrated that Jaffa Cakes become hard when stale 
and McVitie's won the case.



Re: [squid-users] Sqlite3 with Squid

2020-12-10 Thread Antony Stone
On Thursday 10 December 2020 at 12:49:48, Eliezer Croitor wrote:

> Hey,
> 
> I am wondering what can I use Sqlite3 with squid?
> 
> I was thinking about holding some of the config dynamic parts inside sqlite
> db (in a specific setup)

Can you give some examples of such "config dynamic parts"?

> And then generate the config file from sqlite.
> 
> What do you think?

I'm not sure I can see what I might want to be dynamic about a Squid 
configuration.

However, you also say "generate the config file from sqlite".

Any reasonable scripting language can do that for you, and then just tell 
Squid to reload the new config file.  Squid doesn't need to know where it came 
from.


Regards,


Antony.

-- 
"Remember: the S in IoT stands for Security."

 - Jan-Piet Mens



Re: [squid-users] FTP proxy

2020-12-06 Thread Antony Stone
On Sunday 06 December 2020 at 16:56:10, Andrea Venturoli wrote:

> On 12/6/20 4:44 PM, Antony Stone wrote:
> > Where is the firewall, compared to your Squid proxy, in the network?
> 
> Squid runs on the firewall itself.
> 
> > I'm just wondering how you plan to use Squid's native FTP mode to bypass
> > a firewall, which is therefore presumably blocking FTP...?
> 
> It's not blocking FTP for itself, but it's blocking FTP to internal
> clients.

Oh, so you're in charge of both?

That would make sense, then - otherwise I was wondering how a client would get 
FTP out to the Internet via Squid if they weren't allowed to through the 
firewall...

Thanks,


Antony.

-- 
If you were ploughing a field, which would you rather use - two strong oxen or 
1024 chickens?

 - Seymour Cray, pioneer of supercomputing



Re: [squid-users] FTP proxy

2020-12-06 Thread Antony Stone
On Sunday 06 December 2020 at 16:26:26, Andrea Venturoli wrote:

> Hello.
> 
> I'm trying to evaluate FTP proxying with squid and I have a couple of
> questions.
> To be clear, I'm not talking about FTP through HTTP, but about the
> ftp_port option.
> I've used frox (http://frox.sourceforge.net/) in the past for this.
> 
> I see this feature was introduced in 3.5 as an experimental one; at 4.13
> is it still so or is it considered stable and dependable?

I can't answer your detailed questions above personally; however I'm sure 
someone else here can, but the following point intrigued me...

> (For now I'm not interested in logging, interception, etc..., I just
> need to bypass a firewall easily).

Where is the firewall, compared to your Squid proxy, in the network?

I'm just wondering how you plan to use Squid's native FTP mode to bypass a 
firewall, which is therefore presumably blocking FTP...?

> Is there a way to restrict the port range of the additional connections
> (e.g. to 4-5)?
> 
>   bye & Thanks
>   av.


Regards,


Antony.

-- 
"In fact I wanted to be John Cleese and it took me some time to realise that 
the job was already taken."

 - Douglas Adams



Re: [squid-users] Is there a worker option in the source build?

2020-10-14 Thread Antony Stone
On Wednesday 14 October 2020 at 11:29:58, m k wrote:

> hi Antony,
> 
> 4.13 is a compiler from source.

Show us the command you use to compile it.

> workers just write in squid.conf.

I don't think you understood what I meant by "details" - show us exactly what 
you have put into the config file so that we might be able to try the same 
thing on another machine, or perhaps spot a syntax error, or otherwise help to 
identify the problem.

As it is, you've basically said "I've done something, and the result doesn't 
work."  You haven't shown us what the "something" is, and you haven't shown us 
any output of the way in which it fails, so we have no real information to go 
on to help resolve the problem.

> If it doesn't work, it starts for a moment when you start squid and then
> stops immediately.

What is written into the log file?

> Workers squid works fine with the 4.4 package.

Good.


Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.



Re: [squid-users] Is there a worker option in the source build?

2020-10-14 Thread Antony Stone
On Wednesday 14 October 2020 at 11:19:54, m k wrote:

> hi all,
> 
> I have installed squid 4.13.

How?  Package?  Compiled from source?

What O/S have you installed it on?

> When I set workers,

Give us a clue how you're doing that?

> squid doesn't work.

In what way?  Doesn't start?  Gives an error in the log file?  Starts but 
doesn't process requests?  Let us know details.

> Do you need any options at compile time?

I do not believe so, but someone else may know better than I.


Antony.

-- 
I still maintain the point that designing a monolithic kernel in 1991 is a 
fundamental error.  Be thankful you are not my student.  You would not get a 
high grade for such a design :-)
 - Andrew Tanenbaum to Linus Torvalds



Re: [squid-users] How to select parent proxy based on user password

2020-09-22 Thread Antony Stone
On Tuesday 22 September 2020 at 22:35:36, Ajb B wrote:

> how can you map the user password to a parent proxy?
> 
> so that
> 
> testuser1:qvmgPUJ5xW-121@18.234.74.214:3292
> testuser1:qvmgPUJ5xW-122@18.234.74.214:3292
> testuser1:qvmgPUJ5xW-123@18.234.74.214:3292
> map to a different parent proxy?

It makes no sense to me to have one username with multiple passwords.

The username is the identifier - this tells the system who this "user" is and 
the system can then find out what this "user" can do, provided they are 
authenticated.

The password is the authenticator - this tells the system that the entity 
trying to connect really is that user.

If you want one entity (person, script, application, whatever) to have access 
to different upstream proxies (presumably for different purposes), you should 
give them different identities (usernames) in order to access those proxies.

They then use the appropriate username for the access they require at the 
time.


What would be the use case for one username with multiple passwords?


Antony.

-- 
Neurotics build castles in the sky;
Psychotics live in them;
Psychiatrists collect the rent.




Re: [squid-users] Strange Squid SSL Interception Behavior

2020-08-24 Thread Antony Stone
On Tuesday 25 August 2020 at 00:21:31, Mathew Brown wrote:

> I set up the necessary iptables forwarding ports

Please show us what those iptables rules are.


Antony.

-- 
"It wouldn't be a good idea to talk about him behind his back in front of 
him."

 - murble



Re: [squid-users] Can squid proxy pass the SMTP port 587

2020-08-20 Thread Antony Stone
On Thursday 20 August 2020 at 21:41:20, santosh panchal wrote:

> Hi Team
> 
> How to configure squid to pass my smtp traffic on port 587

Install sendmail, exim, postfix or any other MTA of your choice and configure 
it to relay your outbound email.

Squid is not an MTA.


Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde



Re: [squid-users] Need squid latest version 4.12 RPM packaged files for centos7 and x86_64 architecture

2020-08-20 Thread Antony Stone
On Thursday 20 August 2020 at 12:25:04, rahul.n...@orange.com wrote:

> Hi Team,
> 
> I am looking for urgent support on squid latest version 4.12 RPM files
> based on CentOS7 and x86_64 architecture.

"Urgent" is all very well, but we can't help until you tell us what the 
problem is.

> Also, I tried to install  it via source code and make it running but after
> every restart squid service is failing.

Please define "failing" - give us some information, otherwise we have no clue 
what you did or what the results are.

> So, Could you please help me on the same.

Only if you help us - tell us what you've done, what the problem is, and what 
information you have in the log files etc.


Antony.

-- 
"The problem with television is that the people must sit and keep their eyes 
glued on a screen; the average American family hasn't time for it."

 - New York Times, following a demonstration at the 1939 World's Fair.



Re: [squid-users] Squid and multipart form decode

2020-07-23 Thread Antony Stone
On Thursday 23 July 2020 at 15:33:01, Ryan Le wrote:

> sorry not decode, just parse to send headers to icap as well.

Aha, icap - sorry, I can't help you there, but I'm pretty sure there are 
others here who have used it.

> On Thu, Jul 23, 2020 at 9:27 AM Antony Stone wrote:
> > On Thursday 23 July 2020 at 15:22:56, Ryan Le wrote:
> > > I have been trying to configure squid to decode and send multipart form
> > > data to another service.
> > 
> > What do you mean by "decode"?
> > 
> > > Is there an acl or build parameter needed for multipart form data
> > > support?
> > 
> > No; Squid sends on what it gets from the client.

Antony.

-- 
I bought a book on memory techniques, but I've forgotten where I put it.



Re: [squid-users] Squid and multipart form decode

2020-07-23 Thread Antony Stone
On Thursday 23 July 2020 at 15:22:56, Ryan Le wrote:

> I have been trying to configure squid to decode and send multipart form
> data to another service.

What do you mean by "decode"?

> Is there an acl or build parameter needed for multipart form data support?

No; Squid sends on what it gets from the client.


Antony.

-- 
The next sentence is untrue.
The previous sentence is true.



Re: [squid-users] try and reslove domain via local DNS and not squid

2020-06-24 Thread Antony Stone
On Wednesday 24 June 2020 at 17:36:34, robert k Wild wrote:

> hi all,
> 
> i want squid not to try and resolve our domain name ie so it resolves
> internally on our local DNS server and not go out squid to try and resolve

What is in /etc/resolv.conf on your squid server?

Antony.

-- 
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.



Re: [squid-users] Server monitoring

2020-06-10 Thread Antony Stone
On Wednesday 10 June 2020 at 21:08:35, Ronan Lucio wrote:

> Hi guys,
> 
> How do you suggest to monitor service availability?
> I know that some people monitor a few URLs through the proxy,
> but I'd like to know if there is any way to remotely monitor the squid service.

Do you mean "is it running?"

Or do you mean "how busy is it?"

Or do you mean "is it working and supplying the content it's expected / 
supposed to ?"

Or... maybe something else?

So, what it is you want to monitor?


Next question: do you already have some monitoring system such as Icinga, 
Zabbix, Nagios, etc., which you use for other systems and services, or is 
Squid the first thing you're thinking of keeping a watchful eye on?


Given that information, we might have some ideas, or else pointers to where 
else it's worth asking the question.


Regards,


Antony.

-- 
"In fact I wanted to be John Cleese and it took me some time to realise that 
the job was already taken."

 - Douglas Adams



Re: [squid-users] Switch cache peer Parent server for every 30 minutes

2020-06-10 Thread Antony Stone
On Wednesday 10 June 2020 at 18:11:03, Prem Chand wrote:

> Hi Alex,
> 
> Thanks for responding to my issue. I didn't get how the math was done (why
> it's multiplied by 2) to get 16 slots; if possible, could you please elaborate
> with an example.

I believe what Alex meant was:

You want 30 minute timeslots for each of 3 peers, which is 48 half-hour 
timeslots throughout the day.

However, you only need to define 48/3 of these for peer A, and 48/3 of them for 
peer B, and then let peer C deal with anything not already handled (so it 
doesn't need its own definitions).

48/3 = 16, therefore you define 16 half-hour periods when you want peer A to do 
the work, 16 half-hour periods for peer B, and then just say "peer C, handle 
anything left over".


Regards,


Antony.

> On Wed, Jun 10, 2020 at 7:12 PM Alex Rousskov wrote:
> > On 6/10/20 6:09 AM, Prem Chand wrote:
> > > My squid cache peer has 3 parent IP’s configured. I need to send HTTPS
> > > requests to the first parent IP for 30 minutes and after to the 2nd
> > > parent IP for 30 minutes and then to 3rd IP for 30 minutes and this
> > > switching needs to happen continuously .Could you please let us know
> > > how I can achieve this?
> > 
> > If you are OK with hard-coded usage time slots for each peer, then I
> > would use two[1] "time" ACLs and cache_peer_access rules. Look for
> > "aclname time" in squid.conf.documented. You will have to generate a
> > list of (24*2/3=16) staggered time slots for each of the two ACLs, but
> > it should work. This may be the simplest solution.
> > 
> > [1] You need two ACLs for three peers because the third peer should get
> > the requests that the first two peers were not allowed to get.
> > 
> > 
> > 
> > With a modern Squid, you could also implement this using a more flexible
> > (and more expensive, on several layers!) architecture with two ACLs:
> > 
> > 1. An external ACL that returns the right cache peer name to use via a
> > keyword=value annotation API. This always-matching ACL should be
> > attached to http_access or a similar directive that supports slow ACLs.
> > Its goal is to annotate the request. You will need to write a
> > script/program that will compute the right annotations based on time or
> > some other factors. This is where the flexibility of this solution is
> > coming from.
> > 
> > 2. A "note" ACL attached to cache_peer_access directives, allowing
> > access to peer X if the external ACL in item 1 returned
> > use_cache_peer_=X. The "note" ACL is a fast ACL and, hence, can be
> > reliably used with cache_peer_access.
> > 
> > If you already have another external ACL, you may be able to piggyback
> > annotations in item 1 to whatever that ACL is already doing.
> > 
> > For more information, search for "keyword=value" and "acl aclname note"
> > in your squid.conf.documented and see
> > https://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29
> > 
> > 
> > HTH,
> > 
> > Alex.

-- 
Neurotics build castles in the sky;
Psychotics live in them;
Psychiatrists collect the rent.


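The slot arithmetic from Alex's reply above (48 half-hour slots per day, 48/3 = 16 explicit slots each for two peers, the third peer taking whatever is left), worked through as an added Python generator for the `time` ACLs and `cache_peer_access` rules. This is example code, not from the thread or from Squid; the peer names peerA/peerB/peerC are placeholders, and explicitly denying the fallback peer during the other peers' slots is an assumption added here to make the selection strict.

```python
"""Generate Squid 'time' ACLs that rotate requests across parent peers.

With 30-minute slots and three peers the day has 48 slots; the first two
peers each get 48/3 = 16 explicit slots, the last peer is the fallback.
Constructed example; peer names are placeholders.
"""
from typing import Dict, List

MINUTES_PER_DAY = 24 * 60


def slot_ranges(slot_minutes: int) -> List[str]:
    """Split the day into equal slots rendered as Squid 'HH:MM-HH:MM' ranges.

    Each slot ends one minute early (00:00-00:29, 00:30-00:59, ...) so that
    adjacent slots never share a boundary minute and 24:00 is never emitted.
    """
    if slot_minutes <= 0 or MINUTES_PER_DAY % slot_minutes:
        raise ValueError("slot length must divide the day evenly")
    ranges = []
    for start in range(0, MINUTES_PER_DAY, slot_minutes):
        end = start + slot_minutes - 1
        ranges.append(
            f"{start // 60:02d}:{start % 60:02d}-{end // 60:02d}:{end % 60:02d}"
        )
    return ranges


def assign_slots(peers: List[str], slot_minutes: int) -> Dict[str, List[str]]:
    """Round-robin slot i to peers[i % len(peers)]: A, B, C, A, B, C, ..."""
    if len(peers) < 2:
        raise ValueError("need at least two peers to rotate between")
    assigned: Dict[str, List[str]] = {p: [] for p in peers}
    for i, rng in enumerate(slot_ranges(slot_minutes)):
        assigned[peers[i % len(peers)]].append(rng)
    return assigned


def render_config(peers: List[str], slot_minutes: int = 30) -> str:
    """Emit squid.conf lines for the rotation.

    Every peer except the last gets its own 'time' ACL (one line per slot)
    and is allowed only during those slots. The last peer needs no ACL of
    its own: it is denied during the other peers' slots and allowed for
    everything else, i.e. it receives what the others were not allowed to.
    """
    assigned = assign_slots(peers, slot_minutes)
    explicit, fallback = peers[:-1], peers[-1]
    lines = [f"# {slot_minutes}-minute rotation across {len(peers)} parents"]
    for peer in explicit:
        acl = f"{peer}_slots"
        lines.extend(f"acl {acl} time {rng}" for rng in assigned[peer])
        lines.append(f"cache_peer_access {peer} allow {acl}")
        lines.append(f"cache_peer_access {peer} deny all")
    for peer in explicit:
        lines.append(f"cache_peer_access {fallback} deny {peer}_slots")
    lines.append(f"cache_peer_access {fallback} allow all")
    return "\n".join(lines) + "\n"


def peer_for(peers: List[str], slot_minutes: int, hhmm: str) -> str:
    """Which peer the generated rules select at wall-clock time 'HH:MM'."""
    hours, minutes = (int(x) for x in hhmm.split(":"))
    slot = (hours * 60 + minutes) // slot_minutes
    return peers[slot % len(peers)]


if __name__ == "__main__":
    print(render_config(["peerA", "peerB", "peerC"]))
```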


Re: [squid-users] SQUID PROBLEM WITH SITES THAT HAVE MORE THAN ONE IP ADDRESSES

2020-05-11 Thread Antony Stone
On Monday 11 May 2020 at 11:53:15, leomessi...@yahoo.com wrote:

> Hi again, thank you for your reply.
> Sorry, but I didn't yell, I only asked for help!

Writing in all capital letters (see your Subject line, for example) in online 
communications is generally interpreted as shouting.


Regards,


Antony.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM



Re: [squid-users] Let Squid use SSL certificate for a parent cache peer

2020-05-05 Thread Antony Stone
On Tuesday 05 May 2020 at 12:21:19, mariolatif741 wrote:

> The purpose of proxy A is that its the proxy that will be given to my
> clients. The purpose of all what I am doing is to let my clients use proxy
> B indirectly through proxy A (so they can use proxy B without installing
> the CA certificate)

Won't work.

If you are doing HTTPS / SSL / TLS interception *at any point* in the chain 
between the client and the real server, then the machine doing the 
interception is going to have to generate a fake certificate for what it sends 
back to the client (no matter whether that passes through an intermediate 
proxy or not), therefore the client needs to have the fake CA certificate 
installed in order to trust what it receives.

There is no way for the client to get the "real" certificate from the "real" 
server if a machine in between intercepts and decrypts the communication.  If 
there were, TLS security would be meaningless.

Regards,


Antony.

-- 
"Measuring average network latency is about as useful as measuring the mean 
temperature of patients in a hospital."

 - Stéphane Bortzmeyer



Re: [squid-users] Let Squid use SSL certificate for a parent cache peer

2020-05-05 Thread Antony Stone
On Tuesday 05 May 2020 at 11:48:12, mariolatif741 wrote:

> Since you said "If the client is participating in the TLS handshake it
> *always* requires the CA to be installed.", then I guess what I want to do
> is not possible.
> 
> Can I make Squid send the requests received from the client to the cache
> peer? (so the cache peer would see the requests coming from the Squid
> server and not from the client), I think if this is possible then it'd
> help in my case.

What are you trying to achieve?

It sounds as though you want the client to talk to proxy A, which talks to 
proxy B, which sends requests to the Internet, and you want to do content 
inspection / filtering on proxy B.

What is the purpose of proxy A?

Regards,


Antony.

-- 
"Remember: the S in IoT stands for Security."

 - Jan-Piet Mens



Re: [squid-users] Using a Baltimore root certificate in transparent ssl proxying

2020-04-28 Thread Antony Stone
On Monday 27 April 2020 at 23:44:41, Lei Wen wrote:

> The issue we are having right now is the certificate installed on the
> container is a self signed cert, we were trying to migrate this cert to a
> real trusted CA cert, or a Baltimore root cert.

That will not work for an intercepting ("transparent") proxy.

> I do notice that it is illegal for a trusted CA to issue official cert to
> squid because squid itself is man-in-the-middle, so Squid can only accept
> self signed cert and squid as root CA?

This is correct.

Squid is acting as a man-in-the-middle for *any* web request your users choose 
to pass through it, therefore it has to present a certificate to their browser 
which is valid for whatever domain they have requested.

In effect, it would need a wildcard certificate for the entire Internet.

No CA is going to give you that.


Regards,


Antony.

-- 
"How I managed so long without this book baffles the mind."

 - Richard Stoakley, Group Program Manager, Microsoft Corporation,
   referring to "The Art of Project Management", O'Reilly press



Re: [squid-users] Configure A Native FTP proxy on Squid

2020-04-26 Thread Antony Stone
On Sunday 26 April 2020 at 08:42:11, Amos Jeffries wrote:

> On 26/04/20 8:26 am, Antony Stone wrote:
> > On Saturday 25 April 2020 at 19:27:51, Dawood Aijaz wrote:
> >> 
> >> Currently, I am developing a Data Loss Prevention Tool. One of the
> >> requirements is to monitor FTP traffic. So can someone help me set up an
> >> FTP native proxy in squid and how will I be able to monitor FTP traffic
> > 
> > Why do you want to use Squid for this purpose when Squid is not a native
> > FTP proxy?
> 
> As of v3.5 the latest Squid actually can do native FTP relay.
> 
> <http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.6>

Oh!

Thanks for the correction, Amos.

Apologies to Dawood for giving outdated information.


Regards,


Antony.

-- 
Most people have more than the average number of legs.



Re: [squid-users] Configure A Native FTP proxy on Squid

2020-04-25 Thread Antony Stone
On Saturday 25 April 2020 at 19:27:51, Dawood Aijaz wrote:

> Hi,
> 
> Currently, I am developing a Data Loss Prevention Tool. One of the
> requirements is to monitor FTP traffic. So can someone help me set up an
> FTP native proxy in squid and how will I be able to monitor FTP traffic

Why do you want to use Squid for this purpose when Squid is not a native FTP 
proxy?

Squid can handle FTP traffic when it is proxied by an HTTP-proxy-aware client.

It will not "transparently" intercept and proxy standard FTP traffic without the 
client being specifically configured to use Squid.

In my opinion you are trying to use the wrong tool for the job.

Also, if you are developing a Data Loss Prevention Tool, then in my opinion 
one of the first things you should do is to stop people using FTP and make them 
use something secure instead.

Good luck in your endeavours.


Antony.

-- 
What is brown, lies in the grass, and smokes?
A chimney bunny...



Re: [squid-users] setup FTP proxy and FTP content monitoring (Antony Stone)

2020-04-23 Thread Antony Stone
On Wednesday 22 April 2020 at 15:48:57, Dawood Aijaz wrote:

> "a*ll I want from squid proxy is to intercept FTP and expose all the FTP
> data "*

I think you're looking at the wrong tool for a job like this.

When you say "intercept" it sounds like you want something which will act in 
between an FTP client and an FTP server, without either of them being 
configured to use it or knowing that it is there.

Squid is not such a thing.  It *can* be made to work in intercept mode for HTTP, 
but not (as far as I know) for FTP.

When you say "expose all the FTP data", the simplest approach to this might be 
a packet capture application on your router (such as tshark), getting data 
from ports 20 and 21 (although active FTP mode would make this considerably 
more challenging).

Maybe you want to look at a tool such as frox.  It's an old project, but then 
FTP is an old protocol (and frankly I'm surprised that anyone wants to use 
something so insecure these days).


Best wishes,


Antony.

-- 
I bought a book on memory techniques, but I've forgotten where I put it.



Re: [squid-users] setup FTP proxy and FTP content monitoring

2020-04-21 Thread Antony Stone
On Tuesday 21 April 2020 at 17:26:05, Dawood Aijaz wrote:

> Hi,
> I am currently working on a task to monitor FTP traffic and analyze it.
> So can somebody help me to set up FTP proxy for squid and to analyze FTP
> data

Squid supports FTP natively.  You don't need to configure anything special 
provided your FTP setup is operating on standard ports etc.

Have you tried telling your client/s to use Squid for FTP and run into 
problems?

If so, give us details of your network arrangement, what configuration you have 
done, and what problems you run into, and we can try to help.

If you haven't tried yet, give it a go and see if it "just works" :)

Regarding the data analysis, this is not really a Squid question - we'd need 
to know what sort of analysis you want to do and what sort of results you're 
looking to get out of the end of it, and that question may be more suited to 
another forum such as Icinga or Grafana, for example.

Squid will do the proxying, but it's not a data analysis tool.


Regards,


Antony

-- 
The next sentence is untrue.
The previous sentence is true.



Re: [squid-users] [squid-announce] [ADVISORY] SQUID-2019:4 Multiple Issues in HTTP Request processing

2020-04-19 Thread Antony Stone
On Sunday 19 April 2020 at 11:47:41, Dmitry Melekhov wrote:

> 19.04.2020 12:37, Amos Jeffries wrote:
> > On 19/04/20 8:22 pm, Dmitry Melekhov wrote:
> >
> > > 4.10 does not contain fix :-)
> > 
> > Which fix are you talking about?
> > 
> > The bug this advisory is talking about definitely is fixed in Squid
> > 4.10 code. The patch was added way back in 4.8 release.
> 
> Affected versions:  Squid 3.5.18 -> 3.5.28
>  Squid 4.0.10 -> 4.7

You omitted the next line:

Fixed in version:   Squid 4.8

> Well, this announcement is extremely misleading then...

What's misleading?

It's a standard security advisory telling us what the vulnerability is, which 
versions are affected, and which version it is fixed from.


Regards,


Antony.

-- 
BASIC is to computer languages what Roman numerals are to arithmetic.



Re: [squid-users] Confirmation page not working

2020-04-17 Thread Antony Stone
On Friday 17 April 2020 at 15:32:38, TarotApprentice wrote:

> Trying to visit the confirmation page at
> http://lists.squid-cache.org/confirm/squid-users/ but it doesn’t seem to
> be responding. I’ve tried over a couple of days.

When you say "not responding", do you mean you get no page content shown in 
your browser, or do you mean that you fill in the confirmation string and click 
on 'submit' but it then doesn't accept your confirmation?

The page itself loads fine for me here, and I've only ever confirmed mailman 
subscriptions by email - just reply to the email you got asking you to visit 
the confirmation page, making sure you reply from the address you asked to 
subscribe to the list.

No need to change anything about the email you get, just do a "reply" and 
"send" exactly as it is.


Antony.

-- 
Success is a lousy teacher.  It seduces smart people into thinking they can't 
lose.

 - William H Gates III



Re: [squid-users] Setting up proxy with private to public

2020-04-16 Thread Antony Stone
Sorry, replying to the list this time - for some reason my previous reply went 
to your private address.


On Wednesday 15 April 2020 at 15:08:36, Chris Bidwell - NOAA Federal wrote:

> So after looking further.  It looks like when I'm trying to wget from my
> squid server, which has the two nics (internal and public), it's trying to
> send it through the internal connection.  It doesn't seem to want to route
> through the external nic.

Okay, so not currently a Squid problem, then.

What does "route -n" tell you, and what do you think your default gateway 
address to the Internet should be (ie: what's the address of the router which 
you think Squid should be using from its external interface to get to the 
Internet)?


Antony.

-- 
Python is executable pseudocode.
Perl is executable line noise.



Re: [squid-users] Setting up proxy with private to public

2020-04-14 Thread Antony Stone
On Tuesday 14 April 2020 at 16:03:19, Chris Bidwell - NOAA Federal wrote:

> Okay, so I think I'm starting to get somewhere but the connection isn't
> completing. I can see the connection come through my firewall, but the
> handshake doesn't appear to be happening.

Tell us more about your network setup.  Is the firewall between the clients and 
Squid, between Squid and the Internet, or do you have both?

Can you do a simple Ping test from a client machine to the Squid server (and 
get replies)?

Can you do the same from the Squid server to some Internet-based web server 
(making sure it's one which replies to pings - some machines are badly 
configured and don't do this).

> My squid access log is saying:  TCP_MISS/503.

I'm sure it says a lot more than that, but at least it's an indication that 
your client is getting the request through to Squid okay.

Assuming the Ping test from Squid to an Internet web server works, what 
happens if you try wget, lynx, curl or even telnet to port 80, from the Squid 
server to some external web server?  Does it indicate that the Squid server 
has "Internet access"?


Antony.

-- 
Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.

 - Damian Conway, Perl God



Re: [squid-users] Setting up proxy with private to public

2020-04-13 Thread Antony Stone
On Monday 13 April 2020 at 23:46:46, Chris Bidwell - NOAA Federal wrote:

> Sure.  So we have a few internal networks that aren't meant to have direct
> internet access without access through a proxy so that it can be better
> regulated and monitored.

Okay, that's a useful starting point.

> We've got several internal subnets that need to be able to talk through
> squid (I've chosen tcp/8080) to connect to from internally and want to
> translate that to an external IP address that does have access to the
> outside world.

That sounds perfectly straightforward, provided your Squid server has routing 
to connect back to those internal networks.

> Once again, the squid server has two IP addresses.  One internal, and one
> external.  The outbound traffic would be accessible through that external
> ip.

So, you configure your internal clients to connect to the internal address of 
the Squid machine, and tell them that the proxy is listening on port 8080.

Add the subnet definitions (if they are not 10.0.0.0/8, 172.16.0.0/12 or 
192.168.0.0/16) to Squid's configuration file.  If you *are* using such RFC1918 
addresses, these are automatically supported by Squid and you do not need to 
configure for your internal network ranges.

You don't need to do anything special to get Squid to use its external address 
for the connections out to the Internet - that's handled by the Linux 
networking stack.

> I hope I'm making *some* sense.  :)

I think so.

My suggestion from here on is: install Squid, configure a test client to use 
it, and see if it works.

If not, give us enough information to understand what you've done (both the 
setup and the testing) so we could reproduce it for ourselves, and we'll try 
to help further.


Best wishes,


Antony.

-- 
Why can't pirates calculate the circumference of a circle?
Because they're pi-rates...




Re: [squid-users] Setting up proxy with private to public

2020-04-13 Thread Antony Stone
On Monday 13 April 2020 at 21:19:04, Chris Bidwell - NOAA Federal wrote:

> Hi all,
> 
> Very new to squid and am looking to setup several internal subnets to
> access external network (internet) through squid on a separate interface.

What are you trying to achieve by using Squid?  What is your objective, 
compared to giving clients direct access to the Internet?

> Server has two IP's.  One private internal and one public.  Can someone
> point me in the right direction to get this setup?  Running RHEL7.

Firstly, install Squid and look at its configuration file.  It is *very* well 
commented / documented, and there is *very* little you need to change in order 
to get it working on your network.

For more details, see:

https://wiki.squid-cache.org/SquidFaq/BinaryPackages

https://wiki.squid-cache.org/SquidFaq/ConfiguringSquid
https://wiki.squid-cache.org/SquidFaq
https://wiki.squid-cache.org/ConfigExamples

https://www.packtpub.com/squid-proxy-server-31-beginners-guide/book
http://www.oreilly.com/catalog/squid/

(All the above available from http://www.squid-cache.org )


> Do I need to create static routes?

Provided the machine you want to install Squid on can reach (a) arbitrary web 
servers on the Internet, and (b) the client machines on your internal 
networks, then no.

If not, then yes, you will need to add suitable routes so that the Squid 
server can find both origin servers and clients.

> Do I need firewalld rules in place?

A firewall is always a good idea, however Squid imposes no special requirement 
of its own here.

A very good starting point for firewalls is "allow the traffic you know you want, 
block the traffic you know you do not want, and log and block the traffic you're 
not sure about - then look at the logs and adjust the rules as necessary to 
keep the log entries minimal".


Finally, if you run into problems, come back here and tell us:

 - what you want to achieve
 - what you did to try to achieve it
 - how you tested whether it worked
 - what you found which told you it didn't work

Basically, give us enough information to understand what you're trying to do, 
what you've done to get there, and what went wrong (such that we could 
reproduce the problem for ourselves if need be), and people here will happily 
help out.


Regards,


Antony.

-- 
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
forgot to feed the dog!"



Re: [squid-users] Squid transparent not caching apt requests from deb.debian.org

2020-04-03 Thread Antony Stone
On Friday 03 April 2020 at 22:26:13, zrm wrote:

> Greetings! Today I bring you a Squid cache mystery.

> In the first case we get TCP_MISS every time because it isn't caching
> the data, in the second case it's only the first time and after that we
> get TCP_REFRESH_UNMODIFIED. But how and why is this happening?

Given that this is an intercepting proxy and you're using HTTP (not HTTPS), 
can you do a packet capture with tshark or similar on the internal interface, 
to show the full details of the HTTP request which comes in to Squid from apt, 
and the same for wget, to see what difference there is?


Antony.

-- 
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".



Re: [squid-users] Allowing a port only to certain IP/host

2020-03-09 Thread Antony Stone
On Monday 09 March 2020 at 15:43:14, Service MV wrote:

> Hello everyone, I need to enable port 22 in squid but only to a certain
> server (host.domain.com) in particular, so that the rest of the world
> cannot be accessed via SSH.

Squid does not support SSH.

> I would like to know this is the right way to do it:

Use iptables or whatever other firewall software you use on your gateway router 
to block all TCP port 22 outbound access except destination host.domain.com


Antony.

-- 
"640 kilobytes (of RAM) should be enough for anybody."

 - Bill Gates



Re: [squid-users] About intercept https

2020-02-25 Thread Antony Stone
On Tuesday 25 February 2020 at 20:49:25, Yurii wrote:

> Hi to all. I need help.
> The task is to configure squid in intercept mode to proxy http/https
> traffic.

I cannot view any of the pastebin links you provide below.

Please just cut and paste the information into an email reply, so we can read 
it here and then hopefully advise you.

> Installed Squid 4.10 (configuration: https://pastebin.com/Gg2VPr0v) Ubuntu
> 18.04. Redirect traffic from Mikrotik to Ubuntu (ip firewall mangle & ip
> route: https://pastebin.com/5UrNcsEc), and there 80, 443 traffic to Squid
> 3129, 3130 (iptables: https://pastebin.com/kXxy8zHb).
> 
> DNS squid use the same as on client machines. In squid.conf dns_v4_first
> on. DNS lookup time in access.log: https://pastebin.com/zdwHjRHk
> 
> There is a problem - long loading of http/https pages.  In the case of
> https - "Creating a secure connection", http - "Waiting..." and so for
> 5-10 seconds.
> Please, tell me what is wrong?
> 
> Squid.conf is here -  https://pastebin.com/MX5mNi5q
> Localnet - 10.3.198.0/24
> Mikrotik - 10.3.198.254
> Squid - 10.3.198.224

Regards,


Antony.

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.



Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread Antony Stone
On Monday 02 December 2019 at 19:31:43, Ahmad Alzaeem wrote:

> Thank you for that .
> 
> Is it possible to run it from squid ?

I don't understand that question.

You start Squid; it listens for incoming connections and sends them on to the 
external servers (and gets the responses etc, etc...)

At the same time, you run the packet sniffer on the machine where Squid is 
running, and it collects all the traffic passing between Squid and the rest of 
the Internet.

Then you make your request/s with a browser (or wget, curl, as you wish), and 
let Squid do its thing, and let the packet sniffer capture what happened.

After it's all over, you then have a packet capture which you can analyse (eg: 
using wireshark) to find out what Squid sent to the server/s, and what came 
back again.


Antony.

> > On Dec 2, 2019, at 8:58 PM, Antony Stone wrote:
> > 
> > On Monday 02 December 2019 at 18:34:31, Ahmad Alzaeem wrote:
> >> Hello Team,
> >> 
> >> How can i debug Headers that is between squid——> website request made
> > 
> > Run a packet sniffer (tcpdump, wireshark, tshark...) on the Squid server,
> > looking at the external interface (ie: the one pointing to the
> > website/s).
> > 
> >> I need to see what headers squid sends to the website
> >> and what the website replies to squid.
> > 
> > So long as you're doing HTTP (as per your example) and not HTTPS, any
> > packet sniffer and protocol analyser (wireshark is *very* good at this)
> > will show you this quite easily.
> > 
> > 
> > Antony.

-- 
"It wouldn't be a good idea to talk about him behind his back in front of 
him."

 - murble



Re: [squid-users] debug headers between squid --> website

2019-12-02 Thread Antony Stone
On Monday 02 December 2019 at 18:34:31, Ahmad Alzaeem wrote:

> Hello Team,
> 
> How can i debug Headers that is between squid——> website request made

Run a packet sniffer (tcpdump, wireshark, tshark...) on the Squid server, 
looking at the external interface (ie: the one pointing to the website/s).

> I need to see what headers squid sends to the website
> and what the website replies to squid.

So long as you're doing HTTP (as per your example) and not HTTPS, any packet 
sniffer and protocol analyser (wireshark is *very* good at this) will show you 
this quite easily.


Antony.

-- 
Atheism is a non-prophet-making organisation.



Re: [squid-users] After enabling IPv6 squid no longer responds

2019-11-14 Thread Antony Stone
On Thursday 14 November 2019 at 19:50:00, James Moe wrote:

> On 13/11/2019 12.36 pm, James Moe wrote:
> >   After adding v6 addresses to the server and hosts, and enabling an RA,
> >   squid no longer delivers anything from its cache, or is exceedingly slow
> >   about it.
> 
>   Here is a typical error message from squid:
> 
> The following error was encountered while trying to retrieve the URL:
> http://dx.doi.org/
> Connection to 2606:4700:20::681a:9ed failed.
> The system returned: (110) Connection timed out
> 
>   There is nothing in the access.log; the request is utterly ignored.
>   When I have the browser bypass the proxy, the site loads almost instantly.

Have you confirmed (for example with a network packet sniffer) that the browser 
is connecting directly to the site also using IPv6?


For that matter, have you used a packet sniffer to find out what Squid is doing, 
in terms of requests sent and possible responses received?


Antony.

-- 
Wanted: telepath.   You know where to apply.



Re: [squid-users] Unsuccessful at using Squid v4 with intercept

2019-10-30 Thread Antony Stone
On Wednesday 30 October 2019 at 17:11:29, FOUTREL Sébastien wrote:

> Hello, I would like to use squid as a transparent proxy for my users.

> "Clients" are behind a Debian "Router" which MASQUERADE them (as they use
> RFC 1918 ips).
> 
> I have a Squid 4.6 from Debian Buster packages installed on a "Proxy"
> server which is outside my network.
> 
> I read a lot of tutorials and examples from squid site...

Did that include the links I've given below?

> I applied a DNAT to traffic coming from Clients through Router to Proxy.
> 
> iptables -tnat -A PREROUTING -i LAN_3500 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination :3129

Have you put this rule onto the firewall you mention, or the Squid box itself?

https://wiki.squid-cache.org/SquidFaq/InterceptionProxy
#Requirements_and_methods_for_Interception_Caching

states "NAT configuration will only work when used *on the squid box* ."

So, you *must* put that rule on the Squid machine itself, not on the firewall.

It goes on to say "To intercept from a gateway machine and direct traffic at a 
separate squid box use policy routing." with a link to 
https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

> HTTP is coming to squid successfully but squid logs show a request coming
> from proxy itself and a request coming from Router (as Clients are NATed
> by Router)

Ah, so you *are* doing the NAT on the router :)  Don't :)

> if I allow in squid.conf the Proxy IP, I end up with a Forward loop...
> 
> 
> I also tried the tproxy scenario with no success.

Well, give us some details of what you tried, how you configured it, what 
worked, and what didn't work, and we might be able to help, otherwise we can 
only say "well, tproxy does work if set up properly, so if yours doesn't work, 
it isn't set up properly", which isn't a very helpful answer...


Antony.

-- 
If at first you don't succeed, destroy all the evidence that you tried.


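The layout Antony describes, written out as an added example (it is not from the thread or the Squid wiki): the NAT rule lives on the Squid box, the router does policy routing with no NAT at all, and Squid gets a dedicated intercept port. Interface names (eth0, lan0), the Squid box address 192.0.2.10 and port 3129 are placeholders. With no argument the script only defines functions; --show prints every command and config line for review, --apply runs the Squid-box rules when executed as root.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid wiki. Placeholders to adjust:
#   SQUID_IF   interface on the Squid box where client traffic arrives   (eth0)
#   SQUID_PORT the port from "http_port 3129 intercept" in squid.conf    (3129)
#   LAN_IF     client-facing interface on the router                     (lan0)
#   SQUID_IP   the Squid box as the router reaches it                    (192.0.2.10)
# With no argument this only defines functions; --show prints every command
# and config line for review; --apply runs the Squid-box rules (root only).

# Rules that belong ON THE SQUID BOX (the FAQ's "NAT only on the squid box").
# Squid recovers the original destination of an intercepted connection from
# the local NAT table; a DNAT done on another host leaves nothing to look up.
# PREROUTING matches only packets arriving on an interface, so the connections
# Squid itself opens to origin servers (locally generated, OUTPUT chain) are
# never fed back into Squid. Catching Squid's own port-80 traffic is what
# produces the "request coming from the proxy itself" forwarding loop.
squid_box_rules() {
    iface=$1 port=$2
    cat <<EOF
iptables -t nat -A PREROUTING -i $iface -p tcp --dport 80 -j REDIRECT --to-ports $port
iptables -A INPUT -i $iface -p tcp --dport $port -j ACCEPT
EOF
}

# Rules that belong ON THE ROUTER when Squid is a separate machine: no NAT.
# Port-80 packets from the LAN are marked and policy-routed to the Squid box
# unchanged, so Squid sees the real client address and the real destination.
# The router-to-Squid leg must not be masqueraded, or every client shows up
# as the router (the poster's second symptom). Mark value and table number
# are arbitrary; this is the fwmark / ip rule pattern the wiki page describes.
# The Squid box needs a route back to the clients' RFC 1918 range via the router.
router_rules() {
    lan_if=$1 squid_ip=$2
    cat <<EOF
iptables -t mangle -A PREROUTING -i $lan_if -p tcp --dport 80 -j MARK --set-mark 1
ip rule add fwmark 1 table 100
ip route add default via $squid_ip table 100
EOF
}

# squid.conf: intercepted traffic gets its own port; explicitly configured
# browsers keep using 3128. Keep the two modes on separate ports.
squid_conf_ports() {
    cat <<EOF
http_port 3128
http_port $1 intercept
EOF
}

SQUID_IF=${SQUID_IF:-eth0}
SQUID_PORT=${SQUID_PORT:-3129}
LAN_IF=${LAN_IF:-lan0}
SQUID_IP=${SQUID_IP:-192.0.2.10}

case "${1:-}" in
    --show)
        squid_box_rules "$SQUID_IF" "$SQUID_PORT"
        router_rules "$LAN_IF" "$SQUID_IP"
        squid_conf_ports "$SQUID_PORT" ;;
    --apply)
        if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
            squid_box_rules "$SQUID_IF" "$SQUID_PORT" | sh -e
        else
            echo "need root and iptables; use --show to review the rules" >&2
            exit 1
        fi ;;
esac
```

Run it with --show first and compare against what is currently loaded (`iptables -t nat -S` on the Squid box, `ip rule` on the router). If access.log still shows the router's address as the client, the router-to-Squid leg is being masqueraded; if it shows the proxy's own address, Squid's outbound traffic is being redirected, which means a NAT rule is still sitting on the wrong box.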

Re: [squid-users] Multiple LDAP authentication server for Squid

2019-09-16 Thread Antony Stone
On Monday 16 September 2019 at 12:17:12, Antonino Sanacori wrote:

> Thanks Amos but I have a 3.x version.

Try http://www.squid-cache.org/Versions/v3/3.5/manuals/basic_ldap_auth.html 
then.

Antony.

> On 13/09/2019 11:17, Amos Jeffries wrote:
> > On 12/09/19 10:41 pm, Antonino Sanacori wrote:
> >> Hi.
> >> 
> >> I use one ldap server for authentication of my users but now i have new
> >> users on another branch of same ldap server.
> >> 
> >> How can I configure squid.conf for support ldap authentication of my
> >> users on different branches?
> > 
> > Squid does not do LDAP itself.
> > 
> > Find out instead whether the helper you are using for auth is capable of
> > it.
> > 
> > The Basic auth can use a search filter instead of an absolute UID
> > parameter.
> > 
> > 
> > Amos

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.


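What Amos's "search filter instead of an absolute UID" looks like in squid.conf, as an added example (not from the thread or the Squid manual). The helper path is the Debian one (/usr/lib64/squid/ on RHEL-type systems), the directory ldap.example.com, the two user branches and the bind account are all placeholders.

```conf
# Added example, not from the thread. Assumptions: basic_ldap_auth at
# /usr/lib/squid/basic_ldap_auth, users under ou=staff,dc=example,dc=com and
# ou=contractors,dc=example,dc=com, a read-only bind account whose password is
# in /etc/squid/ldap.secret (mode 0600, owned by the Squid user).
#
# The point from Amos's reply: rather than "-u uid -b ou=staff,dc=example,dc=com"
# (one branch, absolute DN), search from the common base with -s sub and a
# filter; every branch below dc=example,dc=com is then covered without listing
# it. The auth_param ... program line must stay on one line in squid.conf.
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -P -Z -h ldap.example.com -b "dc=example,dc=com" -s sub -f "(&(objectClass=inetOrgPerson)(uid=%s))" -D "cn=proxy,ou=svc,dc=example,dc=com" -W /etc/squid/ldap.secret
auth_param basic children 10 startup=5 idle=2
auth_param basic realm Proxy authentication
auth_param basic credentialsttl 5 minutes

acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access deny all

# Test the helper on its own before restarting Squid. It reads "username
# password" lines on stdin and answers OK or ERR, exactly as Squid drives it:
#   echo "alice secret" | /usr/lib/squid/basic_ldap_auth -v 3 -h ldap.example.com \
#       -b "dc=example,dc=com" -s sub -f "(uid=%s)"
# Basic auth carries the password base64-encoded, not encrypted: limit which
# clients can reach this port, or terminate TLS between browser and proxy.
```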

Re: [squid-users] squid email using curl/smtp using squid

2019-09-08 Thread Antony Stone
On Sunday 08 September 2019 at 17:35:24, --Ahmad-- wrote:

>  ?

It might be that:

a) we don't quite understand what you have done: "i enabled port port in squid 
for mailing in squid ssl ports 587" is not easy to understand

or

b) Squid is not designed to be an email proxy, so why are you trying to use it as 
one?


Antony.

> > On 7 Sep 2019, at 23:24, --Ahmad-- wrote:
> > 
> > Hello Team
> > 
> > i enabled port port in squid for mailing  in squid ssl ports 587.

I do not understand what that means.

> > curl  --url 'smtp://smtp.gmail.com:587' --ssl-reqd --mail-from
> > '@gcom' --mail-rcpt 'y...@gmail.com'  --upload-file mail.txt
> > --user '...@gmail.com:mm' --insecure  -x  5.5.152.44:32000 -U
> > xpostfix:xpostfix -vv
> > 
> > here what i get in squid  error :
> > 
> > 07/Sep/2019:16:23:59 -0400  0 1.1.124.243 - 2.2.152.44 32000
> > TCP_DENIED_REPLY/403 290 PUT ://smtp.gmail.com:587/mail.txt - HIER_NONE/
> > - - -
> > 
> > if i remove squid section :
> > 
> > -x  5.5.152.44:32000 -U xpostfix:xpostfix
> > 
> > im able to send the email .
> > 
> > 
> > anything else do i need to do in squid ?

Don't use it as a mail proxy?


Antony.

-- 
If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.



Re: [squid-users] SQUID proxy to access web application from another subnet

2019-08-22 Thread Antony Stone
On Friday 23 August 2019 at 00:21:48, jagadeesh am wrote:

> Hello,
> 
> I have one query. Could you please suggest me what to do.

Read the documentation :)

> I have a requirement to access a web application running on Server 1 which
> is connected to Private network 192.168.2.2 network , from Client machine
> which is connected to Public network (16.x.x.x) using SQUID PROXY.
> 
> Is it possible to browse the web application running on server 1 from
> Client using SQUID?

Yes.

> If yes, could you please guide / suggest me how do I accomplish using
> SQUID.

https://wiki.squid-cache.org/SquidFaq/ReverseProxy

> Note: SQUID system is connected to both Public and Private network.

Good.

> SQUID is configured on Windows Server 2016.

Oh well, that'll probably work.


Antony.

-- 
What do you get when you cross a joke with a rhetorical question?



Re: [squid-users] squid.config

2019-08-13 Thread Antony Stone
On Tuesday 13 August 2019 at 21:18:51, Sérgio Vieira wrote:

> Hello,
> Regarding squid config file, on MacOS, I can’t add the following parameter:
> strip_query_terms off
> 
> I can access the file and edit it, but after restart the file removes the
> added line...
> 
> I have the config file at /Users/sergiovieira/Library/Preferences

My first questions would be: How did you install Squid on this machine?  What 
instructions did you follow?

That looks like a really unusual path to the squid.conf file to me, but then 
again I don't use a Mac, so maybe it's entirely reasonable.

However, a bit more information would probably be helpful:

 - which version of OSX are you installing on?

 - which version of Squid are you installing?

 - as asked before, how are you installing it?

 - how do you start / stop the Squid process?

Regards,


Antony.

-- 
Schrödinger's rule of data integrity: the condition of any backup is unknown 
until a restore is attempted.



Re: [squid-users] Squid + OpenSSL w/FIPS

2019-07-02 Thread Antony Stone
On Tuesday 02 July 2019 at 23:05:27, Cody Cushing wrote:

> Hello, I would like to use Squid as a forward proxy to ensure traffic
> leaving my VM is using a TLS connection negotiated through a client using
> FIPS certified encryption. I have OpenSSL w/FIPS configured on my VM, and
> Squid properly configured as a forward proxy.

So, surely all you need is a firewall to block any direct traffic which 
attempts to bypass the TLS client?

> What I do not know is:
> • is this sufficient (does Squid use any available OpenSSL crypto on the
> system)
> • or do I need to compile a custom Squid build referencing the OpenSSL fips
> "modules" (two C libraries)
> • or does Squid reference completely different crypto libraries and neither
> of the above two considerations are even valid

You say you want to use "a TLS connection negotiated through a client using 
FIPS certified encryption".  What's at the other end of that connection (ie: 
what is your VM talking to to create this link)?

Are you saying that you want HTTPS connections from your VM to go only to 
remote servers which support this FIPS-certified TLS method, and no other 
websites should be accessible?

Or, are you trying to tunnel HTTP and HTTPS traffic from your VM to some 
trusted endpoint - if so, what happens to it from there?

Basically, given a connection from your VM to some random website, what part 
of the connection are you trying to encrypt in this specific way?


Regards,


Antony.

-- 
"Life is just a lot better if you feel you're having 10 [small] wins a day 
rather than a [big] win every 10 years or so."

 - Chris Hadfield, former skiing (and ski racing) instructor



Re: [squid-users] Useragent request/reply headers with squid .

2019-06-15 Thread Antony Stone
On Saturday 15 June 2019 at 11:37:29, --Ahmad-- wrote:

> Guys, I'm just trying to understand the HTTP protocol and squid as a GW for
> the internet.

Hm, "understand" or "break" :) ?

> I just want to know how squid can deal with headers.

You *have* read the warning / advice at
http://www.squid-cache.org/Doc/config/request_header_access/
"Doing this VIOLATES the HTTP standard.  Enabling this feature could make you 
liable for problems which it causes." ?

> I just want to know how squid can prevent the useragent from the browser being sent
> to the website

Why?  What is your purpose for this?


Antony.

-- 
I still maintain the point that designing a monolithic kernel in 1991 is a 
fundamental error.  Be thankful you are not my student.  You would not get a 
high grade for such a design :-)
 - Andrew Tanenbaum to Linus Torvalds


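The directive pair behind the documentation page Antony links, as an added example (not from the thread): one line removes the browser's User-Agent, the other supplies a replacement. The port and the replacement string are placeholders.

```conf
# Added example, not from the thread. Placeholders: port 3128, the replacement
# string, and the 192.0.2.0/24 client range in the narrower variant.
http_port 3128

# Remove the browser's User-Agent from every request Squid forwards upstream.
request_header_access User-Agent deny all

# request_header_replace only acts on a header a deny rule above removed;
# without it the request leaves with no User-Agent at all, and some origin
# servers answer that with an error page.
request_header_replace User-Agent Mozilla/5.0 (compatible; generic)

# The documentation warns this violates HTTP, so keep it deliberate and scoped.
# A narrower form strips the header only for selected clients (unmatched
# requests fall through to the default, which is allow):
#   acl anon src 192.0.2.0/24
#   request_header_access User-Agent deny anon
#
# Check the file parses before reloading:   squid -k parse -f /etc/squid/squid.conf
# Then verify the way the "debug headers" reply suggests: sniff the outbound
# side and confirm the header is gone. That only works for plain HTTP; for
# HTTPS carried through CONNECT Squid never sees the inner request headers,
# so this directive cannot touch them.
```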

Re: [squid-users] Squid auth helpers aren't installing

2019-05-23 Thread Antony Stone
On Thursday 23 May 2019 at 09:37:44, amlgp wrote:

> Hi, I am using Centos 6 and for some reason the Squid helpers aren't
> installing. I go to /usr/lib64 after installing squid and there is no auth
> helpers in there at all. I am on a 64bit computer and I have checked
> /usr/lib and they both don't have any auth helpers at all. I am using
> "Squid 7:3.5.28-1.el6".
> 
> What could be wrong? Thank you in advance.

Well, firstly, please show us the commands you are using to install Squid and 
its helpers, plus any output which doesn't look encouraging (warnings, error 
messages, comments about something not being found, etc...)

If you're installing from packages, please also tell us which package 
repositories you are using.


Antony.

-- 
"It is easy to be blinded to the essential uselessness of them by the sense of 
achievement you get from getting them to work at all. In other words - and 
this is the rock solid principle on which the whole of the Corporation's 
Galaxy-wide success is founded - their fundamental design flaws are completely 
hidden by their superficial design flaws."

 - Douglas Noel Adams



Re: [squid-users] Squid proxy in Azure

2019-05-20 Thread Antony Stone
On Monday 20 May 2019 at 09:43:56, Peter Spencer wrote:

> Good morning
> 
> Was hoping you could please advise.. we are looking to put a squid proxy in
> Azure. Reason being, we have two sites with network resilience. At the
> moment, we have one squid proxy on one of our local site DCs, and would
> ideally like to place this in Azure. So if either site goes down, internet
> traffic is routed via Azure and is still monitored. Does the squid proxy
> work over WAN?

Squid doesn't care how the requests get routed to it, or how its requests get 
routed to the origin servers, or how the replies work, so long as they do.

You can use LAN, WAN, VPN, private addresses, public addresses, IPv4, IPv6, 
anything to get the packets where they need to be.  Squid doesn't care.


Antony.

-- 
Wanted: telepath.   You know where to apply.



Re: [squid-users] youtube restriction.

2019-04-08 Thread Antony Stone
Hi.

I'm replying in the original thread, to keep this conversation together in the 
archives etc.

On Monday 08 April 2019 at 11:15:00, Wegner Michaël wrote:

> Hi Antony,
> 
> The video is OK if I do not use squid v3.5.

So, it's not Youtube blocking that particular video in your country etc.

> If in the squid.conf file I disable redirection to squidguard the problem
> is the same.

Okay, we can disregard SquidGuard as being the problem, then.

> If squid is active, some videos are blocked (the videos in
> restricted mode)

That tells us it's your Squid configuration which is causing the problem.

> With an old version of squid (2.6) there are no problems

There are a *lot* of differences between Squid 2.6 and 3.5, especially for 
HTTPS.  You *have* made suitable adjustments to the configuration file, I hope?


Antony.

> Date: Fri, 5 Apr 2019 15:39:08 +0200
> From: Antony Stone 
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] youtube restriction.
> Message-ID: <201904051539.08777.antony.st...@squid.open.source.it>
> Content-Type: Text/Plain;  charset="iso-8859-15"
> 
> On Friday 05 April 2019 at 15:06:00, Wegner Michaël wrote:
> > Hi,
> > 
> > I installed squid + squidguard, and I can't play youtube videos.
> > For example : https://m.youtube.com/watch?v=Hmj3LToi4W8 ;
> > https://m.youtube.com/watch?v=jbBUQ-uvlRU
> > 
> > Error : video not available access to this video is limited
> 
> 1. Does it work if you do not go via Squid and SquidGuard?
> 
> 2. Can you play any other Youtube videos?
> 
> 3. Given that this is an HTTPS connection, how are you restricting HTTPS
> content with SquidGuard?
> 
> > I have Ubuntu server 18.04 and squid v 3.5.27
> > 
> > Can you help me please
> 
> Regards,
> 
> 
> Antony.

-- 
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
forgot to feed the dog!"



Re: [squid-users] youtube restriction.

2019-04-05 Thread Antony Stone
On Friday 05 April 2019 at 15:06:00, Wegner Michaël wrote:

> Hi,
> 
> I installed squid + squidguard, and I can't play youtube videos.
> For example : https://m.youtube.com/watch?v=Hmj3LToi4W8 ;
> https://m.youtube.com/watch?v=jbBUQ-uvlRU
> 
> Error : video not available access to this video is limited

1. Does it work if you do not go via Squid and SquidGuard?

2. Can you play any other Youtube videos?

3. Given that this is an HTTPS connection, how are you restricting HTTPS 
content with SquidGuard?

> I have Ubuntu server 18.04 and squid v 3.5.27
> 
> Can you help me please

Regards,


Antony.

-- 
"Measuring average network latency is about as useful as measuring the mean 
temperature of patients in a hospital."

 - Stéphane Bortzmeyer


