Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Rafael Akchurin
Hello Daniel, Yuri. Maybe you could dump your whole squid.conf here (please remove any sensitive details). I still cannot understand: once Squid has the target server hostname from SNI, where is the acl/rule in squid.conf that can be used with this info present? Best regards, Rafael

Re: [squid-users] need 206 to be 200

2015-01-26 Thread HackXBack
I always see in access.log for the partial content TCP_HIT_ABORTED/206, and this content eats my whole bandwidth. My conf is: range_offset_limit none partial quick_abort_min 1840 KB quick_abort_max 1844 KB

Re: [squid-users] need 206 to be 200

2015-01-26 Thread Amos Jeffries
On 27/01/2015 1:38 a.m., HackXBack wrote: > I always see in access.log for the partial content > TCP_HIT_ABORTED/206 ABORTED means the client disconnected. There is nothing you can do about that in Squid. HIT means the object delivered came from cache. No upstream bandwidth was consumed in the p

Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Daniel Greenwald
See below. Nothing else too interesting. Those four lines were the key.
http_port 3128
http_port 3180 intercept
https_port 3443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/usr/local/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /u

Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Yuri Voinov
Raf, it will be better to take a look at the Squid source. My config is similar to Daniel's, excluding bump options; I have 3.4.11 in production yet. 26.01.2015 19:37, Daniel Greenwald writes: > See below. Nothing else too interesting. Those four lines were the

Re: [squid-users] FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

2015-01-26 Thread Yuri Voinov
http://bugs.squid-cache.org/index.cgi 26.01.2015 5:09, HackXBack writes: > Dear Yuri, > how I open bug ? > > > > -- > View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/FATAL-The-ssl-crtd-helpers-are-crashing-too-rapidly

Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Yuri Voinov
Daniel, well, but AFAIK the server-first directive is deprecated in 3.5.x. Hmm? 26.01.2015 19:37, Daniel Greenwald writes: > See below. Nothing else too interesting. Those four lines were the key. > > http_port 3128 > http_port 3180 intercept > ht

Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Daniel Greenwald
Call it what you want, it works :) --- Daniel I Greenwald On Mon, Jan 26, 2015 at 10:51 AM, Yuri Voinov wrote: > > Daniel, > > well, > > but AFAIK the server-first directive is deprecated in 3.5.x. > > Hmm? > > 26.01.2015 19:37, Dani

Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Yuri Voinov
I'm not about it. The server-first keyword is deprecated in 3.5.x. AFAIK, the keyword "bump" now has yet another meaning. And also: in your example you can only use acl "all". Any other ACLs lead to a "Bungled config line" error. I.e, for example, acl net_bu

[squid-users] Error negotiating SSL connection on FD 20: error:00000000:lib(0):func(0):reason(0) (5/-1/131)

2015-01-26 Thread Yuri Voinov
Hi gents, who knows what these log messages mean: 2015/01/26 22:02:34 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 20: error:00000000:lib(0):func(0):reason(0) (5/-1/131) 2015/01/26 22:02:41 kid1| fwdNegotiateSSL: Error negotiating S

Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Amos Jeffries
On 27/01/2015 5:37 a.m., Yuri Voinov wrote: > > I'm not about it. > > The server-first keyword is deprecated in 3.5.x. > > AFAIK, the keyword "bump" now has yet another meaning. > > And also: in your example you can only use acl "all". Any other ACLs > lead to a "Bungled config line" error. > > I.e, for ex

Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Yuri Voinov
It's a mistype. :) Of course, I mean acl net_bump src 192.168.101.0/24 Yep, sure, when I change "all" to another ACL the row is bungled. 26.01.2015 23:33, Amos Jeffries writes: > On 27/01/2015 5:37 a.m., Yuri Voinov wrote: >> >> I'm not about it. >> >

[squid-users] HTTPS intercept, simple configuration to avoid bank bumping

2015-01-26 Thread Josep Borrell
Hi all, I'm working on squid 3.5.1 with HTTPS interception, trying to make a peek/splice configuration work and avoid bank bumping. Until now bumping is working fine, but I can't avoid bumping the sites on the acl. All are bumped. Can anybody share a working configuration or take a look at mine to find why i

Re: [squid-users] Error negotiating SSL connection on FD 20: error:00000000:lib(0):func(0):reason(0) (5/-1/131)

2015-01-26 Thread Yuri Voinov
After a bit of Google-Fu ;) I found this: http://stackoverflow.com/questions/14770100/libssl-read-error-131-causing-an-application-crash Is that it? 26.01.2015 23:22, Yuri Voinov writes: > > Hi gents, > > who knows what these log messages mean: > > 20

Re: [squid-users] HTTPS intercept, simple configuration to avoid bank bumping

2015-01-26 Thread Yuri Voinov
You can't use a dstdomain ACL to disable bumping. Only dst with IPs. You don't know the site FQDN before the bump. :) 26.01.2015 23:48, Josep Borrell writes: > > Hi all, > > > > Working on squid 3.5.1 with HTTPS interception. > > Trying to make a peek/spl

Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Daniel Greenwald
Thank you Amos, I have updated to bump. Working well just the same. Even Chrome doesn't complain for Google properties. Very nice. --- Daniel I Greenwald On Mon, Jan 26, 2015 at 12:35 PM, Yuri Voinov wrote: > > It's a mistype. :) > >

Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Yuri Voinov
Still not working. Every HTTPS site produces an error like this: 1422297291.318 0 192.168.100.5 TAG_NONE_ABORTED/000 0 GET https://r5---sn-h xb54vo-304l.googlevideo.com/videoplayback?gir=yes&mm=31&signature=CF822B36D7CA4B 43B8D1244FFF568777CDFB7B

Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Yuri Voinov
With this:
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step2 all
ssl_bump bump step3 all
it doesn't produce errors, but also doesn't bump. No mimicked certificates created. Not one. Yep, permissions are ok. Yep, owner is ok

Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Yuri Voinov
Daniel, are you really sure your configuration does bumping? /var/lib/ssl_db/certs/ remains empty; Squid cannot bump without mimicked certs, which are not produced. I've seen only tunneling CONNECT with your configuration (of course, your browser glad

Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

2015-01-26 Thread Yuri Voinov
No ssl_bump combination worked. With your config I see only: 1422299531.482 18722 192.168.100.5 TCP_TUNNEL/200 99418 CONNECT 128.121.22.133:443 - ORIGINAL_DST/128.121.22.133 - and the connection isn't established. No errors, no bump. C

Re: [squid-users] HTTPS intercept, simple configuration to avoid bank bumping

2015-01-26 Thread Daniel Greenwald
Hmm, according to how I read this page: http://wiki.squid-cache.org/Features/SslPeekAndSplice the following *should* work; however, in my test it bumps all and does not splice. Yuri, I believe the domain name should be available at step2 after peeking in step1. Someone correct me? acl domains_nobump dst

Re: [squid-users] HTTPS intercept, simple configuration to avoid bank bumping

2015-01-26 Thread Yuri Voinov
In theory. I don't see any 3.5.x bump working yet. In 3.4.x bumping is not chunked into stages, and only IP-based dst acls will work. 27.01.2015 1:54, Daniel Greenwald writes: > hmm acc to how I read this page: > http://wiki.squid-cache.org/Features/

Re: [squid-users] Error negotiating SSL connection on FD 20: error:00000000:lib(0):func(0):reason(0) (5/-1/131)

2015-01-26 Thread HackXBack
When you know, tell me, because I asked this question here before and I didn't get any answer.

Re: [squid-users] Error negotiating SSL connection on FD 20: error:00000000:lib(0):func(0):reason(0) (5/-1/131)

2015-01-26 Thread Yuri Voinov
I suggest we are asking in the wrong place :) This is the OpenSSL error stack, not Squid. Also, man, which root CA bundle are you using in your installation? 27.01.2015 2:49, HackXBack writes: > When you know, tell me, because I asked this question here before

Re: [squid-users] HTTPS intercept, simple configuration to avoid bank bumping

2015-01-26 Thread Jason Haar
Well, the documentation says:
# SslBump1: After getting TCP-level and HTTP CONNECT info.
# SslBump2: After getting SSL Client Hello info.
# SslBump3: After getting SSL Server Hello info.
So that means SslBump1 only works for direct proxy (i.e. CONNECT) sessions; it's SslBump2 that peeks into

[squid-users] Host header forgery detected

2015-01-26 Thread Yuri Voinov
Hi gents, who knows what the messages below mean? 2015/01/27 04:11:42.289 kid1| SECURITY ALERT: Host header forgery detected on local=192.168.200.3:80 remote=192.168.200.5:9909 FD 18 flags=33 (intercepted port does not match 443) 2015/01/27 04:11:42.2

Re: [squid-users] HTTPS intercept, simple configuration to avoid bank bumping

2015-01-26 Thread Dan Charlesworth
Wasn't somebody saying that you'd need to write an external ACL to evaluate the SNI host because dstdomain isn't hooked into that code (yet? ever?)? On 27 January 2015 at 08:33, Jason Haar wrote: > > Well the documentation says > > # SslBump1: After getting TCP-level and HTTP CONNECT info. > #

Re: [squid-users] Host header forgery detected

2015-01-26 Thread Amos Jeffries
On 27/01/2015 11:13 a.m., Yuri Voinov wrote: > > Hi gents, > > who knows what the messages below mean? > > 2015/01/27 04:11:42.289 kid1| SECURITY ALERT: Host header forgery > detected on local=192.168