date:20150528

Re: [squid-users] New server_name acl causes fatal error starting Squid 3.5.4

2015-05-28 Thread Stanford Prescott

I have to ask...what version of Squid are you using?

On Wed, May 27, 2015 at 1:41 PM, Mike mmone...@2keys.ca wrote:

 Stanford Prescott stan.prescott at gmail.com writes:

 
 
  Never mind. I figured the acl out. I was using someone else's
 instructions who accidentally left out the double :: ssl::server_name
 using just a single :.


 I am getting the same thing as you except I don't have the mistake you
 did. I literally copied your line into my config and it's still bombing
 out.

 2015/05/27 14:38:25| FATAL: Invalid ACL type 'ssl::server_name'
 FATAL: Bungled /etc/squid/squid.conf line 52: acl nobumpSites
 ssl::server_name .wellsfargo.com
 Squid Cache (Version 3.5.4): Terminated abnormally.
 CPU Usage: 0.006 seconds = 0.002 user + 0.004 sys
 Maximum Resident Size: 24112 KB
 Page faults with physical i/o: 0

 I'm about to just give up on squid..losing my mind. Any ideas?


 
 
  On Wed, May 20, 2015 at 12:36 PM, Stanford Prescott stan.prescott
 at gmail.com wrote:
 
 
  After a diversion getting SquidClamAV working, i am back to trying to
 get peek and splice working. I am trying to put together information
 from previous recommendations I have received. Right now, I can't get
 the server_name acl working. When I put this in my squid.confacl
 nobumpSites ssl:server_name .example.com
  I get a fatal error starting squid  using that acl saying the acl is
 Bungled.
  Is the form of the acl incorrect?
 
 
 
 
 
 
 
  ___
  squid-users mailing list
  squid-users at lists.squid-cache.org
  http://lists.squid-cache.org/listinfo/squid-users
 


 ___
 squid-users mailing list
 squid-users@lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] Ssl-bump deep dive (testing)

2015-05-28 Thread James Lay

So I took the advice of those here to get explicit working first, so
here's my first attempt.  My test environment is Ubuntu 15.04 Server as
the squid server with virtualbox running on it with Kali linux as the
client.  Here's my Squid 3.5.4 configure line:

/configure --prefix=/opt --enable-icap-client --with-openssl
--enable-ssl --enable-ssl-crtd --enable-linux-netfilter
--enable-follow-x-forwarded-for --with-large-files
--sysconfdir=/opt/etc/squid --enable-external-acl-helpers=none



Full squid.conf:
#
acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443

acl CONNECT method CONNECT

http_access allow all

sslproxy_cert_error allow all
sslproxy_cert_error deny all
sslproxy_capath /etc/ssl/certs
sslproxy_flags DONT_VERIFY_PEER 
sslproxy_options ALL

sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

http_port 3129 ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem
cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem
key=/opt/etc/squid/certs/sslsplit_ca_key.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslflags=NO_SESSION_REUSE

external_acl_type sni ttl=30 concurrency=10 children-max=20
children-startup=5 %ssl::sni /opt/etc/squid/bumphelper.py

acl sni_exclusions external sni
acl tcp_level at_step SslBump1
acl client_hello_peeked at_step SslBump2

ssl_bump peek tcp_level all
ssl_bump splice client_hello_peeked sni_exclusions
ssl_bump bump all

logformat mine %a %[ui %[un [%tl] %rm %ru HTTP/%rv %Hs %st %Ss:%Sh
%ssl::bump_mode %ssl::sni %ssl::cert_subject

access_log syslog:daemon.info mine

refresh_pattern -i (cgi-bin|\?) 0   0%  0
refresh_pattern .   0   20% 4320

coredump_dir /opt/var
#


bumphelper.py:
#
#!/usr/bin/python

import sys

while True:
req = sys.stdin.readline()

if not req:
break

id, sni = req.split()

sys.stderr.write('request %r\n' % req)
sys.stderr.flush()

if sni == 'google.com':  # bypass
sys.stdout.write('{} OK\n'.format(id))
sys.stdout.flush()
else:
sys.stdout.write('{} ERR\n'.format(id))
sys.stdout.flush()
#

The tests:
root@kali:~/test# wget -d https://www.google.com
##
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
URI encoding = `UTF-8'
--2015-05-28 17:44:31--  https://www.google.com/
Connecting to 192.168.1.6:3129... connected.
Created socket 4.
Releasing 0x092c6730 (new refcount 0).
Deleting unused 0x092c6730.

---request begin---
CONNECT www.google.com:443 HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)

---request end---
proxy responded with: [HTTP/1.1 200 Connection established

]

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: www.google.com
Connection: Close
Proxy-Connection: Keep-Alive

---request end---
Proxy request sent, awaiting response... 
---response begin---
HTTP/1.1 503 Service Unavailable
Server: squid/3.5.4
Mime-Version: 1.0
Date: Thu, 28 May 2015 23:44:33 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3899
X-Squid-Error: ERR_SECURE_CONNECT_FAIL 32
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from analysis
Via: 1.1 analysis (squid/3.5.4)
Connection: close

---response end---
503 Service Unavailable
URI content encoding = `utf-8'
2015-05-28 17:44:32 ERROR 503: Service Unavailable.


access.log entry for the above wget:
#
May 28 17:44:33 analysis squid: 192.168.1.91 - - [28/May/2015:17:44:33
-0600] CONNECT www.google.com:443 HTTP/1.1 200 0 TAG_NONE:HIER_DIRECT
peek www.google.com -
May 28 17:44:33 analysis squid: 192.168.1.91 - - [28/May/2015:17:44:33
-0600] GET https://www.google.com/ HTTP/1.1 503 4242
TAG_NONE:HIER_NONE - www.google.com -
#



sudo /opt/sbin/squid -d 1 -N -f /opt/etc/squid/squid.conf
##
2015/05/28 17:44:33| Error negotiating SSL on FD 14:
error::lib(0):func(0):reason(0) (5/-1/32)
##


I see the same type of thing for apple.com and yahoo.com.  I'm assuming
this is HSTS, but I could be wrong.  MSN however works fine with the
above:
root@kali:~/test# wget -d https://www.msn.com
##
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
URI encoding = `UTF-8'
--2015-05-28 18:24:50--  https://www.msn.com/
Connecting to 192.168.1.6:3129... connected.
Created socket 4.
Releasing 0x0a6493c0 (new refcount 0).
Deleting unused 0x0a6493c0.

---request begin---
CONNECT www.msn.com:443 HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)

---request end---
proxy responded with: [HTTP/1.1 200 Connection established

]

---request begin---
GET / HTTP/1.1

Re: [squid-users] Logformat tag for a specific ACL

2015-05-28 Thread FredB


 Yes, but not to the same log file. Like this:
 
  access_log daemon:/var/log/squid/access.log squid !test
 
  access_log daemon:/var/log/squid/access_test.log fred test
 
 
 Amos
 
 ___
 squid-users mailing list
 squid-users@lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users
 

Thank Amos,

This should be a great feature, for debugging or tag the web filtering (ports, 
website, mp3, etc)
Fo example, actually with many complex rules the return code 403 is not enough 
explicit, which rules or acl ?, and create a log file for each ACL is not a 
great solution (but in my case yes :) thank again )  

Fred


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] Squid 3.5.4 OpenBSD workers registration timed out

2015-05-28 Thread Henri Wahl

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,
after having trouble with rock storage I try to run squid without
cache_dir but with workers enabled. I run into the same kidx
registration timed out trouble as before [1].

I just enabled workers 2 which works perfectly on a Linux box but
fails on OpenBSD. Is there anything OS-specific to consider? Which
Information do you need for debugging?

In the log I find this:

May 28 10:59:22 squid02 squid[12204]: Starting Squid Cache version
3.5.4 for x86_64-unknown-openbsd5.7...
May 28 10:59:22 squid02 squid[32101]: Starting Squid Cache version
3.5.4 for x86_64-unknown-openbsd5.7...
May 28 10:59:22 squid02 squid[12204]: Service Name: squid
May 28 10:59:22 squid02 squid[32101]: Service Name: squid
May 28 10:59:22 squid02 squid[12204]: Process ID 12204
May 28 10:59:22 squid02 squid[32101]: Process ID 32101
May 28 10:59:22 squid02 squid[32101]: Process Roles: worker
May 28 10:59:22 squid02 squid[12204]: Process Roles: coordinator
May 28 10:59:22 squid02 squid[32101]: With 8192 file descriptors available
May 28 10:59:22 squid02 squid[12204]: With 8192 file descriptors available
May 28 10:59:22 squid02 squid[16324]: Starting Squid Cache version
3.5.4 for x86_64-unknown-openbsd5.7...
May 28 10:59:22 squid02 squid[16324]: Service Name: squid
May 28 10:59:22 squid02 squid[16324]: Process ID 16324
May 28 10:59:22 squid02 squid[16324]: Process Roles: worker
May 28 10:59:22 squid02 squid[16324]: With 32768 file descriptors
available
May 28 10:59:22 squid02 squid[12204]: Squid plugin modules loaded: 0
May 28 10:59:22 squid02 squid[32101]: Squid plugin modules loaded: 0
May 28 10:59:22 squid02 squid[16324]: Squid plugin modules loaded: 0
May 28 10:59:28 squid02 squid[32101]: Closing HTTP port 127.0.0.1:3128
May 28 10:59:28 squid02 squid[32101]: Closing HTTP port 172.19.13.3:3128
May 28 10:59:28 squid02 squid[32101]: kid2 registration timed out
May 28 10:59:28 squid02 squid[16324]: Closing HTTP port 127.0.0.1:3128
May 28 10:59:28 squid02 squid[16324]: Closing HTTP port 172.19.13.3:3128
May 28 10:59:28 squid02 squid[16324]: kid1 registration timed out
May 28 10:59:31 squid02 squid[10011]: Starting Squid Cache version
3.5.4 for x86_64-unknown-openbsd5.7...
May 28 10:59:31 squid02 squid[10011]: Service Name: squid
May 28 10:59:31 squid02 squid[10011]: Process ID 10011
May 28 10:59:31 squid02 squid[10011]: Process Roles: worker
May 28 10:59:31 squid02 squid[10011]: With 8192 file descriptors available
May 28 10:59:31 squid02 squid[10011]: Squid plugin modules loaded: 0
May 28 10:59:34 squid02 squid[3647]: Starting Squid Cache version
3.5.4 for x86_64-unknown-openbsd5.7...
May 28 10:59:34 squid02 squid[3647]: Service Name: squid
May 28 10:59:34 squid02 squid[3647]: Process ID 3647
May 28 10:59:34 squid02 squid[3647]: Process Roles: worker
May 28 10:59:34 squid02 squid[3647]: With 32768 file descriptors available
May 28 10:59:34 squid02 squid[3647]: Squid plugin modules loaded: 0
May 28 10:59:37 squid02 squid[10011]: Closing HTTP port 127.0.0.1:3128
May 28 10:59:37 squid02 squid[10011]: Closing HTTP port 172.19.13.3:3128
May 28 10:59:37 squid02 squid[10011]: kid2 registration timed out
May 28 10:59:40 squid02 squid[3647]: Closing HTTP port 127.0.0.1:3128
May 28 10:59:40 squid02 squid[3647]: Closing HTTP port 172.19.13.3:3128
May 28 10:59:40 squid02 squid[3647]: kid1 registration timed out
May 28 10:59:40 squid02 squid[14886]: Starting Squid Cache version
3.5.4 for x86_64-unknown-openbsd5.7...
May 28 10:59:40 squid02 squid[14886]: Service Name: squid
May 28 10:59:40 squid02 squid[14886]: Process ID 14886
May 28 10:59:40 squid02 squid[14886]: Process Roles: worker
May 28 10:59:40 squid02 squid[14886]: With 8192 file descriptors available
May 28 10:59:40 squid02 squid[14886]: Squid plugin modules loaded: 0
May 28 10:59:43 squid02 squid[11132]: Starting Squid Cache version
3.5.4 for x86_64-unknown-openbsd5.7...
May 28 10:59:43 squid02 squid[11132]: Service Name: squid
May 28 10:59:43 squid02 squid[11132]: Process ID 11132
May 28 10:59:43 squid02 squid[11132]: Process Roles: worker
May 28 10:59:43 squid02 squid[11132]: With 32768 file descriptors
available
May 28 10:59:43 squid02 squid[11132]: Squid plugin modules loaded: 0
May 28 10:59:46 squid02 squid[14886]: Closing HTTP port 127.0.0.1:3128
May 28 10:59:46 squid02 squid[14886]: Closing HTTP port 172.19.13.3:3128
May 28 10:59:46 squid02 squid[14886]: kid2 registration timed out
May 28 10:59:49 squid02 squid[11132]: Closing HTTP port 127.0.0.1:3128
May 28 10:59:49 squid02 squid[11132]: Closing HTTP port 172.19.13.3:3128
May 28 10:59:49 squid02 squid[11132]: kid1 registration timed out
May 28 10:59:49 squid02 squid[2527]: Starting Squid Cache version
3.5.4 for x86_64-unknown-openbsd5.7...
May 28 10:59:49 squid02 squid[2527]: Service Name: squid
May 28 10:59:49 squid02 squid[2527]: Process ID 2527
May 28 10:59:49 squid02 squid[2527]: Process Roles: worker
May 28 10:59:49 squid02 squid[2527]: With 8192 file descriptors available
May 28

Re: [squid-users] Ssl-bump deep dive (self-signed certs in chain)

2015-05-28 Thread James Lay

Thanks for this AmosI will try and do more experimenting this week
with more results.

James

On Tue, 2015-05-26 at 19:46 +1200, Amos Jeffries wrote:

 On 26/05/2015 4:26 a.m., James Lay wrote:
  So following advice and instructions on this page:
  
  http://wiki.squid-cache.org/Features/DynamicSslCert
  
  I have set up my lab with explicit proxy by exporting http_proxy and
  https_proxy.  After creating the self-signed root CA certificate above
  and creating the .der file for the client, here are my results:
  
  From the squid side:
  2015/05/25 10:02:20.161| Using certificate
  in /opt/etc/squid/certs/SquidCA.pem
  2015/05/25 10:02:20.170| support.cc(1743) readSslX509CertificatesChain:
  Certificate is self-signed, will not be chained
  I get the below when I don't specify a CA with curl, otherwise when I do
  I get no error:
  2015/05/25 09:21:02.229| Error negotiating SSL connection on FD 12:
  error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
 
 If that error is displayed by Squid about the clients connection. Then I
 believe it means the client is attempting to perform TLS authentication
 to Squid using the CA you installed there. Which is not possible as the
 CA is supposed to make the client trust Squid generated certs, not the
 other way around.
 
 
  
  And from the client side:
  root@kali:~/test# curl -v https://mail.slave-tothe-box.net
  * About to connect() to proxy 192.168.1.9 port 3129 (#0)
  *   Trying 192.168.1.9...
  * connected
  * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
  * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
  CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
  Host: mail.slave-tothe-box.net:443
  User-Agent: curl/7.26.0
  Proxy-Connection: Keep-Alive
 
  * Easy mode waiting response from proxy CONNECT
   HTTP/1.1 200 Connection established
   
  * Proxy replied OK to CONNECT request
  * successfully set certificate verify locations:
  *   CAfile: none
CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS alert, Server hello (2):
  * SSL certificate problem: self signed certificate in certificate chain
  * Closing connection #0
  
  And testing with specifying the .der file:
  root@kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v
  https://mail.slave-tothe-box.net
  * About to connect() to proxy 192.168.1.9 port 3129 (#0)
  *   Trying 192.168.1.9...
  * connected
  * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
  * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
  CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
  Host: mail.slave-tothe-box.net:443
  User-Agent: curl/7.26.0
  Proxy-Connection: Keep-Alive
 
  * Easy mode waiting response from proxy CONNECT
   HTTP/1.1 200 Connection established
   
  * Proxy replied OK to CONNECT request
  * error setting certificate verify locations:
CAfile: /etc/ssl/certs/SquidCA.der
CApath: /etc/ssl/certs
  
  * Closing connection #0
  curl: (77) error setting certificate verify locations:
CAfile: /etc/ssl/certs/SquidCA.der
CApath: /etc/ssl/certs
  
  
  I can confirm that the server is using a bona-fide certificate issued
  from StartSSL and works, so at this point I'm open to suggestions.
  Thank you.
 
 curl is complaining that the CA chain for the Squid-generted cert has a
 self-signed CA. This is expected and desired behaviour if the
 self-signed CA was sent by Squid.
 
 The errors only occur when the self-signed CA is not sent by Squid, but
 using the one installed on the client.
 
 
 For that I believe you need to configure Squid to sign/generate using
 the intermediate certificate. The self-signed root CA not configured in
 Squid at all.
 
 Like so:
 
 A)
  client Trust DB installed with self-signed root CA
 
  squid.conf cert= configured with intermediary CA certificate
 
  squid.conf cafile= configured with any other intermediary CA
 certificates (in order back to root CA, but excluding it).
 
  Squid generates per-connection certificate
 
 OR:
 
 B)
  client Trust DB installed with self-signed root CA
 
  squid.conf cert= configured with self-signed root CA
 
  Squid generates per-connection certificate
 
 
 Note that in (B) there is no intermediary certificate at all, and Squid
 does not emit any CA chain to the client.
 
 It works exactly the same way as the globally trusted CA do. But they
 are contractually obliged to refuse giving out intermediary CA for
 anyones use, or loose their status as trusted CA.
 
 Amos
 
 ___
 squid-users mailing list
 squid-users@lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] New server_name acl causes fatal error starting Squid 3.5.4

[squid-users] Ssl-bump deep dive (testing)

Re: [squid-users] Logformat tag for a specific ACL

[squid-users] Squid 3.5.4 OpenBSD workers registration timed out

Re: [squid-users] Ssl-bump deep dive (self-signed certs in chain)

5 matches

Site Navigation

Mail list logo

Footer information