[squid-users] Remote Desktop Gateway thru Squid.

2015-10-21 Thread Sebastien.Boulianne
Hi all,

I'm looking to use my Remote Desktop Gateway with my Squid.
I tried this config but it didn't work.

### SITE
cache_peer site.domain.qc.ca parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=site
acl sitehttps url_regex ^https://site\.domain\.qc\.ca
http_access allow www443 sitehttps
http_access allow rdp sitehttps
cache_peer_access site allow www443 sitehttps
cache_peer_access site allow rdp sitehttps
acl sitehttp url_regex ^http://site\.domain\.qc\.ca
http_access deny sitehttp
deny_info 302:https://%H%R sitehttp

I'm curious to know if someone ever did that.

Thank you very much in advance.

1445443415.045  3  TCP_MISS/404 1580 RDG_OUT_DATA https://site.domain.qc.ca/remoteDesktopGateway/ - FIRSTUP_PARENT/ text/html
1445443415.116  2  TCP_MISS/401 450 RPC_IN_DATA https://site.domain.qc.ca/rpc/rpcproxy.dll? - FIRSTUP_PARENT/ text/plain
1445443415.182  3  TCP_MISS/401 450 RPC_OUT_DATA https://site.domain.qc.ca/rpc/rpcproxy.dll? - FIRSTUP_PARENT/ text/plain

Sébastien
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] How can I change the Squid logo on an access denied page.

2015-10-21 Thread Sebastien.Boulianne
Hi again,

I would like to change the Squid's logo that appears on an access denied page...
I replaced the picture /usr/share/squid/icons/SN.png but it didn't work.

What did I miss ?

Thank you very much.

Sébastien.



Re: [squid-users] How can I change the Squid logo on an access denied page.

2015-10-21 Thread Yuri Voinov

You are missing a local web server, which must serve this picture.

22.10.15 0:52, sebastien.boulia...@cpu.ca wrote:
> Hi again,
>
> I would like to change the Squid's logo that appears on an access denied page...
> I replaced the picture /usr/share/squid/icons/SN.png but it didn't work.
>
> What did I miss ?
>
> Thank you very much.
>
> Sébastien.


Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains issue

2015-10-21 Thread Yuri Voinov

First, you should put your configuration in order.

22.10.15 0:31, luizca...@gmail.com wrote:
> Hello,
> So what I am trying to accomplish here is to basically have a
> whitelist of domains that is allowed via http/https. If the UID is
> squid, apache, or root then basically you will bypass squid and anything
> is allowed. This was working well on 3.4.2 however once I moved to
> 3.5.10 it no longer works properly. I also noticed that there are “new”
> features peek, splice etc which is probably my issue since I was not using
> it. I have tried several combinations and have only gotten it to work for
> http traffic. All https traffic is currently being blocked by the
> configuration. Below are my configurations.  I don’t need to "inspect"
> any of the traffic just want to have a whitelist of allowed domains if
> you are not UID squid, apache, or root via http/https. Any help would be
> appreciated !!
>
>
> # Squid.conf
>
> sslproxy_cert_error allow all
This setting is DANGEROUS. Don't use it in production. At all.
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
> sslcrtd_children 50
>
> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
> # HTTPS forward port
> https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
HTTPS forward port: is this an SSL-bumped port, or what? Where, in this
case, is the ssl-bump directive? On the other hand, you don't need to use
cert/key for tunneling connections. This has been enabled by default for
a long, long time.
>
>
> http_port 3401 transparent
This must be "intercept" instead of transparent.
>
>
> always_direct allow all
^^It's too much.
>
> cache deny all
Are you really sure you want to completely disable all caching?
>
> cache_dir ufs /home/squid/cache 100 16 256
Why, in this case, do you define an on-disk cache?
>
>
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
This is completely unnecessary. You don't use it below.
>
>
> acl http proto http
> acl https proto https
Why is it here?
>
>
> acl port_80 port 80
> acl port_443 port 443
Why is it here?
>
>
> http_access allow http port_80 nobumpSites
> http_access allow https port_443 nobumpSites
Why is it here?
>
>
> http_access deny all
>
> # allowed_domains
> .cnn.com
> .google.com
> .facebook.com
> ….etc
ACL order and, even more, access rule order is important, just as in firewalls.
What do you mean by "allowed_domains" and why is it here?
>
>
>  squid log
> TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
> TCP_MISS/200 593 GET http://www.cnn.com/

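A small audit script for the points raised in the review above, as an added example that is not part of the original thread or of Squid itself: it flags `sslproxy_cert_error allow all`, `DONT_VERIFY_PEER`, `transparent` on a port line, a `cache_dir` defined alongside `cache deny all`, and ACLs that are defined but never referenced. The function names, finding codes and sample configuration are constructed for illustration, and ACL usage is matched heuristically by token.

```python
"""Audit squid.conf text for the issues raised in the review above (added example)."""
from typing import NamedTuple

# Constructed sample, assembled from directives quoted in the thread.
SAMPLE_CONF = """\
# constructed sample
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
https_port 4827 intercept ssl-bump cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
http_port 3401 transparent
always_direct allow all
cache deny all
cache_dir ufs /home/squid/cache 100 16 256
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpSites ssl::server_name .cnn.com .facebook.com
acl http proto http
acl https proto https
acl port_80 port 80
acl port_443 port 443
http_access allow http port_80 nobumpSites
http_access allow https port_443 nobumpSites
http_access deny all
"""


class Finding(NamedTuple):
    line: int
    code: str
    detail: str


def _directives(conf_text):
    """Yield (line_number, tokens) for each non-blank, non-comment line.

    Assumption: everything after '#' is a comment.
    """
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        stripped = raw.split("#", 1)[0].strip()
        if stripped:
            yield number, stripped.split()


def _has_flag(value, flag):
    """True if `flag` is one of the comma-separated flags in `value`."""
    return flag in {item.strip() for item in value.split(",")}


def audit(conf_text):
    """Return sorted Findings for the weak or redundant settings in conf_text."""
    lines = list(_directives(conf_text))
    findings = []
    # First pass: remember where each ACL name is first defined.
    acl_defined = {}
    for number, tok in lines:
        if tok[0] == "acl" and len(tok) >= 3:
            acl_defined.setdefault(tok[1], number)

    acl_used, cache_dir_lines, cache_denied = set(), [], False
    for number, tok in lines:
        name, args = tok[0], tok[1:]
        if name == "acl":
            continue
        # Heuristic: any argument equal to a defined ACL name (or !name) is a use.
        acl_used.update(a.lstrip("!") for a in args if a.lstrip("!") in acl_defined)

        if name == "sslproxy_cert_error" and args == ["allow", "all"]:
            findings.append(Finding(number, "CERT_ERRORS_IGNORED",
                                    "every upstream certificate error is accepted"))
        elif name == "sslproxy_flags" and any(
                _has_flag(a, "DONT_VERIFY_PEER") for a in args):
            findings.append(Finding(number, "PEER_NOT_VERIFIED",
                                    "origin server certificates are not verified"))
        elif name == "cache_peer" and any(
                a.startswith("sslflags=")
                and _has_flag(a.split("=", 1)[1], "DONT_VERIFY_PEER") for a in args):
            findings.append(Finding(number, "PEER_NOT_VERIFIED",
                                    "peer certificate is not verified"))
        elif name in ("http_port", "https_port") and "transparent" in args[1:]:
            findings.append(Finding(number, "OBSOLETE_TRANSPARENT",
                                    "the review asks for 'intercept' here"))
        elif name == "cache_dir":
            cache_dir_lines.append(number)
        elif name == "cache" and args == ["deny", "all"]:
            cache_denied = True

    if cache_denied:
        findings.extend(Finding(n, "CACHE_DIR_NEVER_USED",
                                "cache_dir defined while 'cache deny all' is set")
                        for n in cache_dir_lines)
    findings.extend(Finding(n, "UNUSED_ACL", acl_name)
                    for acl_name, n in acl_defined.items()
                    if acl_name not in acl_used)
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(f"line {finding.line}: {finding.code}: {finding.detail}")
```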

[squid-users] big files caching-only proxy

2015-10-21 Thread Leonardo Rodrigues


Hi,

I have a running setup for proxying only 'big' files, like Windows
Update, Apple Updates and some other very specific URLs. That's working
just fine, no problem on that.


To avoid caching small things on the URLs I want to have big
files proxied, I set the 'minimum_object_size' to 500Kb, for example.
That's doing just fine, working flawlessly.


Now I'm looking at caching Instagram data. That seems easy,
Instagram videos are already being cached, but I really don't know how to
deal with the small images and thumbnails from the timeline. If I lower
the minimum_object_size too much, those will be cached, as well as
unwanted data from the other URLs.


Question is: can the minimum_object_size be paired with some ACL ?
Can I have a minimum_object_size globally and another one for specific URLs
(from an ACL) for example?


I'm running Squid 3.5.8.


--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do not email it
gertru...@solutti.com.br





[squid-users] deny rep_mime_type

2015-10-21 Thread HackXBack
Hello,
Can we deny rep_mime_type for a specific domain?
If yes, then how?
If no, then why?
Thank you.





Re: [squid-users] How can I change the Squid logo on an access denied page.

2015-10-21 Thread Rafael Akchurin
It is also possible to use the in place image like we do for our “403 blocked 
page” – see http://docs.diladele.com/faq/filtering/logo.html

Best regards,
Rafael Akchurin
Diladele B.V.


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Yuri Voinov
Sent: Wednesday, October 21, 2015 9:01 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] How can I change the Squid logo on an access denied page.


You are missing a local web server, which must serve this picture.

22.10.15 0:52, sebastien.boulia...@cpu.ca wrote:
> Hi again,
>
> I would like to change the Squid's logo that appears on an access denied page...
> I replaced the picture /usr/share/squid/icons/SN.png but it didn't work.
>
> What did I miss ?
>
> Thank you very much.
>
> Sébastien.



Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread Yuri Voinov

Show us access.log/cache.log for denied HTTPS sites.

All other config quirks will remain your responsibility - Amos
will come and explain when I/you are wrong. ;)

22.10.15 1:52, luizca...@gmail.com wrote:
> I answered your questions below. However https traffic is still always being
> denied even though the site is on the allowed_list via nobumpSites.
> I want to control http/https traffic using the “allowed_domains” list.
> This current configuration works for HTTP but not HTTPS traffic.
>
> If there is an easier way to do this I am open to suggestions. This
> configuration minus the peek/splice part works fine in 3.4.2. Not sure
> what changed in 3.5 that causes this to fail.
[squid-users] How can I change the Squid logo on an access denied page.

2015-10-21 Thread Sebastien.Boulianne
My question wasn't that.
I want to change the Squid’s logo…

Nothing else…
I'm sure I need to change something else if I want the Squid’s logo replaced…

Did you ever replace the Squid logo ?

Thanks.

Sebastien.

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Yuri Voinov
Sent: October 21, 2015 15:01
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] How can I change the Squid logo on an access denied page.


You are missing a local web server, which must serve this picture.

22.10.15 0:52, sebastien.boulia...@cpu.ca wrote:
> Hi again,
>
> I would like to change the Squid's logo that appears on an access denied page...
> I replaced the picture /usr/share/squid/icons/SN.png but it didn't work.
>
> What did I miss ?
>
> Thank you very much.
>
> Sébastien.


Re: [squid-users] How can I change the Squid logo on an access denied page.

2015-10-21 Thread Yuri Voinov

You are talking about the logo, which is hosted on an external web site.

You can:

1. Use your own local web-server with another picture and point ERR_PAGE
to this location.
2. Use Rafael's method as described.
3. Ask Amos to get administrative rights on squid-cache.org, upload your
own picture and point your ERR_PAGE onto it. ;)

22.10.15 2:09, sebastien.boulia...@cpu.ca wrote:
> My question wasn't that.
> I want to change the Squid’s logo…
>
> Nothing else…
> I'm sure I need to change something else if I want the Squid’s logo replaced…
>
> Did you ever replace the Squid logo ?
>
> Thanks.
>
> Sebastien.
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Yuri Voinov
> Sent: October 21, 2015 15:01
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] How can I change the Squid logo on an access denied page.
>
>
> You are missing a local web server, which must serve this picture.
>
> 22.10.15 0:52, sebastien.boulia...@cpu.ca wrote:
> > Hi again,
> >
> > I would like to change the Squid's logo that appears on an access denied page...
> > I replaced the picture /usr/share/squid/icons/SN.png but it didn't work.
> >
> > What did I miss ?
> >
> > Thank you very much.
> >
> > Sébastien.


Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread Yuri Voinov

Show a piece of the

allowed_domains

file.

22.10.15 2:29, luizca...@gmail.com wrote:
> Could you suggest a configuration that you think should be working ? I would
> like both HTTP/HTTPS domains whitelisted via file all other domains blocked.
> What am I missing ? My assumption here is the acl nobumpSites
> ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains" part
> is not working for https but does work for http.
>
>  LOG
> 21/Oct/2015:16:24:45 -0400.062 28 X.X.X.X TCP_MISS/200 907 HEAD http://www.cnn.com/ - ORIGINAL_DST/23.235.39.73 text/html
> 21/Oct/2015:16:25:12 -0400.515  0 X.X.X.X TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
>
>  /etc/squid/git_allowed_domains/allowed_domains
> .facebook.com
> .cnn.com
>
>  Squid.conf
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
> sslcrtd_children 50
>
> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
> http_port 3401 intercept
>
> logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %
> access_log /var/log/squid/access.log squid
>
> cache deny all
>
> acl step1 at_step SslBump1
> acl nobumpSites ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"
> # I even tried the follow just for https test and it still failed
> # acl nobumpSites ssl::server_name  .facebook.com
> # 21/Oct/2015:16:27:45 -0400.733  0 10.159.3.194 TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
>
> ssl_bump peek step1 all
> ssl_bump splice nobumpSites
> ssl_bump bump
>
> acl http proto http
> acl https proto https
> acl port_80 port 80
> acl port_443 port 443
>
> http_access allow http port_80 nobumpSites
> http_access allow https port_443 nobumpSites
>
> http_access deny all


Re: [squid-users] Remote Desktop Gateway thru Squid.

2015-10-21 Thread Yuri Voinov

https://www.google.com/search?q=RDP+via+Squid

Some results:

http://superuser.com/questions/713359/i-want-to-rdp-to-my-server-that-is-behind-a-squid3-proxy
http://sengstar2005.hubpages.com/hub/How-to-Remote-Desktop-to-a-Terminal-Server-via-a-Web-Proxy
http://www.experts-exchange.com/Networking/Linux_Networking/Q_21944375.html

and so on :)

Hope this helps ;)

22.10.15 0:43, sebastien.boulia...@cpu.ca wrote:
> Hi all,
>
> I'm looking to use my Remote Desktop Gateway with my Squid.
> I tried this config but it didn't work.
>
> ### SITE
> cache_peer site.domain.qc.ca parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=site
> acl sitehttps url_regex ^https://site\.domain\.qc\.ca
> http_access allow www443 sitehttps
> http_access allow rdp sitehttps
> cache_peer_access site allow www443 sitehttps
> cache_peer_access site allow rdp sitehttps
> acl sitehttp url_regex ^http://site\.domain\.qc\.ca
> http_access deny sitehttp
> deny_info 302:https://%H%R sitehttp
>
> I'm curious to know if someone ever did that.
>
> Thank you very much in advance.
>
> 1445443415.045  3  TCP_MISS/404 1580 RDG_OUT_DATA https://site.domain.qc.ca/remoteDesktopGateway/ - FIRSTUP_PARENT/ text/html
> 1445443415.116  2  TCP_MISS/401 450 RPC_IN_DATA https://site.domain.qc.ca/rpc/rpcproxy.dll? - FIRSTUP_PARENT/ text/plain
> 1445443415.182  3  TCP_MISS/401 450 RPC_OUT_DATA https://site.domain.qc.ca/rpc/rpcproxy.dll? - FIRSTUP_PARENT/ text/plain
>
> Sébastien


[squid-users] Squid/NTLM Auth

2015-10-21 Thread Keith White
I have squid running on CentOS 7 and am trying to set up AD authentication.  I
have samba/winbindd installed and the system was added to the domain with
authconfig.  I have tested authentication with auth_ntlm and that works. I have
also tested group membership with auth_ntlm and that works as well.  When
attempting to access squid with either IE or Firefox I am presented with the
authentication dialog box.  Manually entering credentials does not work.  What
debugging can I enable to see what is going on?  Squid is built with the
following

Squid Cache: Version 3.5.9-20150917-r13917
Service Name: squid
configure options:  '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/varsquid' '--sysconfdir=/etc/squid' '--enable-auth' '--enable-auth-ntlm' '--enable-external-acl-helpers' '--enable-auth-negotiate' '--enable-auth-basic' '--enable-auth-digest'


relevant section from squid.conf

auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow localnet
http_access allow AuthorizedUsers
http_access allow localhost


Thanks,

Keith







Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread luizcasey
I answered your questions below. However https traffic is still always being
denied even though the site is on the allowed_list via nobumpSites.
I want to control http/https traffic using the “allowed_domains” list. This
current configuration works for HTTP but not HTTPS traffic.

If there is an easier way to do this I am open to suggestions. This
configuration minus the peek/splice part works fine in 3.4.2. Not sure what
changed in 3.5 that causes this to fail.


> Date: Thu, 22 Oct 2015 00:59:36 +0600
> From: Yuri Voinov 
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains
>   issue
> Message-ID: <5627e098.1000...@gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> 
> First, you should put your configuration in order.
>
> 22.10.15 0:31, luizca...@gmail.com wrote:
>> Hello,
>> So what I am trying to accomplish here is to basically have a
>> whitelist of domains that is allowed via http/https. If the UID is
>> squid, apache, or root then basically you will bypass squid and anything
>> is allowed. This was working well on 3.4.2 however once I moved to
>> 3.5.10 it no longer works properly. I also noticed that there are “new”
>> features peek, splice etc which is probably my issue since I was not using
>> it. I have tried several combinations and have only gotten it to work for
>> http traffic. All https traffic is currently being blocked by the
>> configuration. Below are my configurations.  I don’t need to "inspect"
>> any of the traffic just want to have a whitelist of allowed domains if
>> you are not UID squid, apache, or root via http/https. Any help would be
>> appreciated !!
>>
>>
>> # Squid.conf
>>
>> sslproxy_cert_error allow all
> This setting is DANGEROUS. Don't use it in production. At all.
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>>
>> sslproxy_flags DONT_VERIFY_PEER
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
>> sslcrtd_children 50
>>
>> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
>> # HTTPS forward port
>> https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
> HTTPS forward port: is this an SSL-bumped port, or what? Where, in this
> case, is the ssl-bump directive? On the other hand, you don't need to use
> cert/key for tunneling connections. This has been enabled by default for
> a long, long time.
>>
>>
>> http_port 3401 transparent
> This must be "intercept" instead of transparent.
>>
>>
>> always_direct allow all
> ^^It's too much.
>>
>> cache deny all
> Are you really sure you want to completely disable all caching?
>>
>> cache_dir ufs /home/squid/cache 100 16 256
> Why, in this case, do you define an on-disk cache?
Removed
>>
>>
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
> This is completely unnecessary. You don't use it below.
Removed
>>
>>
>> acl http proto http
>> acl https proto https
> Why is it here?
To only allow http and https proto
>>
>>
>> acl port_80 port 80
>> acl port_443 port 443
> Why is it here?
To only allow port 80 and 443
>>
>>
>> http_access allow http port_80 nobumpSites
>> http_access allow https port_443 nobumpSites
> Why is it here?
To only allow access to nobumpSites on port 80 and 443
>>
>>
>> http_access deny all
>>
>> # allowed_domains
>> .cnn.com
>> .google.com
>> .facebook.com
>> ….etc
> ACL order and, even more, access rule order is important, just as in firewalls.
> What do you mean by "allowed_domains" and why is it here?
>>
>>
>>  squid log
>> TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
>> TCP_MISS/200 593 GET http://www.cnn.com/


Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread luizcasey
Could you suggest a configuration that you think should be working ? I would
like both HTTP/HTTPS domains whitelisted via file all other domains blocked.
What am I missing ? My assumption here is the acl nobumpSites ssl::server_name
"/etc/squid/git_allowed_domains/allowed_domains" part is not working for https
but does work for http.

 LOG
21/Oct/2015:16:24:45 -0400.062 28 X.X.X.X TCP_MISS/200 907 HEAD http://www.cnn.com/ - ORIGINAL_DST/23.235.39.73 text/html
21/Oct/2015:16:25:12 -0400.515  0 X.X.X.X TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html

 /etc/squid/git_allowed_domains/allowed_domains
.facebook.com
.cnn.com

 Squid.conf
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
sslcrtd_children 50

https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
http_port 3401 intercept

logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %https://www.facebook.com/ - HIER_NONE/- text/html

ssl_bump peek step1 all
ssl_bump splice nobumpSites
ssl_bump bump

acl http proto http
acl https proto https
acl port_80 port 80
acl port_443 port 443

http_access allow http port_80 nobumpSites
http_access allow https port_443 nobumpSites

http_access deny all



Re: [squid-users] How can I change the Squid logo on an access denied page.

2015-10-21 Thread Yuri Voinov

Usually Squid is used in conjunction with
redirector+Apache/other_web_server, so in these setups the shortest (and
weak) way is to use it...

But Rafael is right.

22.10.15 1:46, Rafael Akchurin wrote:
> It is also possible to use the in place image like we do for our “403 blocked
> page” – see http://docs.diladele.com/faq/filtering/logo.html
>
> Best regards,
> Rafael Akchurin
> Diladele B.V.
>
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Yuri Voinov
> Sent: Wednesday, October 21, 2015 9:01 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] How can I change the Squid logo on an access denied page.
>
>
> You miss local web-server, which must serve this picture.
>
> 22.10.15 0:52, sebastien.boulia...@cpu.ca wrote:
> > Hi again,
> >
> > I would like to change the Squid's logo that appear on an access denied page...
> > I replace the picture /usr/share/squid/icons/SN.png but it didn't work.
> >
> > What did I miss ?
> >
> > Thank you very much.
> >
> > Sébastien.


Re: [squid-users] Remote Desktop Gateway thru Squid.

2015-10-21 Thread Yuri Voinov

Look more:

http://www.experts-exchange.com/Software/Anti-Virus/Q_24387982.html

and more.

More closed:

In transparent proxy setups RDP is not a problem everywhere, because a
transparent proxy utilizes only HTTP and/or HTTPS ports.

RDP does not use these ports in case you are using mstsc.

In the forwarding proxy case, the best way is to use NAT/firewall to make
RDP connections bypass the proxy.

Squid is not intended to understand all of the protocols. :)

22.10.15 2:04, sebastien.boulia...@cpu.ca wrote:
> Hi Yuri,
>
> Thank you very much for your answer.
>
> My question was Remote Desktop Gateway with my Squid.
>
> A Remote Desktop Gateway and RDP are not the same.
> http://windows.microsoft.com/en-ph/windows7/what-is-a-remote-desktop-gateway-server
>
> Thanks.
>
> Sébastien.
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Yuri Voinov
> Sent: October 21, 2015 15:05
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Remote Desktop Gateway thru Squid.
>
>
> https://www.google.com/search?q=RDP+via+Squid
>
> Some results:
>
> http://superuser.com/questions/713359/i-want-to-rdp-to-my-server-that-is-behind-a-squid3-proxy
> http://sengstar2005.hubpages.com/hub/How-to-Remote-Desktop-to-a-Terminal-Server-via-a-Web-Proxy
> http://www.experts-exchange.com/Networking/Linux_Networking/Q_21944375.html
>
> and so on :)
>
> Hope this helps ;)
>
> 22.10.15 0:43, sebastien.boulia...@cpu.ca wrote:
> > Hi all,
> >
> > I'm looking to use my Remote Desktop Gateway with my Squid.
> > I tried this config but it didn't work.
> >
> > ### SITE
> > cache_peer site.domain.qc.ca parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=site
> > acl sitehttps url_regex ^https://site\.domain\.qc\.ca
> > http_access allow www443 sitehttps
> > http_access allow rdp sitehttps
> > cache_peer_access site allow www443 sitehttps
> > cache_peer_access site allow rdp sitehttps
> > acl sitehttp url_regex ^http://site\.domain\.qc\.ca
> > http_access deny sitehttp
> > deny_info 302:https://%H%R sitehttp
> >
> > I'm curious to know if someone ever did that.
> >
> > Thank you very much in advance.
> >
> > 1445443415.045  3  TCP_MISS/404 1580 RDG_OUT_DATA https://site.domain.qc.ca/remoteDesktopGateway/ - FIRSTUP_PARENT/ text/html
> > 1445443415.116  2  TCP_MISS/401 450 RPC_IN_DATA https://site.domain.qc.ca/rpc/rpcproxy.dll? - FIRSTUP_PARENT/ text/plain
> > 1445443415.182  3  TCP_MISS/401 450 RPC_OUT_DATA https://site.domain.qc.ca/rpc/rpcproxy.dll? - FIRSTUP_PARENT/ text/plain
> >
> > Sébastien



Re: [squid-users] Remote Desktop Gateway thru Squid.

2015-10-21 Thread Sebastien.Boulianne
Hi Yuri,

Thank you very much for your answer.

My question was Remote Desktop Gateway with my Squid.

A Remote Desktop Gateway and RDP are not the same.
http://windows.microsoft.com/en-ph/windows7/what-is-a-remote-desktop-gateway-server

Thanks.

Sébastien.
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Yuri Voinov
Sent: October 21, 2015 15:05
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Remote Desktop Gateway thru Squid.


https://www.google.com/search?q=RDP+via+Squid

Some results:

http://superuser.com/questions/713359/i-want-to-rdp-to-my-server-that-is-behind-a-squid3-proxy
http://sengstar2005.hubpages.com/hub/How-to-Remote-Desktop-to-a-Terminal-Server-via-a-Web-Proxy
http://www.experts-exchange.com/Networking/Linux_Networking/Q_21944375.html

and so on :)

Hope this helps ;)

22.10.15 0:43, sebastien.boulia...@cpu.ca wrote:
> Hi all,
>
> I'm looking to use my Remote Desktop Gateway with my Squid.
> I tried this config but it didn't work.
>
> ### SITE
> cache_peer site.domain.qc.ca parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=site
> acl sitehttps url_regex ^https://site\.domain\.qc\.ca
> http_access allow www443 sitehttps
> http_access allow rdp sitehttps
> cache_peer_access site allow www443 sitehttps
> cache_peer_access site allow rdp sitehttps
> acl sitehttp url_regex ^http://site\.domain\.qc\.ca
> http_access deny sitehttp
> deny_info 302:https://%H%R sitehttp
>
> I'm curious to know if someone ever did that.
>
> Thank you very much in advance.
>
> 1445443415.045  3  TCP_MISS/404 1580 RDG_OUT_DATA https://site.domain.qc.ca/remoteDesktopGateway/ - FIRSTUP_PARENT/ text/html
> 1445443415.116  2  TCP_MISS/401 450 RPC_IN_DATA https://site.domain.qc.ca/rpc/rpcproxy.dll? - FIRSTUP_PARENT/ text/plain
> 1445443415.182  3  TCP_MISS/401 450 RPC_OUT_DATA https://site.domain.qc.ca/rpc/rpcproxy.dll? - FIRSTUP_PARENT/ text/plain
>
> Sébastien



Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread luizcasey
There really isn’t anything in there right now since I am testing.

 /etc/squid/git_allowed_domains/allowed_domains"
.facebook.com
.cnn.com


Re: [squid-users] deny rep_mime_type

2015-10-21 Thread Kinkie
Hi,
  I suspect (unverified) that

acl dom dstdomain .example.com
acl type rep_mime_type base/type
http_reply_access deny dom type
http_reply_access allow all

will do what you need

On Wed, Oct 21, 2015 at 9:36 PM, HackXBack  wrote:
> hello ,
> can we deny rep_mime_type for specific domain ?
> if yes then how
> if no then why
> thank you ..



-- 
Francesco


Re: [squid-users] auto get latest release

2015-10-21 Thread joe
thank you amos was helpful 





Re: [squid-users] deny rep_mime_type

2015-10-21 Thread HackXBack
sorry not deny but make it miss and not hit
with
store_miss
send_hit





Re: [squid-users] NTLM Authentication Failing

2015-10-21 Thread Alex Samad
Would it be fair to say best practice is to get Kerberos working in favour
of NTLM?
On 21/10/2015 3:18 PM, "Amos Jeffries"  wrote:

> On 2015-10-21 15:38, Ilias Clifton wrote:
>
>>
>>> On 20/10/2015 4:04 p.m., Ilias Clifton wrote:
>>> > Hi All,
>>> > I've been following the guide at this location for Active Directory
>>> integration
>>> >
>>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy[http://wiki.bitbinary.com/index.php/
>>> >Active_Directory_Integrated_Squid_Proxy]
>>> >
>>> > First, some versions for sanity..
>>> > Ubuntu : 14.04.3 LTS
>>> > Squid : 3.3.8 (from ubuntu repositories)
>>> > Samba : 4.1.6-Ubuntu
>>> > DC : Windows Server 2012 R2
>>> >
>>> > I am currently testing the authentication, negotiate kerberos and
>>> basic ldap are
>>> > both working correctly. However ntlm is not and I don't seem to making
>>> any
>>> > progress on debugging further.
>>>
>>> Date: Tue, 20 Oct 2015 18:06:17 +1300
>>> From: Amos Jeffries 
>>>
>>>
>>>
>>> Your version of Squid has big problems with (4) and some with (2), and
>>> your DC server version has big problems with (1) and (3).
>>>
>>>
>>> Amos
>>>
>>>
>>>
>>>
>> Hi Amos,
>>
>> Thank you for your detailed answer.
>>
>> So what is the best way to authenticate users in a mixed environment?
>> I've got Windows domain PCs with IE/firefox/chrome. Linux PCs with
>> Firefox/chrome. Windows non-domain joined PCs with IE/firefox/chrome -
>> plus various mobile devices.
>>
>> I've tried getting rid of ntlm and just using negotiate kerberos and
>> ldap for basic, is that all I need?
>>
>
> I believe thats at least very close to the solution. The getting rid of
> NTLM is something that needs to happen at the client end though, so IE does
> not attempt to use it over Negotiate scheme.
>
>
>
>> On the non-domain joined PCs, if I disable 'Enable Integrated Windows
>> Authentication', they now correctly use basic ldap.
>>
>
> And thats the way to do it IIRC. Someone more familiar may know a better
> way.
>
>
>
>> My config now looks like..
>>
>> ### negotiate kerberos and ntlm authentication
>> auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth
>> -d -s GSS_C_NO_NAME
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive off
>>
>> ### provide basic authentication via ldap for clients not
>> authenticated via kerberos/ntlm
>> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
>> "DC=domain,DC=local" -D proxyuser at domain.local -W
>> /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.domain.local
>> auth_param basic children 10
>> auth_param basic realm Internet Proxy
>> auth_param basic credentialsttl 30 minutes
>>
>> ### ldap authorisation
>> external_acl_type memberof %LOGIN /usr/lib/squid3/ext_ldap_group_acl
>> -R -K -S -b "DC=domain,DC=local" -D proxyuser at domain.local -W
>> /etc/squid3/ldappass.txt -f
>>
>> "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Proxy,DC=domain,DC=local))"
>> -h dc1.domain.local
>>
>> Does that look ok?
>>
>
> Looks reasonable for a small installation. If you have a medium to large
> network you may find Squid mentioning queue issues and requesting more
> helper children be configured. Simply increasing the numbers there should
> resolve that.
>
> Amos


Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread Yuri Voinov

Working config snippet for 3.5.x looks like this:

acl get_sni_at_step1 at_step SslBump1
ssl_bump peek get_sni_at_step1
acl spliced_hosts ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
ssl_bump splice spliced_hosts
ssl_bump bump net_bump

and url.nobump contains:

# Mozilla services
services\.mozilla\.com

etc.


22.10.15 2:45, luizca...@gmail.com wrote:
> There really isn’t anything in there right now since I am testing.
>
>  /etc/squid/git_allowed_domains/allowed_domains"
> .facebook.com
> .cnn.com


Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread Alex Rousskov
On 10/21/2015 02:49 PM, Yuri Voinov wrote:

> Working config snippet for 3.5.x looks like this:
> 
> ssl_bump peek get_sni_at_step1
> ssl_bump splice spliced_hosts
> ssl_bump bump net_bump


The above config leaves the following question unanswered:

Q: What happens if neither spliced_hosts nor net_bump match at bumping
step #2?


Leaving questions unanswered is a bad idea for ssl_bump rules because
defaults are complex (and used to be broken). To answer that question
(instead of forcing Squid to guess the answer), add a fourth catch-all
rule. For example, this is how the latest Squids would guess:

  ssl_bump peek step1
  ssl_bump splice spliced_hosts
  ssl_bump bump net_bump
  ssl_bump splice all


If spliced_hosts ACL negation works reliably, then the above is
equivalent to:

  ssl_bump peek step1
  ssl_bump bump !spliced_hosts net_bump
  ssl_bump splice all

but I recommend avoiding ACL negation in the actual rules.


Finally, please make sure your http_access rules correctly handle
CONNECT requests (real for forwarded connections and fake ones for
intercepted connections). This may be difficult to do right now due to
bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340


HTH,

Alex.
P.S. I renamed get_sni_at_step1 to step1 in the above examples because
that ACL itself does not know anything about SNI and does not force
Squid to get SNI.
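
The two recommendations in the message above (end the ssl_bump list with an explicit catch-all, and keep ACL negation out of the rules) can be checked mechanically. The following Python code is an added example, not part of the thread and not Squid code; `parse`, `decide` and `lint` are hypothetical helpers. As an assumption, `decide` models only first-match evaluation per bumping step and returns None where the decision would be left to Squid's defaults; it does not model actions that are impossible at a given step.

```python
import re

FINAL_ACTIONS = {"splice", "bump", "terminate"}  # actions that settle the connection


def parse(conf):
    """Return (step_acls, rules) extracted from squid.conf text."""
    step_acls = {}  # ACL name -> step number, from 'acl NAME at_step SslBumpN'
    rules = []      # (line number, action, [ACL tokens]) for each ssl_bump line
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "at_step":
            m = re.fullmatch(r"SslBump([123])", tok[3])
            if m:
                step_acls[tok[1]] = int(m.group(1))
        elif len(tok) >= 2 and tok[0] == "ssl_bump":
            rules.append((lineno, tok[1], tok[2:]))
    return step_acls, rules


def _acl_matches(token, step, matching, step_acls):
    """Evaluate one ACL token (optionally negated with '!') for this step."""
    negated = token.startswith("!")
    name = token.lstrip("!")
    if name == "all":
        hit = True
    elif name in step_acls:
        hit = step_acls[name] == step
    else:
        hit = name in matching
    return hit != negated


def decide(conf, step, matching=()):
    """Action of the first rule whose ACLs all match, or None if no rule matches.

    'matching' names the non-step ACLs assumed to match this connection.
    Rules written without any ACL are not modelled and are skipped.
    """
    step_acls, rules = parse(conf)
    matching = set(matching)
    for _, action, acls in rules:
        if acls and all(_acl_matches(a, step, matching, step_acls) for a in acls):
            return action
    return None


def lint(conf):
    """Return (finding, line number) pairs for the two points raised above."""
    _, rules = parse(conf)
    findings = []
    for lineno, _, acls in rules:
        if any(a.startswith("!") for a in acls):
            findings.append(("negated-acl", lineno))
    if rules:
        lineno, action, acls = rules[-1]
        if not (action in FINAL_ACTIONS and acls == ["all"]):
            findings.append(("no-catch-all", lineno))
    return findings


# The three-rule snippet quoted in the thread (net_bump is not defined there).
THREE_RULES = """\
acl get_sni_at_step1 at_step SslBump1
ssl_bump peek get_sni_at_step1
acl spliced_hosts ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
ssl_bump splice spliced_hosts
ssl_bump bump net_bump
"""

# The same rules with the explicit catch-all suggested in the reply.
WITH_CATCH_ALL = """\
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice spliced_hosts
ssl_bump bump net_bump
ssl_bump splice all
"""

# The negated variant the reply calls equivalent but advises against.
NEGATED = """\
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump !spliced_hosts net_bump
ssl_bump splice all
"""

if __name__ == "__main__":
    for name, conf in (("three rules", THREE_RULES),
                       ("with catch-all", WITH_CATCH_ALL),
                       ("negated", NEGATED)):
        print(name, "| lint:", lint(conf),
              "| step 2, no ACL matches:", decide(conf, 2))
```
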


[squid-users] Squid 3.5.10 SSL Bump whitelist domains issue

2015-10-21 Thread luizcasey
Hello, 
So what I am trying to accomplish here is to basically have a whitelist of 
domains that is allowed via http/https. If the UID is squid,apache, or root 
then basically you will bypass squid and anything is allowed. This was working 
well on 3.4.2 however once I moved to 3.5.10 it no longer works properly. I 
also noticed that there are “new” features peek,slice etc which is probably my 
issue since I was not using it. I have tried several combination and have only 
gotten it to work for http traffic. All https traffic is currently being 
blocked by the configuration. Below are my configurations.  I don’t need to 
"inspect" any of the traffic just want to have a whitelist of allowed domains 
if you are not UID squid,apache, or root via http/https. Any help would be 
appreciated !!


# IPTABLES
$iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target           prot opt source    destination
natoutlogaccept  tcp  --  anywhere  anywhere     multiport dports http,https owner UID match squid
natoutlogaccept  tcp  --  anywhere  anywhere     multiport dports http,https owner UID match apache
natoutlogaccept  tcp  --  anywhere  anywhere     multiport dports http,https owner UID match root
REDIRECT         tcp  --  anywhere  anywhere     tcp dpt:http redir ports 3401
REDIRECT         tcp  --  anywhere  anywhere     tcp dpt:https redir ports 4827

Chain natoutlogaccept (3 references)
target     prot opt source    destination
LOG        all  --  anywhere  anywhere     LOG level debug prefix `nat out iptables accept '
ACCEPT     all  --  anywhere  anywhere


# Squid.conf

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
sslcrtd_children 50

https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
# HTTPS forward port
https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key

http_port 3401 transparent
# HTTP forward port
http_port 127.0.0.1:6886

logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %http://cnn.com/>
.google.com 
.facebook.com 
….etc 

 squid log
TAG_NONE/403 350 HEAD https://www.facebook.com/  - 
HIER_NONE/- text/html
TCP_MISS/200 593 GET http://www.cnn.com/


Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread luizcasey
Alex,
So what do you recommend to do here ? I just need a simple whitelist file for 
both http/https. I have a config that works on 3.4 but would like to upgrade to 
3.5 and the current config we have won't cut it. Just need a simple if you are 
in this list allow if not deny. No need for any ssl validation or anything.

> On Oct 21, 2015, at 6:49 PM, Alex Rousskov  
> wrote:
> 
>> On 10/21/2015 02:49 PM, Yuri Voinov wrote:
>> 
>> Working config snippet for 3.5.x looks like this:
>> 
>> ssl_bump peek get_sni_at_step1
>> ssl_bump splice spliced_hosts
>> ssl_bump bump net_bump
> 
> 
> The above config leaves the following question unanswered:
> 
> Q: What happens if neither spliced_hosts nor net_bump match at bumping
> step #2?
> 
> 
> Leaving questions unanswered is a bad idea for ssl_bump rules because
> defaults are complex (and used to be broken). To answer that question
> (instead of forcing Squid to guess the answer), add a forth catch-all
> rule. For example, this is how the latest Squids would guess:
> 
>  ssl_bump peek step1
>  ssl_bump splice spliced_hosts
>  ssl_bump bump net_bump
>  ssl_bump splice all
> 
> 
> If spliced_hosts ACL negation works reliably, then the above is
> equivalent to:
> 
>  ssl_bump peek step1
>  ssl_bump bump !spliced_hosts net_bump
>  ssl_bump splice all
> 
> but I recommend avoiding ACL negation in the actual rules.
> 
> 
> Finally, please make sure your http_access rules correctly handle
> CONNECT requests (real for forwarded connections and fake ones for
> intercepted connections). This may be difficult to do right now due to
> bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340
> 
> 
> HTH,
> 
> Alex.
> P.S. I renamed get_sni_at_step1 to step1 in the above examples because
> that ACL itself does not know anything about SNI and does not force
> Squid to get SNI.


Re: [squid-users] POST upload splits tcp stream in many small 39byte sized pakets

2015-10-21 Thread Squid admin

Dear Alex,

unfortunately not really fixed.

The upload speed using squid 4.0.1 with this patch has improved significantly
but is far away from squid 3.4.x performance.

The used test client can reach a maximum upload speed of 115 MBIT if the
apache server is directly reachable.
If a SQUID 3.4.X PROXY is in between, the speed is also 115MBIT but only
16MBIT when USING SQUID 4.0.1

TcpSegmentOffloading has been turned off for this dump:
(Note: with TSO turned off to see the real packet sizes, the measured speeds are
nearly the same.)

11:28:24.917866 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [S], seq
3288613551, win 29200, options [mss 1460,sackOK,TS val 104477831 ecr
0,nop,wscale 7], length 0
11:28:24.918225 IP 10.1.1.19.81 > 10.1.1.210.49321: Flags [S.], seq
2608168273, ack 3288613552, win 14480, options [mss 1460,sackOK,TS val
1398719113 ecr 104477831,nop,wscale 7], length 0
11:28:24.918256 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], ack 1, win
229, options [nop,nop,TS val 104477831 ecr 1398719113], length 0
11:28:24.922831 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [P.], seq 1:583,
ack 1, win 229, options [nop,nop,TS val 104477832 ecr 1398719113], length
582
11:28:24.923118 IP 10.1.1.19.81 > 10.1.1.210.49321: Flags [.], ack 583, win
123, options [nop,nop,TS val 1398719114 ecr 104477832], length 0
11:28:24.924689 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
583:2031, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719114], length 1448
11:28:24.924694 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
2031:3479, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719114], length 1448
11:28:24.924699 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
3479:4927, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719114], length 1448
11:28:24.924701 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
4927:6375, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719114], length 1448
11:28:24.924703 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
6375:7823, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719114], length 1448
11:28:24.924719 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
7823:9271, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719114], length 1448
11:28:24.924720 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
9271:10719, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719114], length 1448
11:28:24.924722 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
10719:12167, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719114], length 1448
11:28:24.924724 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
12167:13615, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719114], length 1448
11:28:24.924726 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [P.], seq
13615:15063, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719114], length 1448
11:28:24.924930 IP 10.1.1.19.81 > 10.1.1.210.49321: Flags [.], ack 7823,
win 236, options [nop,nop,TS val 1398719115 ecr 104477833], length 0
11:28:24.924949 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
15063:16511, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719115], length 1448
11:28:24.924955 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [P.], seq
16511:17477, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719115], length 966
11:28:24.924971 IP 10.1.1.19.81 > 10.1.1.210.49321: Flags [.], ack 15063,
win 275, options [nop,nop,TS val 1398719115 ecr 104477833], length 0
11:28:24.925125 IP 10.1.1.19.81 > 10.1.1.210.49321: Flags [.], ack 17477,
win 261, options [nop,nop,TS val 1398719115 ecr 104477833], length 0
11:28:24.926496 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [P.], seq
17477:17516, ack 1, win 229, options [nop,nop,TS val 104477833 ecr
1398719115], length 39
11:28:24.926586 IP 10.1.1.19.81 > 10.1.1.210.49321: Flags [.], ack 17516,
win 331, options [nop,nop,TS val 1398719115 ecr 104477833], length 0
11:28:24.928261 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
17516:18964, ack 1, win 229, options [nop,nop,TS val 104477834 ecr
1398719115], length 1448
11:28:24.928266 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
18964:20412, ack 1, win 229, options [nop,nop,TS val 104477834 ecr
1398719115], length 1448
11:28:24.928274 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [P.], seq
20412:21611, ack 1, win 229, options [nop,nop,TS val 104477834 ecr
1398719115], length 1199
11:28:24.928481 IP 10.1.1.19.81 > 10.1.1.210.49321: Flags [.], ack 21611,
win 321, options [nop,nop,TS val 1398719116 ecr 104477834], length 0
11:28:24.930037 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
21611:23059, ack 1, win 229, options [nop,nop,TS val 104477834 ecr
1398719116], length 1448
11:28:24.930041 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [.], seq
23059:24507, ack 1, win 229, options [nop,nop,TS val 104477834 ecr
1398719116], length 1448
11:28:24.930048 IP 10.1.1.210.49321 > 10.1.1.19.81: Flags [P.], seq
24507:25706, ack 1, win 229, options [nop,nop,TS 

Re: [squid-users] POST upload splits tcp stream in many small 39byte sized pakets

2015-10-21 Thread Squid admin

Dear Alex,

using squid 3.5.10 with patch the upload speed problem seems to be fixed.
Now I get 112Mbit upload speed from a possible maximum of 115Mbit.
Squid 4.0.1 still has a performance problem on unencrypted POST upload ...

BR, Toni

(TSO off)

12:10:16.343559 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [S], seq  
1106586391, win 29200, options [mss 1460,sackOK,TS val 105105687 ecr  
0,nop,wscale 7], length 0
12:10:16.343928 IP 10.1.1.19.81 > 10.1.1.210.49388: Flags [S.], seq  
2709051093, ack 1106586392, win 14480, options [mss 1460,sackOK,TS val  
1399346969 ecr 105105687,nop,wscale 7], length 0
12:10:16.343948 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [.], ack 1,  
win 229, options [nop,nop,TS val 105105687 ecr 1399346969], length 0
12:10:16.344092 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [P.], seq  
1:585, ack 1, win 229, options [nop,nop,TS val 105105687 ecr  
1399346969], length 584
12:10:16.344174 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [.], seq  
585:2033, ack 1, win 229, options [nop,nop,TS val 105105688 ecr  
1399346969], length 1448
12:10:16.344179 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [.], seq  
2033:3481, ack 1, win 229, options [nop,nop,TS val 105105688 ecr  
1399346969], length 1448
12:10:16.344183 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [.], seq  
3481:4929, ack 1, win 229, options [nop,nop,TS val 105105688 ecr  
1399346969], length 1448
12:10:16.344185 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [.], seq  
4929:6377, ack 1, win 229, options [nop,nop,TS val 105105688 ecr  
1399346969], length 1448
12:10:16.344188 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [.], seq  
6377:7825, ack 1, win 229, options [nop,nop,TS val 105105688 ecr  
1399346969], length 1448
12:10:16.344196 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [P.], seq  
7825:8542, ack 1, win 229, options [nop,nop,TS val 105105688 ecr  
1399346969], length 717
12:10:16.344217 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [P.], seq  
8542:8581, ack 1, win 229, options [nop,nop,TS val 105105688 ecr  
1399346969], length 39
12:10:16.344248 IP 10.1.1.19.81 > 10.1.1.210.49388: Flags [.], ack  
585, win 123, options [nop,nop,TS val 1399346970 ecr 105105687],  
length 0
12:10:16.344288 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [.], seq  
8581:10029, ack 1, win 229, options [nop,nop,TS val 105105688 ecr  
1399346970], length 1448
12:10:16.344293 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [.], seq  
10029:11477, ack 1, win 229, options [nop,nop,TS val 105105688 ecr  
1399346970], length 1448
12:10:16.344299 IP 10.1.1.210.49388 > 10.1.1.19.81: Flags [P.], seq  
11477:12676, ack 1, win 229, options [nop,nop,TS val 105105688 ecr  
1399346970], length 1199
12:10:16.344382 IP 10.1.1.19.81 > 10.1.1.210.49388: Flags [.], ack  
4929, win 191, options [nop,nop,TS val 1399346970 ecr 105105688],  

Re: [squid-users] Monitoring Squid using SNMP.

2015-10-21 Thread Stuart Henderson
On 2015-10-20, Brendan Kearney wrote:
> this did not work - snmpwalk -v2c -c SecretHandShake proxy1:3401
> this did work - snmpwalk -v2c -c SecretHandShake proxy1:3401 .1.3

From snmpwalk's manual:

   "If no OID argument is present, snmpwalk will search the subtree rooted
   at SNMPv2-SMI::mib-2 (including any MIB object values from other MIB
   modules, that are defined as lying within this subtree)."

The objects in SQUID-MIB do not lie within this subtree.

http://wiki.squid-cache.org/Features/Snmp#How_can_I_query_the_Squid_SNMP_Agent




Re: [squid-users] Monitoring Squid using SNMP.

2015-10-21 Thread Leonardo Rodrigues

On 20/10/15 16:26, sebastien.boulia...@cpu.ca wrote:

> When I try to do a snmpwalk, I got a timeout.
>
> [root@bak ~]# snmpwalk xx:3401 -c cpuread -v 1
>
> [root@bak ~]#
>
> Anyone monitor Squid using SNMP ? Do you experiment some issues ?

You're not getting a timeout, you're getting no data, which is
completely different from a timeout.


Try giving the initial MIB number and you'll probably get the data:

[root@firewall ~]# snmpwalk -v 1 -c public localhost:3401 .1.3.6.1.4.1.3495.1

SNMPv2-SMI::enterprises.3495.1.1.1.0 = INTEGER: 419756
SNMPv2-SMI::enterprises.3495.1.1.2.0 = INTEGER: 96398932
SNMPv2-SMI::enterprises.3495.1.1.3.0 = Timeticks: (77355691) 8 days, 22:52:36.91

SNMPv2-SMI::enterprises.3495.1.2.1.0 = STRING: "webmaster"
SNMPv2-SMI::enterprises.3495.1.2.2.0 = STRING: "squid"
SNMPv2-SMI::enterprises.3495.1.2.3.0 = STRING: "3.5.8"


And to make things easier, I usually configure the SNMP daemon that
runs on UDP/161 to 'proxy' requests to Squid, so I don't need to worry
about specifying the correct port:


[root@firewall snmp]# grep proxy snmpd.conf
# proxying requests to squid MIB
proxy -v 1 -c public localhost:3401 .1.3.6.1.4.1.3495.1


So I can 'snmpwalk' on the default UDP/161 port (note the lack of the
:3401 port):


[root@firewall snmp]# snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.3495.1
SNMPv2-SMI::enterprises.3495.1.1.1.0 = INTEGER: 419964
SNMPv2-SMI::enterprises.3495.1.1.2.0 = INTEGER: 96359504
SNMPv2-SMI::enterprises.3495.1.1.3.0 = Timeticks: (77370521) 8 days, 22:55:05.21

--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

gertru...@solutti.com.br
My SPAMTRAP, do not email it


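Why the walk without an OID returns nothing while `.1.3` or `.1.3.6.1.4.1.3495.1` returns data, as an added example that is not part of the original thread and is not net-snmp's code: a simplified model of a GETNEXT-based walk over a constructed agent table holding only the Squid objects from the output quoted above. The helper names (`parse_oid`, `in_subtree`, `walk`) are hypothetical; mib-2 is 1.3.6.1.2.1.

```python
from bisect import bisect_right

# Constructed agent table: the Squid objects shown in the thread's snmpwalk output.
SQUID_AGENT = {
    "1.3.6.1.4.1.3495.1.1.1.0": 419756,
    "1.3.6.1.4.1.3495.1.1.2.0": 96398932,
    "1.3.6.1.4.1.3495.1.1.3.0": 77355691,
    "1.3.6.1.4.1.3495.1.2.1.0": "webmaster",
    "1.3.6.1.4.1.3495.1.2.2.0": "squid",
    "1.3.6.1.4.1.3495.1.2.3.0": "3.5.8",
}
MIB_2 = "1.3.6.1.2.1"  # SNMPv2-SMI::mib-2, the root snmpwalk uses when no OID is given


def parse_oid(text):
    """'.1.3.6' or '1.3.6' -> (1, 3, 6); int tuples compare in OID order."""
    return tuple(int(part) for part in text.strip(".").split("."))


def in_subtree(oid, root):
    """True when oid lies at or below root."""
    return oid[:len(root)] == root


def walk(agent, root_text):
    """Simplified GETNEXT walk: ask for the next OID after the last one seen,
    stop at end of MIB or when the answer falls outside the requested subtree."""
    root = parse_oid(root_text)
    table = sorted((parse_oid(k), v) for k, v in agent.items())
    keys = [k for k, _ in table]
    results, current = [], root
    while True:
        idx = bisect_right(keys, current)  # GETNEXT: first OID strictly greater
        if idx == len(keys):
            break                          # end of MIB
        oid, value = table[idx]
        if not in_subtree(oid, root):
            break                          # agent answered, but outside the subtree
        results.append((".".join(map(str, oid)), value))
        current = oid
    return results


if __name__ == "__main__":
    for root in (MIB_2, ".1.3", ".1.3.6.1.4.1.3495.1"):
        print(root, "->", len(walk(SQUID_AGENT, root)), "objects")
```

In this model the agent does answer the first GETNEXT from mib-2, but with an enterprises OID, so the walk ends with zero rows rather than timing out.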