[squid-users] Squid Queries

2016-04-04 Thread Supriya Prasad
Hi Team,

I had some queries regarding the squid configuration:


We are using Squid as a cache for our CWS proxy. As we are aware of the
Max-Forwards header, it decrements as it goes through each of the
proxies. Currently, our CWS proxy and Squid both decrement the Max-Forwards
header value when processing OPTIONS requests. So if we send a Max-Forwards
header of 5 from the client side, by the time it comes out of Squid it
shows 3. However, as our proxy and Squid are seen as one entity, we want the
decrement to happen only once.

I went through a number of Squid documentation pages and nowhere does it
mention how to disable the Max-Forwards header from decrementing on Squid.
Could you please let us know what is to be done?


Thanks and Regards,

Supriya
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
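
What the two hops are doing, as an added example that is not Squid's or the CWS proxy's code: RFC 7231 section 5.1.2 asks every intermediary that implements Max-Forwards to decrement it on OPTIONS and TRACE requests and to answer the request itself when it arrives with the value 0. The simulation below reproduces the 5 -> 3 observation with two decrementing hops, and the 5 -> 4 result the poster wants when one of the two components passes the header through untouched. The hop names and chains are constructed placeholders; the thread does not say whether Squid itself offers a switch for this.

```python
"""Max-Forwards across a proxy chain, per RFC 7231 section 5.1.2.

Added example for this thread; it is not Squid or CWS proxy code. Hop names
and the chains are constructed placeholders.
"""
from typing import Dict, List, Tuple

Headers = Dict[str, str]

# RFC 7231 defines Max-Forwards handling for OPTIONS and TRACE only; other
# methods are forwarded without touching the header.
MAX_FORWARDS_METHODS = {"OPTIONS", "TRACE"}


def hop(method: str, headers: Headers, honours_max_forwards: bool) -> Tuple[str, Headers]:
    """One intermediary. Returns ("forward", headers) or ("answer", headers).

    honours_max_forwards=False models a component that passes the header
    through untouched, which is what you want for the second half of a
    proxy+cache pair that should count as a single hop.
    """
    h = dict(headers)
    if method not in MAX_FORWARDS_METHODS or not honours_max_forwards:
        return "forward", h
    if "Max-Forwards" not in h:
        return "forward", h
    value = int(h["Max-Forwards"])
    if value == 0:
        # MUST NOT forward; the intermediary responds as the final recipient.
        return "answer", h
    h["Max-Forwards"] = str(value - 1)
    return "forward", h


def traverse(chain: List[Tuple[str, bool]], method: str, headers: Headers) -> Tuple[str, Headers]:
    """Push a request through the chain. Returns (who answered, headers as last seen)."""
    for name, honours in chain:
        action, headers = hop(method, headers, honours)
        if action == "answer":
            return name, headers
    return "origin", headers


# Constructed chains: both components decrement (what the thread reports)
# versus only the first one decrementing (what the poster wants).
BOTH_DECREMENT = [("cws-proxy", True), ("squid", True)]
SINGLE_HOP = [("cws-proxy", True), ("squid", False)]


def remaining_after(chain: List[Tuple[str, bool]], method: str, start: int) -> int:
    """Max-Forwards value as it leaves the last hop (or the hop that answered)."""
    _, h = traverse(chain, method, {"Max-Forwards": str(start)})
    return int(h["Max-Forwards"])


def who_answers(chain: List[Tuple[str, bool]], start: int) -> str:
    """Which element answers an OPTIONS request sent with Max-Forwards: start.

    Walking start = 0, 1, 2, ... is also how a client enumerates the
    intermediaries in front of a server, so every decrementing hop is
    visible from the outside.
    """
    name, _ = traverse(chain, "OPTIONS", {"Max-Forwards": str(start)})
    return name
```

`who_answers` is the other side of the same header: a client sending OPTIONS with Max-Forwards 0, 1, 2 gets an answer from each decrementing hop in turn, so collapsing the pair to one hop also hides the cache from that kind of probing.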


Re: [squid-users] filtering http(s) sites, transparently

2016-04-04 Thread Amos Jeffries
On 5/04/2016 4:49 a.m., Jok Thuau wrote:
> On Sun, Apr 3, 2016 at 9:59 PM, Amos Jeffries  wrote:
> 
>> On 4/04/2016 4:18 p.m., Jok Thuau wrote:
>>> I'm attempting to build a transparent proxy (policy based routing on
>>> firewall to squid proxy) with the following behavior:
>>>
>>> 1) proxies http traffic for a given set of domains, provide a message
>>> otherwise such as "domain not allowed" or similar
>>> 2) proxies https traffic for a given set of domains (ideally, splicing
>>> those, so as not to break HSTS, if enabled), otherwise provide an error
>>> message (bumping and providing "domain not allowed")
>>>
>>> I'm attempting this with a 3.5.15 compiled with icap (not yet used) and
>>> ssl-bumping.
>>>
>>> Part 1 seems easy enough (and is well documented)...
>>>
>>> acl whitelist dstdomain .domain1.tld
>>> acl whitelist dstdomain .domain2.tld
>>>
>>> acl http_ok all-of whitelist !SSL_ports
>>>
>>> http_access allow http_ok
>>> http_access deny all
>>
>> This is denying the HTTPS traffic CONNECT requests (synthesized by
>> Squid), since they only have IP address no domain name.
>>
> 
> yes, this is where I started with just http.
> 
> 
>>
>>
>>>
>>> Moving onto Part 2 (the peek and splice setup) appears to be the topic
>> of a
>>> few discussions out there...
>>>
>>> acl sni_whitelist ssl::server_name .domain1.tld
>>> acl sni_whitelist ssl::server_name .domain2.tld
>>>
>>> ssl_bump peek step1
>>
>> You have omitted the definition of step1 ACL.
>>
>>
> the definition of "step1" is the same as the one on the wiki (See full
> config below)
> 
> 
>>> ssl_bump splice sni_whitelist
>>> ssl_bump bump all
>>>
>>> It appears however that when combining the two, the generated
>>> certificate(s), instead of mimicking the original server's certificate
>>> comes out with the CN= where  is the ip used by the "connect"
>> part
>>> of the connection. In addition, it appears that only the first entry ever
>>> matches (at this point, i've tried so many combinations, i'm no longer
>>> certain of anything).
>>
>> You have omitted the http(s)_port configuration details, and the step1
>> ACL. So its not possible to say if you have the cert generation settings
>> wrong, or if the peeking step is matching wrong, or something else.
>>
>>
> That's included in the config below.
> 
> 
>>>
>>> If i remove *all* the http_access lines, then the behavior appears
>> correct
>>> (from a "splicing/bumping" standpoint).
>>>
>>
>> Strange. Squid without any http_access lines should be denying traffic
>> 100%.
>>
>>
> I do not see this behavior. Traffic appears to be allowed, and bumped
> (though with the wrong certificate, depending on the config, as explained
> before).
> 
> 
>>> Can anyone confirm that this is indeed possible to achieve?
>>>
>>> I believe, based on experimentation that any http_access i have, because
>> of
>>> the "deny all" cause the bumping to "short circuit" and effectively send
>> an
>>> early "access denied" based on the only information it has (the ip
>> address
>>> from the "connect", rather than the SNI that would come later).
>>>
>>> Would a setup where "deny http+!whitelist" so have the allow be the
>> default
>>> allow for the bumping to work and get to step2 and match the sni* acls
>>> somehow? (with a "deny step2 !sni_whitelist").
>>>
>>> Is 3.5.15 capable of doing this? If this requires some feature/effort,
>> what
>>> would be the procedure to sponsor that work?
>>
>> It is not possible to answer any of those questions properly without
>> full config details. You have omitted a lot.
>>
> 
> my apologies for trying to show only the relevant parts. Find below the
> current config.
> It appears to be bumping everything rather than splicing any of the config
> (which may be due to the limitations documented on the wiki)
> 
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> http_port 3129 intercept
> https_port 8443 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=64MB \
> cert=/etc/squid/ssl/proxy.pem \
> key=/etc/squid/ssl/proxy.key \
> cafile=/etc/squid/ssl/proxy.pem
> always_direct allow all

always_direct has not been necessary with SSL-Bump since the 3.1 series. You
should remove it.

> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl SniBypass ssl::server_name_regex \.slashdot\.org
> acl SniBypass ssl::server_name_regex \.fsdn\.com
> acl http_bypass dstdomain .slashdot.org
> acl http_bypass dstdomain .fsdn.com
> acl https_bypass all-of CONNECT SniBypass

This https_bypass ACL definition is a bit weird. It requires a single
message to match both TLS and HTTP properties simultaneously.

As you might imagine it is difficult for a TLS message to match HTTP
properties, and vice versa. So it won't ever match.

Note: SNI is *not* equivalent to Host or URL domain name. They can
contain very different values. The only thing they have in common 

Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-04 Thread Amos Jeffries
On 5/04/2016 2:44 a.m., FredB wrote:
>>
>> Thanks I will test, I confirm the problem still present after a while
>> Eg: this object seems never cleaned/fixed from cache
>>
> 
> No more success with a fresh cache, after 5 minutes the messages appear again
> and again.
> Joe is right, there is a bug somewhere.

The only Vary related change between .15 and .16 was the CVE fix.

I am suspicious of the +1 being added in src/store_swapmeta.cc. There is
a TODO next to it. Would you mind trying without it?

I expect the cache will need clearing to make that change operate
properly after the change. But if it is the problem the loops should not
return like they do now.

Amos



Re: [squid-users] Problem to configure squid for HTTPS website (HSTS or others certificate problems)

2016-04-04 Thread Amos Jeffries
On 4/04/2016 9:25 p.m., Raph Ghost wrote:
> Hi users :)
> 
> 
> What I want to do: I have a dedicated server and I want to make it as a 
> transparent adblocker through a VPN. So I have installed and configured 
> OpenVPN and route my traffic from the VPN tun into the squid proxy.
> 
> 
> What is the problem: Websites based on http work great but those based on
> httpS don't work at all.
> 
> 
> I have already tried two squid configurations and looked for that problem in
> the user mailing list history but I can't find any workaround that works.
> 
> 
> My compilation options (squid 3.5.15 -with-openssl is enabled):
> 

Please upgrade to 3.5.16.


> '--with-openssl=/etc/ssl' '--enable-ssl-crtd'

/etc is a location for config files. I somehow doubt that you have
installed the openssl binaries in there.

If you installed libssl-dev package correctly then you don't need the
"=/path" piece to be specified at all. Squid build script will find
OpenSSL in its normal place.


> My iptable conf (port 22: my ssh server/ input port 443: my OpenVPN server):
> 
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT DROP
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A INPUT -i tun0 -j ACCEPT
> -A FORWARD -i tun0 -j ACCEPT
> -A FORWARD -o tun0 -j ACCEPT
> -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
> -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
> -A OUTPUT -o tun0 -j ACCEPT
> -A OUTPUT -p icmp -j ACCEPT
> 
> My iptable conf (nat table):
> -P PREROUTING ACCEPT
> -P INPUT ACCEPT
> -P OUTPUT ACCEPT
> -P POSTROUTING ACCEPT
> -A PREROUTING -s 10.8.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 
> 3129
> -A PREROUTING -s 10.8.0.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 
> 3130
> -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
> 
> This iptables configuration works great to route vpn input trafic into squid.
> 


> 2nd conf I have tried (based on many tutorials and the official squid wiki
> especially to configure SSL Bump/Peek and Splice function):
> #
> # Recommended minimum configuration:
> #


> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 
> # And finally deny all other access to this proxy
> http_access deny all
> 
> 
> always_direct allow all

always_direct is not relevant since 3.1. Remove.

> sslproxy_cert_error allow all

By instructing Squid to ignore all errors, you are hiding all cert
related errors. Remove the above line to see if there is some error
being encountered that is leading to your problem.

> sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> # Squid normally listens to port 3128
> http_port 10.8.0.1:3128
> http_port 10.8.0.1:3129 transparent

"transparent" is obsolete. Use "intercept" instead.

> https_port 10.8.0.1:3130 intercept ssl-bump generate-host-certificates=on 
> dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl_cert/myCA.pem

... 6MB here and the 4MB on the helper. Those numbers need to be the
same IIRC.

> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> 
> ssl_bump peek step1 all
> ssl_bump stare step2
> ssl_bump bump step3
> 
> 
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /var/spool/squid 100 16 256
> 
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
> 
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> 
> 
> Unfortunately none of these conf work.
> 
> With the first conf:
> If I try to connect to https://openclassrooms.com/ for example I get a
> warning that the certificate is not trusted. I can bypass this warning
> (by clicking on "continue on this website (dangerous)") but after a few seconds
> I get an error generated by squid:
> "The following error was encountered while trying to retrieve the URL:
> https://openclassrooms.com/
> Connection to 190.93.240.239 failed.
> The system returned: (110) Connection timed out   < -
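
One thing a practitioner would check against the firewall rules quoted above, as an added example that is not part of this thread: Squid's own fetch of the origin is a new outbound TCP connection to port 443 leaving eth0, and on the proxy host that packet is judged by the OUTPUT chain, not by FORWARD and not by the nat PREROUTING redirect that handles the VPN clients. The script below is a small evaluator for just the subset of iptables syntax the posted ruleset uses (-p, -i, -o, --dport, -m state --state); FILTER_RULES is copied from the post, the packet descriptions and HTTPS_OUT_FIX are constructed. The thread does not confirm that this is the cause of the "(110) Connection timed out", only that the rules shown give that packet no accepting rule.

```python
"""Evaluate the posted iptables filter table against the proxy's own traffic.

Added example, not Squid or iptables code. The parser understands only the
matches the posted ruleset uses (-p, -i, -o, --dport, -m state --state) and
the nat table (REDIRECT for VPN clients) is not modelled.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

FILTER_RULES = [                       # copied from the post ("iptables -S" form)
    "-P INPUT DROP",
    "-P FORWARD DROP",
    "-P OUTPUT DROP",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT",
    "-A INPUT -p udp -m udp --dport 53 -j ACCEPT",
    "-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT",
    "-A INPUT -i tun0 -j ACCEPT",
    "-A FORWARD -i tun0 -j ACCEPT",
    "-A FORWARD -o tun0 -j ACCEPT",
    "-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A OUTPUT -o lo -j ACCEPT",
    "-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT",
    "-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT",
    "-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT",
    "-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT",
    "-A OUTPUT -o tun0 -j ACCEPT",
    "-A OUTPUT -p icmp -j ACCEPT",
]
# Constructed: the rule the posted set does not contain.
HTTPS_OUT_FIX = "-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT"


@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int]
    out_iface: Optional[str]     # interface the packet leaves on (OUTPUT/FORWARD)
    state: str                   # conntrack state: NEW, ESTABLISHED or RELATED
    in_iface: Optional[str] = None


@dataclass
class Rule:
    target: str = ""
    proto: Optional[str] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    dport: Optional[int] = None
    states: Set[str] = field(default_factory=set)


def parse_chain(lines: List[str], chain: str) -> Tuple[str, List[Rule]]:
    """Return (policy, rules) for one chain."""
    policy, rules = "ACCEPT", []
    for line in lines:
        argv = shlex.split(line)
        if argv[:2] == ["-P", chain]:
            policy = argv[2]
        elif argv[:2] == ["-A", chain]:
            r, i = Rule(), 2
            while i < len(argv):           # every option used here takes one value
                opt, val = argv[i], argv[i + 1]
                if opt == "-p": r.proto = val
                elif opt == "-i": r.in_iface = val
                elif opt == "-o": r.out_iface = val
                elif opt == "--dport": r.dport = int(val)
                elif opt == "--state": r.states = set(val.split(","))
                elif opt == "-j": r.target = val
                elif opt != "-m":          # "-m tcp/udp/state" just loads a match module
                    raise ValueError(f"unsupported option {opt!r} in {line!r}")
                i += 2
            rules.append(r)
    return policy, rules


def verdict(lines: List[str], chain: str, pkt: Packet) -> str:
    """First matching rule's target, or the chain policy when nothing matches."""
    policy, rules = parse_chain(lines, chain)
    for r in rules:
        if r.proto and r.proto != pkt.proto: continue
        if r.in_iface and r.in_iface != pkt.in_iface: continue
        if r.out_iface and r.out_iface != pkt.out_iface: continue
        if r.dport is not None and r.dport != pkt.dport: continue
        if r.states and pkt.state not in r.states: continue
        return r.target
    return policy
```

The RELATED,ESTABLISHED rule only helps once a connection exists; the first SYN of Squid's own TLS connection to the origin is NEW, and with policy DROP and no port 443 rule in OUTPUT it never leaves the box, which a client experiences as a timeout after the bumped handshake.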

Re: [squid-users] squid 3.5 vs 4.0

2016-04-04 Thread Amos Jeffries
On 5/04/2016 3:08 a.m., Yuri Voinov wrote:
> 04.04.16 21:06, Mike wrote:
>> Is there any list or page with any comparison information, say for the 2
>> latest versions 3.5.16 and 4.0.8 beta? I understand many of the fixes
>> coming out are being done for both, but so far I do not see any
>> information that describes any benefit to using 4.0 over 3.5. any help
>> would be appreciated.
>
> http://wiki.squid-cache.org/RoadMap

The 4.0 release notes have a more up to date list of changes, with explanation.


Amos



Re: [squid-users] Identifying intercepted clients

2016-04-04 Thread Brendan Kearney

On 04/03/2016 08:06 PM, Amos Jeffries wrote:
> On 4/04/2016 4:22 a.m., Brendan Kearney wrote:
>> with fedora 24 being released in a couple months, haproxy v1.6.x will be
>> available, and the ability to easily intercept HTTP traffic will be in
>> the version (see the set-uri directive).  with v1.6 i will be able to
>> rewrite the URL, so that squid can process the request properly.
>
> That does not make sense. Intercepting and URL-rewriting are completely
> different actions.
>
> The Squid-3.5 and later versions are able to receive PROXY protocol
> headers from HAProxy. You may find that much better than fiddling around
> with URLs and available in your current HAProxy.

i use iptables to intercept the request, and need the set-uri option in
haproxy 1.6.x to concatenate the Host header with the GET, in order to
have the request in the form that squid expects the request.  yes, they
are separate actions and i should have been clearer.

i will look into the PROXY protocol additions, but that may not be an
option until i can get all my boxes upgraded.

>> my problem is that i run authenticated access on the proxy, and will need
>> to exempt the traffic from that restriction.
>
> What restriction?

the authenticated access restriction.  not much of my policy allows for
unauthenticated access.

>> what mechanisms can i use to identify the fact that the client traffic
>> has been intercepted, so that i can create ACLs to match the traffic?  i
>> don't want to use things like IPs or User-Agent strings, as they may
>> change or be unknown.
>
> Only the interceptor can do that traffic distinction. Once traffic gets
> multiplexed the information is lost.

i tried to create / insert a header at the router/firewall/load
balancer, and test for the existence of the header in squid, but that
did not seem to go as well as i thought it might.

>> i was thinking about sending the intercepted traffic to a different
>> port, say 3129, and then using localport to identify the traffic. with
>> an ACL, i would exempt the traffic from auth, etc.  are there better
>> options?  how are other folks dealing with intercepted and explicit
>> traffic on the same box?
>
> That would be one fairly good way to distinguish the traffic types. So
> why is the URL fiddling happening?

because i need to concatenate the Host header with the GET line (URI),
in order for squid to be able to process the request.  i don't have squid
3.5 yet, nor do i have haproxy 1.6 yet, so i have to use the old
interception methods to accomplish this, at this point.

> Amos

thanks for the feedback.  seems i might be able to do things, just have
to find my way through until newer versions give me better means of
doing it.


thanks,

brendan
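
The concatenation Brendan describes, together with the check that should go with it, as an added example that is not Brendan's, HAProxy's or Squid's code: an intercepted request arrives in origin-form ("GET /path HTTP/1.1" plus a Host header) and has to become the absolute URL a forward proxy works on. Because the client, not the operator, supplies Host, an intercepting proxy should verify that the name resolves to the IP the client actually connected to before trusting it; Squid documents this as its Host header forgery check for intercepted traffic, and the function below models that check with a constructed resolver table in place of DNS.

```python
"""Turn an intercepted origin-form request into the absolute URL a forward
proxy works on, validating the Host header first.

Added example for this thread; not Squid, HAProxy or Brendan's code.
RESOLVER is a constructed table standing in for DNS.
"""
from typing import Dict, List, Optional, Tuple

RESOLVER: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34"],        # constructed mapping
    "intranet.example.net": ["10.1.2.3"],        # constructed mapping
}


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, target, version, headers)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def to_absolute(raw: bytes, dst_ip: str, dst_port: int,
                resolver: Dict[str, List[str]] = RESOLVER) -> Tuple[Optional[str], str]:
    """Return (absolute_url, reason); absolute_url is None when the request must be refused.

    dst_ip/dst_port are the original destination the client connected to, as
    recovered by the interceptor (SO_ORIGINAL_DST in the iptables REDIRECT
    case). The client chose the Host header, so it is trusted only when it
    resolves to that destination; this models the Host header forgery check
    Squid documents for intercepted traffic.
    """
    _, target, _, headers = parse_request(raw)
    if target.startswith(("http://", "https://")):
        return target, "already absolute-form (explicit proxy request)"
    host = headers.get("host")
    if not host:
        return None, "intercepted request without Host header"
    hostname, _, port_s = host.partition(":")
    port = int(port_s) if port_s else 80
    if port != dst_port:
        return None, f"Host port {port} differs from intercepted port {dst_port}"
    if dst_ip not in resolver.get(hostname.lower().rstrip("."), []):
        return None, f"{hostname} does not resolve to {dst_ip}: possible Host forgery"
    return f"http://{host}{target}", "ok"
```

Without the resolver comparison, a client behind the interceptor can open a TCP connection to any permitted address and then name an internal host in the Host header, and the rewritten URL would make the proxy fetch that internal host on the client's behalf.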


Re: [squid-users] X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error with transparent proxy configured with peek and splice

2016-04-04 Thread Yuri Voinov

acl BrokenButTrustedServers2 dstdomain "/usr/local/squid/etc/dstdom2.broken"
acl UnableGetIssuer ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
sslproxy_cert_error allow BrokenButTrustedServers2 UnableGetIssuer
sslproxy_cert_error deny all

Something like this.

04.04.16 23:11, Sébastien Damaye wrote:
> Hi community,
>
> I have setup Squid as transparent proxy (iptable is taking care of
> redirecting 80/tcp and 443/tcp traffic to Squid) with peek and splice on
> a Debian Jessie server to perform SSL inspection. Below is the
> interesting part of my squid.conf file:
>
> http_port 3130
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump \
> cert=/etc/squid/ssl_cert/myCA.pem \
> generate-host-certificates=on \
> dynamic_cert_mem_cache_size=4MB \
> options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE \
> dhparams=/etc/squid/ssl_cert/dhparam.pem
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl nobumpSites ssl::server_name "/etc/squid/domain.nobump"
>
> ssl_bump peek step1 all
> ssl_bump peek step2 nobumpSites
> ssl_bump splice step3 nobumpSites
> ssl_bump bump
>
> sslproxy_cipher
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> The SSL inspection works fine for the majority of the websites (I
> populate domain.nobump with some domains from time to time) but I had a
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error that I'm not able to
> fix while visiting https://blog.kaspersky.com. I have added
> ".blog.kaspersky.com" in my domain.nobump file but I still can't visit
> the website.
>
> Could you please help? Many thanks in advance for your inputs.
>

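
The usual reason an OpenSSL client reports X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY is that the server sends only its leaf certificate while the client's trust store holds the root but not the intermediate; the thread does not confirm that this is what happened with blog.kaspersky.com. The following added example (not Squid code, and not from either poster) reproduces the error with Python's ssl module, which is OpenSSL underneath just as Squid is, and shows it disappearing when the intermediate is sent. It assumes the openssl command-line tool is installed to mint a throw-away root/intermediate/leaf chain; the hostname blog.example.test is constructed.

```python
"""Reproduce X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (OpenSSL code 20).

Added example, not Squid code. Assumes the `openssl` CLI is installed; the
certificates are generated on the fly and the hostname is constructed.
"""
import os
import ssl
import subprocess
import tempfile
from typing import Optional

HOST = "blog.example.test"   # constructed name

# Minimal config so the example does not depend on the system openssl.cnf.
OPENSSL_CNF = """
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:%s
""" % HOST


def sh(*args: str) -> None:
    subprocess.run(args, check=True, capture_output=True)


def make_chain(d: str) -> dict:
    """root (self-signed) -> int -> leaf; returns the file paths."""
    p = lambda n: os.path.join(d, n)
    with open(p("openssl.cnf"), "w") as f:
        f.write(OPENSSL_CNF)
    sh("openssl", "req", "-x509", "-config", p("openssl.cnf"), "-extensions", "v3_ca",
       "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=Test Root", "-days", "1",
       "-keyout", p("root.key"), "-out", p("root.pem"))
    for name, issuer, ext, subj in (("int", "root", "v3_ca", "/CN=Test Intermediate"),
                                    ("leaf", "int", "v3_leaf", "/CN=" + HOST)):
        sh("openssl", "req", "-new", "-config", p("openssl.cnf"), "-newkey", "rsa:2048",
           "-nodes", "-subj", subj, "-keyout", p(name + ".key"), "-out", p(name + ".csr"))
        sh("openssl", "x509", "-req", "-in", p(name + ".csr"), "-CA", p(issuer + ".pem"),
           "-CAkey", p(issuer + ".key"), "-CAcreateserial", "-days", "1",
           "-extfile", p("openssl.cnf"), "-extensions", ext, "-out", p(name + ".pem"))
    return {n: p(n) for n in ("root.pem", "int.pem", "leaf.pem", "leaf.key")}


def handshake_verify_code(chain_pem: str, key_file: str, trust_file: str) -> Optional[int]:
    """In-memory TLS handshake. None if the client accepted the server's chain,
    otherwise the X509_V_ERR code the client hit (20 == UNABLE_TO_GET_ISSUER_CERT_LOCALLY)."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as chain:
        chain.write(chain_pem)
        chain.flush()
        server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server.load_cert_chain(chain.name, key_file)          # what the origin sends
        client = ssl.create_default_context(cafile=trust_file)  # CERT_REQUIRED + hostname check
        s_in, s_out, c_in, c_out = (ssl.MemoryBIO() for _ in range(4))
        srv = server.wrap_bio(s_in, s_out, server_side=True)
        cli = client.wrap_bio(c_in, c_out, server_hostname=HOST)
        cli_done = srv_done = False
        for _ in range(16):                                    # bounded pump
            if not cli_done:
                try:
                    cli.do_handshake()
                    cli_done = True
                except ssl.SSLWantReadError:
                    pass
                except ssl.SSLError as e:                      # verification failed
                    return getattr(e, "verify_code", -1)
            s_in.write(c_out.read())
            if not srv_done:
                try:
                    srv.do_handshake()
                    srv_done = True
                except ssl.SSLWantReadError:
                    pass
            c_in.write(s_out.read())
            if cli_done and srv_done:
                return None
        raise RuntimeError("handshake did not complete")


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        f = make_chain(d)
        leaf, inter, root = (open(f[n]).read() for n in ("leaf.pem", "int.pem", "root.pem"))
        return {
            "leaf_only": handshake_verify_code(leaf, f["leaf.key"], f["root.pem"]),
            "leaf_and_intermediate": handshake_verify_code(leaf + inter, f["leaf.key"], f["root.pem"]),
        }
```

Allowing the error through sslproxy_cert_error for a domain makes Squid accept any certificate whose issuer it cannot find for that domain, which is most of what verification is for. When the cause is a missing intermediate, making that intermediate available locally (for example in the file given to sslproxy_cafile) or getting the server to send it keeps verification intact.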


[squid-users] Squid 3.5.16-1 is available for Ubuntu 14.04 LTS (online repo ubuntu.diladele.com)

2016-04-04 Thread Rafael Akchurin
Greetings everyone,

The Squid 3.5.16-1 package for Ubuntu 14.04 LTS is now available. This version 
is recompiled using Squid DEB source from Debian Testing with some changes 
required to support SSL bump / libecap3 on Ubuntu 14.04 LTS. 

* Original release notes are at 
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.16-RELEASENOTES.html 
* The online repo is at http://ubuntu.diladele.com 
* Tutorial showing how we rebuilt Squid 3.5.16 on Ubuntu 14.04 LTS 
http://docs.diladele.com/tutorials/build_squid_ubuntu14/index.html 
* Scripts we used to build it are at 
https://github.com/ra-at-diladele-com/qlproxy_external/tree/master/src/squid.ssl/scripts.squid3

If you have installed previous version 3.5.15-1 from this repo then please run 
"sudo apt-get update && sudo apt-get upgrade".  Please also check that your 
current squid.conf file from previous version is not overwritten. 

If you are installing this version for the first time run the following 
commands:

# add repo
echo "deb http://ubuntu.diladele.com/ubuntu/ trusty main" > /etc/apt/sources.list.d/ubuntu.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install libecap3
apt-get install squid-common
apt-get install squid
apt-get install squidclient

All questions/comments and suggestions are welcome at supp...@diladele.com or 
here in the mailing list.

Best regards,
Rafael Akchurin
Diladele B.V. 
http://www.quintolabs.com 
http://www.diladele.com 

--
Please take a look at Web Safety - our ICAP based web filter server for Squid 
proxy at http://www.diladele.com.



[squid-users] X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error with transparent proxy configured with peek and splice

2016-04-04 Thread Sébastien Damaye
Hi community,

I have setup Squid as transparent proxy (iptable is taking care of
redirecting 80/tcp and 443/tcp traffic to Squid) with peek and splice on
a Debian Jessie server to perform SSL inspection. Below is the
interesting part of my squid.conf file:

http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
cert=/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB \
options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE \
dhparams=/etc/squid/ssl_cert/dhparam.pem

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpSites ssl::server_name "/etc/squid/domain.nobump"

ssl_bump peek step1 all
ssl_bump peek step2 nobumpSites
ssl_bump splice step3 nobumpSites
ssl_bump bump

sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

The SSL inspection works fine for the majority of the websites (I
populate domain.nobump with some domains from time to time) but I had a
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error that I'm not able to
fix while visiting https://blog.kaspersky.com. I have added
".blog.kaspersky.com" in my domain.nobump file but I still can't visit
the website.

Could you please help? Many thanks in advance for your inputs.

-- 
Cordialement/Regards,

Sébastien Damaye
PGP keyID: 0x59B1D7DE


Re: [squid-users] filtering http(s) sites, transparently

2016-04-04 Thread Jok Thuau
Thanks James! This is really close to what I need. Comparing this to my
existing config, it looks like i'm pretty close, except that i don't want
to "terminate" the sslbump, i need to send an error notification to the
end-user.



Re: [squid-users] filtering http(s) sites, transparently

2016-04-04 Thread Jok Thuau
On Sun, Apr 3, 2016 at 9:59 PM, Amos Jeffries  wrote:

> On 4/04/2016 4:18 p.m., Jok Thuau wrote:
> > I'm attempting to build a transparent proxy (policy based routing on
> > firewall to squid proxy) with the following behavior:
> >
> > 1) proxies http traffic for a given set of domains, provide a message
> > otherwise such as "domain not allowed" or similar
> > 2) proxies https traffic for a given set of domains (ideally, splicing
> > those, so as not to break HSTS, if enabled), otherwise provide an error
> > message (bumping and providing "domain not allowed")
> >
> > I'm attempting this with a 3.5.15 compiled with icap (not yet used) and
> > ssl-bumping.
> >
> > Part 1 seems easy enough (and is well documented)...
> >
> > acl whitelist dstdomain .domain1.tld
> > acl whitelist dstdomain .domain2.tld
> >
> > acl http_ok all-of whitelist !SSL_ports
> >
> > http_access allow http_ok
> > http_access deny all
>
> This is denying the HTTPS traffic CONNECT requests (synthesized by
> Squid), since they only have IP address no domain name.
>

yes, this is where I started with just http.


>
>
> >
> > Moving onto Part 2 (the peek and splice setup) appears to be the topic
> of a
> > few discussions out there...
> >
> > acl sni_whitelist ssl::server_name .domain1.tld
> > acl sni_whitelist ssl::server_name .domain2.tld
> >
> > ssl_bump peek step1
>
> You have omitted the definition of step1 ACL.
>
>
the definition of "step1" is the same as the one on the wiki (See full
config below)


> > ssl_bump splice sni_whitelist
> > ssl_bump bump all
> >
> > It appears however that when combining the two, the generated
> > certificate(s), instead of mimicking the original server's certificate
> > comes out with the CN= where  is the ip used by the "connect"
> part
> > of the connection. In addition, it appears that only the first entry ever
> > matches (at this point, i've tried so many combinations, i'm no longer
> > certain of anything).
>
> You have omitted the http(s)_port configuration details, and the step1
> ACL. So its not possible to say if you have the cert generation settings
> wrong, or if the peeking step is matching wrong, or something else.
>
>
That's included in the config below.


> >
> > If i remove *all* the http_access lines, then the behavior appears
> correct
> > (from a "splicing/bumping" standpoint).
> >
>
> Strange. Squid without any http_access lines should be denying traffic
> 100%.
>
>
I do not see this behavior. Traffic appears to be allowed, and bumped
(though with the wrong certificate, depending on the config, as explained
before).


> > Can anyone confirm that this is indeed possible to achieve?
> >
> > I believe, based on experimentation that any http_access i have, because
> of
> > the "deny all" cause the bumping to "short circuit" and effectively send
> an
> > early "access denied" based on the only information it has (the ip
> address
> > from the "connect", rather than the SNI that would come later).
> >
> > Would a setup where "deny http+!whitelist" so have the allow be the
> default
> > allow for the bumping to work and get to step2 and match the sni* acls
> > somehow? (with a "deny step2 !sni_whitelist").
> >
> > Is 3.5.15 capable of doing this? If this requires some feature/effort,
> what
> > would be the procedure to sponsor that work?
>
> It is not possible to answer any of those questions properly without
> full config details. You have omitted a lot.
>

my apologies for trying to show only the relevant parts. Find below the
current config.
It appears to be bumping everything rather than splicing any of the config
(which may be due to the limitations documented on the wiki)

acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl SSL_ports port 443
acl CONNECT method CONNECT
http_port 3129 intercept
https_port 8443 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=64MB \
cert=/etc/squid/ssl/proxy.pem \
key=/etc/squid/ssl/proxy.key \
cafile=/etc/squid/ssl/proxy.pem
always_direct allow all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl SniBypass ssl::server_name_regex \.slashdot\.org
acl SniBypass ssl::server_name_regex \.fsdn\.com
acl http_bypass dstdomain .slashdot.org
acl http_bypass dstdomain .fsdn.com
acl https_bypass all-of CONNECT SniBypass
acl http_ok all-of http_bypass Safe_ports
ssl_bump peek step1
ssl_bump splice SniBypass step2
ssl_bump bump all
sslproxy_cert_sign_hash sha256
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
always_direct allow all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
http_access allow http_ok
http_access allow CONNECT
no_cache allow all
cache deny all
shutdown_lifetime 3 seconds
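
Amos's point that SNI is not the Host or URL domain, and why the `all-of CONNECT SniBypass` ACL cannot work, illustrated with an added example that is not Squid code and not from either poster: at step 2 a peeking proxy has only the ClientHello, so the only name it can match is the SNI; the Host header exists only inside the tunnel, after bumping. The script builds a minimal ClientHello (constructed bytes) so the SNI parser has real input, copies the two whitelisted domains from the posted config, and makes the two decisions separately. Which step Squid evaluates a given ACL at is documented by Squid; the decision logic here is the example's own.

```python
"""What a peek-and-splice filter sees at each step: SNI from the ClientHello
at step 2, the Host header only after bumping.

Added example for this thread; not Squid code. ClientHello bytes are
constructed; WHITELIST copies the two domains from the posted config.
"""
from typing import Optional

WHITELIST = (".slashdot.org", ".fsdn.com")   # dstdomain semantics: domain and subdomains


def build_client_hello(sni: Optional[str]) -> bytes:
    """TLS record carrying a ClientHello with one cipher suite and, if sni is
    given, a server_name extension. Enough for parsing, not for a handshake."""
    body = b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"           # one cipher suite, null compression
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name          # host_name entry
        server_name_list = len(entry).to_bytes(2, "big") + entry
        ext = b"\x00\x00" + len(server_name_list).to_bytes(2, "big") + server_name_list
        body += len(ext).to_bytes(2, "big") + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """server_name from a ClientHello record, or None when it carries none."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 43                                                 # past version + random
    pos += 1 + record[pos]                                   # session id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")    # cipher suites
    pos += 1 + record[pos]                                   # compression methods
    if pos + 2 > len(record):
        return None                                          # no extensions block
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype = int.from_bytes(record[pos:pos + 2], "big")
        elen = int.from_bytes(record[pos + 2:pos + 4], "big")
        pos += 4
        if etype == 0:                                       # server_name extension
            lpos = pos + 2                                   # skip ServerNameList length
            while lpos + 3 <= pos + elen:
                ntype = record[lpos]
                nlen = int.from_bytes(record[lpos + 1:lpos + 3], "big")
                if ntype == 0:                               # host_name
                    return record[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
                lpos += 3 + nlen
        pos += elen
    return None


def domain_allowed(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d.lstrip(".") or name.endswith(d) for d in WHITELIST)


def decide_tls(client_hello: bytes) -> str:
    """Step-2 decision after peeking: splice a whitelisted SNI, bump everything
    else, including hellos that carry no SNI at all."""
    sni = parse_sni(client_hello)
    return "splice" if sni and domain_allowed(sni) else "bump"


def decide_http(sni: Optional[str], raw_request: bytes) -> str:
    """After bumping, the Host header is visible. Accept it only when it is
    whitelisted and names the same host as the SNI the TLS decision used;
    a mismatch means the two layers disagree and filtering on either alone
    would have been bypassed."""
    host = None
    for line in raw_request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().decode("ascii", "replace").split(":")[0]
    if host is None or not domain_allowed(host):
        return "deny"
    if sni is None or host.lower().rstrip(".") != sni.lower().rstrip("."):
        return "deny:sni-host-mismatch"
    return "allow"
```

Seen this way, an http_access rule written only in terms of dstdomain can never see a spliced connection's Host (there is none to see), and a rule written only in terms of ssl::server_name says nothing about what is requested inside a bumped one.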


Re: [squid-users] Can Squid send the response time information to icap?

2016-04-04 Thread Alex Rousskov
On 04/04/2016 08:52 AM, Giray Simsek wrote:
> Hi,
> 
> Can Squid send the response time information to icap by passing a header
> and a value pair to icap?

Yes, Squid can do that via adaptation_meta, but true "response time" may
not be the information you actually want.

  http://www.squid-cache.org/Doc/config/adaptation_meta/


> I am trying to get the duration for the http responses within the icap
> module. That is, the time it takes to get the response from the external
> web server after the initial http get request is sent. 
> 
> I am hoping there is a way to pass this information from squid to c-icap.
> 
> I see that it is possible to log this information in squid using the
> format code:
> 
>  tr Response time (milliseconds)

You might be assuming (incorrectly) that the ICAP transaction starts
when the HTTP transaction with the origin server ends. In reality, the
two transactions may overlap. They usually do overlap for large
responses. Thus, the response time is often not yet known at the ICAP
transaction start time.

Furthermore, %tr includes Squid-to-client delivery delays so it is
especially inappropriate at pre-cache RESPMOD time. Use %<pt or %<tt:

> [http::]<pt Peer response time in milliseconds. The timer starts
> when the last request byte is sent to the next hop
> and stops when the last response byte is received.
> [http::]<tt Total server-side time in milliseconds. The timer
> starts with the first connect request (or write I/O)
> sent to the first selected peer. The timer stops
> with the last I/O with the last peer.



I have not checked whether %tr or %

> tS  Approximate master transaction start time in
> <full seconds since epoch>.<fractional seconds> format.
> Currently, Squid considers the master transaction
> started when a complete HTTP request header initiating
> the transaction is received from the client. This is
> the same value that Squid uses to calculate transaction
> response time when logging %tr to access.log. Currently,
> Squid uses millisecond resolution for %tS values,
> similar to the default access.log "current time" field
> (%ts.%03tu).

Ideally, you need new logformat codes with Squid-to-origin request
start time (to pair with the already supported %http://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


HTH,

Alex.



Re: [squid-users] squid 3.5 vs 4.0

2016-04-04 Thread Yuri Voinov

http://wiki.squid-cache.org/RoadMap

04.04.16 21:06, Mike wrote:
> Is there any list or page with any comparison information, say for the 2
> latest versions 3.5.16 and 4.0.8 beta? I understand many of the fixes
> coming out are being done for both, but so far I do not see any
> information that describes any benefit to using 4.0 over 3.5. any help
> would be appreciated.
>
> Mike



[squid-users] squid 3.5 vs 4.0

2016-04-04 Thread Mike
Is there any list or page with any comparison information, say for the 2 
latest versions 3.5.16 and 4.0.8 beta? I understand many of the fixes 
coming out are being done for both, but so far I do not see any 
information that describes any benefit to using 4.0 over 3.5. any help 
would be appreciated.


Mike


[squid-users] Can Squid send the response time information to icap?

2016-04-04 Thread Giray Simsek
Hi,

Can Squid send the response time information to icap by passing a header and a 
value pair to icap?

I am trying to get the duration for the http responses within the icap module. 
That is, the time it takes to get the response from the external web server 
after the initial http get request is sent. 

I am hoping there is a way to pass this information from squid to c-icap.

I see that it is possible to log this information in squid using the format 
code:

 tr Response time (milliseconds)

Thanks in advance,
Giray


Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-04 Thread FredB

> 
> i can provide testing patchjust for testing  .. not for
> production until
> they find the right cause
> but   make shurr the header ar  public for those link might be your
> situation ar diff...

I will, but later on a test platform.
Now I will fall back to a previous release.




Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-04 Thread FredB

> 
> Thanks I will test, I confirm the problem still present after a while
> Eg: this object seems never cleaned/fixed from cache
> 

No more success with a fresh cache: after 5 minutes the messages appear again
and again.
Joe is right, there is a bug somewhere.


Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-04 Thread joe
The conversion they did might have a bug; I'm using the latest trunk.
Try my patch; if it works, then I or they may be able to fix it.
I'm using my patch in production for testing; so far it's OK, but as I said
it needs to be done in the correct way.




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-3-5-16-and-vary-loop-objects-bug-tp4676901p4676911.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] filtering http(s) sites, transparently

2016-04-04 Thread James Lay
On Sun, 2016-04-03 at 21:18 -0700, Jok Thuau wrote:
> I'm attempting to build a transparent proxy (policy based routing on
> firewall to squid proxy) with the following behavior:
> 
> 
> 
> 1) proxies http traffic for a given set of domains, provide an message
> otherwise such "domain not allowed" or similar
> 2) proxies https traffic for a given set of domains (ideally, splicing
> those, so as not to break HSTS, if enabled), otherwise provide an
> error message (bumping and providing "domain not allowed")
> 
> 
> 
> I'm attempting this with a 3.5.15 compiled with icap (not yet used)
> and ssl-bumping.
> 
> 
> Part 1 seems easy enough (and is well documented)...
> 
> 
> acl whitelist dstdomain .domain1.tld
> 
> acl whitelist dstdomain .domain2.tld
> 
> 
> acl http_ok all-of whitelist !SSL_ports
> 
> 
> http_access allow http_ok
> http_access deny all
> 
> 
> Moving onto Part 2 (the peek and splice setup) appears to be the topic
> of a few discussions out there...
> 
> 
> acl sni_whitelist ssl::server_name .domain1.tld
> acl sni_whitelist ssl::server_name .domain2.tld
> 
> 
> ssl_bump peek step1
> ssl_bump splice sni_whitelist
> ssl_bump bump all
> 
> 
> It appears however that when combining the two, the generated
> certificate(s), instead of mimic'ing the original server's certificate
> comes out with the CN= where  is the ip used by the "connect"
> part of the connection. In addition, it appears that only the first
> entry ever matches (at this point, i've tried so many combinations,
> i'm no longer certain of anything). 
> 
> 
> If i remove *all* the http_access lines, then the behavior appears
> correct (from a "splicing/bumping" standpoint).
> 
> 
> Can anyone confirm that this is indeed possible to achieve?
> 
> 
> I believe, based on experimentation that any http_access i have,
> because of the "deny all" cause the bumping to "short circuit" and
> effectively send an early "access denied" based on the only
> information it has (the ip address from the "connect", rather than the
> SNI that would come later). 
> 
> 
> Would a setup where "deny http+!whitelist" so have the allow be the
> default allow for the bumping to work and get to step2 and match the
> sni* acls somehow? (with a "deny step2 !sni_whitelist").
> 
> 
> Is 3.5.15 capable of doing this? If this requires some feature/effort,
> what would be the procedure to sponsor that work?
> 
> 
> Thanks,
> Jok
> 


This may assist:

http://article.gmane.org/gmane.comp.web.squid.general/114389

James


Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-04 Thread FredB

> 
> mmm code ar the same must be something else corrupt the vary before
> varyEvaluateMatch()
> 

This ? 
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch


Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-04 Thread joe
FredB wrote
>> Objet: Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)
>> 
>> intercept  ??
> 
> No, implicit proxy 
> 
>> i got excellent result but not the correct way its and old issue
>> may be i was not posting the issue in correct way for the dev... to
>> understand
> 
> Very recent for me, not problem with 6 proxies and squid 3.5.13 but
> present with 2 new 3.5.16
> 

mmm, the code is the same; something else must corrupt the vary before
varyEvaluateMatch().

I can provide a testing patch, just for testing... not for production until
they find the right cause.
But make sure the headers are public for those links; your
situation might be different...

diff -Naur src/client_side.cc src/client_side.cc
--- src/client_side.cc  2016-04-02 03:38:47.0 +0300
+++ src/client_side.cc  2016-04-03 16:47:02.0 +0300
@@ -4725,13 +4725,26 @@
 if (!vary.isEmpty())
 request->vary_headers = vary;
 }
+if (vary.isEmpty()) {
+vary = entry->mem_obj->vary_headers;
+
+if (!vary.isEmpty())
+request->vary_headers = vary;
+}
 
 if (vary.isEmpty()) {
 /* Ouch.. we cannot handle this kind of variance */
 /* XXX This cannot really happen, but just to be complete */
 return VARY_CANCEL;
+
 } else if (vary.cmp(entry->mem_obj->vary_headers) == 0) {
 return VARY_MATCH;
+
+} else if (vary.cmp(httpMakeVaryMark(request, entry->getReply()))
== 0) {
+return VARY_MATCH;
+
+} else if (!vary.isEmpty() &&
!entry->mem_obj->vary_headers.isEmpty()) {
+return VARY_MATCH;
 } else {
 /* Oops.. we have already been here and still haven't
  * found the requested variant. Bail out
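Review bot: the new fallback branch `} else if (!vary.isEmpty() && !entry->mem_obj->vary_headers.isEmpty()) { return VARY_MATCH;` is reached only after the earlier `if (vary.isEmpty())` has already returned VARY_CANCEL, so its first operand is always true and it returns VARY_MATCH for every non-empty stored vary mark that failed both `cmp` tests above it; that declares a match for a variant whose mark does not match the request, so the cached object served may have been stored for different Accept-Encoding or User-Agent values than the client sent. The earlier added block `if (vary.isEmpty()) { vary = entry->mem_obj->vary_headers; ... }` has the same effect from the other side: it seeds the request's mark from the stored entry, so the following `vary.cmp(entry->mem_obj->vary_headers) == 0` succeeds trivially. Both changes silence the "Not a Vary match on second attempt" message rather than find what corrupts the mark before varyEvaluateMatch(), which is consistent with the "just for testing, not for production" caveat in the message. Separately, the line `} else if (vary.cmp(httpMakeVaryMark(request, entry->getReply()))` has been wrapped before `== 0) {` by the mail client, so the hunk will not apply as posted; attach the patch as a file or re-send it unwrapped.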






Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-04 Thread FredB

>  
> Version 4.0.8 has the same issue after upgrading without cache
> clean-up.
> 

Thanks, I will test. I confirm the problem is still present after a while.
E.g. this object seems never to be cleaned/fixed from the cache:

Snip, there are many requests before ...


Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-04 Thread FredB

> Objet: Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)
> 
> intercept  ??

No, implicit proxy 

> i got excellent result but not the correct way its and old issue
> may be i was not posting the issue in correct way for the dev... to
> understand

Very recent for me, no problem with 6 proxies and squid 3.5.13 but present
with 2 new 3.5.16



Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-04 Thread joe
Forgot to say: if it's possible to get one of those links, re-send it many
times; you should always get varyEvaluateMatch: Oops, not just once, OK?
And try to get the Cache-Control header; it should be public. If it's private,
then that's normal, as Amos says.






Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-04 Thread joe
Intercept??
Mostly those you see on an accelerator; that's what I'm trying to explain in my
other post.
I know the cause: it's in varyEvaluateMatch in the source code. Somehow the vary
is not empty and it might not match mem_obj->vary_headers, so you end up
in cache.log with varyEvaluateMatch: Oops. Not a Vary match on second attempt.
Even if it's a public header it does the same; usually if it's private on
Cache-Control it does that,
but it does it on public as well. I did some testing modifying the function;
I got excellent results but not the correct way. It's an old issue;
maybe I was not posting the issue in the correct way for the devs to
understand.





[squid-users] Problem to configure squid for HTTPS website (HSTS or others certificate problems)

2016-04-04 Thread Raph Ghost
Hi users :)


What I want to do: I have a dedicated server and I want to make it as a 
transparent adblocker through a VPN. So I have installed and configured OpenVPN 
and route my traffic from the VPN tun into the squid proxy.


What is the problem: Websites based on http work great but those based on httpS
don't work at all.


I have already tried two squid configurations and looked for that problem in the
user mailing list history but I can't find any workaround that works.


My compilation options (squid 3.5.15 -with-openssl is enabled):

'--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' 
'--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' 
'--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' 
'--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' 
'--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong 
-Wformat -Werror=format-security -fPIE -pie -Wl,-z,relro -Wl,-z,now' 
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' 
'--disable-arch-native' '--enable-async-io=8' 
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' 
'--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' 
'--enable-follow-x-forwarded-for' 
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' 
'--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' 
'--enable-auth-ntlm=fake,smb_lm' 
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
 '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' 
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' 
'--with-openssl=/etc/ssl' '--enable-ssl-crtd' '--with-swapdir=/var/spool/squid' 
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' 
'--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' 
'--enable-build-info= linux' '--enable-linux-netfilter' 
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong 
-Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro 
-Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE 
-fstack-protector-strong -Wformat -Werror=format-security'


My iptables conf (port 22: my ssh server / input port 443: my OpenVPN server):

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

My iptables conf (nat table):
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -s 10.8.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 
3129
-A PREROUTING -s 10.8.0.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 
3130
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This iptables configuration works great to route VPN input traffic into squid.


1st squid conf I've tried (based on this tutorial 
http://monblog.system-linux.net/blog/2013/03/23/mettre-en-oeuvre-squid-transparent-https-sous-debian/
 and others):

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.8.0.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) 
machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only 

Re: [squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-04 Thread Yuri Voinov

Version 4.0.8 has the same issue after upgrading without cache clean-up.

04.04.16 14:28, FredB wrote:
> Hello
>
> I migrated my Squid to the latest version 3.5.16 (from 3.5.10) and now
I have many many "Vary loop objects"
> What happen ? I made no configuration changes
>
> After 1 hours
>
> Squid 3.5.16
> grep "Vary" /var/log/squid/cache.log | wc -l
> 18176
>
> Squid 3.5.10
> grep "Vary" /var/log/squid/cache.log | wc -l
> 4
>
> My cache value is also very slow, -15%
>
> As you can see there many lines each seconds

[squid-users] Squid 3.5.16 and vary loop objects (bug ?)

2016-04-04 Thread FredB
Hello

I migrated my Squid to the latest version 3.5.16 (from 3.5.10) and now I have
many many "Vary loop objects".
What happened? I made no configuration changes.

After 1 hour

Squid 3.5.16
grep "Vary" /var/log/squid/cache.log | wc -l
18176

Squid 3.5.10
grep "Vary" /var/log/squid/cache.log | wc -l
4

My cache value is also very slow, -15%

As you can see there are many lines every second

2016/04/04 10:17:07 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:07 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 
'http://abonnes.lemonde.fr/ajah/5m/lemonde/abonnes/Controller_Module_Pave_Edito_Chat/actionAfficherPave/WzM/yMT/Bd/EMPTY/?key=7d65cf7d4c3a74e05cb76a09e96f5afb430d22e3'
 'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:07 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:07 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 
'http://abonnes.lemonde.fr/ajah/5m/lemonde/abonnes/Controller_Module_Abonnes_AppelJelec/actionAfficher/W3R/ydW/UsI/kJMT0NBQk9TRVFDT0xEUjE0IiwiIiwzMjEwXQ--/?key=3e9cf6640e7918a9414ffdf81f2d59ea943790df'
 'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:07 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:07 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 
'http://abonnes.lemonde.fr/ajah/5m/lemonde/abonnes/Controller_Module_General_Colonne_Defaut/actionAfficher/W10/-/EMPTY/EMPTY/?key=dc4d5d30403d8d1a697e69255a95c47f05e387bd'
 'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:07 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:07 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 'http://abonnes.lemonde.fr/ws/1/jelec/kiosque/' 
'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:07 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:07 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 
'http://abonnes.lemonde.fr/ajah/5m/lemonde/abonnes/Controller_Module_Pave_Edito_Item/actionAfficherPave/W25/1bG/wse/yJydWJyaXF1ZV9pZCI6MzIxMH0sNDg1NDMwNixudWxsXQ--/?key=2c4363f33e0fda86711e649d14ae9ec6f513ccbe'
 'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:07 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:08 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 'http://www.sudouest.fr/img/meteo/102.png' 'host="www.sudouest.fr", 
accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:08 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:08 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 'http://www.sudouest.fr/img/meteo/10.png' 'host="www.sudouest.fr", 
accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:08 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:09 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 
'http://s2.cdscdn.com/cds/showCaseCss.css?LanguageCode=fr=100=89f22cc02227662988361ba3aed55805'
 'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:09 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:09 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 
'http://s2.cdscdn.com/Css/cdsrwd/wl/rwd/master/fullrwd.css?LanguageCode=fr=100'
 'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:09 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:09 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 'http://s3.cdscdn.com/Js/cdsrwd/wl/rwd/block/recs.js' 
'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:09 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:09 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 
'http://s3.cdscdn.com/cds/showCaseJs.js?md5=e2ef12f58f4161c79776f239ad0c34f0' 
'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:09 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:09 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 
'http://s2.cdscdn.com/Css/cdsrwd/wl/rwd/block/button.css?LanguageCode=fr=100'
 'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:09 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:09 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 'http://s3.cdscdn.com/Js/external/tagcommander/tc_nav.js' 
'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:09 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:09 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 'http://www.cdiscount.com/favicon.ico' 
'user-agent="Mozilla%2F5.0%20(Windows%20NT%206.1%3B%20rv%3A38.0)%20Gecko%2F20100101%20Firefox%2F38.0"'
2016/04/04 10:17:09 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:09 kid1| varyEvaluateMatch: Oops. Not a Vary match on second 
attempt, 
'http://regie2.moto-net.com/adimage.php?filename=ban-starplaq-2014.gif=gif'
 'accept-encoding="identity,gzip,deflate", 
user-agent="Mozilla%2F5.0%20(compatible%3B%20MSIE%209.0%3B%20Windows%20NT%206.1%3B%20Trident%2F5.0)"'
2016/04/04 10:17:09 kid1| clientProcessHit: 
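To triage a cache.log like the one above, here is an added example (not from the thread and not Squid code) that parses the "varyEvaluateMatch: Oops. Not a Vary match on second attempt" records, groups them per URL and extracts which request headers the stored variant is keyed on. The sample log is constructed from the message format shown above, one record per line as Squid writes it (the mail archive wraps them).

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample cache.log excerpt in the format shown in the thread
# (one record per line; the archive above wraps long lines).
SAMPLE_LOG = """\
2016/04/04 10:17:07 kid1| varyEvaluateMatch: Oops. Not a Vary match on second attempt, 'http://abonnes.lemonde.fr/ws/1/jelec/kiosque/' 'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:07 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:08 kid1| varyEvaluateMatch: Oops. Not a Vary match on second attempt, 'http://www.sudouest.fr/img/meteo/102.png' 'host="www.sudouest.fr", accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:08 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:09 kid1| varyEvaluateMatch: Oops. Not a Vary match on second attempt, 'http://www.cdiscount.com/favicon.ico' 'user-agent="Mozilla%2F5.0%20(Windows%20NT%206.1%3B%20rv%3A38.0)%20Gecko%2F20100101%20Firefox%2F38.0"'
2016/04/04 10:17:09 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:10 kid1| varyEvaluateMatch: Oops. Not a Vary match on second attempt, 'http://abonnes.lemonde.fr/ws/1/jelec/kiosque/' 'accept-encoding="identity,gzip,deflate"'
2016/04/04 10:17:10 kid1| clientProcessHit: Vary object loop!
2016/04/04 10:17:11 kid1| storeDirWriteCleanLogs: Starting...
"""

# Timestamp, kid id, then the quoted URL and the quoted vary mark.
LOOP_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| "
    r"varyEvaluateMatch: Oops\. Not a Vary match on second attempt, "
    r"'(?P<url>[^']*)' '(?P<mark>.*)'$"
)
# One name="value" item of the vary mark; values may contain commas.
MARK_ITEM_RE = re.compile(r'([^\s,=]+)="([^"]*)"')


def parse_vary_mark(mark):
    """Split a vary mark such as 'host="www.example", accept-encoding="gzip"'
    into {header: value}; values in the log are percent-encoded."""
    return {name.lower(): unquote(value) for name, value in MARK_ITEM_RE.findall(mark)}


def parse_loops(log_text):
    """Yield (timestamp, url, mark_dict) for every second-attempt Vary mismatch."""
    for line in log_text.splitlines():
        m = LOOP_RE.match(line)
        if m:
            yield m.group("ts"), m.group("url"), parse_vary_mark(m.group("mark"))


def summarize(log_text):
    """Per-URL summary: how often the loop fired and which request headers
    the variant is keyed on. Returns {url: {"count", "vary_headers", "marks"}}."""
    summary = {}
    for _ts, url, mark in parse_loops(log_text):
        entry = summary.setdefault(url, {"count": 0, "vary_headers": set(), "marks": set()})
        entry["count"] += 1
        entry["vary_headers"].update(mark.keys())
        entry["marks"].add(tuple(sorted(mark.items())))
    return summary


def repeat_offenders(log_text, min_count=2):
    """URLs that loop repeatedly: candidates to purge from the cache and to
    inspect for Cache-Control: public/private as discussed in the thread."""
    return sorted(url for url, e in summarize(log_text).items() if e["count"] >= min_count)


if __name__ == "__main__":
    for url, e in summarize(SAMPLE_LOG).items():
        print(f"{e['count']:4d}  {url}  vary on: {', '.join(sorted(e['vary_headers']))}")
```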

[squid-users] Squid 3.5.16 for Microsoft Windows 64-bit is available

2016-04-04 Thread Rafael Akchurin
Greetings everyone,



The CygWin based build of Squid proxy for Microsoft Windows version 3.5.16 is 
now available (amd64 only!).



* Original release notes are at 
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.16-RELEASENOTES.html.

* Ready to use MSI package can be downloaded from http://squid.diladele.com.

* List of open issues for the installer - 
https://github.com/diladele/squid3-windows/issues



Thanks a lot to the Squid developers for making this great software!



Please join our humble efforts to provide a ready-to-run MSI installer for Squid
on Microsoft Windows with all required dependencies at GitHub -

https://github.com/diladele/squid3-windows. Please report all 
issues/bugs/feature requests at GitHub project.

Issues about the *MSI installer only* can also be reported to 
supp...@diladele.com.



NOTE: the 3.5.16 version of Squid for Ubuntu 14.04 LTS will also be available
today. The repo is at http://ubuntu.diladele.com. This version is
recompiled using the Squid DEB source from Debian Testing with some changes
required to support SSL bump / libecap3 on Ubuntu 14.04 LTS. See more at
http://docs.diladele.com/tutorials/build_squid_ubuntu14/index.html.



Best regards,

Rafael Akchurin

Diladele B.V.

http://www.quintolabs.com

http://www.diladele.com



--

Please take a look at Web Safety - our ICAP based web filter server for Squid 
proxy.





Re: [squid-users] Slowly rising CPU load (eventually hits 100)

2016-04-04 Thread squid
On 2016-03-31 16:21, sq...@peralex.com wrote:
> On 2016-03-31 16:07, Yuri Voinov wrote:
>>
>> Looks like permanently running clients, which is exausted network
>> resources and then initiating connection abort.
>>
>> Try to add
>>
>> client_persistent_connections off

This option didn't fix the problem.  The CPU usage went wild again after
about a day.

I've changed the maximum_object_size_in_memory setting as suggested by
Alex, and I'll report back on that.

Mark

