[squid-users] smp purge

2016-08-24 Thread 曹士超
Hi, how are you?
I don't know whether Squid with SMP (multiple CPU worker processes) can purge the cache: each
process defines its own cache_dir, so when a purge request is routed to a different worker, clearing
the cache fails.






___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Some delay pools questions

2016-08-24 Thread erdosain9
Hi.
I have thought of having several delay pools, but I doubt whether this is the
right way.
E.g.
I want to give the "administration" 512kb in total, to be distributed
among 8 users.
Give the "video editing area" a total of 1000KB to divide among 8 users.
I want to limit the bandwidth dedicated to youtube for "administration" to
125kb and to 512kb for the "video editing area".
And this bandwidth dedicated to youtube is taken from the respective
totals.
Is it possible?

Another doubt. If I want to provide, for example, 512kb to three different
areas.

How would the syntax be? Not shared, but each area has 512kb available.

Would it be like this?

delay_pools 1
delay_class 1 2
delay_parameters 1 512000/512000 64000/256000
delay_access 1 area1
delay_access 1 area2
delay_access 1 area3

In this way would each area get 512kb, or would they be sharing?

Thank you very much!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Some-delay-pools-questions-tp4679149.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Alex Rousskov
On 08/24/2016 12:24 PM, Omid Kosari wrote:
> Alex Rousskov wrote
>> Thus, the existing implementation should cover non-HTTP
>> requests on port 80 (or 3128). If it does not, it is a bug. We should
>> polish the documentation to make this clear.


> The problem is not Squid itself. The problem is that in some situations, for
> example DoS (with malformed requests), infected clients send lots of
> requests to the target server. The requests go through Squid TPROXY, so Squid
> will send back about 250 bytes in reply to each request.
> 
> So I am looking for a way to just send a TCP reset and not those 250 bytes.


What you said is orthogonal to what I said. There are two parts of the
problem you are trying to solve:

1. Detect a non-HTTP request on port 80.
2. Reset the client connection when #1 happens.

The existing on_unsupported_protocol directive already supports #1 --
bugs notwithstanding, it can be used to generate an error response when
you want. It is also the default behavior.

Once that error response is generated, you want to convert it into a TCP
reset by denying that response _and_ using a matching "deny_info
TCP_RESET". That is part #2. I do not know why deny_info does not work
in your tests.


N.B. Since resetting non-HTTP connections is a common need, it may be
tempting to add a "terminate" action to the on_unsupported_protocol list
of supported actions. However, I am not sure that is a good idea because
resetting a connection is a common need in many contexts. Deny_info may
be a better (more general) solution.


HTH,

Alex.

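The two-stage configuration Alex describes, assembled as a constructed squid.conf fragment (an added example, not code from the thread or from the Squid project; it assumes Squid 4 syntax for on_unsupported_protocol, and the acl name bad_request is invented here). Omid's test elsewhere in the thread shows the same denial still producing a 403 with headers on his build, so confirm the behaviour on your own version before relying on it.

```conf
# Constructed example, not from the thread: the two stages Alex describes,
# in Squid 4 directive syntax.

# Assumed to exist already: the intercepting port the non-HTTP traffic arrives on.
http_port 80 tproxy

# Stage 1: a connection accepted on port 80 whose first bytes are not a
# parseable HTTP request gets a generated error response instead of being
# tunnelled onward. "respond" is also the default action.
on_unsupported_protocol respond all

# Stage 2: the generated error is only visible in the reply pathway, so match
# it there. "bad_request" is an acl name invented for this example; Omid's test
# matched the generated error as a 400.
acl bad_request http_status 400

# Denying a reply that matches an acl bound to "deny_info TCP_RESET" is meant to
# turn the denial into a connection reset rather than a 403 error page.
deny_info TCP_RESET bad_request
http_reply_access deny bad_request
http_reply_access allow all
```

Check the result with a packet capture on the client side of the proxy: a correct setup shows a bare RST after the client's first bytes, while a failed one shows a 403 response with headers, as in Omid's paste.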


Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Omid Kosari
Alex Rousskov wrote
> Thus, the existing implementation should cover non-HTTP
> requests on port 80 (or 3128). If it does not, it is a bug. We should
> polish the documentation to make this clear.

The problem is not Squid itself. The problem is that in some situations, for
example DoS (with malformed requests), infected clients send lots of
requests to the target server. The requests go through Squid TPROXY, so Squid
will send back about 250 bytes in reply to each request.

So I am looking for a way to just send a TCP reset and not those 250 bytes.

HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Wed, 24 Aug 2016 14:11:35 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 5
X-Cache: MISS from cache1
X-Cache-Lookup: NONE from cache1:3128
Connection: close 






Re: [squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

2016-08-24 Thread Stanford Prescott
I just read through the wiki being discussed. For the first time, I think I
finally understand, for the most part, what peek, splice and stare do. The
last time I read the wiki a few months ago, I gave up understanding those
because it was too confusing to me.

Thanks!

On Wed, Aug 24, 2016 at 9:28 AM, Alex Rousskov <
rouss...@measurement-factory.com> wrote:

> On 08/24/2016 07:23 AM, Marcus Kool wrote:
> > I added an image in PNG format with data flow and events.
>
> And I added an XXX why that image might do more harm than good.
>
>
> > If you are interested I can send you the ODG file that was
> > used to generate the image.
>
> Please attach those image sources to the wiki page itself. I do not
> think I will have the time to fix it, but somebody else might.
>
>
> Thank you,
>
> Alex.
>
>


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Alex Rousskov
On 08/24/2016 06:36 AM, Yuri Voinov wrote:
> On 24.08.2016 18:32, Antony Stone wrote:
>> He wants to configure his browser to connect to the proxy over an SSL
>> connection, and then inside this secure connection send standard HTTP and
>> HTTPS requests

> Yeah, I get it. It seems to me, is absolutely crazy and insecure idea.

No, you do not get it. If you were getting it, you would not call it
"crazy" or "insecure". Please do not scare folks away from the
configuration that makes a lot of sense and is actually used in highly
secure environments.

If you would like to understand why this configuration makes sense,
please carefully study available documentation, resist the urge to post
one-sentence knee-jerk responses, and think about what gets encrypted
between the client and Squid (hint: There are two layers of encryption
in case of HTTPS) and between Squid and the server. If, after all that
effort, you still think that this is "crazy" or "insecure", then
consider carefully itemizing a few specific reasons behind that
[incorrect] conclusion so that others can correct your mistake.


Thank you,

Alex.

>> See "Encrypted browser-Squid connection" at the bottom of
>> http://wiki.squid-cache.org/Features/HTTPS


Re: [squid-users] ext_kerberos_ldap_group_acl problem ( 2 minor bugsmaybe )

2016-08-24 Thread L . P . H . van Belle
OK, replying to myself so other users know this also.

If you create a user for the HTTP service and you don't use msktutil but, like
me, samba-tool or something else:

Read http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos carefully.

The clue for me was this line:

Squid "login" to Windows Active Directory or Unix kdc as user
@DOMAIN.COM>.

This requires Active Directory to have an attribute userPrincipalname set to
@DOMAIN.COM>
for the associated account. This is usually done by using msktutil.

But this is not done by samba-tool.

The samba-tool setup for Squid I used was as follows.

samba-tool user create squid1-service --description="Unprivileged user for 
SQUID1-Proxy Services" --random-password

samba-tool user setexpiry squid1-service --noexpiry

samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

Now this results in:

My UPN was set to usern...@internal.domain.tld (as it should be).

My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it should be).

samba-tool spn list squid1-service 

squid1-service

User CN=squid1-service,OU=Service-Accounts,OU=,DC=X,DC=,DC=XX has 
the following servicePrincipalName:

 HTTP/proxy.internal.domain.tld

 HTTP/proxy.internal.domain.tld@YOUR.REALM.T

Now I changed my UPN from usern...@internal.domain.tld to the SPN name
HTTP/proxyserver.internal.domain.tld@REALM.

That solved my initial problem.

In my opinion ext_kerberos_ldap_group should be changed to search for the SPN.

Now I have LDAPS messages, see below. I'm adding the _ldaps SRV records now, but
I don't get why I'm getting:

Set certificate file for ldap server to /etc/ssl/certs/cert.pem.(Changeable 
through setting environment variable TLS_CACERTFILE)

I already have: TLS_CACERT /etc/ssl/certs/ca-certificates.crt

which contains the needed certs.

Did I find 2 small bugs here?

Or is this a "Debian" related thing?

Debug output:

/usr/lib/squid3/ext_kerberos_ldap_group_acl -g internet-m...@your.realm.tld -D 
YOUR.REALM.TLD -N internet-mail@NTDOMAIN -s -i -d

kerberos_ldap_group.cc(278): pid=6902 :2016/08/24 16:10:07| 
kerberos_ldap_group: INFO: Starting version 1.3.1sq

support_group.cc(382): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
INFO: Group list internet-m...@your.realm.tld

support_group.cc(447): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
INFO: Group internet-mail  Domain YOUR.REALM.TLD

support_netbios.cc(83): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
DEBUG: Netbios list internet-mail@NTDOMAIN

support_netbios.cc(156): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
DEBUG: Netbios name internet-mail  Domain NTDOMAIN

support_lserver.cc(82): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
DEBUG: ldap server list NULL

support_lserver.cc(86): pid=6902 :2016/08/24 16:10:07| kerberos_ldap_group: 
DEBUG: No ldap servers defined.

testuser internet-mail

kerberos_ldap_group.cc(371): pid=6902 :2016/08/24 16:10:12| 
kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD

kerberos_ldap_group.cc(376): pid=6902 :2016/08/24 16:10:12| 
kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD

support_member.cc(63): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: User domain loop: group@domain internet-m...@your.realm.tld

support_member.cc(65): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Found group@domain internet-m...@your.realm.tld

support_ldap.cc(898): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Setup Kerberos credential cache

support_krb5.cc(127): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Set credential cache to MEMORY:squid_ldap_6902

support_krb5.cc(138): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Get default keytab file name

support_krb5.cc(144): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP

support_krb5.cc(158): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP

support_krb5.cc(169): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Keytab entry has realm name: YOUR.REALM.TLD

support_krb5.cc(181): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Found principal name: HTTP/proxy.internal.domain@your.realm.tld

support_krb5.cc(196): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Got principal name HTTP/proxy.internal.domain@your.realm.tld

support_krb5.cc(260): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Stored credentials

support_ldap.cc(927): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Initialise ldap connection

support_ldap.cc(931): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: 
DEBUG: Enable SSL to ldap servers

support_ldap.cc(933): pid=6902 :2

Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Alex Rousskov
On 08/24/2016 07:54 AM, Amos Jeffries wrote:
> on_unsupported_protocol will need patching to be applied when HTTP
> parser detects unsupported protocol on port 80 (or 3128).

on_unsupported_protocol determines (among other things) Squid behavior
when encountering a strange (i.e., probably non-HTTP) request at the
beginning of an accepted TCP connection (where Squid expects to see an
HTTP request). Thus, the existing implementation should cover non-HTTP
requests on port 80 (or 3128). If it does not, it is a bug. We should
polish the documentation to make this clear.


> AFAIK it is
> currently only done by SSL-Bump'ing code detecting non-TLS protocols on
> port 443.

Yes, the above use case is also covered by the existing implementation.

You might also be thinking about non-HTTP inside a bumped TLS tunnel.
IIRC, that is indeed not supported, but Factory is working on that.


HTH,

Alex.



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Diogenes S. Jesus
Oh, and a tiny little detail :)

# squid -v

Squid Cache: Version 4.0.13

Service Name: squid

configure options:  '--with-openssl' '--prefix=/usr' '--localstatedir=/var'
'--libexecdir=/lib/squid' '--datadir=/share/squid'
'--sysconfdir=/etc/squid' '--with-default-user=proxy'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'


On Wed, Aug 24, 2016 at 4:37 PM, Diogenes S. Jesus  wrote:

> This configuration here covers the use case described by the OP:
> https://gist.githubusercontent.com/splashx/758ff0c59ea291f32edafc516fdaad
> 73/raw/8050fa054821657812961050332b38a56e7e3e68/
>
> If everything works well, you'll notice you won't support HTTP proxy at
> all, but users can reach  both HTTP and HTTPS target websites via your
> HTTPS proxy.
>
> # netstat -nltp
>
> Active Internet connections (only servers)
>
> Proto Recv-Q Send-Q Local Address   Foreign Address State
>   PID/Program name
>
> tcp0  0 0.0.0.0:22  0.0.0.0:*
> LISTEN  32109/sshd
>
> tcp6   0  0 :::80   :::*
> LISTEN  26627/apache2
>
> tcp6   0  0 :::3443 :::*
> LISTEN  7303/(squid-1)
>
> tcp6   0  0 :::22   :::*
> LISTEN  32109/sshd
>
>
> The user connects to the proxy ONLY via HTTPS Proxy on port 3443
>
> All traffic between the OP and the proxy is encrypted using TLS.
> A) If the user enters http://target.example.com, between the proxy and
> the target you'll see HTTP.
> B) If the user enters https://target.example.com, between the proxy and
> the target you'll see HTTPS.
>
> If you sniff the traffic between the client and the proxy, you'll see TLS.
>
> Tested with:
>
> $ /Applications/Firefox\ 2.app/Contents/MacOS/firefox -v
>
> Mozilla Firefox 48.0
>
> Firefox set up to use PAC: Preferences > Advanced > Network > Settings:
> "Automatic Proxy Configuration": http://squid.example.com/proxy.pac
>
> The downside here of course is the limited amount of clients supporting
> HTTPS Proxy settings.
>
> Dio
>
>
> On Wed, Aug 24, 2016 at 3:46 PM, Amos Jeffries 
> wrote:
>
>> Just to rewind this conversation to the actual problem ...
>>
>> On 24/08/2016 11:42 p.m., Samuraiii wrote:
>> > On 24.8.2016 13:18, Antony Stone wrote:
>> >> Unfortunately it's not Squid that's the challenge - it's the browser.
>> >>
>> >> If you're using Firefox and/or Chrome, you should be okay.
>> >>
>> >> See "Encrypted browser-Squid connection" at the bottom of
>> >> http://wiki.squid-cache.org/Features/HTTPS
>> >>
>> >>
>> >> Antony.
>> >>
>> > I have seen that, it is the cause of my subscription to this list.
>> > I haven't been able to find any usable hints.
>> > My config attempt fails
>> >
>>
>> 
>> >
>> > https_port 8443 \
>> > cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
>> > key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
>> > cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
>> > tls-dh=/etc/ssl/certs/dhparam.pem \
>> > sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
>> > cipher=HIGH
>>
>>
>> As Dio mentioned the cleintca= (or rather clientca=) is for
>> authenticating clients ceritficates. Don't use that unless you are
>> requiring client certs in TLS.
>>
>> The rest of your config looks reasonable to me. I suspect you have found
>> a bug introduced during all the SSL-Bump code changes. Please make a
>> bugzilla report and include your exact Squid version (found with the
>> 'squid -v' command), the https_port line(s) and the exact error message
>> produced on startup.
>>
>> Amos
>>
>>
>
>
>
> --
>
> 
>
> Diogenes S. de Jesus
>



-- 



Diogenes S. de Jesus


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Diogenes S. Jesus
This configuration here covers the use case described by the OP:
https://gist.githubusercontent.com/splashx/758ff0c59ea291f32edafc516fdaad73/raw/8050fa054821657812961050332b38a56e7e3e68/

If everything works well, you'll notice you won't support HTTP proxy at
all, but users can reach  both HTTP and HTTPS target websites via your
HTTPS proxy.

# netstat -nltp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address   Foreign Address State
PID/Program name

tcp0  0 0.0.0.0:22  0.0.0.0:*   LISTEN
32109/sshd

tcp6   0  0 :::80   :::*LISTEN
26627/apache2

tcp6   0  0 :::3443 :::*LISTEN
7303/(squid-1)

tcp6   0  0 :::22   :::*LISTEN
32109/sshd


The user connects to the proxy ONLY via HTTPS Proxy on port 3443

All traffic between the OP and the proxy is encrypted using TLS.
A) If the user enters http://target.example.com, between the proxy and the
target you'll see HTTP.
B) If the user enters https://target.example.com, between the proxy and the
target you'll see HTTPS.

If you sniff the traffic between the client and the proxy, you'll see TLS.

Tested with:

$ /Applications/Firefox\ 2.app/Contents/MacOS/firefox -v

Mozilla Firefox 48.0

Firefox set up to use PAC: Preferences > Advanced > Network > Settings:
"Automatic Proxy Configuration": http://squid.example.com/proxy.pac

The downside here of course is the limited amount of clients supporting
HTTPS Proxy settings.

Dio


On Wed, Aug 24, 2016 at 3:46 PM, Amos Jeffries  wrote:

> Just to rewind this conversation to the actual problem ...
>
> On 24/08/2016 11:42 p.m., Samuraiii wrote:
> > On 24.8.2016 13:18, Antony Stone wrote:
> >> Unfortunately it's not Squid that's the challenge - it's the browser.
> >>
> >> If you're using Firefox and/or Chrome, you should be okay.
> >>
> >> See "Encrypted browser-Squid connection" at the bottom of
> >> http://wiki.squid-cache.org/Features/HTTPS
> >>
> >>
> >> Antony.
> >>
> > I have seen that, it is the cause of my subscription to this list.
> > I haven't been able to find any usable hints.
> > My config attempt fails
> >
>
> 
> >
> > https_port 8443 \
> > cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> > key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> > cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> > tls-dh=/etc/ssl/certs/dhparam.pem \
> > sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> > cipher=HIGH
>
>
> As Dio mentioned the cleintca= (or rather clientca=) is for
> authenticating clients ceritficates. Don't use that unless you are
> requiring client certs in TLS.
>
> The rest of your config looks reasonable to me. I suspect you have found
> a bug introduced during all the SSL-Bump code changes. Please make a
> bugzilla report and include your exact Squid version (found with the
> 'squid -v' command), the https_port line(s) and the exact error message
> produced on startup.
>
> Amos
>
>



-- 



Diogenes S. de Jesus


Re: [squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

2016-08-24 Thread Alex Rousskov
On 08/24/2016 07:23 AM, Marcus Kool wrote:
> I added an image in PNG format with data flow and events.

And I added an XXX why that image might do more harm than good.


> If you are interested I can send you the ODG file that was
> used to generate the image.

Please attach those image sources to the wiki page itself. I do not
think I will have the time to fix it, but somebody else might.


Thank you,

Alex.



Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Omid Kosari
acl status_400 http_status 400
deny_info TCP_RESET status_400
http_reply_access deny status_400


It still sends headers; just the 400 changed to 403.


HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Wed, 24 Aug 2016 14:11:35 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 5
X-Cache: MISS from cache1
X-Cache-Lookup: NONE from cache1:3128
Connection: close

reset



Isn't there a way for Squid to not send these headers and just send a reset?






Re: [squid-users] Objects with values below 60 second for Cache-Control max-age are not cached

2016-08-24 Thread Garri Djavadyan
On Mon, 2016-08-22 at 16:46 +0500, Garri Djavadyan wrote:
> Hello Squid users,
> 
> Can anyone explain, why Squid doesn't cache the objects with max-age
> values below 60 seconds? For example:
> 
> $ http_proxy="127.0.0.1:3128" curl --head "http://sandbox.comnet.loca
> l/
> cgi-bin/hello.cgi" && date
> HTTP/1.1 200 OK
> Date: Mon, 22 Aug 2016 11:31:16 GMT
> Server: Apache
> Cache-Control: max-age=60
> Content-Type: text/plain
> X-Cache: MISS from gentoo.comnet.uz
> Via: 1.1 gentoo.comnet.uz (squid/3.5.20)
> Connection: keep-alive
> 
> Mon Aug 22 16:31:19 UZT 2016
> 
> ---
> 
> $ http_proxy="127.0.0.1:3128" curl --head "http://sandbox.comnet.loca
> l/
> cgi-bin/hello.cgi" && date
> HTTP/1.1 200 OK
> Date: Mon, 22 Aug 2016 11:31:23 GMT
> Server: Apache
> Cache-Control: max-age=60
> Content-Type: text/plain
> X-Cache: MISS from gentoo.comnet.uz
> Via: 1.1 gentoo.comnet.uz (squid/3.5.20)
> Connection: keep-alive
> 
> Mon Aug 22 16:31:26 UZT 2016
> 
> 
> No problems with values above 60 seconds. For example:
> 
> $ http_proxy="127.0.0.1:3128" curl --head "http://sandbox.comnet.loca
> l/
> cgi-bin/hello.cgi" && date
> HTTP/1.1 200 OK
> Date: Mon, 22 Aug 2016 11:36:06 GMT
> Server: Apache
> Cache-Control: max-age=70
> Content-Type: text/plain
> X-Cache: MISS from gentoo.comnet.uz
> Via: 1.1 gentoo.comnet.uz (squid/3.5.20)
> Connection: keep-alive
> 
> Mon Aug 22 16:36:09 UZT 2016
> 
> ---
> 
> $ http_proxy="127.0.0.1:3128" curl --head "http://sandbox.comnet.loca
> l/
> cgi-bin/hello.cgi" && date
> HTTP/1.1 200 OK
> Date: Mon, 22 Aug 2016 11:36:06 GMT
> Server: Apache
> Cache-Control: max-age=70
> Content-Type: text/plain
> Age: 5
> X-Cache: HIT from gentoo.comnet.uz
> Via: 1.1 gentoo.comnet.uz (squid/3.5.20)
> Connection: keep-alive
> 
> Mon Aug 22 16:36:11 UZT 2016
> 
> 
> As you can see, time difference between origin server and localhost
> is
> 3 seconds (UZT is +5 offset).
> 
> Configuration is minimal:
> 
> # diff -u etc/squid.conf.default etc/squid.conf
> --- etc/squid.conf.default2016-08-12 17:21:48.877474780 +0500
> +++ etc/squid.conf2016-08-22 16:41:47.759766991 +0500
> @@ -71,3 +71,5 @@
>  refresh_pattern ^gopher: 14400%  1440
>  refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
>  refresh_pattern .0   20% 4320
> +
> +cache_mem 64 MB
> 
> 
> Thanks in advance!
> Garri

Dear Squid developers,

Is the situation described above intended behaviour, or a bug which
should be reported? Thanks.

Garri


Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Amos Jeffries
On 25/08/2016 12:39 a.m., Omid Kosari wrote:
> This config works for dstdomain acl type
> 
> acl test dstdomain 123.com
> deny_info TCP_RESET test
> adapted_http_access deny test
> 
> 
> but it is not what i want . I want
> 
> acl status_400 http_status 400
> deny_info TCP_RESET status_400 
> adapted_http_access deny status_400 
> 
> OR
> 
> acl HTTP proto HTTP
> acl PORT_80 port 80 
> deny_info TCP_RESET PORT_80 !HTTP
> adapted_http_access deny PORT_80 !HTTP 
> 

Status code is only available in the response processing pathways.
So use "http_reply_access deny test". As Alex showed the generated
errors do go through that access control.


For better control Squid-4 will be needed, and also the
on_unsupported_protocol will need patching to be applied when HTTP
parser detects unsupported protocol on port 80 (or 3128). AFAIK it is
currently only done by SSL-Bump'ing code detecting non-TLS protocols on
port 443.

Amos



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Amos Jeffries
Just to rewind this conversation to the actual problem ...

On 24/08/2016 11:42 p.m., Samuraiii wrote:
> On 24.8.2016 13:18, Antony Stone wrote:
>> Unfortunately it's not Squid that's the challenge - it's the browser.
>>
>> If you're using Firefox and/or Chrome, you should be okay.
>>
>> See "Encrypted browser-Squid connection" at the bottom of
>> http://wiki.squid-cache.org/Features/HTTPS
>>
>>
>> Antony.
>>
> I have seen that, it is the cause of my subscription to this list.
> I haven't been able to find any usable hints.
> My config attempt fails
> 


> 
> https_port 8443 \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
> cleintca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
> tls-dh=/etc/ssl/certs/dhparam.pem \
> sslproxy_options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
> cipher=HIGH


As Dio mentioned the cleintca= (or rather clientca=) is for
authenticating clients ceritficates. Don't use that unless you are
requiring client certs in TLS.

The rest of your config looks reasonable to me. I suspect you have found
a bug introduced during all the SSL-Bump code changes. Please make a
bugzilla report and include your exact Squid version (found with the
'squid -v' command), the https_port line(s) and the exact error message
produced on startup.

Amos



Re: [squid-users] dynamic group using URI as group name on external acl with ext_ldap_group_acl

2016-08-24 Thread Amos Jeffries
On 24/08/2016 4:24 a.m., Diogenes S. Jesus wrote:
>>>> If you want to do things like this safely please upgrade to Squid-4
>>>> where the logformat codes are available. Those codes provide
>>>> customizable escaping and quoting styles so you can set one that
>>>> protects LDAP against these attacks to be used on the URI field value
>>>> sent by Squid.
>>>
>>> You mean these 
>>> logformats are available to be used in acl / external acls @ squid.conf?
>> Or?
>>>
>>
>> Yes. I'm trying to get all the things in squid.conf that take/use a
>> custom format to use the logformat code system. Squid-4 is the
>> external_acl_type directives turn.
>>
>> All of them are available for use in the %FORMAT field. It only depends
>> on whether the data any given code outputs exists at the point of
>> transaction where your ACL gets used.
>>
>> Amos
>>
>>
> Cool. I've compiled the latest beta of squid4 and tested. I was able to
> move to "%>rd", the following works:
> 

Doh! Thanks for the patch; it has now been applied to Squid-4.

Amos



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov



On 24.08.2016 19:24, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote:
>
>>>> Then I do not understand what he wants op.
>>
>>
>> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
>>
>>> Secure connection to squid proxy without need for anything else (on
>>> client side) than configuring proxy in browser.
>>
>>> Using provided signed certificates.
>>> No SSL-bumping or whatever just forwarding.
>>
>> Firstly, the concept is not safe. Users will have a secure connection to
>> the proxy
>
> Yes, that is all the OP is looking for.
>
>> as well as the next?
>
> Once it leaves the OP's network I suspect the risk (of eavesdropping
> etc) is reduced.
>
>> HTTP? User misled green padlock,
>
> I do not think the browser will show an SSL/TLS padlock for a secured
> proxy connection - it only shows this for a secured connection to the
> destination server.  Therefore no misled users.
>
>> believes all secure connection - as external traffic is not encrypted
>> after the fact. Second. You seriously think that the world will sit
>> under HTTPS? What, for example, you want to protect on news sites?
>
> I don't understand what you are saying here.
Maybe there is some misunderstanding here.

If we are talking about encryption, just an authentication proxy is one
thing. Encrypting all client traffic only up to the proxy, not
caring about what happens to it next, is another.

>
> The connection across the local network between browser and proxy is
> secured.
>
> Beyond that everything works across the Internet just as normal - HTTP
> sites are not secured, HTTPS sites are secured.  The user sees SSL padlock and
> certificate chain for HTTPS sites, nothing for HTTP sites.
>
> So, the design is more secure over the local network than the standard
> arrangement, and exactly the same beyond the local network.
Correct LAN design solves most of these problems.
>
>
> No security is being compromised or downgraded.
Not sure.
>
>
>
> Antony.
>




0x613DEC46.asc
Description: application/pgp-keys
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:35:03, Yuri Voinov wrote:

> >> Then I do not understand what he wants op.
> 
> http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
> 
> > Secure connection to squid proxy without need for anything else (on
> > client side) than configuring proxy in browser.
> 
> > Using provided signed certificates.
> > No SSL-bumping or whatever just forwarding.
> 
> Firstly, the concept is not safe. Users will have a secure connection to
> the proxy

Yes, that is all the OP is looking for.

> as well as the next?

Once it leaves the OP's network I suspect the risk (of eavesdropping etc) is 
reduced.

> HTTP? User misled green padlock,

I do not think the browser will show an SSL/TLS padlock for a secured proxy 
connection - it only shows this for a secured connection to the destination 
server.  Therefore no misled users.

> believes all secure connection - as external traffic is not encrypted
> after the fact. Second. You seriously think that the world will sit
> under HTTPS? What, for example, you want to protect on news sites?

I don't understand what you are saying here.

The connection across the local network between browser and proxy is secured.

Beyond that everything works across the Internet just as normal - HTTP sites 
are not secured, HTTPS sites are secured.  The user sees SSL padlock and 
certificate chain for HTTPS sites, nothing for HTTP sites.

So, the design is more secure over the local network than the standard 
arrangement, and exactly the same beyond the local network.

No security is being compromised or downgraded.


Antony.

-- 
Douglas was one of those writers who honourably failed to get anywhere with 
'weekending'.  It put a premium on people who could write things that lasted 
thirty seconds, and Douglas was incapable of writing a single sentence that 
lasted less than thirty seconds.

 - Geoffrey Perkins, about Douglas Adams

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] DENIED and ALLOWED at once?

2016-08-24 Thread Amos Jeffries
On 24/08/2016 3:55 a.m., Sergio Belkin wrote:
> 2016-08-19 17:22 GMT-03:00 Antony Stone :
> 
>> On Friday 19 August 2016 at 20:41:11, Jok Thuau wrote:
>>
>>> On Fri, Aug 19, 2016 at 9:33 AM, Sergio Belkin  wrote:
 /var/log/squid/access.log
 192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT
 beap-bc.yahoo.com:443 HTTP/1.1" 407 4634 "-" "Mozilla/5.0 (Windows NT
 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TCP_DENIED:HIER_NONE
>>>
>>> This is unauthenticated (notice the "- -" after the IP)
>>>
 192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT
 beap-bc.yahoo.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT
>> 6.1;
 WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" TAG_NONE:HIER_DIRECT
>>>
>>> This one is authenticated (juan.perez). The code 407 in the first request
>>> means "proxy request authentication". So what happened here is that the
>>> user browsed, was asked for credentials (and maybe those were provided
>>> automatically), and then the request was resent with the creds included.
>>
>> Given the timestamps (both 12:19:45; no time for a human to enter
>> credentials
>> at a prompt) the browser did this automatically, and invisibly to the user.
>>
> 
> 
> Exactly it does so, but I wonder if TCP_DENIED is the proper message here.
> 
> It's a case of "client must first authenticate itself with the proxy" (
> https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), perhaps I'm
> wrong, but would something such as TCP_UNAUTHORIZED be better?
> 

'Unauthorized' is what DENIED means. That is not related to the 407
(*Authenticate* required).

The textual part is indicating what actions Squid has taken. DENIED
means a denial/error page was generated. In this case referring to the
payload it sent on the 407 response.


The 407 means "Authentication Required". Repeating that in the textual
tag would be redundant and also not cover the subtle event cases properly ...

Specifically, in uncommon cases a 407 can also be logged with other tags
like HIT (the response was stored in cache for some reason - not
produced due to authenticator activity), and MISS (upstream proxy
generated the 407), or even REFRESH etc.

Amos

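The 407-then-200 sequence discussed in this thread, as an added example that is not part of the thread or of Squid itself: a small Python parser for Squid's Apache-style "common" access.log format that pairs each unauthenticated 407 challenge with the credentialed retry that answers it. The two sample lines are the ones Sergio quoted, rejoined onto single lines; the labels and helper names are my own.

```python
"""Pair Squid 407 challenges with the authenticated retry that follows.

Added example (not from the thread or the Squid project). It parses
access.log lines in Squid's Apache-style "common" format and shows why a
TCP_DENIED/407 immediately followed by an authenticated non-407 answer
from the same client, for the same method and URL, is the normal
Proxy-Authenticate handshake rather than a policy denial worth alerting on.
"""
import re
from collections import defaultdict

# One "common" format line:
#   ip ident user [time] "method url proto" status bytes "referer" "ua" tag:hier
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<tag>\S+)$'
)

# Constructed sample: the two lines quoted in the thread, each on one line.
SAMPLE_LOG = (
    '192.168.50.41 - - [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" '
    '407 4634 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" '
    'TCP_DENIED:HIER_NONE\n'
    '192.168.50.41 - juan.perez [19/Aug/2016:12:19:45 -0300] "CONNECT beap-bc.yahoo.com:443 HTTP/1.1" '
    '200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0" '
    'TAG_NONE:HIER_DIRECT\n'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    # The part before the colon is the action Squid took (DENIED = an
    # error/denial payload was generated, here the body of the 407).
    rec["action"], _, rec["hier"] = rec["tag"].partition(":")
    return rec


def classify(lines):
    """Label every parsed record.

    'unauthenticated': a 407 challenge that no credentialed retry answered
    'auth_handshake':  a challenge and the credentialed retry that answered it
    'other':           everything else
    Returns a list of (label, record) in input order.
    """
    records = [r for r in (parse_line(l) for l in lines) if r]
    labels = ["other"] * len(records)
    pending = defaultdict(list)  # (ip, method, url) -> indexes of open 407s
    for i, rec in enumerate(records):
        key = (rec["ip"], rec["method"], rec["url"])
        if rec["status"] == 407 and rec["user"] is None:
            pending[key].append(i)
            labels[i] = "unauthenticated"
        elif rec["user"] is not None and rec["status"] != 407 and pending[key]:
            j = pending[key].pop(0)      # oldest open challenge for this key
            labels[j] = labels[i] = "auth_handshake"
    return list(zip(labels, records))


def unanswered_challenges(lines):
    """Records that stayed 'unauthenticated': the ones worth a second look."""
    return [rec for label, rec in classify(lines) if label == "unauthenticated"]


if __name__ == "__main__":
    for label, rec in classify(SAMPLE_LOG.splitlines()):
        print(f'{label:16} {rec["status"]} {rec["user"] or "-":12} {rec["tag"]}')
```

Run over a real access.log, only the records left as `unauthenticated` (a 407 never followed by a credentialed retry from the same client for the same URL) remain interesting; the paired ones are the browser answering the challenge silently, exactly as the timestamps in the thread show.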


Re: [squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

2016-08-24 Thread Marcus Kool



On 08/24/2016 02:43 AM, Alex Rousskov wrote:

On 08/23/2016 08:34 AM, Marcus Kool wrote:


ok, I suggest that you review what is done already.


I have made a few corrections and improvements, trying to document every
change (and some suggestions for future work) in the commit messages.

The page still needs a lot of work IMO, but perhaps it is now better
than it was before you started polishing it.


Thank you,

Alex.


Ok, it is improving.
I added an image in PNG format with data flow and events.
If you are interested I can send you the ODG file that was
used to generate the image.

Marcus



Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-24 Thread L . P . H . van Belle
Hello Dio,

Thank you for the reply.

So, can this be an "MIT" Kerberos or Heimdal thing?

I'm using Samba4 for the AD DC and that uses Heimdal.

Even though the log says:

"Client 'HTTP/hostname.internet.domain@your.realm.tld' not found in Kerberos database".

I'm using NFSv4 over Kerberos, ssh over Kerberos, and squid user auth already, and that is working fine (on the same server).

I don't have/use kadmin, since Samba is my KDC.

The only thing I can think of besides MIT or Heimdal is that I use a dedicated user, which has the SPN for my proxy server.

A snip from my krb5.conf:

[libdefaults]
    default_realm = YOUR.REALM.TLD
    dns_lookup_kdc = true
    dns_lookup_realm = false

Best regards,

Louis


From: Diogenes S. Jesus [mailto:spl...@gmail.com]
Sent: Wednesday 24 August 2016 13:29
To: L.P.H. van Belle
CC: squid-us...@squid-cache.org
Subject: Re: [squid-users] ext_kerberos_ldap_group_acl problem


 

Hi there.

Well, the log says "Client 'HTTP/hostname.internet.domain@your.realm.tld' not found in Kerberos database".

Check your krb5.conf on the squid host if you're pointing to the right KDC and make sure the principal exists in the Kerberos database.

kadmin.local and "getprinc HTTP/hostname.internet.domain@your.realm.tld" should yield the same error if the principal doesn't exist.

Dio

On Wed, Aug 24, 2016 at 1:03 PM, L.P.H. van Belle  wrote:

Hi,

I'm having trouble getting ext_kerberos_ldap_group_acl working.

I've read:
http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html

Here is what I have checked / done already.

My keytab file:

klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP
Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Timestamp   Principal
 --- --
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (des-cbc-crc)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (des-cbc-md5)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (arcfour-hmac)

The auth I'm using (which is working fine):

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internet.domain@your.realm.tld \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

For testing I'm starting the group acl on the command line:

/usr/lib/squid3/ext_kerberos_ldap_group_acl -D YOUR.REALM.TLD -N internet-mail@NTDOMAIN -m 4 -s -i -d

kerberos_ldap_group.cc(278): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group list internet-m...@your.realm.tld
support_group.cc(447): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group internet-mail  Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
support_netbios.cc(156): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios name internet-mail  Domain NTDOMAIN
support_lserver.cc(82): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: No ldap servers defined.

 

When I test with the user group now:

testuser internet-mail

kerberos_ldap_group.cc(371): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-m...@your.realm.tld
support_member.cc(65): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found group@domain internet-m...@your.realm.tld
support_ldap.cc(898): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_21722
support_krb5.cc(138): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(158): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_lda
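One check worth running on a keytab like the one shown in this thread, as an added example that is not part of the thread or of Squid: the listing holds only des-cbc-crc, des-cbc-md5 and arcfour-hmac keys and no AES key, and every service ticket issued for that SPN is protected with whichever of those keys the KDC picks. Single DES is deprecated for Kerberos by RFC 6649 and RC4 by RFC 8429. The Python below parses `klist -ekt` output and reports deprecated enctypes per principal; the sample text is the listing from the message, rejoined onto single lines, and the function names and prefix tables are my own.

```python
"""Audit the enctypes in a `klist -ekt` listing.

Added example (not from the thread or the Squid project). It parses a
keytab listing and flags entries whose enctype is deprecated, so an
operator can see at a glance whether a service keytab still carries only
single-DES and RC4 keys. Deprecation facts: RFC 6649 (DES), RFC 8429 (RC4).
"""
import re
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "kvno timestamp principal enctype")

# klist -ekt prints one entry per line:  KVNO  date time  principal (enctype)
ENTRY_RE = re.compile(
    r'^\s*(?P<kvno>\d+)\s+(?P<ts>\S+ \S+)\s+(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$'
)

# Deprecated by the IETF: single DES (RFC 6649) and RC4/arcfour (RFC 8429).
DEPRECATED_PREFIXES = ("des-cbc-", "des-hmac-", "arcfour-hmac", "rc4-hmac")
# Enctypes current implementations should offer for a service principal.
STRONG_PREFIXES = ("aes128-cts", "aes256-cts", "aes128-sha2", "aes256-sha2", "camellia")

# Constructed sample: the listing from the message, one entry per line.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (des-cbc-crc)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (des-cbc-md5)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (arcfour-hmac)
"""


def parse_klist(text):
    """Return the KeytabEntry list; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m["kvno"]), m["ts"],
                                       m["principal"], m["enctype"].strip()))
    return entries


def is_deprecated(enctype):
    return enctype.lower().startswith(DEPRECATED_PREFIXES)


def audit(text):
    """Per principal: deprecated enctypes found, whether any strong enctype
    is present, and the set of key version numbers seen."""
    report = {}
    for e in parse_klist(text):
        r = report.setdefault(e.principal,
                              {"deprecated": [], "has_strong": False, "kvnos": set()})
        r["kvnos"].add(e.kvno)
        if is_deprecated(e.enctype):
            r["deprecated"].append(e.enctype)
        elif e.enctype.lower().startswith(STRONG_PREFIXES):
            r["has_strong"] = True
    return report


if __name__ == "__main__":
    for principal, r in audit(SAMPLE_KLIST).items():
        status = "OK" if r["has_strong"] and not r["deprecated"] else "REVIEW"
        print(f'{status:6} {principal}  deprecated={r["deprecated"]}  '
              f'aes_or_camellia={r["has_strong"]}  kvno={sorted(r["kvnos"])}')
```

The audit says nothing about the "not found in Kerberos database" error itself, which only the KDC can answer; it only tells you what the keytab on the proxy would let a ticket be protected with.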

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samurai
Ok
This is answer (not) I was looking for. 
Thank you 
S

On 24 August 2016 14:48:40 CEST, Yuri Voinov  wrote:
>24.08.2016 18:44, Samuraiii wrote:
>>
>>>
>>>   > No SSL-bumping or whatever just forwarding.
>>> Firstly, the concept is not safe. Users will have a secure
>connection
>to the proxy - as well as the next? HTTP? User misled green padlock,
>believes all secure connection - as external traffic is not encrypted
>after the fact. Second. You seriously think that the world will sit
>under HTTPS? What, for example, you want to protect on news sites?
>>>
>>>
>> Since I would like to set up proxy for few people I am comfortable in
>telling them what to want from it and what not.
>> Second what about of security on proxy login info?
>> Last I asked this because I stumbled on this on official squid wiki.
>> It wouldn't cross my mind that it existed.
>> It should be corrected, if it is impossible to set it up.
>> I really do not like your quick judgement.
>What is the question - is the answer. Telepaths vacation.
>
>I also do not like a lot of things in the modern sense of security.
>However, I did not create this world in this. In addition, as far as I
>know, the functionality that you want to see - do not exist in nature.
>Either fully encrypted connections - or not at all. Proxy is not a Web
>server that can encrypt only the login and then leave unprotected
>connection or let the tunnel.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov

24.08.2016 18:44, Samuraiii wrote:
>
>>
>>   > No SSL-bumping or whatever just forwarding.
>> Firstly, the concept is not safe. Users will have a secure connection
to the proxy - as well as the next? HTTP? User misled green padlock,
believes all secure connection - as external traffic is not encrypted
after the fact. Second. You seriously think that the world will sit
under HTTPS? What, for example, you want to protect on news sites?
>>
>>
> Since I would like to set up proxy for few people I am comfortable in
telling them what to want from it and what not.
> Second what about of security on proxy login info?
> Last I asked this because I stumbled on this on official squid wiki.
> It wouldn't cross my mind that it existed.
> It should be corrected, if it is impossible to set it up.
> I really do not like your quick judgement.
What is the question - is the answer. Telepaths vacation.

I also do not like a lot of things in the modern sense of security.
However, I did not create this world in this. In addition, as far as I
know, the functionality that you want to see - do not exist in nature.
Either fully encrypted connections - or not at all. Proxy is not a Web
server that can encrypt only the login and then leave unprotected
connection or let the tunnel.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii

>
>   > No SSL-bumping or whatever just forwarding.
> Firstly, the concept is not safe. Users will have a secure connection
> to the proxy - as well as the next? HTTP? User misled green padlock,
> believes all secure connection - as external traffic is not encrypted
> after the fact. Second. You seriously think that the world will sit
> under HTTPS? What, for example, you want to protect on news sites?
>
>
Since I would like to set up proxy for few people I am comfortable in
telling them what to want from it and what not.
Second what about of security on proxy login info?
Last I asked this because I stumbled on this on official squid wiki.
It wouldn't cross my mind that it existed.
It should be corrected, if it is impossible to set it up.
I really do not like your quick judgement.


Re: [squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Omid Kosari
This config works for dstdomain acl type

acl test dstdomain 123.com
deny_info TCP_RESET test
adapted_http_access deny test


but it is not what I want. I want

acl status_400 http_status 400
deny_info TCP_RESET status_400 
adapted_http_access deny status_400 

OR

acl HTTP proto HTTP
acl PORT_80 port 80 
deny_info TCP_RESET PORT_80 !HTTP
adapted_http_access deny PORT_80 !HTTP 






Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov

Against this backdrop, even a bump SSL security seems a masterpiece.


24.08.2016 18:32, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:26:48, Yuri Voinov wrote:
>
>> 24.08.2016 18:23, Antony Stone wrote:
>>> On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:
 No one CA do not issue signing CA for subject, which is not CA itself.

 So, op wants impossible thing.
>>>
>>> Why would one need a signING certificate just to create an SSL
connection
>>> between the browser and Squid?
>>>
>>> Surely one merely needs a valid signED certificate, same as you would
>>> put on a web server to set up secure connections to it?
>>>
>>> OP is not intercepting secure traffic, nor making HTTP sites look to
>>> the browser like HTTPS ones.
>>
>> Then I do not understand what he wants op.
>
> He wants to configure his browser to connect to the proxy over an SSL
> connection, and then inside this secure connection send standard HTTP and
> HTTPS requests, just as a browser would do over an unsecured
connection to the
> proxy on Squid's standard port 3128.
>
> It's nothing to do with whether either the client or the destination
server
> believe the web content itself to be secured with SSL/TLS.
>
> See "Encrypted browser-Squid connection" at the bottom of
> http://wiki.squid-cache.org/Features/HTTPS
>
>
> Antony.
>



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov

24.08.2016 18:32, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:26:48, Yuri Voinov wrote:
>
>> 24.08.2016 18:23, Antony Stone wrote:
>>> On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:
 No one CA do not issue signing CA for subject, which is not CA itself.

 So, op wants impossible thing.
>>>
>>> Why would one need a signING certificate just to create an SSL
connection
>>> between the browser and Squid?
>>>
>>> Surely one merely needs a valid signED certificate, same as you would
>>> put on a web server to set up secure connections to it?
>>>
>>> OP is not intercepting secure traffic, nor making HTTP sites look to
>>> the browser like HTTPS ones.
>>
>> Then I do not understand what he wants op.
>
> He wants to configure his browser to connect to the proxy over an SSL
> connection, and then inside this secure connection send standard HTTP and
> HTTPS requests, just as a browser would do over an unsecured
connection to the
> proxy on Squid's standard port 3128.
Yeah, I get it. It seems to me, is absolutely crazy and insecure idea.
>
>
> It's nothing to do with whether either the client or the destination
server
> believe the web content itself to be secured with SSL/TLS.
>
> See "Encrypted browser-Squid connection" at the bottom of
> http://wiki.squid-cache.org/Features/HTTPS
>
>
> Antony.
>



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov

24.08.2016 18:31, Samuraiii wrote:
>
>>   look to the browser
>>
>>   > like HTTPS ones.
>> Then I do not understand what he wants op.
>>
>>
>>
>
>
http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
>
> Secure connection to squid proxy without need for anything else (on
client side) than configuring proxy in browser.
> Using provided signed certificates.
> No SSL-bumping or whatever just forwarding.
Firstly, the concept is not safe. Users will have a secure connection to
the proxy - as well as the next? HTTP? User misled green padlock,
believes all secure connection - as external traffic is not encrypted
after the fact. Second. You seriously think that the world will sit
under HTTPS? What, for example, you want to protect on news sites?


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:26:48, Yuri Voinov wrote:

> 24.08.2016 18:23, Antony Stone wrote:
> > On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:
> >> No one CA do not issue signing CA for subject, which is not CA itself.
> >> 
> >> So, op wants impossible thing.
> > 
> > Why would one need a signING certificate just to create an SSL connection
> > between the browser and Squid?
> > 
> > Surely one merely needs a valid signED certificate, same as you would
> > put on a web server to set up secure connections to it?
> > 
> > OP is not intercepting secure traffic, nor making HTTP sites look to
> > the browser like HTTPS ones.
> 
> Then I do not understand what he wants op.

He wants to configure his browser to connect to the proxy over an SSL 
connection, and then inside this secure connection send standard HTTP and 
HTTPS requests, just as a browser would do over an unsecured connection to the 
proxy on Squid's standard port 3128.

It's nothing to do with whether either the client or the destination server 
believe the web content itself to be secured with SSL/TLS.

See "Encrypted browser-Squid connection" at the bottom of
http://wiki.squid-cache.org/Features/HTTPS


Antony.

-- 
Archaeologists have found a previously-unknown dinosaur which seems to have 
had a very large vocabulary.  They've named it Thesaurus.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii

>   look to the browser
>
>   > like HTTPS ones.
> Then I do not understand what he wants op.
>
>
>

http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection

Secure connection to squid proxy without need for anything else (on
client side) than configuring proxy in browser.
Using provided signed certificates.
No SSL-bumping or whatever just forwarding.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov

24.08.2016 18:23, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:
>
>> No one CA do not issue signing CA for subject, which is not CA itself.
>>
>> So, op wants impossible thing.
>
> Why would one need a signING certificate just to create an SSL connection
> between the browser and Squid?
>
> Surely one merely needs a valid signED certificate, same as you would
put on a
> web server to set up secure connections to it?
>
> OP is not intercepting secure traffic, nor making HTTP sites look to
the browser
> like HTTPS ones.
Then I do not understand what he wants op.
>
>
>
> Antony.
>
>> 24.08.2016 18:15, Antony Stone wrote:
>>> On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
 Squid fails to start for me with:
 FATAL: No valid signing SSL certificate configured for HTTPS_port
>>
>> [::]:8443
>>
 I have found that this is related to missing self signed certificate,
 and since I do not want to use self signed certificate I am asking if I
 can do anything about it.
 I would like to avoid self signed certificates so my users would not
 need to import and replace my own certs.
>>>
>>> Have you tried adding the option "generate-host-certificates=off" to
your
>>> https_port line?
>>>
>>> I'm not an expert on this bit of Squid, but I'm just looking at
>>> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and
>>
>> noticing
>>
>>> anything to do with a "signing certificate" (which you do not have,
>>
>> and do not
>>
>>> want to use).
>>>
 And here is my complete squid.conf:

 acl SSL_ports port 443
 acl Safe_ports port 80  # http
 acl Safe_ports port 21  # ftp
 acl Safe_ports port 443 # https
 acl Safe_ports port 70  # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 acl Safe_ports port 901 # SWAT
 acl CONNECT method CONNECT
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost manager
 http_access deny manager
 http_access deny to_localhost

 auth_param basic program /usr/libexec/squid/basic_pam_auth
 auth_param basic children 5
 auth_param basic realm Proxy Authentication Required
 auth_param basic credentialsttl 2 hours

 acl authenticated proxy_auth REQUIRED
 http_access allow authenticated
 http_access deny all

 https_port 8443 \

 cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
 key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
 clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
 tls-dh=/etc/ssl/certs/dhparam.pem \
 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
 cipher=HIGH

 cache_dir aufs /var/cache/squid 512 16 256
 coredump_dir /var/cache/squid
 refresh_pattern ^ftp:   1440    20% 10080
 refresh_pattern ^gopher:    1440    0%  1440
 refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
 refresh_pattern .   0   20% 4320
>>>
>>> Antony.
>



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
On 24.8.2016 14:24, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:22:18, Samuraiii wrote:
>
>> On 24.8.2016 14:18, Yuri Voinov wrote:
>>> No one CA do not issue signing CA for subject, which is not CA itself.
>>>
>>> So, op wants impossible thing.
>> I have tried to drop clientca option, to add generate-host-certificates=off
>>  but outcome is still same error...
>>
>> even with just this as config:
>> https_port 8443 accel \
> Why are you using accelerator mode?  Surely this is just a normal forwarding 
> proxy?
It was just kind of random try.
Error is still same.



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:22:18, Samuraiii wrote:

> On 24.8.2016 14:18, Yuri Voinov wrote:
> > No one CA do not issue signing CA for subject, which is not CA itself.
> > 
> > So, op wants impossible thing.
> 
> I have tried to drop clientca option, to add generate-host-certificates=off
>  but outcome is still same error...
> 
> even with just this as config:
> https_port 8443 accel \

Why are you using accelerator mode?  Surely this is just a normal forwarding 
proxy?

> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem


Antony.

-- 
"Reports that say that something hasn't happened are always interesting to me, 
because as we know, there are known knowns; there are things we know we know. 
We also know there are known unknowns; that is to say we know there are some 
things we do not know. But there are also unknown unknowns - the ones we don't 
know we don't know."

 - Donald Rumsfeld, US Secretary of Defence

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov

Predictable.


24.08.2016 18:22, Samuraiii wrote:
> On 24.8.2016 14:18, Yuri Voinov wrote:
> >
>> No one CA do not issue signing CA for subject, which is not CA itself.
>>
>> So, op wants impossible thing.
>>
> I have tried to drop clientca option, to add
generate-host-certificates=off
>  but outcome is still same error...
>
> even with just this as config:
> https_port 8443 accel \
> cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
> key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem
>


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:18:46, Yuri Voinov wrote:

> No one CA do not issue signing CA for subject, which is not CA itself.
> 
> So, op wants impossible thing.

Why would one need a signING certificate just to create an SSL connection 
between the browser and Squid?

Surely one merely needs a valid signED certificate, same as you would put on a 
web server to set up secure connections to it?

OP is not intercepting secure traffic, nor making HTTP sites look to the 
browser 
like HTTPS ones.


Antony.

> 24.08.2016 18:15, Antony Stone wrote:
> > On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
> >> Squid fails to start for me with:
> >> FATAL: No valid signing SSL certificate configured for HTTPS_port
> 
> [::]:8443
> 
> >> I have found that this is related to missing self signed certificate,
> >> and since I do not want to use self signed certificate I am asking if I
> >> can do anything about it.
> >> I would like to avoid self signed certificates so my users would not
> >> need to import and replace my own certs.
> > 
> > Have you tried adding the option "generate-host-certificates=off" to your
> > https_port line?
> > 
> > I'm not an expert on this bit of Squid, but I'm just looking at
> > http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and
> 
> noticing
> 
> > anything to do with a "signing certificate" (which you do not have,
> 
> and do not
> 
> > want to use).
> > 
> >> [squid.conf snipped; identical to the one in Samuraiii's own message in this thread]
> > 
> > Antony.

-- 
I think broken pencils are pointless.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
On 24.8.2016 14:18, Yuri Voinov wrote:
>
> No one CA do not issue signing CA for subject, which is not CA itself.
>
> So, op wants impossible thing.
>
I have tried to drop the clientca option and to add generate-host-certificates=off,
but the outcome is still the same error...

even with just this as config:
https_port 8443 accel \
cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem




Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Yuri Voinov

No CA will issue a signing CA certificate for a subject which is not itself a CA.

So the OP wants an impossible thing.


On 24.08.2016 18:15, Antony Stone wrote:
> On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:
>
>> Squid fails to start for me with:
>> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>>
>> I have found that this is related to missing self signed certificate,
>> and since I do not want to use self signed certificate I am asking if I
>> can do anything about it.
>> I would like to avoid self signed certificates so my users would not
>> need to import and replace my own certs.
>
> Have you tried adding the option "generate-host-certificates=off" to your
> https_port line?
>
> I'm not an expert on this bit of Squid, but I'm just looking at
> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and noticing
> anything to do with a "signing certificate" (which you do not have, and do not
> want to use).
>
>> [squid.conf snipped; identical to the one in Samuraiii's own message in this thread]
>
> Antony.
>






Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Diogenes S. Jesus
Just one thing I noticed:

"clientca" is not the CA which issued your "cert" (sklad.duckdns.org) -
it's the CA to be used when doing client-side authentication, which I'm not
sure you're doing.

Dio

On Wed, Aug 24, 2016 at 2:02 PM, Samuraiii wrote:

>
> > Please give more details for "fails".
> >
> > Is the following your entire squid.conf (except for comments)?
> >
> > Have you tried getting SSL access to Squid working before introducing
> > authentication?
> >
> > What are you trying, to test this, and what are the results?
> >
> >
> > Regards,
> >
> >
> > Antony.
> First I would like to apologize for previous incomplete mail.
> I got interrupted and accidentally sent it out before being complete.
>
> Squid fails to start for me with:
> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
> I have found that this is related to missing self signed certificate,
> and since I do not want to use self signed certificate I am asking if I
> can do anything about it.
> I would like to avoid self signed certificates so my users would not
> need to import and replace my own certs.
>
>
> [squid.conf snipped; identical to the one in Samuraiii's own message in this thread]
>
>
> One more apology for escaped mail.
> S
>
>



-- 
Diogenes S. de Jesus
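Two mechanical things are worth ruling out before arguing about certificate types. As I read the 3.5 source, the "No valid signing SSL certificate configured" FATAL is raised whenever Squid fails to load the file named in cert= on an https_port, whatever the reason; it does not by itself mean a CA certificate is required. The usual reasons are that a file does not exist (certbot's live/ directory contains cert.pem, chain.pem, fullchain.pem and privkey.pem, and no key.pem by default), that the Squid user cannot read it (live/ entries are symlinks into the root-only archive/ directory), or that the key does not match the certificate. As Diogenes says, clientca= is for client-certificate authentication and should be dropped unless that is wanted; as I understand Squid 3.5, the intermediate chain belongs in the cert= file itself, so cert=fullchain.pem is the usual way to serve a Let's Encrypt chain. The script below is an added example of mine, not code from this thread or from the Squid project: it performs those three checks for a given user. The default user name "proxy" (Debian's squid user), the paths and the scenarios in demo() are constructed.

```python
import grp
import os
import pwd
import ssl
import stat
import tempfile


def _user_ids(user):
    """uid and group set for `user`; None means the calling process itself."""
    if user is None:
        return os.getuid(), set(os.getgroups()) | {os.getgid()}
    pw = pwd.getpwnam(user)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}


def _readable_by(path, uid, gids):
    """True if a process with this uid/gids can read `path`: every parent
    directory must be searchable and the file itself readable. Symlinks are
    followed because certbot's live/ entries point into archive/."""
    if uid == 0:
        return True
    parts = os.path.realpath(path).split(os.sep)[1:]
    cur = os.sep
    for i, part in enumerate(parts):
        cur = os.path.join(cur, part)
        try:
            st = os.stat(cur)
        except OSError:
            return False
        last = i == len(parts) - 1
        if st.st_uid == uid:
            bit = stat.S_IRUSR if last else stat.S_IXUSR
        elif st.st_gid in gids:
            bit = stat.S_IRGRP if last else stat.S_IXGRP
        else:
            bit = stat.S_IROTH if last else stat.S_IXOTH
        if not st.st_mode & bit:
            return False
    return True


def check_https_port_files(cert_path, key_path, squid_user="proxy"):
    """Problems that would stop Squid loading cert=/key= when running as squid_user.
    An empty list means both files exist, are readable, and the key matches the cert."""
    try:
        uid, gids = _user_ids(squid_user)
    except KeyError:
        return ["user '%s' does not exist on this host" % squid_user]
    problems = []
    for label, path in (("cert", cert_path), ("key", key_path)):
        if not os.path.isfile(path):
            problems.append("%s: %s does not exist" % (label, path))
        elif not _readable_by(path, uid, gids):
            problems.append("%s: %s is not readable by the Squid user" % (label, path))
    if problems:
        return problems
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)  # OpenSSL also verifies that the key matches the cert
    except ssl.SSLError as exc:
        problems.append("cert/key failed to load or do not match: %s" % exc)
    return problems


def demo():
    """Constructed scenarios in a temporary directory (not the poster's files),
    checked as the calling user so the demo runs anywhere."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cert = os.path.join(d, "cert.pem")
        with open(cert, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nnot a real certificate\n-----END CERTIFICATE-----\n")
        # certbot writes privkey.pem; a key= pointing at key.pem is simply missing
        results["missing_key"] = check_https_port_files(cert, os.path.join(d, "key.pem"), None)
        key = os.path.join(d, "privkey.pem")
        with open(key, "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\nnot a real key\n-----END PRIVATE KEY-----\n")
        results["garbage_pair"] = check_https_port_files(cert, key, None)
        os.chmod(key, 0)  # a key the Squid user cannot read
        results["unreadable_key"] = check_https_port_files(cert, key, None)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

On a real host, call check_https_port_files() with the paths from the https_port line and the user Squid runs as (sudo is needed to read into archive/); an empty result means the https_port line will load, and anything else is the first thing to fix before touching the TLS options.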


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 14:02:43, Samuraiii wrote:

> Squid fails to start for me with:
> FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
>
> I have found that this is related to missing self signed certificate,
> and since I do not want to use self signed certificate I am asking if I
> can do anything about it.
> I would like to avoid self signed certificates so my users would not
> need to import and replace my own certs.

Have you tried adding the option "generate-host-certificates=off" to your 
https_port line?

I'm not an expert on this bit of Squid, but I'm just looking at
http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html and noticing 
anything to do with a "signing certificate" (which you do not have, and do not 
want to use).

> [squid.conf snipped; identical to the one in Samuraiii's own message in this thread]

Antony.

-- 
You can tell that the day just isn't going right when you find yourself using 
the telephone before the toilet.

   Please reply to the list;
 please *don't* CC me.


[squid-users] TCP_RESET non http requests on port 80

2016-08-24 Thread Omid Kosari
Hello,

I want Squid to send a TCP reset as the reply to non-HTTP requests on port 80.

I want Squid NOT to reply with these headers:

HTTP/1.1 400 Bad Request
Server: squid
Mime-Version: 1.0
Date: Wed, 24 Aug 2016 12:08:02 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
X-Cache: MISS from cache1
X-Cache-Lookup: NONE from cache1:3128
Connection: close


but I want just something LIKE a DROP in a FIREWALL.

acl HTTP proto HTTP
acl PORT_80 port 80
#acl status_400 http_status 400
#deny_info TCP_RESET status_400
#http_access deny PORT_80 !HTTP
#http_access deny !HTTP
deny_info TCP_RESET PORT_80 !HTTP
#adapted_http_access deny PORT_80 !HTTP

As you can see, I have tried other configs (commented out right now), but with no
success.


Squid 3.5.19 from the Debian repo.





Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii

> Please give more details for "fails".
>
> Is the following your entire squid.conf (except for comments)?
>
> Have you tried getting SSL access to Squid working before introducing 
> authentication?
>
> What are you trying, to test this, and what are the results?
>
>
> Regards,
>
>
> Antony.
First I would like to apologize for the previous incomplete mail.
I got interrupted and accidentally sent it out before it was complete.

Squid fails to start for me with:
FATAL: No valid signing SSL certificate configured for HTTPS_port [::]:8443
I have found that this is related to a missing self-signed certificate,
and since I do not want to use a self-signed certificate I am asking if I
can do anything about it.
I would like to avoid self-signed certificates so my users would not
need to import and replace my own certs.


And here is my complete squid.conf:

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

auth_param basic program /usr/libexec/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Proxy Authentication Required
auth_param basic credentialsttl 2 hours

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

https_port 8443 \
cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
tls-dh=/etc/ssl/certs/dhparam.pem \
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
cipher=HIGH
cache_dir aufs /var/cache/squid 512 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320


One more apology for the escaped mail.
S



Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 13:42:16, Samuraiii wrote:

> On 24.8.2016 13:18, Antony Stone wrote:
> > 
> > See "Encrypted browser-Squid connection" at the bottom of
> > http://wiki.squid-cache.org/Features/HTTPS
> 
> I have seen that, it is the cause of my subscription to this list.
> I haven't been able to find any usable hints.
> My config attempt fails

Please give more details for "fails".

Is the following your entire squid.conf (except for comments)?

Have you tried getting SSL access to Squid working before introducing 
authentication?

What are you trying, to test this, and what are the results?


Regards,


Antony.

> [squid.conf snipped; identical to the one in Samuraiii's message that this replies to]

-- 
#define SIX 1+5
#define NINE 8+1

int main() {
printf("%d\n", SIX * NINE);
}
- thanks to ECB for bringing this to my attention

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
On 24.8.2016 13:18, Antony Stone wrote:
> Unfortunately it's not Squid that's the challenge - it's the browser.
>
> If you're using Firefox and/or Chrome, you should be okay.
>
> See "Encrypted browser-Squid connection" at the bottom of
> http://wiki.squid-cache.org/Features/HTTPS
>
>
> Antony.
>
I have seen that; it is the cause of my subscription to this list.
I haven't been able to find any usable hints.
My config attempt fails:


acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

auth_param basic program /usr/libexec/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Proxy Authentication Required
auth_param basic credentialsttl 2 hours

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

https_port 8443 \
cert=/etc/letsencrypt/live/sklad.duckdns.org/cert.pem \
key=/etc/letsencrypt/live/sklad.duckdns.org/key.pem \
clientca=/etc/letsencrypt/live/sklad.duckdns.org/fullchain.pem \
tls-dh=/etc/ssl/certs/dhparam.pem \
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE \
cipher=HIGH
cache_dir aufs /var/cache/squid 512 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp:   144020% 10080
refresh_pattern ^gopher:14400%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .   0   20% 4320


Re: [squid-users] ext_kerberos_ldap_group_acl problem

2016-08-24 Thread Diogenes S. Jesus
Hi there.

Well, the log says "Client 'HTTP/hostname.internet.domain@your.realm.tld'
not found in Kerberos database".

Check in your krb5.conf on the Squid host that you're pointing to the right KDC,
and make sure the principal exists in the Kerberos database.
kadmin.local and "getprinc HTTP/hostname.internet.domain@your.realm.tld"
should yield the same error if the principal doesn't exist.

Dio

On Wed, Aug 24, 2016 at 1:03 PM, L.P.H. van Belle  wrote:

> [original message quoted in full; snipped, see L.P.H. van Belle's message in this thread]

Re: [squid-users] Https_port with "official" certificate

2016-08-24 Thread Antony Stone
On Wednesday 24 August 2016 at 13:09:52, Samuraiii wrote:

> Hello,
> I am trying to setup squid as SSL protected proxy for few users without
> any intention to use ssl-bumping or any other MITM technique.
> I just want to have SSL secured connection between browser and proxy.
> Proxy will not be "transparent" and will be using PAC file for
> configuration and PAM for authentication.
> I want to avoid any "other software" alternative as stunnel etc...
> I also have (for server involved) valid "Lets encrypt" certificate which
> I would like to use for this.
> What can I do to achieve this on squid 3.5?

Unfortunately it's not Squid that's the challenge - it's the browser.

If you're using Firefox and/or Chrome, you should be okay.

See "Encrypted browser-Squid connection" at the bottom of
http://wiki.squid-cache.org/Features/HTTPS


Antony.

-- 
Wanted: telepath.   You know where to apply.

   Please reply to the list;
 please *don't* CC me.


[squid-users] Https_port with "official" certificate

2016-08-24 Thread Samuraiii
Hello,
I am trying to set up Squid as an SSL-protected proxy for a few users without
any intention to use SSL bumping or any other MITM technique.
I just want to have an SSL-secured connection between the browser and the proxy.
The proxy will not be "transparent" and will be using a PAC file for
configuration and PAM for authentication.
I want to avoid any "other software" alternative such as stunnel etc...
I also have (for the server involved) a valid "Let's Encrypt" certificate which
I would like to use for this.
What can I do to achieve this on Squid 3.5?

With thanks
S



[squid-users] ext_kerberos_ldap_group_acl problem

2016-08-24 Thread L . P . H . van Belle
Hai, 

 

I'm having trouble getting ext_kerberos_ldap_group_acl working.

 

I've read:
http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_kerberos_ldap_group_acl.html

 

Here is what I have checked / done already.

 

My keytab file:

klist -ekt /etc/squid/keytab.PROXYSERVER-HTTP

Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP

KVNO Timestamp   Principal

 --- --

   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld 
(des-cbc-crc)

   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld 
(des-cbc-md5)

   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld 
(arcfour-hmac)

   

 

The auth I'm using (which is working fine):

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \

--kerberos /usr/lib/squid/negotiate_kerberos_auth -s 
HTTP/hostname.internet.domain@your.realm.tld \

--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN

 

For testing I'm starting the group ACL helper on the command line:

/usr/lib/squid3/ext_kerberos_ldap_group_acl -D YOUR.REALM.TLD -N 
internet-mail@NTDOMAIN -m 4 -s -i -d

 

kerberos_ldap_group.cc(278): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Starting version 1.3.1sq
support_group.cc(382): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group list internet-m...@your.realm.tld
support_group.cc(447): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: INFO: Group internet-mail  Domain YOUR.REALM.TLD
support_netbios.cc(83): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios list internet-mail@NTDOMAIN
support_netbios.cc(156): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: Netbios name internet-mail  Domain NTDOMAIN
support_lserver.cc(82): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: ldap server list NULL
support_lserver.cc(86): pid=20782 :2016/08/24 10:40:49| kerberos_ldap_group: DEBUG: No ldap servers defined.

 

When I test with the user and group now:

 

testuser internet-mail

 

kerberos_ldap_group.cc(371): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser set default domain: YOUR.REALM.TLD
kerberos_ldap_group.cc(376): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: INFO: Got User: testuser Domain: YOUR.REALM.TLD
support_member.cc(63): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: User domain loop: group@domain internet-m...@your.realm.tld
support_member.cc(65): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found group@domain internet-m...@your.realm.tld
support_ldap.cc(898): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(127): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_21722
support_krb5.cc(138): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(144): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got default keytab file name /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(158): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Get principal name from keytab /etc/squid/keytab.PROXYSERVER-HTTP
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain@your.realm.tld
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain@your.realm.tld
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain@your.realm.tld' not found in Kerberos database
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain@your.realm.tld
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain@your.realm.tld
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain@your.realm.tld' not found in Kerberos database
support_krb5.cc(169): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Keytab entry has realm name: YOUR.REALM.TLD
support_krb5.cc(181): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Found principal name: HTTP/hostname.internet.domain@your.realm.tld
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_l
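Diogenes' reply in this thread points at the KDC configured in krb5.conf and at whether the principal exists there. Two more things a practitioner would pull out of the posted output mechanically: the keytab holds only DES and RC4 keys (des-cbc-crc, des-cbc-md5, arcfour-hmac, no AES), and DES enctypes are refused by MIT krb5 1.8 and later unless allow_weak_crypto is enabled, while RC4 and 3DES are deprecated by RFC 8429; and the realm part of the keytab principal as posted is lower-case, which matters because Kerberos realms are case-sensitive, although on this page that may simply be an artefact of the placeholder names the poster substituted. The script below is an added example of mine, not part of the thread or of Squid: it parses the klist -ekt listing and the helper's error lines (both copied inline as the constructed sample) and cross-checks them. The remedies in its messages are my suggestions.

```python
import re

# Constructed sample input: the poster's klist -ekt and helper output, copied inline
# (hostname, realm and group names are the placeholders used in the message).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/keytab.PROXYSERVER-HTTP
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (des-cbc-crc)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (des-cbc-md5)
   1 06/08/2015 15:28:03 HTTP/hostname.internet.domain@your.realm.tld (arcfour-hmac)
"""

HELPER_LOG = """\
support_krb5.cc(196): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: DEBUG: Got principal name HTTP/hostname.internet.domain@your.realm.tld
support_krb5.cc(64): pid=21722 :2016/08/24 10:57:39| kerberos_ldap_group: ERROR: Error while initialising credentials from keytab : Client 'HTTP/hostname.internet.domain@your.realm.tld' not found in Kerberos database
"""

KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
NOT_FOUND = re.compile(r"Client '([^']+)' not found in Kerberos database")

# DES is refused by MIT krb5 >= 1.8 unless allow_weak_crypto = true;
# RC4 and 3DES are deprecated by RFC 8429.
DISABLED_BY_DEFAULT = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
DEPRECATED = {"arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "des3-cbc-sha1"}


def parse_keytab_listing(text):
    """Return (kvno, principal, enctype) tuples from `klist -ekt` output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def not_found_principals(log):
    """Principals the KDC rejected with 'not found in Kerberos database'."""
    return sorted({m.group(1) for m in NOT_FOUND.finditer(log)})


def diagnose(klist_text, helper_log):
    """Cross-check the keytab against the helper's errors and return findings."""
    entries = parse_keytab_listing(klist_text)
    if not entries:
        return ["klist output contained no keytab entries"]
    principals = {p for _, p, _ in entries}
    enctypes = {e for _, _, e in entries}
    findings = []
    disabled = sorted(enctypes & DISABLED_BY_DEFAULT)
    if disabled:
        findings.append("weak: DES keys (%s) are refused by modern KDCs unless "
                        "allow_weak_crypto is set" % ", ".join(disabled))
    deprecated = sorted(enctypes & DEPRECATED)
    if deprecated:
        findings.append("weak: deprecated enctypes (%s)" % ", ".join(deprecated))
    if not any(e.startswith("aes") for e in enctypes):
        findings.append("weak: no AES key in the keytab; re-export it with AES enctypes")
    for p in sorted(principals):
        if "@" in p:
            realm = p.rsplit("@", 1)[1]
            if realm != realm.upper():
                findings.append("realm: '%s' in %s is not upper-case; Kerberos realms "
                                "are case-sensitive" % (realm, p))
    for p in not_found_principals(helper_log):
        if p in principals:
            findings.append("kdc: %s is in the keytab but unknown to the KDC; check the "
                            "KDC/realm in krb5.conf or getprinc it with kadmin" % p)
        else:
            findings.append("kdc: %s is unknown to the KDC and absent from the keytab" % p)
    return findings


if __name__ == "__main__":
    for finding in diagnose(KLIST_OUTPUT, HELPER_LOG):
        print(finding)
```

Feed it the real `klist -ekt` output and the helper's stderr; a "kdc:" finding for a principal the keytab does hold means the keytab and the KDC disagree, which is exactly the krb5.conf / kadmin check Diogenes suggests, while the "weak:" findings are worth fixing even after the lookup works.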