Re: [squid-users] ssl bump certificate question
On Wed, Sep 7, 2016 at 3:05 PM, Marcus Kool wrote:
>
> slightly off topic: what is the easiest way to install a cert on a
> smartphone?
> I looked for an app but did not find one.
>
> Look for some MDM solutions.

That's not really an option for one (personal) phone, but for a company, that allows you to manage a fleet of phones long-term, including profiles, policies, etc (including certs, both client certs and root certs).

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] ssl bump certificate question
On Thursday 08 September 2016 at 00:06:02, Marcus Kool wrote:
> slightly off topic: what is the easiest way to install a cert on a
> smartphone? I looked for an app but did not find one.

On my Android 4.2.2 device:

Settings -> Security -> Trusted credentials: "Display trusted CA certificates"

Settings -> Security -> Install from SD card: "Install certificates from SD card"

Antony.

--
You can tell that the day just isn't going right when you find yourself using the telephone before the toilet.

Please reply to the list; please *don't* CC me.
Re: [squid-users] ssl bump certificate question
On 09/07/2016 05:58 PM, Antony Stone wrote:
> On Wednesday 07 September 2016 at 22:55:06, Yuri Voinov wrote:
>> 08.09.2016 2:25, erdosain9 wrote:
>>> Hi.
>>> A query. Sslbump is possible without installing the certificate, machine by machine ???
>>
>> Bump impossible. Splice - possible.
>>
>>> Is there any way that this certificate Squid SUBMIT ??
>>
>> Can't understand question. What do you mean?
>
> I believe he wants a mechanism for squid to be able to provide the fake CA certificate to the browser, so that the browser then trusts the fake site certificate which is signed with it.
>
> Of course, this is impossible, since any mechanism which allowed this would allow the browser to be fooled into trusting any certificate anyone cared to wave at it.
>
> Antony.

Yes, I also interpret his question like that.

slightly off topic: what is the easiest way to install a cert on a smartphone?
I looked for an app but did not find one.

Marcus

--
int main() { printf("42\n"); }
Re: [squid-users] ssl bump certificate question
"I believe he wants a mechanism for squid to be able to provide the fake CA certificate to the browser"

Exactly. ok, not possible then.

Thanks
Re: [squid-users] ssl bump certificate question
08.09.2016 2:58, Antony Stone wrote:
> On Wednesday 07 September 2016 at 22:55:06, Yuri Voinov wrote:
>
>> 08.09.2016 2:25, erdosain9 wrote:
>>> Hi.
>>> A query. Sslbump is possible without installing the certificate,
>>> machine by machine ???
>>
>> Bump impossible. Splice - possible.
>>
>>> Is there any way that this certificate Squid SUBMIT ??
>>
>> Can't understand question. What do you mean?
>
> I believe he wants a mechanism for squid to be able to provide the fake CA
> certificate to the browser, so that the browser then trusts the fake site
> certificate which is signed with it.
>
> Of course, this is impossible, since any mechanism which allowed this would
> allow the browser to be fooled into trusting any certificate anyone cared to
> wave at it.
(facepalm)
>
> Antony.
Re: [squid-users] ssl bump certificate question
On Wednesday 07 September 2016 at 22:55:06, Yuri Voinov wrote:
> 08.09.2016 2:25, erdosain9 wrote:
> > Hi.
> > A query. Sslbump is possible without installing the certificate,
> > machine by machine ???
>
> Bump impossible. Splice - possible.
>
> > Is there any way that this certificate Squid SUBMIT ??
>
> Can't understand question. What do you mean?

I believe he wants a mechanism for squid to be able to provide the fake CA certificate to the browser, so that the browser then trusts the fake site certificate which is signed with it.

Of course, this is impossible, since any mechanism which allowed this would allow the browser to be fooled into trusting any certificate anyone cared to wave at it.

Antony.

--
#define SIX 1+5
#define NINE 8+1

int main() {
    printf("%d\n", SIX * NINE);
}

- thanks to ECB for bringing this to my attention

Please reply to the list; please *don't* CC me.
Re: [squid-users] ssl bump certificate question
08.09.2016 2:25, erdosain9 wrote:
>
> Hi.
> A query. Sslbump is possible without installing the certificate, machine by
> machine ???

Bump impossible. Splice - possible.

>
> Is there any way that this certificate Squid SUBMIT ??

Can't understand question. What do you mean?

>
>
> sorry for my english.
>
> Thanks!
[squid-users] ssl bump certificate question
Hi.
A query. Sslbump is possible without installing the certificate, machine by machine ???

Is there any way that this certificate Squid SUBMIT ??

sorry for my english.

Thanks!
Re: [squid-users] subnet forward
to be sure that the link speed and duplex are OK, you need to look at both sides.

Marcus

On 09/07/2016 01:01 PM, Pol Hallen wrote:
>> Since you have an ancient version of Squid I am assuming that you also have ancient hardware.
>
> :-) NIC are not so ancient :-) hw also..
>
> Settings for eth0:
> Supported ports: [ TP MII ]
> Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Half 1000baseT/Full
> Supported pause frame use: No
> Supports auto-negotiation: Yes
> Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Half 1000baseT/Full
> Advertised pause frame use: Symmetric Receive-only
> Advertised auto-negotiation: Yes
> Link partner advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full
> Link partner advertised pause frame use: Symmetric
> Link partner advertised auto-negotiation: Yes
> Speed: 1000Mb/s
> Duplex: Full
> Port: MII
> PHYAD: 0
> Transceiver: internal
> Auto-negotiation: on
> Supports Wake-on: pumbg
> Wake-on: g
> Current message level: 0x0033 (51)
> drv probe ifdown ifup
> Link detected: yes
>
> Pol
Re: [squid-users] Windows Updates a Caching Stub zone, A windows updates store.
Hey Omid,

For now the software is restricted only to windows updates which is protected and secured enough to sustain caching.
About Mozilla, I need to verify it before I am doing anything about it.
From my point of view it is hosted on Akamai and HSTS is restricting a couple of things on their service.
I will try to look at it later without any promises.
Do you have any starting points other than the domain itself?
Have you tried to analyze some logs?

Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Omid Kosari
Sent: Tuesday, September 6, 2016 5:48 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Windows Updates a Caching Stub zone, A windows updates store.

Hey Eliezer,

According to these threads
http://squid-web-proxy-cache.1019090.n4.nabble.com/range-offset-limit-not-working-as-expected-td4679355.html
http://squid-web-proxy-cache.1019090.n4.nabble.com/TProxy-and-client-dst-passthru-td4670189.html

Is there any chance that you implement something that may be used for other (206 partial) popular sites like download.cdn.mozilla.net? I think it also has the same problem as windows update and has lots of uncachable requests.

Thanks in advance.
Re: [squid-users] compiled squid size
On 07.09.16 09:02, mzgmedia wrote:
> I've tried to compile squid with the same params as on www1.ngtech.co.il/repo/
> but the binary size of the squid is 50M but the one from the repo is only 6M,
> any idea why?

apparently unstripped binary (compiled/linked without the "-s" flag)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]
[squid-users] compiled squid size
hello

I've tried to compile squid with the same params as on www1.ngtech.co.il/repo/ but the binary size of the squid is 50M but the one from the repo is only 6M, any idea why?
Re: [squid-users] subnet forward
> Since you have an ancient version of Squid I am assuming that you also have ancient hardware.

:-) NIC are not so ancient :-) hw also..

Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Half 1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Half 1000baseT/Full
Advertised pause frame use: Symmetric Receive-only
Advertised auto-negotiation: Yes
Link partner advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full
Link partner advertised pause frame use: Symmetric
Link partner advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: MII
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: pumbg
Wake-on: g
Current message level: 0x0033 (51)
drv probe ifdown ifup
Link detected: yes

Pol
Re: [squid-users] windows update not working squid 3.5.2
On 7/09/2016 9:08 p.m., --Ahmad-- wrote:
> its same not caching at all
>
> 1473239296.459990 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239296.576 1032 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239296.624 1183 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239297.332 1540 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239297.502 1145 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239297.509 1247 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239297.676 1376 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239297.836666 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239297.911 1277 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239298.593 1146 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239298.601 1475 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239298.623 1550 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239299.174 1238 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239299.213 1327 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239299.576 1594 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239299.794 1527 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239300.070 1373 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239300.167 1356 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239300.321 1558 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239300.443 1347 192.168.0.10
Re: [squid-users] TCP_RESET non http requests on port 80
On 09/07/2016 01:56 AM, Matus UHLAR - fantomas wrote:
> and how is this done? Which system or library call does drop connection to
> send a RST immediately?

This is not a squid-users question, but Squid calls comm_reset_close() (quoted below) to reset the connection. That function uses zero SO_LINGER option value to trigger a TCP reset when the connection is closed. AFAICT, this is a "standard" approach.

I do not know whether that approach results in an actual TCP reset packet immediately sent (as opposed to responding to any incoming packets on the same connection with TCP reset packets).

HTH,

Alex.

> /**
>  * enable linger with time of 0 so that when the socket is
>  * closed, TCP generates a RESET
>  */
> void
> comm_reset_close(const Comm::ConnectionPointer &conn)
> {
>     struct linger L;
>     L.l_onoff = 1;
>     L.l_linger = 0;
>
>     if (setsockopt(conn->fd, SOL_SOCKET, SO_LINGER, (char *) &L, sizeof(L)) < 0) {
>         int xerrno = errno;
>         debugs(50, DBG_CRITICAL, "ERROR: Closing " << conn << " with TCP RST: " << xstrerr(xerrno));
>     }
>     conn->close();
> }
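As an added example (not Squid code, not from the thread), the following Python reproduces the comm_reset_close() technique on a loopback TCP connection and answers Alex's open question on Linux: the peer, which has sent nothing, observes ECONNRESET, so the RST is sent by the close itself rather than in response to later traffic.

```python
"""Demonstrate the SO_LINGER(0) close that Squid's comm_reset_close() uses.

Added example: a loopback TCP server closes its accepted socket either
normally (FIN) or with linger time 0 (RST), and the client reports what it
observed. Nothing is sent on the connection first, so a reset seen by the
client can only come from the close itself. Written against Linux behaviour.
"""
import errno
import socket
import struct
import threading


def reset_close(sock: socket.socket) -> None:
    """Close like comm_reset_close(): l_onoff=1, l_linger=0 => RST on close."""
    # struct linger is two C ints: l_onoff, l_linger
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    sock.close()


def peer_observation(use_reset: bool) -> str:
    """Return 'reset' if the client saw ECONNRESET, 'eof' on a clean FIN."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    listener.listen(1)
    port = listener.getsockname()[1]

    def server() -> None:
        conn, _ = listener.accept()
        if use_reset:
            reset_close(conn)
        else:
            conn.close()  # orderly shutdown: FIN, the peer reads EOF

    t = threading.Thread(target=server)
    t.start()

    client = socket.create_connection(("127.0.0.1", port))
    client.settimeout(5)
    try:
        data = client.recv(1)
        result = "eof" if data == b"" else "data"
    except ConnectionResetError:
        result = "reset"
    except OSError as e:
        result = "reset" if e.errno == errno.ECONNRESET else f"error:{e.errno}"
    finally:
        client.close()
        t.join()
        listener.close()
    return result


if __name__ == "__main__":
    print("orderly close ->", peer_observation(False))
    print("SO_LINGER(0) close ->", peer_observation(True))
```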
Re: [squid-users] Transparent Proxy
On 7/09/2016 9:27 p.m., Antony Stone wrote:
> On Wednesday 07 September 2016 at 10:51:49, John Sayce wrote:
>

FYI: Jon. Please be careful about your use of the word "forward" and "forwarding". Both NAT and routing are methods of forwarding, but which one is used at each particular step of the packet's path through your network from client to Squid matters A LOT.

Some routers offer "forwarding" options / settings, which actually NAT. That will break MITM Squid installations which require routing only outside the Squid machine.

>> I believe so. The specific command I used was:
>>
>> iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> (For some reason my adapter is ens33, I have no idea why it's not eth0. Squid is set to run on 3128.)
>
> That looks okay, then.
>
>> It's fair to say I have almost no experience with iptables. Is it iptables that should be doing the address translation?
>
> Yes - the rule above tells the machine to take any packet addressed to port 80 on any address and send it instead to the local machine (REDIRECT changes the destination address to 127.0.0.1, even though that's not obvious) and port 3128.

No it does not change the IP to localhost. It changes the address to the machine's primary IP. If that is localhost IP then something is wrong in the machine's network interface configuration - which may lead to trouble.

>
>> when the packet is sent back to the client?
>
> Correct. IPtables' address translation rules are automatically symmetrical - when a packet gets translated in one direction, a record is kept that it was done, and then the reply packet is automatically reverse-translated when it comes back in the other direction.
>
> This is true no matter whether packets are going *through* the IPtables machine (ie: it's acting as a router), or whether they're being processed *on* the IPtables machine (as in this case).
>
> I think we need to know more about your squid setup.
>
> Please tell us which version of squid you are using, and post here your squid.conf file without comments or blank lines.
>

Amos
Re: [squid-users] subnet forward
On 09/07/2016 10:05 AM, Pol Hallen wrote:
> Hello all :-)
>
> I'm sorry if this isn't a squid problem.. honestly I don't know..
>
> I've a small lan:
>
> dsl<-WAN_NIC0_192.168.5.0/30->lan1_192.168.10.0/24 (NIC1)<-->switch+AP
> lan2_192.168.1.0/24 (NIC2)<--->switch+AP
>
> I've squid server v.3.1.20 on 192.168.1.20
>
> from 192.168.1.0/24 network squid works perfectly :-))) from 192.168.10.0/24 network squid works but: is very very very slow...
>
> I've checked firewall and routing, dns and ping and they seem ok
>
> anyone has an advice for this scenario? is it a forward/routing problem? any idea?

Since you have an ancient version of Squid I am assuming that you also have ancient hardware. Old NICs can do speed-negotiation and duplex setting wrong and if the switch and NIC have different duplex settings, throughput is ~75K/sec where you expect 10 MB/sec.
I suggest you double-check the speed and duplex setting on NIC and switch.

Marcus

> many thanks!
Re: [squid-users] subnet forward
On Wednesday 07 September 2016 at 15:05:25, Pol Hallen wrote:
> I've a small lan:
>
> dsl<-WAN_NIC0_192.168.5.0/30->lan1_192.168.10.0/24 (NIC1)<-->switch+AP
> lan2_192.168.1.0/24 (NIC2)<--->switch+AP
>
> I've squid server v.3.1.20 on 192.168.1.20
>
> from 192.168.1.0/24 network squid works perfectly :-))) from
> 192.168.10.0/24 network squid works but: is very very very slow...
>
> I've check firewall and routing, dns and ping and seem ok

Where's the firewall?

Show us the routing table on 192.168.1.20, and show us the routing table on the machine above with three network cards. Also please tell us the IP addresses on its three interfaces.

Show us any NAT rules you have on that machine.

> maximum_object_size 5 Gb
> cache_dir ufs /data/vmware/squid-cache 30720 16 256
> cache_mem 4096 MB
>
> minimum_object_size 0
> maximum_object_size_in_memory 512 Kb
> cache_replacement_policy heap GDSF
>
> cache_swap_low 85
> cache_swap_high 90
>
> half_closed_clients off
>
> hosts_file /etc/hosts
> memory_pools off
> client_db off
> dns_nameservers 127.0.0.1
>
> via off
> forwarded_for off
> httpd_suppress_version_string off
> follow_x_forwarded_for deny all
> #visible_hostname sign.bunker.org
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> refresh_pattern . 0 40% 40320
>
> refresh_pattern -i movies.com/.* 10080 90% 43200
> refresh_pattern (/cgi-bin/|\?) 0 0% 0

What? No http_access rules or ACLs?

Antony.

--
Wanted: telepath. You know where to apply.

Please reply to the list; please *don't* CC me.
Re: [squid-users] Transparent Proxy
On Wednesday 07 September 2016 at 10:51:49, John Sayce wrote:
> I believe so. The specific command I used was:
>
> iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> (For some reason my adapter is ens33, I have no idea why it's not eth0.
> Squid is set to run on 3128.)

That looks okay, then.

> It's fair to say I have almost no experience with iptables. Is it iptables
> that should be doing the address translation?

Yes - the rule above tells the machine to take any packet addressed to port 80 on any address and send it instead to the local machine (REDIRECT changes the destination address to 127.0.0.1, even though that's not obvious) and port 3128.

> when the packet is sent back to the client?

Correct. IPtables' address translation rules are automatically symmetrical - when a packet gets translated in one direction, a record is kept that it was done, and then the reply packet is automatically reverse-translated when it comes back in the other direction.

This is true no matter whether packets are going *through* the IPtables machine (ie: it's acting as a router), or whether they're being processed *on* the IPtables machine (as in this case).

I think we need to know more about your squid setup.

Please tell us which version of squid you are using, and post here your squid.conf file without comments or blank lines.

Antony.

--
Software development can be quick, high quality, or low cost.
The customer gets to pick any two out of three.

Please reply to the list; please *don't* CC me.
Re: [squid-users] windows update not working squid 3.5.2
also here is squid -k parse not sure if it helps :

root@raspberrypi:~# squid -k parse
2016/09/07 09:10:44| Startup: Initializing Authentication Schemes ...
2016/09/07 09:10:44| Startup: Initialized Authentication Scheme 'basic'
2016/09/07 09:10:44| Startup: Initialized Authentication Scheme 'digest'
2016/09/07 09:10:44| Startup: Initialized Authentication Scheme 'negotiate'
2016/09/07 09:10:44| Startup: Initialized Authentication Scheme 'ntlm'
2016/09/07 09:10:44| Startup: Initialized Authentication.
2016/09/07 09:10:44| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain windowsupdate.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain .update.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain download.windowsupdate.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain redir.metaservices.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain images.metaservices.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain c.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain www.download.windowsupdate.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain wustat.windows.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain crl.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain sls.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain productactivation.one.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain ntservicepack.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain au.download.windowsupdate.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain ds.download.windowsupdate.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain ctldl.windowsupdate.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain .data.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain .l.windowsupdate.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain .microsoft.com.akadns.net
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain .deploy.akamaitechnologies.com
2016/09/07 09:10:44| Processing: acl CONNECT method CONNECT
2016/09/07 09:10:44| Processing: acl wuCONNECT dstdomain www.update.microsoft.com
2016/09/07 09:10:44| Processing: acl wuCONNECT dstdomain sls.microsoft.com
2016/09/07 09:10:44| Processing: refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2016/09/07 09:10:44| Processing: refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2016/09/07 09:10:44| Processing: refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2016/09/07 09:10:44| Processing: refresh_pattern -i microsoft.com.akadns.net/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2016/09/07 09:10:44| Processing: refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2016/09/07 09:10:44| Processing: refresh_pattern ^ftp: 1440 20% 10080
2016/09/07 09:10:44| Processing: refresh_pattern ^gopher: 1440 0% 1440
2016/09/07 09:10:44| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2016/09/07 09:10:44| Processing: refresh_pattern . 0 20% 4320
2016/09/07 09:10:44| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
2016/09/07 09:10:44| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2016/09/07 09:10:44| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2016/09/07 09:10:44| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2016/09/07 09:10:44| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2016/09/07 09:10:44| Processing: acl SSL_ports port 443
2016/09/07 09:10:44| Processing: acl Safe_ports port 80 # http
2016/09/07 09:10:44| Processing: acl Safe_ports port 21 # ftp
2016/09/07 09:10:44| Processing: acl Safe_ports port 443 # https
2016/09/07 09:10:44| Processing: acl Safe_ports port 70 # gopher
2016/09/07 09:10:44| Processing: acl Safe_ports port 210 # wais
2016/09/07 09:10:44| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2016/09/07 09:10:44| Processing: acl Safe_ports port 280 # http-mgmt
2016/09/07 09:10:44| Processing: acl Safe_ports port 488 # gss-http
2016/09/07 09:10:44| Processing: acl Safe_ports port 591 # filemaker
2016/09/07 09:10:44| Processing: acl Safe_ports port 777 #
Re: [squid-users] windows update not working squid 3.5.2
It's the same, not caching at all.
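The access.log entries reported in this thread are all TCP_MISS/206, i.e. range requests that Squid answers with partial content and never stores. As an added example (not code from the thread), here is a small checker for Squid's native access.log format that flags URLs which are fetched repeatedly, always as 206, and never hit; the log lines, URLs and hit-code list are constructed here.

```python
# Added example, not from the thread: summarise a Squid native-format
# access.log to see whether Windows Update downloads are ever served from cache.
# The log lines below are constructed to match the shape of the ones posted
# in this thread (repeated TCP_MISS/206 range requests for one .cab file).
import re
from collections import defaultdict

# Native access.log fields, space separated:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed URLs (shortened; the real ones in the thread are much longer)
CAB_URL = "http://fg.v4.download.windowsupdate.com/d/msdownload/example_constructed.cab"
EXE_URL = "http://fg.v4.download.windowsupdate.com/d/msdownload/example_constructed.exe"

# Constructed sample log: four 206 misses for the .cab, one miss and one hit
# for the .exe, a CONNECT tunnel, and a malformed line that must be skipped.
SAMPLE_LOG = f"""\
1473239296.459 990 192.168.0.10 TCP_MISS/206 1049144 GET {CAB_URL} - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239296.576 1032 192.168.0.10 TCP_MISS/206 1049146 GET {CAB_URL} - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239296.624 1183 192.168.0.10 TCP_MISS/206 1049144 GET {CAB_URL} - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239297.332 1540 192.168.0.10 TCP_MISS/206 1049146 GET {CAB_URL} - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239310.100 2210 192.168.0.10 TCP_MISS/200 3145728 GET {EXE_URL} - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239320.200 15 192.168.0.11 TCP_HIT/200 3145728 GET {EXE_URL} - HIER_NONE/- application/octet-stream
1473239321.300 300 192.168.0.10 TCP_TUNNEL/200 4100 CONNECT sls.microsoft.com:443 - ORIGINAL_DST/8.254.191.1 -
this line is deliberately malformed and must be skipped
"""

# Result codes that mean the body came from Squid's cache
HIT_CODES = ("TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_REFRESH_UNMODIFIED",
             "TCP_NEGATIVE_HIT", "TCP_OFFLINE_HIT")


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("ms", "bytes", "status"):
        rec[key] = int(rec[key])
    return rec


def summarize(log_text):
    """Per-URL counts of requests, 206 partial responses, cache hits and bytes."""
    stats = defaultdict(lambda: {"requests": 0, "partial": 0, "hits": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue  # CONNECT tunnels and unparseable lines say nothing about caching
        s = stats[rec["url"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["status"] == 206:
            s["partial"] += 1
        if rec["code"] in HIT_CODES:
            s["hits"] += 1
    return dict(stats)


def uncached_range_downloads(stats, min_requests=3):
    """URLs fetched repeatedly, always as 206 partial content and never from cache.
    Squid does not cache 206 responses, so this pattern means the range requests
    are being forwarded as-is rather than turned into whole-object fetches."""
    return sorted(url for url, s in stats.items()
                  if s["requests"] >= min_requests
                  and s["partial"] == s["requests"]
                  and s["hits"] == 0)


def cache_hit_ratio(stats):
    """Fraction of GET requests served from cache (0.0 when there are none)."""
    total = sum(s["requests"] for s in stats.values())
    hits = sum(s["hits"] for s in stats.values())
    return hits / total if total else 0.0


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG)
    print("hit ratio: %.2f" % cache_hit_ratio(st))
    for url in uncached_range_downloads(st):
        print("never cached (all 206, no hits):", url)
```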
Re: [squid-users] regarding to "cache videos" plugin now as open source
Might be usable. The question is how effective it will be on overall traffic, as the most famous/accessed videos are found on YouTube, which uses https, in my area at least.
Re: [squid-users] windows update not working squid 3.5.2
Hi,

Change this part:

# range_offset_limit 5 Gb windowsupdate
maximum_object_size 5 Gb
quick_abort_min -1
#

To:

range_offset_limit 0
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 90

and see what happens.

Greetz,

Louis

From: --Ahmad-- [mailto:ahmed.za...@netstream.ps]
Sent: Wednesday 7 September 2016 9:40
To: L.P.H. van Belle
CC: squid-us...@squid-cache.org
Subject: Re: [squid-users] windows update not working squid 3.5.2

Thanks for the reply, but I still don't see even the HDD drive increasing when Windows updates go on. I tested it on Windows 7; I never saw TCP_HIT and the HDD size is still the same!!!

Here is again my squid.conf in final form on my server:

root@raspberrypi:~# cat /etc/squid/squid.conf
[...]
Re: [squid-users] Transparent Proxy
I believe so. The specific command I used was:

iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 3128

(For some reason my adapter is ens33, I have no idea why it's not eth0. Squid is set to run on 3128.)

And after running this command port 80 now shows as being open with nmap.

And the output from iptables -t nat -L:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3128

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

It's fair to say I have almost no experience with iptables. Is it iptables that should be doing the address translation when the packet is sent back to the client?

-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Antony Stone
Sent: 07 September 2016 09:28
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Transparent Proxy

On Wednesday 07 September 2016 at 10:23:02, John Sayce wrote:

> I'm trying to set up a transparent proxy but I'm fairly sure I'm
> missing something.
>
> I've followed the instructions on the juniper website along with a
> couple of other blogs as per:
> https://damn.technology/using-squid-juniper-pbr-transparent-proxy

You *have* applied the iptables rule on the machine running squid as described on that page, yes?

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Antony.

--
This email was created using 100% recycled electrons.

Please reply to the list; please *don't* CC me.
[squid-users] Transparent Proxy
I'm trying to set up a transparent proxy but I'm fairly sure I'm missing something.

I've followed the instructions on the juniper website along with a couple of other blogs as per:

https://damn.technology/using-squid-juniper-pbr-transparent-proxy
http://davehope.co.uk/Blog/implementing-pbr-and-squid3-as-a-transparent-proxy/
https://kb.juniper.net/InfoCenter/index?id=KB24139=content=search

I have a juniper SSG320 firewall setup with policy based routing. For my chosen subnet this is configured to forward traffic on port 80 to the squid server.

The traffic from my firewall is forwarded to squid. This appears to be happening. The client starts with a syn packet which is forwarded from the firewall to the squid server. The packet is forwarded to the squid server with the source IP address remaining that of the client.

The problem is that the squid server then responds to the client as itself rather than spoofing the address that the client originally requested. So the ACK packet the client receives is from the squid server rather than the remote webserver the client made a request to, which isn't going to work.

So should my firewall be doing something more, or is it my squid server that's not performing as expected?

In addition to forwarding the packet to squid I can enable source translation on the firewall (which isn't in the guides I mentioned) so the source address of the packet sent to squid comes from the firewall, squid then responds to the firewall, which in turn translates the packet back to the client. This configuration works, however the access log stores the address of the firewall rather than the address of the client.

Is this how it's meant to work, or am I missing something?

Thanks
Re: [squid-users] TCP_RESET non http requests on port 80
On 05.09.16 23:32, Omid Kosari wrote:
>>> Filed a bug report http://bugs.squid-cache.org/show_bug.cgi?id=4585

On 09/06/2016 08:36 AM, Matus UHLAR - fantomas wrote:
>> I wonder if this is doable at all.

On 06.09.16 12:02, Alex Rousskov wrote:
> Yes, and Squid supports it in other contexts.

And how is this done? Which system or library call drops the connection so as to send a RST immediately?

>> Does any tcp stack allow sending reset AFTER the connection has been opened?

> A TCP RESET packet can be sent at any time. This is not something the
> protocol can (or needs to!) prohibit.

I'm not saying that it should not be done, I was just unaware of how this is implemented.
Closing a connection sends FIN, not RST, correct?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
2B|!2B, that's a question!
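The question above (which call makes a close send RST rather than FIN) can be answered with the ordinary sockets API. This is an added example, not from the thread and not a description of how Squid itself does it: a constructed loopback connection is closed three ways and the peer reports whether it saw an orderly FIN or a reset.

```python
# Added example, not from the thread and not a description of Squid's own
# implementation: which socket calls make a TCP close send RST instead of FIN.
# It uses a constructed loopback connection, so it runs offline.
import socket
import struct
import time


def _loopback_pair():
    """Constructed connection: returns (accepted_server_side, client_side)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server, _ = listener.accept()
    listener.close()
    return server, client


def peer_sees_after_close(mode):
    """Close the server side in one of three ways and report what the client's
    recv() observes: 'fin' (orderly close), 'rst' (connection reset) or 'data'."""
    server, client = _loopback_pair()
    if mode == "abortive":
        # SO_LINGER with l_onoff=1 and l_linger=0: close() discards any queued
        # data and sends RST immediately instead of FIN. The struct is two C ints
        # on Linux/BSD (Windows uses two unsigned shorts, "HH").
        server.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    elif mode == "unread":
        # Closing a socket that still holds unread received data also makes the
        # stack send RST (Linux and BSD behaviour, see RFC 2525 section 2.17).
        client.sendall(b"GET / HTTP/1.0\r\n\r\n")
        time.sleep(0.1)  # let the bytes land in the server's receive queue
    elif mode != "orderly":
        raise ValueError("mode must be orderly, abortive or unread")
    server.close()  # orderly: FIN; abortive/unread: RST
    client.settimeout(5.0)
    try:
        data = client.recv(1024)
        outcome = "fin" if data == b"" else "data"
    except ConnectionResetError:
        outcome = "rst"
    finally:
        client.close()
    return outcome


if __name__ == "__main__":
    for m in ("orderly", "abortive", "unread"):
        print(f"{m:9s} close -> client sees {peer_sees_after_close(m)}")
```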
Re: [squid-users] Debugging NTLM problem
Dear Amos,

I found the problem. It was a samba issue caused by the badlock patch implementation.
Thanks for your assistance, and sorry for my wrong mailing-list post; I should have checked the samba logs better.

Giulius.

Sent: Saturday, September 03, 2016 at 4:43 AM
From: "Amos Jeffries"
To: "akn ab", squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Debugging NTLM problem

On 3/09/2016 3:06 a.m., akn ab wrote:
> Hello Amos,
> auth_param ntlm keep_alive off
> unfortunately does not solve the problem.
> I did more investigation about the problem and I found some information.
> Every time a user gets the browser popup requesting credentials, I find on the squid
> log this event:
> Login for user [DOMAIN]\[user]@[PC_] failed due to [Access denied]
> NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> 2016/09/02 16:56:13 kid1| ERROR: NTLM Authentication validating user. Result:
> {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}

That is ntlm_auth (on behalf of AD) telling Squid the user credentials are not correct. There is no NTLM protocol problem.

Consider this NT_STATUS_ACCESS_DENIED as if a user entered the wrong password. Why do you want to allow them access in that case?

> It's not easy to do more debugging because I have 9000 concurrent connections, but
> if you think that can help me, I'll try to set debug_option to something like 29,5.
> Sometimes users leave the office leaving the browser open.
> After 1 hour (more or less), they return to the PC and the popup shows as soon as
> the mouse points to a new link in the open browser.
> It's probably because something cached expires, but I cannot demonstrate it so
> easily because, as you said, ntlm never caches.
> On my samba/winbind logs I see many
> rpccli_netlogon_sam_network_logon: credentials chain check failed
> So it's very strange to understand if some problem occurs between squid and
> browser or samba and Active Directory.
> What do you think about it?
> Thanks.
> Giulius.
>
> On 1/09/2016 12:37 a.m., akn ab wrote:
> > Dear all,
> > I'm facing a strange problem using squid 3.5.20 with ntlm transparent
> > authentication.
> > I cannot use kerberos auth because I need to pass DOMAIN\user to my parent proxy
> > with the x-authenticated-user header, and the form USERNAME@DOMAIN is not supported.

I suggest you use an external_acl_type helper that takes the %LOGIN format parameter and sends 'OK upstream_user_="..." ' back to Squid. Use the %note{upstream_user_} in your request_header_add directive to send the right header value upstream.

That will allow you to at least keep your part of the proxy chain using secure Negotiate authentication even though the parent proxy allows anyone to inject traffic spoofing your user accounts.

Amos
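Amos's suggestion above (an external_acl_type helper fed %LOGIN that hands a note back for request_header_add) can be implemented as a small stdin/stdout helper. This is an added example, not Amos's or Squid's code; the note name upstream_user, the realm-to-NetBIOS-domain mapping, the squid.conf wiring in the comment and the sample logins are all assumptions, and the kv-pair quoting follows my understanding of the Squid 3.5 helper reply format.

```python
# Added example (not Amos's or Squid's code): an external_acl_type helper that
# turns the authenticated %LOGIN value (user@REALM from Negotiate/Kerberos) into
# DOMAIN\user and hands it back to Squid as a note for request_header_add.
# Assumed squid.conf wiring (names are mine, not from the thread):
#   external_acl_type upmap ttl=3600 %LOGIN /usr/local/bin/upstream_user.py
#   acl upmap_ok external upmap
#   http_access allow upmap_ok
#   request_header_add X-Authenticated-User "%note{upstream_user}" upmap_ok
import sys
import urllib.parse


def to_domain_backslash_user(login):
    """Map 'user@CORP.EXAMPLE.COM' to 'CORP\\user'. The NetBIOS domain is taken
    as the first label of the realm, upper-cased (constructed rule; replace it
    with your site's realm-to-domain table). A value already in DOMAIN\\user
    form is passed through; anything else yields None."""
    if "\\" in login and "@" not in login:
        return login
    user, sep, realm = login.partition("@")
    if not sep or not user or not realm:
        return None
    return f"{realm.split('.')[0].upper()}\\{user}"


def quote_value(value):
    """Double-quote a kv-pair value for the Squid 3.5 helper reply format,
    escaping backslash and double quote (check this against your Squid release)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def handle_line(line, concurrent=False):
    """Build the reply for one request line from Squid.
    With concurrency=N on external_acl_type every line starts with a channel id
    that must be echoed back; Squid %-encodes the %LOGIN value itself."""
    line = line.rstrip("\r\n")
    channel = ""
    if concurrent:
        channel, _, line = line.partition(" ")
        channel += " "
    login = urllib.parse.unquote(line.strip())
    mapped = to_domain_backslash_user(login)
    if mapped is None:
        # ERR makes the acl not match, so no header is added for this request
        return f"{channel}ERR message={quote_value('login not in user@REALM form')}"
    # The value derives only from Squid's authenticated login, never from a
    # client-supplied header, so the upstream proxy receives an identity that
    # this proxy actually verified.
    return f"{channel}OK upstream_user={quote_value(mapped)}"


def main():
    concurrent = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        print(handle_line(line, concurrent), flush=True)


if __name__ == "__main__":
    main()
```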
Re: [squid-users] windows update not working squid 3.5.2
Thanks for the reply, but I still don't see even the HDD drive increasing when Windows updates go on. I tested it on Windows 7; I never saw TCP_HIT and the HDD size is still the same!!!

Here is again my squid.conf in final form on my server:

root@raspberrypi:~# cat /etc/squid/squid.conf
#
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain au.download.windowsupdate.com
acl windowsupdate dstdomain ds.download.windowsupdate.com
acl windowsupdate dstdomain ctldl.windowsupdate.com
acl windowsupdate dstdomain .data.microsoft.com
acl windowsupdate dstdomain .l.windowsupdate.com
acl windowsupdate dstdomain .microsoft.com.akadns.net
acl windowsupdate dstdomain .deploy.akamaitechnologies.com
###
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i microsoft.com.akadns.net/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 192.168.0.1:3128

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 2 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
#refresh_pattern . 0 20% 4320
#
range_offset_limit 5 Gb windowsupdate
maximum_object_size 5 Gb
quick_abort_min -1
#
http_port 3129
Re: [squid-users] windows update not working squid 3.5.2
I also have these for windows updates.

acl windowsupdate dstdomain au.download.windowsupdate.com
acl windowsupdate dstdomain ds.download.windowsupdate.com
acl windowsupdate dstdomain ctldl.windowsupdate.com
acl windowsupdate dstdomain .data.microsoft.com
acl windowsupdate dstdomain .l.windowsupdate.com
acl windowsupdate dstdomain .microsoft.com.akadns.net
acl windowsupdate dstdomain .deploy.akamaitechnologies.com

and add this one to your refresh.

refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims

Greetz,

Louis

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of --Ahmad--
Sent: Tuesday 6 September 2016 19:08
To: Yuri Voinov
CC: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] windows update not working squid 3.5.2

[...]