Re: [squid-users] ssl bump certificate question

2016-09-07 Thread Jok Thuau
On Wed, Sep 7, 2016 at 3:05 PM, Marcus Kool 
wrote:

>
> slightly off topic: what is the easiest way to install a cert on a
> smartphone?
> I looked for an app but did not find one.
>
>
Look for some MDM solutions. That's not really an option for one (personal)
phone, but for a company, that allows you to manage a fleet of phones
long-term, including profiles, policies, etc. (including certs, both client
certs and root certs).
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] ssl bump certificate question

2016-09-07 Thread Antony Stone
On Thursday 08 September 2016 at 00:06:02, Marcus Kool wrote:

> slightly off topic: what is the easiest way to install a cert on a
> smartphone? I looked for an app but did not find one.

On my Android 4.2.2 device:

Settings -> Security -> Trusted credentials: "Display trusted CA certificates"

Settings -> Security -> Install from SD card: "Install certificates from SD 
card"


Antony.

-- 
You can tell that the day just isn't going right when you find yourself using 
the telephone before the toilet.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] ssl bump certificate question

2016-09-07 Thread Marcus Kool



On 09/07/2016 05:58 PM, Antony Stone wrote:

> On Wednesday 07 September 2016 at 22:55:06, Yuri Voinov wrote:
>
>> 08.09.2016 2:25, erdosain9 wrote:
>>> Hi.
>>> A query. Sslbump is possible without installing the certificate,
>>> machine by machine ???
>>
>> Bump impossible. Splice - possible.
>>
>>> Is there any way that this certificate Squid SUBMIT ??
>>
>> Can't understand question. What do you mean?
>
> I believe he wants a mechanism for squid to be able to provide the fake CA
> certificate to the browser, so that the browser then trusts the fake site
> certificate which is signed with it.
>
> Of course, this is impossible, since any mechanism which allowed this would
> allow the browser to be fooled into trusting any certificate anyone cared to
> wave at it.
>
>
> Antony.


Yes, I also interpret his question like that.

slightly off topic: what is the easiest way to install a cert on a smartphone?
I looked for an app but did not find one.

Marcus

--
int main()
{
   printf("42\n");
}


Re: [squid-users] ssl bump certificate question

2016-09-07 Thread erdosain9

"I believe he wants a mechanism for squid to be able to provide the fake CA 
certificate to the browser"
Exactly. ok, no possible then.
Thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-certificate-question-tp4679409p4679413.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] ssl bump certificate question

2016-09-07 Thread Yuri Voinov

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



08.09.2016 2:58, Antony Stone wrote:
> On Wednesday 07 September 2016 at 22:55:06, Yuri Voinov wrote:
>
>> 08.09.2016 2:25, erdosain9 wrote:
>>> Hi.
>>> A query. Sslbump is possible without installing the certificate,
>>> machine by machine ???
>>
>> Bump impossible. Splice - possible.
>>
>>> Is there any way that this certificate Squid SUBMIT ??
>>
>> Can't understand question. What do you mean?
>
> I believe he wants a mechanism for squid to be able to provide the fake CA
> certificate to the browser, so that the browser then trusts the fake site
> certificate which is signed with it.
>
> Of course, this is impossible, since any mechanism which allowed this would
> allow the browser to be fooled into trusting any certificate anyone cared to
> wave at it.
(facepalm)
>
>
>
> Antony.
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJX0H+7AAoJENNXIZxhPexG8+YH/jq85O+ieQ5+Bf5CK2arYyb2
F7p7sa3+bgFY4zuw9e592fCWlMaUEQdCVGSwnSJv6Zaxsylst/GnBk8d1yq1PyAR
R6CKr9itvwvyfqKXpqbasB41NogbesHn21ht5ttxusv+c0i1onp6BHDkWRVDEBTA
RLrdBZmw/yuHCOKXi3L3Ef/0k7OVHfbvTXUAcI70cweaGMr8Nbofm6Zn/T6LN2ow
FJKSFrWpluMFhidaMhEuLiJ/FmbgCJSl2E14Bz57YBusiMVmjNvJjIpo5dnPbxnF
HyQrkRq/UJxHw2YIeVIrQ4+Yubw4xxerw7R2ecO3fCoH7Y6dyL/D4R2e96t33dw=
=SvH8
-----END PGP SIGNATURE-----




Re: [squid-users] ssl bump certificate question

2016-09-07 Thread Antony Stone
On Wednesday 07 September 2016 at 22:55:06, Yuri Voinov wrote:

> 08.09.2016 2:25, erdosain9 wrote:
> > Hi.
> > A query. Sslbump is possible without installing the certificate,
> > machine by machine ???
> 
> Bump impossible. Splice - possible.
> 
> > Is there any way that this certificate Squid SUBMIT ??
> 
> Can't understand question. What do you mean?

I believe he wants a mechanism for squid to be able to provide the fake CA 
certificate to the browser, so that the browser then trusts the fake site 
certificate which is signed with it.

Of course, this is impossible, since any mechanism which allowed this would 
allow the browser to be fooled into trusting any certificate anyone cared to 
wave at it.


Antony.

-- 
#define SIX 1+5
#define NINE 8+1

int main() {
printf("%d\n", SIX * NINE);
}
- thanks to ECB for bringing this to my attention

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] ssl bump certificate question

2016-09-07 Thread Yuri Voinov

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



08.09.2016 2:25, erdosain9 wrote:
>
> Hi.
> A query. Sslbump is possible without installing the certificate,
> machine by machine ???
Bump impossible. Splice - possible.
>
> Is there any way that this certificate Squid SUBMIT ??
Can't understand question. What do you mean?
>
>
> sorry for my english.
>
> Thanks!
>
>
>
> --
> View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-certificate-question-tp4679409.html
> Sent from the Squid - Users mailing list archive at Nabble.com.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJX0H6pAAoJENNXIZxhPexG4bgIALO4Gudeot2aSVp9ckCaRdDO
mMv9R9P1W2rT2b2tZt9b39mFrU7qFnF/m1m3p1++vqBr7StSZKyeWxJFYhwXA86p
cvKiyk6Nd/1u29eXfr4+dJRFD2jf3aax84cjgAIlJLzZrO3QAYzEZs/f36GkmFVs
WDz/1oOjpH7hXqoohVL4X+DFUb9Iq5DHwMLP6pDhu9d4sFxX0DOQfoilp9P7gBd5
yxXevN/kfjaf8Rm53xLYjPO81dY9iLkMJEwt4aEQpBHvNd2hWKgIk9sjS6d58++L
MiKUDiCzW6BZMhQB6tZ6LaDYULH2eThjJ1a8Ahc36N3uglHdG4CQrEh64aDcMj0=
=avbu
-----END PGP SIGNATURE-----




[squid-users] ssl bump certificate question

2016-09-07 Thread erdosain9

Hi.
A query. Sslbump is possible without installing the certificate, machine by
machine ???
Is there any way that this certificate Squid SUBMIT ??

sorry for my english.

Thanks!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-bump-certificate-question-tp4679409.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] subnet forward

2016-09-07 Thread Marcus Kool

To be sure that the link speed and duplex are OK, you need to look at both sides.

Marcus

On 09/07/2016 01:01 PM, Pol Hallen wrote:

>> Since you have an ancient version of Squid I am assuming that you also
>> have ancient hardware.
>
> :-)
>
> NICs are not so ancient :-) hw also..
>
> Settings for eth0:
> Supported ports: [ TP MII ]
> Supported link modes:   10baseT/Half 10baseT/Full
>                         100baseT/Half 100baseT/Full
>                         1000baseT/Half 1000baseT/Full
> Supported pause frame use: No
> Supports auto-negotiation: Yes
> Advertised link modes:  10baseT/Half 10baseT/Full
>                         100baseT/Half 100baseT/Full
>                         1000baseT/Half 1000baseT/Full
> Advertised pause frame use: Symmetric Receive-only
> Advertised auto-negotiation: Yes
> Link partner advertised link modes:  10baseT/Half 10baseT/Full
>                                      100baseT/Half 100baseT/Full
>                                      1000baseT/Full
> Link partner advertised pause frame use: Symmetric
> Link partner advertised auto-negotiation: Yes
> Speed: 1000Mb/s
> Duplex: Full
> Port: MII
> PHYAD: 0
> Transceiver: internal
> Auto-negotiation: on
> Supports Wake-on: pumbg
> Wake-on: g
> Current message level: 0x0033 (51)
>                        drv probe ifdown ifup
> Link detected: yes
>
> Pol


Re: [squid-users] Windows Updates a Caching Stub zone, A windows updates store.

2016-09-07 Thread Eliezer Croitoru
Hey Omid,

For now the software is restricted only to Windows updates, which are protected
and secured enough to sustain caching.
About Mozilla, I need to verify it before I do anything about it.
From my point of view it is hosted on Akamai and HSTS is restricting a couple of
things on their service.
I will try to look at it later, without any promises.

Do you have any starting points other than the domain itself?
Have you tried to analyze some logs?

Eliezer 


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Omid Kosari
Sent: Tuesday, September 6, 2016 5:48 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Windows Updates a Caching Stub zone, A windows 
updates store.

Hey Eliezer,

According to these threads
http://squid-web-proxy-cache.1019090.n4.nabble.com/range-offset-limit-not-working-as-expected-td4679355.html

http://squid-web-proxy-cache.1019090.n4.nabble.com/TProxy-and-client-dst-passthru-td4670189.html

Is there any chance that you implement something that may be used for other
(206 partial) popular sites like download.cdn.mozilla.net? I think it also has
the same problem as windows update and has lots of uncachable requests.

Thanks in advance .



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Windows-Updates-a-Caching-Stub-zone-A-windows-updates-store-tp4678454p4679373.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] compiled squid size

2016-09-07 Thread Matus UHLAR - fantomas

On 07.09.16 09:02, mzgmedia wrote:

> I've tried to compile squid with the same params as on
> www1.ngtech.co.il/repo/ but the binary size of the squid is 50M but the one
> from the repo is only 6M, any idea why?

apparently an unstripped binary (compiled/linked without the "-s" flag)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
to take effect. [OK]


[squid-users] compiled squid size

2016-09-07 Thread mzgmedia
hello

I've tried to compile squid with the same params as on
www1.ngtech.co.il/repo/ but the binary size of the squid is 50M but the one
from the repo is only 6M, any idea why?




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/compliled-squid-size-tp4679405.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] subnet forward

2016-09-07 Thread Pol Hallen

> Since you have an ancient version of Squid I am assuming that you also
> have ancient hardware.

:-)

NICs are not so ancient :-) hw also..

Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes:   10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes:  10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Advertised pause frame use: Symmetric Receive-only
Advertised auto-negotiation: Yes
Link partner advertised link modes:  10baseT/Half 10baseT/Full
 100baseT/Half 100baseT/Full
 1000baseT/Full
Link partner advertised pause frame use: Symmetric
Link partner advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: MII
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: pumbg
Wake-on: g
Current message level: 0x0033 (51)
   drv probe ifdown ifup
Link detected: yes

Pol


Re: [squid-users] windows update not working squid 3.5.2

2016-09-07 Thread Amos Jeffries
On 7/09/2016 9:08 p.m., --Ahmad-- wrote:
> its same not caching at all 
> 1473239296.459    990 192.168.0.10 TCP_MISS/206 1049144 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239296.576   1032 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239296.624   1183 192.168.0.10 TCP_MISS/206 1049144 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239297.332   1540 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239297.502   1145 192.168.0.10 TCP_MISS/206 1049144 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239297.509   1247 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239297.676   1376 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239297.836    666 192.168.0.10 TCP_MISS/206 1049144 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239297.911   1277 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239298.593   1146 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239298.601   1475 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239298.623   1550 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239299.174   1238 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239299.213   1327 192.168.0.10 TCP_MISS/206 1049144 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239299.576   1594 192.168.0.10 TCP_MISS/206 1049144 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239299.794   1527 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239300.070   1373 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239300.167   1356 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239300.321   1558 192.168.0.10 TCP_MISS/206 1049146 GET 
> http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab
>  - ORIGINAL_DST/8.254.191.254 application/octet-stream
> 1473239300.443   1347 192.168.0.10 

Re: [squid-users] TCP_RESET non http requests on port 80

2016-09-07 Thread Alex Rousskov
On 09/07/2016 01:56 AM, Matus UHLAR - fantomas wrote:

> and how is this done? Which system or library call does drop connection to
> send a RST immediately?

This is not a squid-users question, but Squid calls comm_reset_close()
(quoted below) to reset the connection. That function uses zero
SO_LINGER option value to trigger a TCP reset when the connection is
closed. AFAICT, this is a "standard" approach.

I do not know whether that approach results in an actual TCP reset
packet immediately sent (as opposed to responding to any incoming
packets on the same connection with TCP reset packets).


HTH,

Alex.

> /**
>  * enable linger with time of 0 so that when the socket is
>  * closed, TCP generates a RESET
>  */
> void
> comm_reset_close(const Comm::ConnectionPointer &conn)
> {
>     struct linger L;
>     L.l_onoff = 1;
>     L.l_linger = 0;
> 
>     if (setsockopt(conn->fd, SOL_SOCKET, SO_LINGER, (char *) &L, sizeof(L)) < 0) {
>         int xerrno = errno;
>         debugs(50, DBG_CRITICAL, "ERROR: Closing " << conn << " with TCP RST: " << xstrerr(xerrno));
>     }
>     conn->close();
> }

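
The zero-linger trick Alex describes, as an added example that is neither part of this thread nor taken from Squid's source: it opens a TCP connection over loopback inside one process, closes the server side once with a plain close() and once with SO_LINGER set to {1, 0}, and reports what the client's recv() sees. A FIN gives the client a clean end-of-file (recv() returns 0); an abortive close puts a RST on the wire, and the client gets ECONNRESET instead, which answers the "is a RST actually sent" question for Linux and the BSDs. The example assumes POSIX sockets and a working IPv4 loopback interface; the names close_with_reset and peer_observes are the example's own.

```c
/*
 * Added example, not from the squid-users thread or from Squid itself.
 * Demonstrates the SO_LINGER {l_onoff=1, l_linger=0} abortive close that
 * comm_reset_close() relies on, by observing the peer's view of it.
 * Assumptions: POSIX sockets and an IPv4 loopback interface are available.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Close fd the way comm_reset_close() does: linger enabled with a zero
 * timeout makes close() discard unsent data and emit a RST instead of a FIN
 * (and skip TIME_WAIT on this side). Returns 0, or -1 with errno set. */
int close_with_reset(int fd)
{
    struct linger L;
    L.l_onoff = 1;
    L.l_linger = 0;
    if (setsockopt(fd, SOL_SOCKET, SO_LINGER, &L, sizeof(L)) < 0)
        return -1;
    return close(fd);
}

/* Build a loopback connection, close the server end (abortively when
 * use_reset != 0, normally otherwise) and return what the client observes:
 *   0          clean end-of-file, i.e. a FIN was received
 *   ECONNRESET the connection was reset, i.e. a RST was received
 *   -1         the example's own socket setup failed (or unexpected data)
 */
int peer_observes(int use_reset)
{
    int lfd = -1, cfd = -1, sfd = -1, result = -1;
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);
    char buf[16];
    ssize_t n;

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                     /* kernel picks a free port */

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto out;
    if (listen(lfd, 1) < 0) goto out;
    if (getsockname(lfd, (struct sockaddr *)&addr, &alen) < 0) goto out;

    /* The three-way handshake completes in the kernel's accept queue, so a
     * blocking connect() to our own listener returns before accept() runs. */
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto out;
    if ((sfd = accept(lfd, NULL, NULL)) < 0) goto out;

    /* Server side goes away: RST or FIN depending on the flag. */
    if (use_reset ? close_with_reset(sfd) < 0 : close(sfd) < 0) goto out;
    sfd = -1;

    /* The client blocks here until the FIN or the RST arrives. */
    n = recv(cfd, buf, sizeof(buf), 0);
    if (n == 0)
        result = 0;                        /* orderly shutdown (FIN) */
    else if (n < 0)
        result = errno;                    /* ECONNRESET after a RST */

out:
    if (sfd >= 0) close(sfd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return result;
}

int main(void)
{
    int normal = peer_observes(0);
    int reset = peer_observes(1);
    printf("plain close():     peer sees %s\n",
           normal == 0 ? "EOF" : strerror(normal));
    printf("linger-0 close():  peer sees %s\n",
           reset == 0 ? "EOF" : strerror(reset));
    return 0;
}
```

Two practical notes: the abortive close also throws away any data still queued in the socket's send buffer, so a proxy should only use it where the client is being deliberately cut off (as with Squid's reset-on-garbage behaviour), and because no TIME_WAIT state is left behind, a busy proxy that resets many connections does not accumulate lingering sockets the way an orderly close does.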


Re: [squid-users] Transparent Proxy

2016-09-07 Thread Amos Jeffries
On 7/09/2016 9:27 p.m., Antony Stone wrote:
> On Wednesday 07 September 2016 at 10:51:49, John Sayce wrote:
> 

FYI: Jon. Please be careful about your use of the word "forward" and
"forwarding". Both NAT and routing are methods of forwarding, but which
one is used at each particular step of the packet's path through your
network from client to Squid matters A LOT.

Some routers offer "forwarding" options / settings, which actually NAT.
That will break MITM Squid installations, which require routing only
outside the Squid machine.


>> I believe so.  The specific command I used was:
>>
>> iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT
>> --to-port 3128
>>
>> (For some reason my adapter is ens33, I have no idea why it's not eth0. 
>> Squid is set to run on 3128.)
> 
> That looks okay, then.
> 
>> It's fair to say I have almost no experience with iptables.  Is it iptables
>> that should be doing the address translation?
> 
> Yes - the rule above tells the machine to take any packet addressed to port 
> 80 
> on any address and send it instead to the local machine (REDIRECT changes the 
> destination address to 127.0.0.1, even though that's not obvious) and port 
> 3128.

No it does not change the IP to localhost. It changes the address to the
machine's primary IP. If that is the localhost IP then something is wrong in
the machine's network interface configuration - which may lead to trouble.


> 
>> when the packet is sent back to the client?
> 
> Correct.  IPtables' address translation rules are automatically symmetrical - 
> when a packet gets translated in one direction, a record is kept that it was 
> done, and then the reply packet is automatically reverse-translated when it 
> comes back in the other direction.
> 
> This is true no matter whether packets are going *through* the IPtables 
> machine (ie: it's acting as a router), or whether they're being processed 
> *on* 
> the IPtables machine (as in this case).
> 
> I think we need to know more about your squid setup.
> 
> Please tell us which version of squid you are using, and post here your 
> squid.conf file without comments or blank lines.
> 


Amos



Re: [squid-users] subnet forward

2016-09-07 Thread Marcus Kool



On 09/07/2016 10:05 AM, Pol Hallen wrote:

> Hello all :-) I'm sorry if this isn't a squid problem.. honestly I don't know..
>
> I've a small lan:
>
> dsl<-WAN_NIC0_192.168.5.0/30->lan1_192.168.10.0/24 (NIC1)<-->switch+AP
>                               lan2_192.168.1.0/24 (NIC2)<--->switch+AP
>
> I've squid server v.3.1.20 on 192.168.1.20
>
> from 192.168.1.0/24 network squid works perfectly :-))) from 192.168.10.0/24
> network squid works but: is very very very slow...
>
> I've checked firewall and routing, dns and ping and they seem ok
>
> does anyone have any advice for this scenario? is it a forward/routing problem?
> any idea?

Since you have an ancient version of Squid I am assuming that you also have
ancient hardware.
Old NICs can get speed negotiation and duplex settings wrong, and if the switch
and NIC have different duplex settings, throughput is ~75K/sec where you expect
10 MB/sec.
I suggest double-checking the speed and duplex settings on NIC and switch.

Marcus

> many thanks!




Re: [squid-users] subnet forward

2016-09-07 Thread Antony Stone
On Wednesday 07 September 2016 at 15:05:25, Pol Hallen wrote:

> I've a small lan:
> 
> dsl<-WAN_NIC0_192.168.5.0/30->lan1_192.168.10.0/24 (NIC1)<-->switch+AP
>lan2_192.168.1.0/24 (NIC2)<--->switch+AP
> 
> I've squid server v.3.1.20 on 192.168.1.20
> 
> from 192.168.1.0/24 network squid works perfectly :-))) from
> 192.168.10.0/24 network squid works but: is very very very slow...
> 
> I've checked firewall and routing, dns and ping and they seem ok

Where's the firewall?

Show us the routing table on 192.168.1.20, and show us the routing table on 
the machine above with three network cards.  Also please tell us the IP 
addresses on its three interfaces.

Show us any NAT rules you have on that machine.

> maximum_object_size 5 Gb
> cache_dir ufs /data/vmware/squid-cache 30720 16 256
> cache_mem 4096 MB
> 
> minimum_object_size 0
> maximum_object_size_in_memory 512 Kb
> cache_replacement_policy heap GDSF
> 
> cache_swap_low 85
> cache_swap_high 90
> 
> half_closed_clients off
> 
> hosts_file /etc/hosts
> memory_pools off
> client_db off
> dns_nameservers 127.0.0.1
> 
> via off
> forwarded_for off
> httpd_suppress_version_string off
> follow_x_forwarded_for deny all
> #visible_hostname sign.bunker.org
> 
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
> override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90%
> 432000 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$
> 10080 90% 43200 override-expire ignore-no-cache ignore-no-store
> ignore-private
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> refresh_pattern . 0 40% 40320
> 
> refresh_pattern -i movies.com/.* 10080 90% 43200
> refresh_pattern (/cgi-bin/|\?) 0 0% 0

What?  No http_access rules or ACLs?


Antony.

-- 
Wanted: telepath.   You know where to apply.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Transparent Proxy

2016-09-07 Thread Antony Stone
On Wednesday 07 September 2016 at 10:51:49, John Sayce wrote:

> I believe so.  The specific command I used was:
> 
> iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
> 
> (For some reason my adapter is ens33, I have no idea why it's not eth0. 
> Squid is set to run on 3128.)

That looks okay, then.

> It's fair to say I have almost no experience with iptables.  Is it iptables
> that should be doing the address translation?

Yes - the rule above tells the machine to take any packet addressed to port 80 
on any address and send it instead to the local machine (REDIRECT changes the 
destination address to 127.0.0.1, even though that's not obvious) and port 
3128.

> when the packet is sent back to the client?

Correct.  IPtables' address translation rules are automatically symmetrical - 
when a packet gets translated in one direction, a record is kept that it was 
done, and then the reply packet is automatically reverse-translated when it 
comes back in the other direction.

This is true no matter whether packets are going *through* the IPtables 
machine (ie: it's acting as a router), or whether they're being processed *on* 
the IPtables machine (as in this case).

I think we need to know more about your squid setup.

Please tell us which version of squid you are using, and post here your 
squid.conf file without comments or blank lines.


Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] windows update not working squid 3.5.2

2016-09-07 Thread --Ahmad--
Also, here is squid -k parse, not sure if it helps:
root@raspberrypi:~# squid -k parse
2016/09/07 09:10:44| Startup: Initializing Authentication Schemes ...
2016/09/07 09:10:44| Startup: Initialized Authentication Scheme 'basic'
2016/09/07 09:10:44| Startup: Initialized Authentication Scheme 'digest'
2016/09/07 09:10:44| Startup: Initialized Authentication Scheme 'negotiate'
2016/09/07 09:10:44| Startup: Initialized Authentication Scheme 'ntlm'
2016/09/07 09:10:44| Startup: Initialized Authentication.
2016/09/07 09:10:44| Processing Configuration File: /etc/squid/squid.conf 
(depth 0)
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain windowsupdate.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain .update.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain download.windowsupdate.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain redir.metaservices.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain images.metaservices.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain c.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain www.download.windowsupdate.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain wustat.windows.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain crl.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain sls.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain productactivation.one.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain ntservicepack.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain au.download.windowsupdate.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain ds.download.windowsupdate.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain ctldl.windowsupdate.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain .data.microsoft.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain .l.windowsupdate.com
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain .microsoft.com.akadns.net
2016/09/07 09:10:44| Processing: acl windowsupdate dstdomain .deploy.akamaitechnologies.com
2016/09/07 09:10:44| Processing: acl CONNECT method CONNECT
2016/09/07 09:10:44| Processing: acl wuCONNECT dstdomain www.update.microsoft.com
2016/09/07 09:10:44| Processing: acl wuCONNECT dstdomain sls.microsoft.com
2016/09/07 09:10:44| Processing: refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2016/09/07 09:10:44| Processing: refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2016/09/07 09:10:44| Processing: refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2016/09/07 09:10:44| Processing: refresh_pattern -i microsoft.com.akadns.net/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2016/09/07 09:10:44| Processing: refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
2016/09/07 09:10:44| Processing: refresh_pattern \^ftp: 1440 20% 10080
2016/09/07 09:10:44| Processing: refresh_pattern \^gopher: 1440 0% 1440
2016/09/07 09:10:44| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2016/09/07 09:10:44| Processing: refresh_pattern . 0 20% 4320
2016/09/07 09:10:44| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
2016/09/07 09:10:44| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2016/09/07 09:10:44| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2016/09/07 09:10:44| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2016/09/07 09:10:44| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2016/09/07 09:10:44| Processing: acl SSL_ports port 443
2016/09/07 09:10:44| Processing: acl Safe_ports port 80 # http
2016/09/07 09:10:44| Processing: acl Safe_ports port 21 # ftp
2016/09/07 09:10:44| Processing: acl Safe_ports port 443 # https
2016/09/07 09:10:44| Processing: acl Safe_ports port 70 # gopher
2016/09/07 09:10:44| Processing: acl Safe_ports port 210 # wais
2016/09/07 09:10:44| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2016/09/07 09:10:44| Processing: acl Safe_ports port 280 # http-mgmt
2016/09/07 09:10:44| Processing: acl Safe_ports port 488 # gss-http
2016/09/07 09:10:44| Processing: acl Safe_ports port 591 # filemaker
2016/09/07 09:10:44| Processing: acl Safe_ports port 777# 

Re: [squid-users] windows update not working squid 3.5.2

2016-09-07 Thread --Ahmad--
It's the same, not caching at all.
1473239296.459    990 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239296.576   1032 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239296.624   1183 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239297.332   1540 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239297.502   1145 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239297.509   1247 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239297.676   1376 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239297.836    666 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239297.911   1277 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239298.593   1146 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239298.601   1475 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239298.623   1550 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239299.174   1238 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239299.213   1327 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239299.576   1594 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239299.794   1527 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239300.070   1373 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239300.167   1356 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239300.321   1558 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239300.443   1347 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab -

Re: [squid-users] regarding to "cache videos" plugin now as open source

2016-09-07 Thread reinerotto
Might be usable. The question is how effective it will be on overall traffic, as
the most famous/accessed videos are to be found on YouTube, which uses https, in my
area at least.





Re: [squid-users] windows update not working squid 3.5.2

2016-09-07 Thread L . P . H . van Belle
Hai,

Change this part:

#
range_offset_limit 5 Gb windowsupdate
maximum_object_size 5 Gb
quick_abort_min -1
#

To

range_offset_limit 0
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 90

and see what happens.

Greetz,

Louis


From: --Ahmad-- [mailto:ahmed.za...@netstream.ps]
Sent: Wednesday 7 September 2016 9:40
To: L.P.H. van Belle
CC: squid-us...@squid-cache.org
Subject: Re: [squid-users] windows update not working squid 3.5.2


 

Thanks for the reply.

But I still don't see even the HDD drive increasing when Windows updates go on.

I tested it on Windows 7.

I never see TCP_HIT and the HDD size is still the same!!!

Here is again my squid.conf in final form on my server:


 


root@raspberrypi:~# cat /etc/squid/squid.conf
#
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain au.download.windowsupdate.com
acl windowsupdate dstdomain ds.download.windowsupdate.com
acl windowsupdate dstdomain ctldl.windowsupdate.com
acl windowsupdate dstdomain .data.microsoft.com
acl windowsupdate dstdomain .l.windowsupdate.com
acl windowsupdate dstdomain .microsoft.com.akadns.net
acl windowsupdate dstdomain .deploy.akamaitechnologies.com
###
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i microsoft.com.akadns.net/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims

refresh_pattern \^ftp:           1440    20%     10080
refresh_pattern \^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow

Re: [squid-users] Transparent Proxy

2016-09-07 Thread John Sayce
I believe so.  The specific command I used was:

iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 3128

(For some reason my adapter is ens33, I have no idea why it's not eth0.  Squid is set to run on 3128.)

And after running this command port 80 now shows as being open with nmap.

And the output from iptables -t nat -L:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3128

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination


It's fair to say I have almost no experience with iptables.  Is it iptables that should be doing the address translation when the packet is sent back to the client?



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Antony Stone
Sent: 07 September 2016 09:28
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Transparent Proxy

On Wednesday 07 September 2016 at 10:23:02, John Sayce wrote:

> I'm trying to set up a transparent proxy but I'm fairly sure I'm 
> missing something.
> 
> I've followed the instructions on the juniper website along with a 
> couple of other blogs as per:
> https://damn.technology/using-squid-juniper-pbr-transparent-proxy

You *have* applied the iptables rule on the machine running squid as described 
on that page, yes?

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128


Antony.

-- 
This email was created using 100% recycled electrons.

   Please reply to the list;
 please *don't* CC me.


[squid-users] Transparent Proxy

2016-09-07 Thread John Sayce
I'm trying to set up a transparent proxy but I'm fairly sure I'm missing 
something.

I've followed the instructions on the juniper website along with a couple of 
other blogs as per:
https://damn.technology/using-squid-juniper-pbr-transparent-proxy
http://davehope.co.uk/Blog/implementing-pbr-and-squid3-as-a-transparent-proxy/
https://kb.juniper.net/InfoCenter/index?id=KB24139=content=search


I have a Juniper SSG320 firewall set up with policy based routing.  For my 
chosen subnet this is configured to forward traffic on port 80 to the squid 
server.

The traffic from my firewall is forwarded to squid.  This appears to be 
happening.  

The client starts with a syn packet which is forwarded from the firewall to the 
squid server. The packet is forwarded to the squid server with the source IP 
address remaining that of the client.  The problem is that the squid server 
then responds to the client as itself rather than spoofing the address that the 
client originally requested. So the ACK packet the client receives is from the 
squid server rather than the remote webserver the client made a request to, 
which isn't going to work.

So should my firewall be doing something more, or is it my squid server that's 
not performing as expected?

In addition to forwarding the packet to squid I can enable source translation 
on the firewall (which isn't in the guides I mentioned) so the source address 
of the packet sent to squid comes from the firewall, squid then responds to the 
firewall, which in turn translates the packet back to the client.  This 
configuration works, however the access log stores the address of the firewall 
rather than the address of the client.  Is this how it's meant to work, or am I 
missing something?

Thanks



Re: [squid-users] TCP_RESET non http requests on port 80

2016-09-07 Thread Matus UHLAR - fantomas

On 05.09.16 23:32, Omid Kosari wrote:

Filed a bug report http://bugs.squid-cache.org/show_bug.cgi?id=4585



On 09/06/2016 08:36 AM, Matus UHLAR - fantomas wrote:

I wonder if this is doable at all.


On 06.09.16 12:02, Alex Rousskov wrote:

Yes, and Squid supports it in other contexts.


and how is this done? Which system or library call does drop connection to
send a RST immediately?


Does any tcp stack allow sending reset AFTER the connection has been
opened?


A TCP RESET packet can be sent at any time. This is not something the
protocol can (or needs to!) prohibit.


I'm not saying that it should not be done, I was just unaware of how this is
implemented. closing connection sends FIN, not RST, correct?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!
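The question above (which call makes a close send RST rather than FIN) is not answered in this thread, so here is an added demonstration, not code from the thread or from Squid. It assumes a Linux or BSD-style TCP stack, where closing a socket with SO_LINGER enabled and a zero linger time discards unsent data and sends RST, and the peer's next recv() fails with ECONNRESET; a plain close() sends FIN and the peer's recv() returns end-of-stream. Both cases are run over a loopback connection so the difference can be observed directly.

```python
import socket
import struct


def peer_observes_close(abortive):
    """Open a loopback TCP connection, close the server end either
    gracefully (FIN) or abortively (RST), and report what the client end
    sees on its next recv().  Returns "FIN" or "RST".

    abortive=True sets SO_LINGER {l_onoff=1, l_linger=0} before close():
    the kernel then drops the connection with RST instead of the FIN
    handshake (assumption: Linux/BSD SO_LINGER semantics).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))        # port 0: let the kernel pick
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server, _ = listener.accept()
    listener.close()
    try:
        if abortive:
            # struct linger { int l_onoff; int l_linger; }
            server.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                              struct.pack("ii", 1, 0))
        server.close()
        try:
            data = client.recv(1)
        except ConnectionResetError:
            # ECONNRESET: the peer saw a RST segment
            return "RST"
        # b"" means orderly end-of-stream, i.e. the peer saw FIN
        return "FIN" if data == b"" else "DATA"
    finally:
        client.close()


if __name__ == "__main__":
    print("graceful close ->", peer_observes_close(False))
    print("abortive close ->", peer_observes_close(True))
```

The point for this thread is that RST is not tied to connection setup: any side can send it after the handshake by closing with a zero linger, and the peer distinguishes the two cases by recv() returning end-of-stream (FIN) versus failing with ECONNRESET (RST).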


Re: [squid-users] Debugging NTLM problem

2016-09-07 Thread akn ab

Dear Amos,

I found the problem.

It was a samba issue caused by the badlock patch implementation.

Thanks for your assistance and sorry for my wrong mailing-list post; I should have checked the samba logs better.

Giulius.

 

Sent: Saturday, September 03, 2016 at 4:43 AM
From: "Amos Jeffries" 
To: "akn ab" , squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Debugging NTLM problem

On 3/09/2016 3:06 a.m., akn ab wrote:
> Hello Amos,
> auth_param ntlm keep_alive off
> unfortunately does not solve the problem.
> I did more investigation about the problem and I found some information.
> Every time a user gets the browser popup requesting credentials, I found in the squid
> log this event:
> Login for user [DOMAIN]\[user]@[PC_] failed due to [Access denied]
> NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> 2016/09/02 16:56:13 kid1| ERROR: NTLM Authentication validating user. Result:
> {result=BH, notes={message: NT_STATUS_ACCESS_DENIED; }}

That is ntlm_auth (on behalf of AD) telling Squid the user credentials
are not correct. There is no NTLM protocol problem.

Consider this NT_STATUS_ACCESS_DENIED as if a user entered the wrong
password. Why do you want to allow them access in that case?


> It's not easy to do more debugging because I have 9000 concurrent connections, but
> if you think that can help me, I'll try to set debug_option to something like 29,5
> Sometimes users leave the office leaving the browser open.
> After 1 hour (more or less), they return to the PC and the popup shows as soon as
> the mouse points to a new link in the open browser.
> It's probably because something cached expires, but I cannot demonstrate it so
> easily because, as you said, ntlm never caches.
> In my samba/winbind logs I see many
> rpccli_netlogon_sam_network_logon: credentials chain check failed
> So it's very difficult to understand if some problem occurs between squid and
> browser or samba and Active Directory.
> What do you think about it?
> Thanks.
> Giulius.
>
> On 1/09/2016 12:37 a.m., akn ab wrote:
> > Dear all,
> > I'm facing a strange problem using squid 3.5.20 with ntlm transparent
> > authentication.
> > I cannot use kerberos auth because I need to pass DOMAIN\user to my parent proxy
> > with the x-authenticated-user header, and the form USERNAME@DOMAIN is not supported.

I suggest you use an external_acl_type helper that takes the %LOGIN
format parameter and sends 'OK upstream_user_="..." ' back to Squid. Use
the %note{upstream_user_} in your request_header_add directive to send
the right header value upstream.

That will allow you to at least keep your part of the proxy chain using
secure Negotiate authentication even though the parent proxy allows
anyone to inject traffic spoofing your user accounts.

Amos
 



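Amos's suggestion above (an external_acl_type helper fed %LOGIN that answers with an OK line carrying a note, then request_header_add with %note{...}) is sketched here as an added example; it is not code from the thread or from the Squid project. Assumed: the external ACL helper protocol as documented for Squid 3.4+ (one request line per lookup on stdin, an optional leading channel-id when concurrency= is set, values %-encoded; one OK/ERR reply line per lookup with key=value pairs whose values are double-quoted with backslash escapes), the note key upstream_user, and a constructed REALM_TO_NETBIOS table mapping Kerberos realms to the short domain names the parent proxy expects.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: map the authenticated login name to the
DOMAIN\\user form and hand it back to Squid as a note (assumed key:
upstream_user) so request_header_add can forward it upstream."""
import sys
from urllib.parse import unquote

# Constructed mapping: Kerberos realm -> NetBIOS domain name.  Assumption:
# when a realm is not listed, its first label is used as the domain.
REALM_TO_NETBIOS = {
    "EXAMPLE.COM": "EXAMPLE",
}


def to_domain_backslash_user(login):
    """Normalise a login to DOMAIN\\user.
    Accepts user@REALM (Negotiate/Kerberos) or DOMAIN\\user (NTLM);
    returns None for anything else (including Squid's "-" placeholder)."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
    elif "@" in login:
        user, _, realm = login.rpartition("@")
        domain = REALM_TO_NETBIOS.get(realm.upper(), realm.split(".")[0].upper())
    else:
        return None
    if not domain or not user:
        return None
    return domain + "\\" + user


def quote_helper_value(value):
    """Quote a value for a key=value pair in the helper reply: double quotes,
    with embedded backslashes and quotes escaped (assumed Squid 3.4+ rule)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def handle_line(line):
    """One request line from Squid -> one reply line (without newline).
    Input layout: [channel-id] %LOGIN, values possibly %-encoded."""
    fields = line.strip().split()
    channel = ""
    if len(fields) >= 2 and fields[0].isdigit():
        channel = fields[0] + " "      # echo the channel-id back
        fields = fields[1:]
    if not fields:
        return "ERR"
    mapped = to_domain_backslash_user(unquote(fields[0]))
    if mapped is None:
        return channel + "ERR"
    return channel + "OK upstream_user=" + quote_helper_value(mapped)


def main():
    # Squid keeps the helper running and talks over stdin/stdout, one line
    # per lookup; flush after every reply or Squid will wait forever.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wiring it up would follow Amos's description: an external_acl_type line with the %LOGIN format pointing at this script, an acl of type external that is evaluated in http_access (the note is only set once the ACL has been checked), and a request_header_add line that sends %note{upstream_user} as the header value. The helper answers ERR for logins it cannot map, so such requests fall through to whatever the rest of the http_access rules decide rather than going upstream with an empty header.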


Re: [squid-users] windows update not working squid 3.5.2

2016-09-07 Thread --Ahmad--
Thanks for the reply.

But I still don't see even the HDD drive increasing when Windows updates go on.

I tested it on Windows 7.

I never see TCP_HIT and the HDD size is still the same!!!


Here is again my squid.conf in final form on my server:

root@raspberrypi:~# cat /etc/squid/squid.conf
#
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain au.download.windowsupdate.com
acl windowsupdate dstdomain ds.download.windowsupdate.com
acl windowsupdate dstdomain ctldl.windowsupdate.com
acl windowsupdate dstdomain .data.microsoft.com
acl windowsupdate dstdomain .l.windowsupdate.com
acl windowsupdate dstdomain .microsoft.com.akadns.net
acl windowsupdate dstdomain .deploy.akamaitechnologies.com
###
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i microsoft.com.akadns.net/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims

refresh_pattern \^ftp:           1440    20%     10080
refresh_pattern \^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 192.168.0.1:3128

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 2 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
#refresh_pattern ^ftp:          1440    20%     10080
#refresh_pattern ^gopher:       1440    0%      1440
#refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
#refresh_pattern .              0       20%     4320
#
range_offset_limit 5 Gb windowsupdate
maximum_object_size 5 Gb
quick_abort_min -1
#
http_port 3129
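
A check worth running against the access.log entries and the squid.conf quoted in this thread, as an added example (not code from the thread or from Squid): it reimplements Squid's documented dstdomain matching rule (a bare name matches only that exact host; a name with a leading dot matches the domain itself and every subdomain), parses native-format access.log lines, and reports which logged hosts are not covered by the windowsupdate ACL. The two sample log lines are constructed from the entries quoted above; the ACL list is the one in the quoted squid.conf. Everything else (function names, the summary layout) is this example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: two native-format access.log lines modelled on the
# ones quoted in this thread (same host, URL and result codes).
SAMPLE_LOG = """\
1473239296.576   1032 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
1473239296.624   1183 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.254.191.254 application/octet-stream
"""

# The "acl windowsupdate dstdomain ..." entries from the quoted squid.conf.
WINDOWSUPDATE_ACL = [
    "windowsupdate.microsoft.com", ".update.microsoft.com",
    "download.windowsupdate.com", "redir.metaservices.microsoft.com",
    "images.metaservices.microsoft.com", "c.microsoft.com",
    "www.download.windowsupdate.com", "wustat.windows.com",
    "crl.microsoft.com", "sls.microsoft.com",
    "productactivation.one.microsoft.com", "ntservicepack.microsoft.com",
    "au.download.windowsupdate.com", "ds.download.windowsupdate.com",
    "ctldl.windowsupdate.com", ".data.microsoft.com", ".l.windowsupdate.com",
    ".microsoft.com.akadns.net", ".deploy.akamaitechnologies.com",
]

# Native access.log layout: time elapsed client result/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def dstdomain_matches(host, entry):
    """Squid dstdomain rule: '.example.com' matches example.com and any
    subdomain; 'example.com' matches exactly example.com. Case-insensitive."""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def matching_entries(host, entries):
    """All ACL entries that match the host (empty list: ACL does not match)."""
    return [e for e in entries if dstdomain_matches(host, e)]


def summarise(log_text):
    """Count result/status pairs and collect the hosts seen in the log."""
    by_result = Counter()
    hosts = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # skip truncated or foreign lines
        by_result[(m["result"], m["status"])] += 1
        hosts.add(urlsplit(m["url"]).hostname)
    return {"by_result": dict(by_result), "hosts": sorted(hosts)}


def unmatched_hosts(log_text, entries):
    """Hosts in the log that no dstdomain entry of the ACL covers."""
    return [h for h in summarise(log_text)["hosts"]
            if not matching_entries(h, entries)]


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
    print("not covered by windowsupdate ACL:",
          unmatched_hosts(SAMPLE_LOG, WINDOWSUPDATE_ACL))
```

For the host in the quoted log, fg.v4.download.windowsupdate.com, no entry of the windowsupdate ACL matches: download.windowsupdate.com without a leading dot covers only that exact name, and none of the dotted entries is a parent of this host. Directives restricted to that ACL, such as range_offset_limit 5 Gb windowsupdate in the quoted squid.conf, therefore do not apply to these requests, so the default range_offset_limit of 0 leaves the client's Range requests to be forwarded unchanged, which is consistent with every entry being TCP_MISS/206. A dotted entry such as .download.windowsupdate.com would make the ACL cover that host.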

Re: [squid-users] windows update not working squid 3.5.2

2016-09-07 Thread L . P . H . van Belle
I also have these for windows updates.

acl windowsupdate dstdomain au.download.windowsupdate.com
acl windowsupdate dstdomain ds.download.windowsupdate.com
acl windowsupdate dstdomain ctldl.windowsupdate.com
acl windowsupdate dstdomain .data.microsoft.com
acl windowsupdate dstdomain .l.windowsupdate.com
acl windowsupdate dstdomain .microsoft.com.akadns.net
acl windowsupdate dstdomain .deploy.akamaitechnologies.com

and add this one to your refresh.

refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims

Greetz,

Louis


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of --Ahmad--
Sent: Tuesday 6 September 2016 19:08
To: Yuri Voinov
CC: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] windows update not working squid 3.5.2


 

/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.253.13.30 application/octet-stream
1473181228.768   1202 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe - ORIGINAL_DST/8.253.70.206 application/octet-stream
1473181229.117   1159 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.253.70.206 application/octet-stream
1473181229.265    984 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181229.525   1207 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181230.066   1314 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.253.70.206 application/octet-stream
1473181230.147    913 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181230.166   1659 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.253.13.30 application/octet-stream
1473181230.438   1233 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe - ORIGINAL_DST/8.253.13.30 application/octet-stream
1473181230.461   1569 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181230.621   1023 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181231.143   1219 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181231.166   1212 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181231.528   1131 192.168.0.10 TCP_MISS/206 1049142 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181231.601   1416 192.168.0.10 TCP_MISS/206 1049146 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/driver/drvs/2015/10/26767_cec6101480492a8c7be6e668ff3284626a787359.cab - ORIGINAL_DST/8.253.13.30 application/octet-stream
1473181231.784    938 192.168.0.10 TCP_MISS/206 1049144 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe - ORIGINAL_DST/8.253.13.46 application/octet-stream
1473181232.102   1565 192.168.0.10 TCP_MISS/206 1049142 GET http://fg.v4.download.windowsupdate.com/d/msdownload/update/software/defu/2016/08/am_base_9668287df050e32ce73537e6505b5101ec5dc7f0.exe - ORIGINAL_DST/8.253.70.206