Re: [squid-users] URL list from a URL
Almost. What I was talking about and meant was to take the current official StoreID helper written in Perl and remove the parts of the ID replacement while leaving the regex matching intact. Then pass to the StoreID helper the URL and the source IP and let it match the URL to the regex from the list in the "DB file". If it matches, either return OK or ERR, depending on the intention of the helper.
...The X code has almost everything needed, so just convert it.
I am offering to convert it if there is some interest in it.

Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Alex Rousskov
Sent: Wednesday, March 22, 2017 6:10 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] URL list from a URL

On 03/22/2017 09:25 AM, Eliezer Croitoru wrote:
> I didn't mean by convert the StoreID helper to convert it into an
> external_acl helper
> It has both OK and ERR and a "checklist" which would be a match or not.

Sigh. The combination of your answers does not make any sense to me. Squid does not use StoreID helpers to block access, regardless of what a StoreID helper returns. It is certainly possible to take some StoreID helper code and make an external_acl helper out of it, but that falls under my option #2.

Perhaps what you meant to say is something like "Use StoreID helper X available at Y to implement option #2 -- that X code has everything you need!"?

Alex.

> -----Original Message-----
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com]
> Sent: Wednesday, March 22, 2017 3:51 PM
> To: squid-users@lists.squid-cache.org
> Cc: Eliezer Croitoru
> Subject: Re: [squid-users] URL list from a URL
>
> On 03/21/2017 06:17 PM, Eliezer Croitoru wrote:
>> The current StoreID helper can be converted pretty fast into what he needs.
>
> Jason needs to block access. How can a [converted] StoreID helper
> block access without becoming an external_acl helper?
>
> Alex.
>
>> -----Original Message-----
>> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
>> On Behalf Of Alex Rousskov
>> Sent: Tuesday, March 21, 2017 11:43 PM
>> To: squid-users@lists.squid-cache.org
>> Subject: Re: [squid-users] URL list from a URL
>>
>> On 03/21/2017 02:30 PM, Jason B. Nance wrote:
>>
>>> I should have mentioned that I'm not caching, I'm only using Squid
>>> for whitelisting in this case. Would you still say this is the
>>> right path?
>>
>> No. You probably have two better options:
>>
>> 1. Use a file with a list of mirror URLs as an ACL parameter. Write a
>> script that updates that file and reconfigures Squid as needed.
>> Please keep in mind that Squid reconfiguration is currently a
>> relatively heavy/intrusive operation, even if there were no changes
>> except for that single ACL.
>>
>> 2. Write an external_acl helper that will consult the mirror list.
>> This will make each HTTP transaction a little slower (because it
>> needs to go to the helper) but eliminates reconfigurations. The
>> helper itself or some other script will still need to update the
>> mirror list as needed, of course.
>>
>> HTH,
>>
>> Alex.
>>
>>> Hello,
>>>
>>> I'm using Squid 3.5.20 and wonder if it is possible to define an ACL which
>>> retrieves the list of URLs from another URL (similar to pointing to a
>>> file). In this specific use case it is to allow a Foreman server to sync
>>> Yum content from the CentOS mirrors. I tell Foreman to use the following
>>> URL:
>>>
>>> http://mirrorlist.centos.org/?release=7=x86_64=updates
>>>
>>> Which returns a list of URLs, such as:
>>>
>>> http://repo1.dal.innoscale.net/centos/7.3.1611/updates/x86_64/
>>> http://linux.mirrors.es.net/centos/7.3.1611/updates/x86_64/
>>> http://reflector.westga.edu/repos/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.jax.hugeserver.com/centos/7.3.1611/updates/x86_64/
>>> http://ftp.linux.ncsu.edu/pub/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.nexcess.net/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.web-ster.com/centos/7.3.1611/updates/x86_64/
>>> http://centos.host-engine.com/7.3.1611/updates/x86_64/
>>> http://mirror.raystedman.net/centos/7.3.1611/updates/x86_64/
>>> http://mirror.linux.duke.edu/pub/centos/7.3.1611/updates/x86_64/
>>>
>>> Foreman then starts a new HTTP connection (not a redirect) to attempt to
>>> connect to those in turn until it works.
>>>
>>> So I would like to configure Squid to allow the Foreman server access to
>>> any of those URLs (the list changes somewhat often).
>>>
>>> I started to go down the external_acl_type but am wondering if I'm missing
>>> something obvious.
>>
>> ___
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] URL list from a URL
On 03/22/2017 09:25 AM, Eliezer Croitoru wrote:
> I didn't mean by convert the StoreID helper to convert it into an
> external_acl helper
> It has both OK and ERR and a "checklist" which would be a match or not.

Sigh. The combination of your answers does not make any sense to me. Squid does not use StoreID helpers to block access, regardless of what a StoreID helper returns. It is certainly possible to take some StoreID helper code and make an external_acl helper out of it, but that falls under my option #2.

Perhaps what you meant to say is something like "Use StoreID helper X available at Y to implement option #2 -- that X code has everything you need!"?

Alex.

> -----Original Message-----
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com]
> Sent: Wednesday, March 22, 2017 3:51 PM
> To: squid-users@lists.squid-cache.org
> Cc: Eliezer Croitoru
> Subject: Re: [squid-users] URL list from a URL
>
> On 03/21/2017 06:17 PM, Eliezer Croitoru wrote:
>> The current StoreID helper can be converted pretty fast into what he needs.
>
> Jason needs to block access. How can a [converted] StoreID helper block
> access without becoming an external_acl helper?
>
> Alex.
>
>> -----Original Message-----
>> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
>> Behalf Of Alex Rousskov
>> Sent: Tuesday, March 21, 2017 11:43 PM
>> To: squid-users@lists.squid-cache.org
>> Subject: Re: [squid-users] URL list from a URL
>>
>> On 03/21/2017 02:30 PM, Jason B. Nance wrote:
>>
>>> I should have mentioned that I'm not caching, I'm only using Squid
>>> for whitelisting in this case. Would you still say this is the right
>>> path?
>>
>> No. You probably have two better options:
>>
>> 1. Use a file with a list of mirror URLs as an ACL parameter. Write a
>> script that updates that file and reconfigures Squid as needed. Please
>> keep in mind that Squid reconfiguration is currently a relatively
>> heavy/intrusive operation, even if there were no changes except for
>> that single ACL.
>>
>> 2. Write an external_acl helper that will consult the mirror list. This
>> will make each HTTP transaction a little slower (because it needs to go
>> to the helper) but eliminates reconfigurations. The helper itself or
>> some other script will still need to update the mirror list as needed,
>> of course.
>>
>> HTH,
>>
>> Alex.
>>
>>> Hello,
>>>
>>> I'm using Squid 3.5.20 and wonder if it is possible to define an ACL which
>>> retrieves the list of URLs from another URL (similar to pointing to a
>>> file). In this specific use case it is to allow a Foreman server to sync
>>> Yum content from the CentOS mirrors. I tell Foreman to use the following
>>> URL:
>>>
>>> http://mirrorlist.centos.org/?release=7=x86_64=updates
>>>
>>> Which returns a list of URLs, such as:
>>>
>>> http://repo1.dal.innoscale.net/centos/7.3.1611/updates/x86_64/
>>> http://linux.mirrors.es.net/centos/7.3.1611/updates/x86_64/
>>> http://reflector.westga.edu/repos/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.jax.hugeserver.com/centos/7.3.1611/updates/x86_64/
>>> http://ftp.linux.ncsu.edu/pub/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.nexcess.net/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.web-ster.com/centos/7.3.1611/updates/x86_64/
>>> http://centos.host-engine.com/7.3.1611/updates/x86_64/
>>> http://mirror.raystedman.net/centos/7.3.1611/updates/x86_64/
>>> http://mirror.linux.duke.edu/pub/centos/7.3.1611/updates/x86_64/
>>>
>>> Foreman then starts a new HTTP connection (not a redirect) to attempt to
>>> connect to those in turn until it works.
>>>
>>> So I would like to configure Squid to allow the Foreman server access to
>>> any of those URLs (the list changes somewhat often).
>>>
>>> I started to go down the external_acl_type but am wondering if I'm missing
>>> something obvious.
Re: [squid-users] Free Squid helper for dynamic content caching
I'm afraid that rewriting the rules is a big job. I strongly doubt that someone will lay it out in public open access for free. Saving traffic is money.

Here's what I want to say. There are no really effective helpers in the public domain. As far as I know.

22.03.2017 21:38, Eduardo Carneiro wrote:
> Hi Yuri.
>
> The reason I came here is because I've already tried but I didn't succeed. I
> really expected a more specific answer. Not just "You can fix it yourself,
> the code is open."
>
> Anyway, thanks. I'll keep trying to fix this.

-- 
Bugs to the Future
Re: [squid-users] Free Squid helper for dynamic content caching
Hi Yuri.

The reason I came here is because I've already tried but I didn't succeed. I really expected a more specific answer. Not just "You can fix it yourself, the code is open."

Anyway, thanks. I'll keep trying to fix this.
Re: [squid-users] Skype via squid
On 23/03/2017 2:44 a.m., Heiler Bemerguy wrote:
>
> Hi dude,
>
> I've noticed our users are being blocked by a rule which prevents
> CONNECTs to IP addresses instead of FQDN.
>
> What puzzles me is WHY Skype is trying to connect to IPs even after
> connecting to FQDNs.. ? Has anyone noticed this? Any workaround apart
> from whitelisting Microsoft IPs.. ???

This has always been the case. Skype was originally a P2P application; since end users normally do not have custom reverse-DNS entries for personal domain names (and Skype has no easy way to reliably find out even if they do), it usually auto-negotiates its data connections using raw IP to bust its way through NAT breakages, then uses the results.

The domain name part at the beginning is a much more recent addition by MS to use their generic live.co authentication APIs, and not actually a part unique to Skype itself.

That is why the wiki config example combines a regex ACL for matching raw-IP values in the URL, and the User-Agent header detection.

Amos
Re: [squid-users] URL list from a URL
Hey Alex,

I didn't mean by convert the StoreID helper to convert it into an external_acl helper.
It has both OK and ERR and a "checklist" which would be a match or not.

Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

-----Original Message-----
From: Alex Rousskov [mailto:rouss...@measurement-factory.com]
Sent: Wednesday, March 22, 2017 3:51 PM
To: squid-users@lists.squid-cache.org
Cc: Eliezer Croitoru
Subject: Re: [squid-users] URL list from a URL

On 03/21/2017 06:17 PM, Eliezer Croitoru wrote:
> The current StoreID helper can be converted pretty fast into what he needs.

Jason needs to block access. How can a [converted] StoreID helper block access without becoming an external_acl helper?

Alex.

> -----Original Message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Alex Rousskov
> Sent: Tuesday, March 21, 2017 11:43 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] URL list from a URL
>
> On 03/21/2017 02:30 PM, Jason B. Nance wrote:
>
>> I should have mentioned that I'm not caching, I'm only using Squid
>> for whitelisting in this case. Would you still say this is the right
>> path?
>
> No. You probably have two better options:
>
> 1. Use a file with a list of mirror URLs as an ACL parameter. Write a
> script that updates that file and reconfigures Squid as needed. Please
> keep in mind that Squid reconfiguration is currently a relatively
> heavy/intrusive operation, even if there were no changes except for
> that single ACL.
>
> 2. Write an external_acl helper that will consult the mirror list. This
> will make each HTTP transaction a little slower (because it needs to go
> to the helper) but eliminates reconfigurations. The helper itself or
> some other script will still need to update the mirror list as needed,
> of course.
>
> HTH,
>
> Alex.
>
>>> Hello,
>>>
>>> I'm using Squid 3.5.20 and wonder if it is possible to define an ACL which
>>> retrieves the list of URLs from another URL (similar to pointing to a
>>> file). In this specific use case it is to allow a Foreman server to sync
>>> Yum content from the CentOS mirrors. I tell Foreman to use the following
>>> URL:
>>>
>>> http://mirrorlist.centos.org/?release=7=x86_64=updates
>>>
>>> Which returns a list of URLs, such as:
>>>
>>> http://repo1.dal.innoscale.net/centos/7.3.1611/updates/x86_64/
>>> http://linux.mirrors.es.net/centos/7.3.1611/updates/x86_64/
>>> http://reflector.westga.edu/repos/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.jax.hugeserver.com/centos/7.3.1611/updates/x86_64/
>>> http://ftp.linux.ncsu.edu/pub/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.nexcess.net/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.web-ster.com/centos/7.3.1611/updates/x86_64/
>>> http://centos.host-engine.com/7.3.1611/updates/x86_64/
>>> http://mirror.raystedman.net/centos/7.3.1611/updates/x86_64/
>>> http://mirror.linux.duke.edu/pub/centos/7.3.1611/updates/x86_64/
>>>
>>> Foreman then starts a new HTTP connection (not a redirect) to attempt to
>>> connect to those in turn until it works.
>>>
>>> So I would like to configure Squid to allow the Foreman server access to
>>> any of those URLs (the list changes somewhat often).
>>>
>>> I started to go down the external_acl_type but am wondering if I'm missing
>>> something obvious.
Re: [squid-users] Squid stopped working after cache.log and access.log rotation
If you do "lsof /var/log | grep -i delete" does it show squid writing to a deleted access.log / cache.log?

j

----- Original Message -----
From: "Chee M Gui"
To: squid-users@lists.squid-cache.org
Sent: Wednesday, March 22, 2017 10:17:32 AM
Subject: [squid-users] Squid stopped working after cache.log and access.log rotation

Hi All

We recently installed Squid 3.5.12-1ubuntu7.3 on Ubuntu 16.04.2 LTS. It ran fine at first but stopped working after a while. telnet server 3128 still works, i.e., opens a blank window, but Squid is just not accepting requests. Then we realized that there is no new access.log file. The access.log file stopped when rotated at 6:24AM on 3/17/2017. It looks like Squid wasn't able to create a new access.log? We could not find any error message in syslog or the cache.log. We haven't rebooted the server because we want to know what went wrong. It isn't the firewall blocking Squid because Squid was working fine all the while until recently. Also after it stopped working, we disabled the firewall to see if it would work but it still didn't work.

root@paproxy:/var/log/squid# ls -alt
total 15536
drwxr-xr-x 2 proxy proxy      4096 Mar 21 06:25 .
-rw-r----- 1 proxy proxy        63 Mar 21 06:25 cache.log
drwxrwxr-x 9 root  syslog     4096 Mar 21 06:25 ..
-rw-r----- 1 proxy proxy        63 Mar 20 06:25 cache.log.1
-rw-r----- 1 proxy proxy        83 Mar 19 06:25 cache.log.2.gz
-rw-r----- 1 proxy proxy  15759111 Mar 17 06:24 access.log.1
-rw-r----- 1 proxy proxy    117223 Mar 17 05:52 netdb.state

Any ideas what went wrong? Thank you very much in anticipation.

Gui
Re: [squid-users] Squid stopped working after cache.log and access.log rotation
On Wednesday 22 March 2017 at 16:17:32, Chee M Gui wrote:
> Hi All
>
> We recently installed Squid 3.5.12-1ubuntu7.3 on Ubuntu 16.04.2 LTS. It
> ran fine at first but stopped working after a while. telnet server 3128
> still works, i.e., opens a blank window, but Squid is just not accepting
> requests. Then we realized that there is no new access.log file. The
> access.log file stopped when rotated at 6:24AM on 3/17/2017. It looks like
> Squid wasn't able to create a new access.log? We could not find any error
> message in syslog or the cache.log. We haven't rebooted the server
> because we want to know what went wrong. It isn't the firewall blocking
> Squid because Squid was working fine all the while until recently. Also
> after it stopped working, we disabled the firewall to see if it would work
> but it still didn't work.
>
> root@paproxy:/var/log/squid# ls -alt
> total 15536
> drwxr-xr-x 2 proxy proxy      4096 Mar 21 06:25 .
> -rw-r----- 1 proxy proxy        63 Mar 21 06:25 cache.log
> drwxrwxr-x 9 root  syslog     4096 Mar 21 06:25 ..
> -rw-r----- 1 proxy proxy        63 Mar 20 06:25 cache.log.1
> -rw-r----- 1 proxy proxy        83 Mar 19 06:25 cache.log.2.gz
> -rw-r----- 1 proxy proxy  15759111 Mar 17 06:24 access.log.1
> -rw-r----- 1 proxy proxy    117223 Mar 17 05:52 netdb.state
>
> Any ideas what went wrong?

Any chance you've run out of disk space?

Antony.

-- 
I bought a book about anti-gravity. The reviews say you can't put it down.

Please reply to the list; please *don't* CC me.
[squid-users] Squid stopped working after cache.log and access.log rotation
Hi All

We recently installed Squid 3.5.12-1ubuntu7.3 on Ubuntu 16.04.2 LTS. It ran fine at first but stopped working after a while. telnet server 3128 still works, i.e., opens a blank window, but Squid is just not accepting requests. Then we realized that there is no new access.log file. The access.log file stopped when rotated at 6:24AM on 3/17/2017. It looks like Squid wasn't able to create a new access.log? We could not find any error message in syslog or the cache.log. We haven't rebooted the server because we want to know what went wrong. It isn't the firewall blocking Squid because Squid was working fine all the while until recently. Also after it stopped working, we disabled the firewall to see if it would work but it still didn't work.

root@paproxy:/var/log/squid# ls -alt
total 15536
drwxr-xr-x 2 proxy proxy      4096 Mar 21 06:25 .
-rw-r----- 1 proxy proxy        63 Mar 21 06:25 cache.log
drwxrwxr-x 9 root  syslog     4096 Mar 21 06:25 ..
-rw-r----- 1 proxy proxy        63 Mar 20 06:25 cache.log.1
-rw-r----- 1 proxy proxy        83 Mar 19 06:25 cache.log.2.gz
-rw-r----- 1 proxy proxy  15759111 Mar 17 06:24 access.log.1
-rw-r----- 1 proxy proxy    117223 Mar 17 05:52 netdb.state

Any ideas what went wrong? Thank you very much in anticipation.

Gui
Re: [squid-users] Squid blocking own OCSP/AIA requests
On 03/22/2017 07:20 AM, Markus Wernig wrote:
> Small update:
>
> - The URL ... is the AIA for the Root CA
>
> Since squid is sslbumping the connection, it must be doing the AIA
> lookups (presumably for SSL verification). Does anybody have an idea why
> it is blocking its own requests?

My answer has not changed:
http://lists.squid-cache.org/pipermail/squid-users/2017-March/014773.html

Did you expect your update to change that answer?

Alex.
Re: [squid-users] Free Squid helper for dynamic content caching
Things change on the web on a regular basis. Nothing is permanent in the world. So, the store ID rules lost relevance and no longer work.

You can fix it yourself, the code is open.

22.03.2017 20:35, Eduardo Carneiro wrote:
> I have been using this helper for a while. It works very well.
> Congratulations!
>
> But I noticed that after squid 3.5.19, this helper doesn't work anymore. Is
> this a known problem? Is there any way to fix this?
>
> Best regards.
> Eduardo Carneiro

-- 
Bugs to the Future
Re: [squid-users] URL list from a URL
Thank you. In regards to the external ACL helper, would I basically say something like:

external_acl_type foo %URL /path/to/my/helper

And then have my helper compare the contents of %URL to the mirror list and spit out "OK" for pass or "ERR" for fail?

Thanks,

j

----- Original Message -----
From: "Alex Rousskov"
To: squid-users@lists.squid-cache.org
Cc: "Jason Nance"
Sent: Tuesday, March 21, 2017 4:42:33 PM
Subject: Re: [squid-users] URL list from a URL

On 03/21/2017 02:30 PM, Jason B. Nance wrote:
> I should have mentioned that I'm not caching, I'm only using Squid
> for whitelisting in this case. Would you still say this is the right
> path?

No. You probably have two better options:

1. Use a file with a list of mirror URLs as an ACL parameter. Write a script that updates that file and reconfigures Squid as needed. Please keep in mind that Squid reconfiguration is currently a relatively heavy/intrusive operation, even if there were no changes except for that single ACL.

2. Write an external_acl helper that will consult the mirror list. This will make each HTTP transaction a little slower (because it needs to go to the helper) but eliminates reconfigurations. The helper itself or some other script will still need to update the mirror list as needed, of course.

HTH,

Alex.

>> Hello,
>>
>> I'm using Squid 3.5.20 and wonder if it is possible to define an ACL which
>> retrieves the list of URLs from another URL (similar to pointing to a file).
>> In this specific use case it is to allow a Foreman server to sync Yum
>> content from the CentOS mirrors. I tell Foreman to use the following URL:
>>
>> http://mirrorlist.centos.org/?release=7=x86_64=updates
>>
>> Which returns a list of URLs, such as:
>>
>> http://repo1.dal.innoscale.net/centos/7.3.1611/updates/x86_64/
>> http://linux.mirrors.es.net/centos/7.3.1611/updates/x86_64/
>> http://reflector.westga.edu/repos/CentOS/7.3.1611/updates/x86_64/
>> http://mirror.jax.hugeserver.com/centos/7.3.1611/updates/x86_64/
>> http://ftp.linux.ncsu.edu/pub/CentOS/7.3.1611/updates/x86_64/
>> http://mirror.nexcess.net/CentOS/7.3.1611/updates/x86_64/
>> http://mirror.web-ster.com/centos/7.3.1611/updates/x86_64/
>> http://centos.host-engine.com/7.3.1611/updates/x86_64/
>> http://mirror.raystedman.net/centos/7.3.1611/updates/x86_64/
>> http://mirror.linux.duke.edu/pub/centos/7.3.1611/updates/x86_64/
>>
>> Foreman then starts a new HTTP connection (not a redirect) to attempt to
>> connect to those in turn until it works.
>>
>> So I would like to configure Squid to allow the Foreman server access to any
>> of those URLs (the list changes somewhat often).
>>
>> I started to go down the external_acl_type but am wondering if I'm missing
>> something obvious.
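The helper Jason sketches here, and the regex-list helper Eliezer describes earlier in the thread, as an added example that is not code from the thread, from Squid or from Foreman: a Python 3 external_acl helper that reads one %URL per line and replies OK only when the URL is the listed mirror directory or something beneath it, re-fetching the list on a timer instead of reconfiguring Squid (Alex's option #2). The acl names, helper path and MIRRORLIST_URL in the squid.conf fragment are placeholders, and the mirror list text embedded below is a constructed sample.

```python
"""Squid external_acl helper: reply OK only for URLs under a mirror list.

Protocol (Squid 3.5 external_acl_type): Squid writes one line per lookup
holding the configured format codes (here a single %URL); the helper writes
back one line, "OK" or "ERR". With the concurrency= option each line is
prefixed with a numeric channel id that the reply must repeat.

Assumed squid.conf fragment (acl name, helper path and MIRRORLIST_URL are
placeholders; foreman_srv is assumed to be an existing src ACL):

    external_acl_type mirrors ttl=300 %URL /usr/local/bin/mirror_acl.py MIRRORLIST_URL 600
    acl centos_mirror external mirrors
    http_access allow foreman_srv centos_mirror
"""
import posixpath
import sys
import time
import urllib.request
from urllib.parse import urlsplit

# Constructed sample in the shape of a mirrorlist.centos.org response
# (mixed case and a missing trailing slash on purpose).
SAMPLE_MIRRORLIST = """\
http://repo1.dal.innoscale.net/centos/7.3.1611/updates/x86_64/
http://linux.mirrors.es.net/centos/7.3.1611/updates/x86_64/
HTTP://Centos.Host-Engine.com/7.3.1611/updates/x86_64
"""

def _canon(url):
    """(origin, path) with scheme/host lower-cased, default port explicit and
    dot-segments collapsed; None for anything that is not an absolute http(s)
    URL, e.g. the host:port Squid passes for CONNECT, which then gets ERR."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:  # non-numeric port in the authority
        return None
    return f"{scheme}://{parts.hostname}:{port}", posixpath.normpath(parts.path or "/")

def parse_mirrorlist(text):
    """Canonical prefixes, one per valid line, stored without trailing '/';
    url_allowed() adds the '/' so '.../x86_64' cannot match '.../x86_64-evil'."""
    prefixes = []
    for line in text.splitlines():
        canon = _canon(line)
        if canon is not None:
            prefixes.append(canon[0] + canon[1].rstrip("/"))
    return prefixes

def url_allowed(url, prefixes):
    """True iff url is a listed directory or a resource beneath one. The origin
    carries scheme, host and port, so a look-alike host or a path with '..'
    that climbs out of the directory never matches."""
    canon = _canon(url)
    if canon is None:
        return False
    req = canon[0] + canon[1]
    return any(req == p or req.startswith(p + "/") for p in prefixes)

def answer(line, prefixes):
    """Reply for one helper input line, echoing the channel id if present."""
    first, _, rest = line.strip().partition(" ")
    channel, url = (first, rest) if rest else ("", first)
    verdict = "OK" if url_allowed(url, prefixes) else "ERR"
    return f"{channel} {verdict}".strip()

def fetch_mirrorlist(url, timeout=10):
    """Fetch the mirror list text (needs network; not used offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: mirror_acl.py MIRRORLIST_URL REFRESH_SECONDS\n")
        return 2
    list_url, refresh = argv[1], float(argv[2])
    prefixes, loaded = [], float("-inf")
    for line in sys.stdin:  # Squid keeps the helper running; one lookup per line
        now = time.monotonic()
        if now - loaded >= refresh:
            try:
                prefixes = parse_mirrorlist(fetch_mirrorlist(list_url))
            except OSError as exc:  # keep the old list; an empty list fails closed
                sys.stderr.write(f"mirrorlist refresh failed: {exc}\n")
            loaded = now
        sys.stdout.write(answer(line, prefixes) + "\n")
        sys.stdout.flush()  # Squid blocks on this reply; never leave it buffered
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Squid also caches each verdict for ttl= seconds, so ttl and the refresh interval together bound how long a newly listed mirror stays blocked. The blocking fetch in main() stalls lookups for up to the timeout during a refresh; a production helper would move it to a background thread.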
Re: [squid-users] Free Squid helper for dynamic content caching
I have been using this helper for a while. It works very well. Congratulations!

But I noticed that after squid 3.5.19, this helper doesn't work anymore. Is this a known problem? Is there any way to fix this?

Best regards.
Eduardo Carneiro
[squid-users] Skype via squid
Hi dude,

I've noticed our users are being blocked by a rule which prevents CONNECTs to IP addresses instead of FQDN.

What puzzles me is WHY Skype is trying to connect to IPs even after connecting to FQDNs.. ? Has anyone noticed this? Any workaround apart from whitelisting Microsoft IPs.. ???

LOG:

1490189501.442    879 10.32.3.102 TCP_TUNNEL/200 8797 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.96 -
1490189502.241    740 10.32.3.102 TCP_TUNNEL/200 6160 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189503.017    741 10.32.3.102 TCP_TUNNEL/200 13808 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189510.193    729 10.32.3.102 TCP_TUNNEL/200 8784 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189511.068    779 10.32.3.102 TCP_TUNNEL/200 6160 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189512.162    763 10.32.3.102 TCP_TUNNEL/200 7376 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189512.216    816 10.32.3.102 TCP_TUNNEL/200 7376 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.68 -
1490189517.077      1 10.32.3.102 NONE/503 0 CONNECT 157.55.130.146:443 - HIER_NONE/- -
1490189525.321      1 10.32.3.102 NONE/503 0 CONNECT 64.4.23.160:443 - HIER_NONE/- -
1490189526.333      1 10.32.3.102 NONE/503 0 CONNECT 111.221.77.165:443 - HIER_NONE/- -
1490189527.345      1 10.32.3.102 NONE/503 0 CONNECT 157.55.130.144:443 - HIER_NONE/- -
1490189528.354      1 10.32.3.102 NONE/503 0 CONNECT 111.221.77.149:443 - HIER_NONE/- -
1490189529.368      1 10.32.3.102 NONE/503 0 CONNECT 157.55.235.164:443 - HIER_NONE/- -
1490189531.375      1 10.32.3.102 NONE/503 0 CONNECT 157.56.52.20:443 - HIER_NONE/- -
1490189532.385      1 10.32.3.102 NONE/503 0 CONNECT 65.55.223.31:443 - HIER_NONE/- -
1490189533.393      1 10.32.3.102 NONE/503 0 CONNECT 157.56.52.21:443 - HIER_NONE/- -

-- 
Atenciosamente / Best Regards,

Heiler Bemerguy
Network Manager - CINBESA
55 91 98151-4894/3184-1751
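To confirm from the access.log that it is CONNECTs to literal IP addresses, and only those, that the rule is denying, here is an added example (not code from the thread or from Squid) that parses Squid's native log format and counts, per client, tunnels to IP literals split into allowed and denied. The log lines inside it are constructed in the same format as the ones posted above; "denied" is taken to mean a 4xx/5xx status, which is what the NONE/503 lines are.

```python
"""Count CONNECT tunnels to literal IP addresses in a Squid native access.log.

Added example; the SAMPLE_LOG lines are constructed in the format of the
lines posted in the thread (time elapsed client code/status bytes method
url user hier/peer type), including an IPv6 literal and a non-CONNECT line
that must be ignored."""
import ipaddress
from collections import Counter

SAMPLE_LOG = """\
1490189501.442    879 10.32.3.102 TCP_TUNNEL/200 8797 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.96 -
1490189517.077      1 10.32.3.102 NONE/503 0 CONNECT 157.55.130.146:443 - HIER_NONE/- -
1490189525.321      1 10.32.3.102 NONE/503 0 CONNECT 64.4.23.160:443 - HIER_NONE/- -
1490189533.400      2 10.32.3.7 TCP_TUNNEL/200 5120 CONNECT [2001:db8::1]:443 - HIER_DIRECT/2001:db8::1 -
1490189534.100      0 10.32.3.7 TCP_MISS/200 512 GET http://198.51.100.9/ - HIER_DIRECT/198.51.100.9 text/html
"""

def parse_native(line):
    """Split one native-format line into a dict; None if it lacks the ten fields."""
    f = line.split()
    if len(f) < 10:
        return None
    code, _, status = f[3].partition("/")
    return {"time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "code": code, "status": int(status), "method": f[5],
            "url": f[6], "hier": f[8].partition("/")[0]}

def connect_host(authority):
    """Host part of a CONNECT target (host:port), unbracketing IPv6 literals."""
    if authority.startswith("["):
        inner, closed, _ = authority[1:].partition("]")
        return inner if closed else authority
    host, sep, _ = authority.rpartition(":")
    return host if sep else authority

def is_ip_literal(host):
    """True for IPv4 or IPv6 addresses, False for hostnames."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def raw_ip_connects(log_text):
    """Per client: Counter with 'allowed'/'denied' counts of CONNECTs whose
    target is an IP literal; denied = status 4xx/5xx (the NONE/503 lines)."""
    stats = {}
    for line in log_text.splitlines():
        e = parse_native(line)
        if e is None or e["method"] != "CONNECT":
            continue
        if not is_ip_literal(connect_host(e["url"])):
            continue
        key = "denied" if e["status"] >= 400 else "allowed"
        stats.setdefault(e["client"], Counter())[key] += 1
    return stats

if __name__ == "__main__":
    for client, c in sorted(raw_ip_connects(SAMPLE_LOG).items()):
        print(f"{client}: {c['denied']} denied, {c['allowed']} allowed CONNECTs to IP literals")
```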
Re: [squid-users] URL list from a URL
On 03/21/2017 06:17 PM, Eliezer Croitoru wrote:
> The current StoreID helper can be converted pretty fast into what he needs.

Jason needs to block access. How can a [converted] StoreID helper block access without becoming an external_acl helper?

Alex.

> -----Original Message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Alex Rousskov
> Sent: Tuesday, March 21, 2017 11:43 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] URL list from a URL
>
> On 03/21/2017 02:30 PM, Jason B. Nance wrote:
>
>> I should have mentioned that I'm not caching, I'm only using Squid
>> for whitelisting in this case. Would you still say this is the right
>> path?
>
> No. You probably have two better options:
>
> 1. Use a file with a list of mirror URLs as an ACL parameter. Write a
> script that updates that file and reconfigures Squid as needed. Please
> keep in mind that Squid reconfiguration is currently a relatively
> heavy/intrusive operation, even if there were no changes except for
> that single ACL.
>
> 2. Write an external_acl helper that will consult the mirror list. This
> will make each HTTP transaction a little slower (because it needs to go
> to the helper) but eliminates reconfigurations. The helper itself or
> some other script will still need to update the mirror list as needed,
> of course.
>
> HTH,
>
> Alex.
>
>>> Hello,
>>>
>>> I'm using Squid 3.5.20 and wonder if it is possible to define an ACL which
>>> retrieves the list of URLs from another URL (similar to pointing to a
>>> file). In this specific use case it is to allow a Foreman server to sync
>>> Yum content from the CentOS mirrors. I tell Foreman to use the following
>>> URL:
>>>
>>> http://mirrorlist.centos.org/?release=7=x86_64=updates
>>>
>>> Which returns a list of URLs, such as:
>>>
>>> http://repo1.dal.innoscale.net/centos/7.3.1611/updates/x86_64/
>>> http://linux.mirrors.es.net/centos/7.3.1611/updates/x86_64/
>>> http://reflector.westga.edu/repos/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.jax.hugeserver.com/centos/7.3.1611/updates/x86_64/
>>> http://ftp.linux.ncsu.edu/pub/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.nexcess.net/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.web-ster.com/centos/7.3.1611/updates/x86_64/
>>> http://centos.host-engine.com/7.3.1611/updates/x86_64/
>>> http://mirror.raystedman.net/centos/7.3.1611/updates/x86_64/
>>> http://mirror.linux.duke.edu/pub/centos/7.3.1611/updates/x86_64/
>>>
>>> Foreman then starts a new HTTP connection (not a redirect) to attempt to
>>> connect to those in turn until it works.
>>>
>>> So I would like to configure Squid to allow the Foreman server access to
>>> any of those URLs (the list changes somewhat often).
>>>
>>> I started to go down the external_acl_type but am wondering if I'm missing
>>> something obvious.
Re: [squid-users] Squid blocking own OCSP/AIA requests
Small update:

- The URL http://apps.identrust.com/roots/dstrootcax3.p7c is not the OCSP responder, but the AIA for the Root CA (DST Root CA X3) embedded in the issuing CA's certificate's CA Issuers.
- Same for http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE: AIA for Root CA.

Since squid is sslbumping the connection, it must be doing the AIA lookups (presumably for SSL verification).

Does anybody have an idea why it is blocking its own requests?

Best
/markus

On 03/21/2017 11:35 AM, Markus Wernig wrote:
> Hi all
>
> I have configured Squid 4.0.18 (CentOS) with sslbump and clamav as
> ecap_service. This works well.
>
> One thing I've noticed though, are constant log entries like this in
> access.log:
>
> 2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_NONE/- text/html;charset=utf-8 -
> 2017-03-21 10:35:08.345 +0100 000161 10.254.254.2 NONE/200 0 CONNECT letsencrypt.org:443 - HIER_DIRECT/letsencrypt.org - -
>
> It appears that this is the OCSP URI for Letsencrypt certificates.
>
> And in fact every time this is logged, a CONNECT to a https uri is
> logged that is using a Letsencrypt certificate (like eg.
> https://letsencrypt.org).
>
> Given that there is no client IP logged, I assume that squid is blocking
> its own outgoing OCSP request here (the browser is configured to NOT use
> OCSP).
>
> The same seems to happen when there's no OCSP URI, but a regular AIA URI
> in the certificate:
>
> 2017-03-21 10:36:19.773 +0100 00 - TCP_DENIED/403 3734 GET http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE - HIER_NONE/- text/html;charset=utf-8 -
> 2017-03-21 10:36:19.782 +0100 38 10.254.254.2 NONE/200 0 CONNECT swisssign.net:443 - HIER_DIRECT/swisssign.net - -
>
> I do have "http_access allow localhost" in squid.conf, but since there's
> no IP associated with the request, this does not seem to help.
>
> Is there a way to allow these outgoing internal requests? I've looked
> through the FAQ and wiki, but couldn't find anything on the topic.
>
> Thanks & best
>
> /markus
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Markus Wernig
Unix/Network Security Engineer
PGP: D9203D2A4AD9FCDEEF9DF7ACC6208E82E4DC
SIP/XMPP: mar...@wernig.net
Furch D25-SR Cut - Ovation CE C2078AX-5 - http://xfer.ch - http://markus.wernig.net -

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
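The pattern Markus describes (a TCP_DENIED line with no client IP, followed a few milliseconds later by a client's CONNECT to a site whose chain needs that AIA fetch) can be confirmed from access.log before touching http_access. The shell/awk script below is an added example for this thread, not code from the list or from the Squid project; it assumes the whitespace-separated log layout visible in Markus's lines, and the sample log embedded in it is constructed (the two URL/CONNECT pairs mirror his post, the example.org and unrelated.example lines are invented to show a non-matching hit and an unpaired denial).

```shell
#!/bin/sh
# Added example, not from the thread: list access.log entries that Squid denied
# on its own behalf (no client IP) and pair each with the CONNECT that
# triggered it. Field layout follows the log format Markus posted; all sample
# lines below are constructed for this example.

SAMPLE_LOG='2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_NONE/- text/html;charset=utf-8 -
2017-03-21 10:35:08.345 +0100 000161 10.254.254.2 NONE/200 0 CONNECT letsencrypt.org:443 - HIER_DIRECT/letsencrypt.org - -
2017-03-21 10:35:09.100 +0100 000042 10.254.254.2 TCP_MISS/200 5120 GET http://example.org/ - HIER_DIRECT/example.org text/html -
2017-03-21 10:36:19.773 +0100 000000 - TCP_DENIED/403 3734 GET http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE - HIER_NONE/- text/html;charset=utf-8 -
2017-03-21 10:36:19.782 +0100 000038 10.254.254.2 NONE/200 0 CONNECT swisssign.net:443 - HIER_DIRECT/swisssign.net - -
2017-03-21 10:37:00.000 +0100 000010 - TCP_DENIED/403 3600 GET http://unrelated.example/x - HIER_NONE/- text/html -'

# Fields in this log format (whitespace separated):
#   1 date  2 time  3 tz  4 duration  5 client IP ("-" when Squid itself is
#   the requester)  6 result/status  7 bytes  8 method  9 URL  10 user
#   11 hierarchy/peer  12 content type

# URLs of denied requests that carry no client IP, i.e. Squid's own fetches.
self_denied() {
    printf '%s\n' "$1" | awk '$5 == "-" && $6 ~ /^TCP_DENIED\// { print $9 }'
}

# Pair each client-less denial with the CONNECT logged within WINDOW ms after
# it (default 1000), printing "<denied URL> <- <CONNECT target>". A denial with
# no CONNECT inside the window stays unpaired, which points at a different cause.
pair_with_connect() {
    printf '%s\n' "$1" | awk -v window="${2:-1000}" '
        function ms(t,    p) {
            split(t, p, "[:.]")
            return ((p[1] * 60 + p[2]) * 60 + p[3]) * 1000 + p[4]
        }
        $5 == "-" && $6 ~ /^TCP_DENIED\// { url = $9; at = ms($2); next }
        $8 == "CONNECT" && url != "" && ms($2) >= at && ms($2) - at <= window {
            print url " <- " $9
            url = ""
        }'
}

pair_with_connect "$SAMPLE_LOG"
```

Run it against a real file with `pair_with_connect "$(cat /var/log/squid/access.log)"`; a tight window (a few hundred ms) is usually enough, since the AIA fetch happens while the CONNECT is being bumped. Denials that remain unpaired are worth looking at separately, because they are not explained by certificate verification.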
Re: [squid-users] Squid Transparent/intercept Issues
On Wednesday 22 March 2017 at 11:59:14, christian brendan wrote:

> One more thing,
> Does this imply using two NICs (Network Interface Cards)?

No, this is not necessary.

> And the squid server has to be in-between clients and the internet?

That is the simpler way of doing it (in which case you would want two NICs, yes).

Basically your choices are:

1. Put the Squid server in the route between clients and the Internet (so, it has two NICs, each with an address on different networks), and an IPtables REDIRECT rule to send port 80 & 443 traffic to Squid.

2. Put your Squid server (with one NIC) wherever you like, having just a single IP address (and able to route to the Internet), and use policy routing on your Mikrotik router to send any packets from clients heading for port 80 & 443 out on the Internet, to the Squid server instead (without doing DNAT and changing the destination address). You still need the REDIRECT rule on the Squid server, and you must ensure that when Squid then makes its own request out to the Internet, that goes out, and does not get intercepted by the Mikrotik and sent back to Squid again :)

Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of inflation was decreasing. This was the first time a sitting president used a third derivative to advance his case for re-election.
 - Hugo Rossi, Notices of the American Mathematical Society

Please reply to the list; please *don't* CC me.
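Both of Antony's options end with the same piece on the Squid host: a REDIRECT rule in the nat PREROUTING chain, and nothing that rewrites destinations on another box. The script below is an added example for this thread, not code from the list or from the Squid wiki. The 10.24.7.101 address comes from christian's Mikrotik rule; the LAN_IF interface name, the dedicated 3129 intercept port (with `http_port 3129 intercept` next to the normal `http_port 3128` in squid.conf) and the DRY_RUN switch are assumptions of this example. It covers port 80 only; port 443 additionally needs an `https_port ... intercept ssl-bump` setup that the thread does not discuss.

```shell
#!/bin/sh
# Added example, not from the thread: the nat rules that belong on the Squid
# host itself (Antony's option 1, and the host-side half of option 2). The
# 10.24.7.101 address comes from the thread; LAN_IF, the dedicated 3129
# intercept port and the DRY_RUN switch are assumptions of this example.
set -eu

LAN_IF="${LAN_IF:-eth0}"                  # assumed: interface facing the clients
SQUID_IP="${SQUID_IP:-10.24.7.101}"       # Squid host address from the thread
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"  # assumed: squid.conf has "http_port 3129 intercept"
                                          # next to the explicit "http_port 3128"
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands, 0 = execute them

# Print or execute a command, so the rule set can be reviewed before loading.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Only PREROUTING is used: it matches packets arriving from the LAN, never the
# connections Squid itself opens (those traverse OUTPUT), so nothing loops on
# this host. With option 2 the Mikrotik policy route must likewise exclude
# packets whose source is $SQUID_IP, or Squid's upstream requests come back.
install_intercept_rules() {
    # Traffic addressed to the proxy host itself (explicit proxy on 3128, SSH)
    # is left alone.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$SQUID_IP" -j ACCEPT
    # Client port-80 traffic passing through the host goes to the intercept port.
    # Port 443 needs an https_port with ssl-bump and is not covered here.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
}

# Squid recovers the original destination from the intercepted socket, which
# only works while the packet still carries the real server address. That is
# why a dst-nat rule on a separate router (as in the thread) breaks intercept.
install_intercept_rules
```

Run it once as-is to review the two iptables commands, then with `DRY_RUN=0` as root to load them. For option 2, the policy route on the Mikrotik should match client sources only (for example the 10.24.7.0/24 clients but not 10.24.7.101), which is the "does not get intercepted and sent back" condition Antony mentions.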
Re: [squid-users] Squid Transparent/intercept Issues
One more thing,
Does this imply using two NICs (Network Interface Cards)?
And the squid server has to be in-between clients and the internet?

Regards

On Tue, Mar 21, 2017 at 5:29 PM, christian brendan <bosscb.chrisb...@gmail.com> wrote:

> Thanks a lot for the information.
> I will try this and give feedback.
> Best Regards
>
> On Tue, Mar 21, 2017 at 1:00 PM, squid-cache.org> wrote:
>
>> Send squid-users mailing list submissions to
>> squid-users@lists.squid-cache.org
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> http://lists.squid-cache.org/listinfo/squid-users
>> or, via email, send a message with subject or body 'help' to
>> squid-users-requ...@lists.squid-cache.org
>>
>> You can reach the person managing the list at
>> squid-users-ow...@lists.squid-cache.org
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of squid-users digest..."
>>
>> Today's Topics:
>>
>>    1. Re: Squid Transparent/intercept Issues (Antony Stone)
>>
>> --
>>
>> Message: 1
>> Date: Tue, 21 Mar 2017 12:12:01 +0100
>> From: Antony Stone
>> To: squid-users@lists.squid-cache.org
>> Subject: Re: [squid-users] Squid Transparent/intercept Issues
>> Message-ID: <201703211212.01346.antony.st...@squid.open.source.it>
>> Content-Type: Text/Plain; charset="utf-8"
>>
>> On Tuesday 21 March 2017 at 12:00:05, christian brendan wrote:
>>
>> > > Today's Topics:
>> > >    1. Re: Squid Transparent/intercept Issues (Antony Stone)
>> > >    2. Re: SMP and AUFS (Matus UHLAR - fantomas)
>> > >    3. Re: SMP and AUFS (Alex Rousskov)
>> > >    4. Re: squid workers question (Alex Rousskov)
>> > >    5. Re: squid workers question (Matus UHLAR - fantomas)
>> > >    6. Re: SSL Bump issues (Alex Rousskov)
>> > >    7. blocking or allowing specific youtube videos (Sohan Wijetunga)
>>
>> Please edit your reply when responding to a digest email, deleting
>> everything not specific to your question.
>>
>> > > Date: Mon, 20 Mar 2017 16:56:17 +0100
>> > > From: Antony Stone
>> > > To: squid-users@lists.squid-cache.org
>> > > Subject: Re: [squid-users] Squid Transparent/intercept Issues
>> > >
>> > > On Monday 20 March 2017 at 16:26:40, christian brendan wrote:
>> > > > Hello Everyone,
>> > > >
>> > > > Squid Cache: Version 3.5.20
>> > > > OS: CentOS 7
>> > > >
>> > > > I have used squid for quite some time non-transparently and it works,
>> > > > problem kicks in when: http_port 3128 transparent is enabled.
>> > > > Access denied error page shows up when transparent is enabled
>> > > > ERROR The requested URL could not be retrieved
>> > >
>> > > How are you getting the packets to the Squid server for interception?
>> > >
>> > > Is the Squid server in the default route between your clients and the
>> > > Internet, or are you redirecting the packets to the Squid server somehow?
>> > >
>> > > Please give *details* of how you are intercepting and sending the packets
>> > > to Squid (eg: iptables rules, and which machine/s the rules are running on).
>> > >
>> > > Antony.
>>
>> > @Antony.Stone
>> > 1. I am using mikrotik routerboard to redirect traffic, with this rule:
>> >    dd action=dst-nat chain=dstnat comment="Redirect port 80 to SquidProxy" dst-port=80 protocol=tcp \ src-address=10.24.7.100 to-addresses=10.24.7.101 to-ports=3128
>>
>> Okay, so there's your problem, then.
>>
>> You must not use DSTNAT on a separate router to send packets to Squid for intercept.
>>
>> (This used to work in older versions of Squid, but does not work any more and
>> is documented on the wiki, for example at
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat )
>>
>> Note the wording: "NOTE: This configuration is given for use on the squid box."
>> That means the NAT rules *must* be running on the Squid box itself and not (in
>> your case) on the Mikrotik router.
>>
>> > 3. It is not in default route, packets are being redirected.
>>
>> In that case you need to use policy routing to get the packets *unchanged* to
>> the Squid box - see the above link, and also
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>
>> > 4. There are no iptables rules, firewall is disabled for this test.
>>
>> You have to have a REDIRECT rule on the machine running Squid to get it to see
>> the packets (once they are no longer being DNATted).
>>
>> Please try to follow the guidelines at
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat and
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute and
>> then come back to us with details of what you've tried, if there are still
>> problems.
>>
>> Regards,
>>
>> Antony.
>>
>> --
>> A user interface is like a joke.
>> If you have to explain it, it didn't work.