Re: [squid-users] URL list from a URL

2017-03-22 Thread Eliezer Croitoru
Almost. What I was talking about and meant was to take the current official 
StoreID helper written in Perl and remove the parts of the ID replacement while 
leaving the regex matching intact.
Then pass to the StoreID helper the URL and the source IP and let it match the 
URL to the regex from the list in the "DB file".
If it matches, either return OK or ERR, depending on the intention of the helper.
...The X code has almost everything needed, so just convert it.
I am offering to convert it if there is some interest in it.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Alex Rousskov
Sent: Wednesday, March 22, 2017 6:10 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] URL list from a URL

On 03/22/2017 09:25 AM, Eliezer Croitoru wrote:

> I didn't mean, by "convert the StoreID helper", to convert it into an 
> external_acl helper.
> It has both OK and ERR and a "checklist" which would be a match or not.

Sigh. The combination of your answers does not make any sense to me.
Squid does not use StoreID helpers to block access, regardless of what a 
StoreID helper returns. It is certainly possible to take some StoreID helper 
code and make an external_acl helper out of it, but that falls under my option 
#2.

Perhaps what you meant to say is something like "Use StoreID helper X available 
at Y to implement option #2 -- that X code has everything you need!"?

Alex.


> -Original Message-
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com]
> Sent: Wednesday, March 22, 2017 3:51 PM
> To: squid-users@lists.squid-cache.org
> Cc: Eliezer Croitoru 
> Subject: Re: [squid-users] URL list from a URL
> 
> On 03/21/2017 06:17 PM, Eliezer Croitoru wrote:
>> The current StoreID helper can be converted pretty fast into what he needs.
> 
> Jason needs to block access. How can a [converted] StoreID helper 
> block access without becoming an external_acl helper?
> 
> Alex.
> 
>> -Original Message-
>> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] 
>> On Behalf Of Alex Rousskov
>> Sent: Tuesday, March 21, 2017 11:43 PM
>> To: squid-users@lists.squid-cache.org
>> Subject: Re: [squid-users] URL list from a URL
>>
>> On 03/21/2017 02:30 PM, Jason B. Nance wrote:
>>
>>> I should have mentioned that I'm not caching, I'm only using Squid 
>>> for whitelisting in this case.  Would you still say this is the 
>>> right path?
>>
>> No. You probably have two better options:
>>
>> 1. Use a file with list of mirror URLs as an ACL parameter. Write a 
>> script that updates that file and reconfigures Squid as needed. 
>> Please keep in mind that Squid reconfiguration is currently a 
>> relatively heavy/intrusive operation, even if there were not changes 
>> except for that single ACL.
>>
>> 2. Write an external_acl helper that will consult the mirror list. 
>> This will make each HTTP transaction a little slower (because it 
>> needs to go to the helper) but eliminates reconfigurations. The 
>> helper itself or some other script will still need to update the 
>> mirror list as needed, of course.
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>>
>>
 Hello,

 I'm using Squid 3.5.20 and wonder if it is possible to define an ACL which 
 retrieves the list of URLs from another URL (similar to pointing to a 
 file).  In this specific use case it is to allow a Foreman server to sync 
 Yum content from the CentOS mirrors.  I tell Foreman to use the following 
 URL:

 http://mirrorlist.centos.org/?release=7=x86_64=updates

 Which returns a list of URLs, such as:

 http://repo1.dal.innoscale.net/centos/7.3.1611/updates/x86_64/
 http://linux.mirrors.es.net/centos/7.3.1611/updates/x86_64/
 http://reflector.westga.edu/repos/CentOS/7.3.1611/updates/x86_64/
 http://mirror.jax.hugeserver.com/centos/7.3.1611/updates/x86_64/
 http://ftp.linux.ncsu.edu/pub/CentOS/7.3.1611/updates/x86_64/
 http://mirror.nexcess.net/CentOS/7.3.1611/updates/x86_64/
 http://mirror.web-ster.com/centos/7.3.1611/updates/x86_64/
 http://centos.host-engine.com/7.3.1611/updates/x86_64/
 http://mirror.raystedman.net/centos/7.3.1611/updates/x86_64/
 http://mirror.linux.duke.edu/pub/centos/7.3.1611/updates/x86_64/

 Foreman then starts a new HTTP connection (not a redirect) to attempt to 
 connect to those in turn until it works.

 So I would like to configure Squid to allow the Foreman server access to 
 any of those URLs (the list changes somewhat often).

 I started to go down the external_acl_type but am wondering if I'm missing 
 something obvious.
>>
>> ___
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
> 

Re: [squid-users] URL list from a URL

2017-03-22 Thread Alex Rousskov
On 03/22/2017 09:25 AM, Eliezer Croitoru wrote:

> I didn't mean, by "convert the StoreID helper", to convert it into an 
> external_acl helper.
> It has both OK and ERR and a "checklist" which would be a match or not.

Sigh. The combination of your answers does not make any sense to me.
Squid does not use StoreID helpers to block access, regardless of what a
StoreID helper returns. It is certainly possible to take some StoreID
helper code and make an external_acl helper out of it, but that falls
under my option #2.

Perhaps what you meant to say is something like "Use StoreID helper X
available at Y to implement option #2 -- that X code has everything you
need!"?

Alex.


> -Original Message-
> From: Alex Rousskov [mailto:rouss...@measurement-factory.com] 
> Sent: Wednesday, March 22, 2017 3:51 PM
> To: squid-users@lists.squid-cache.org
> Cc: Eliezer Croitoru 
> Subject: Re: [squid-users] URL list from a URL
> 
> On 03/21/2017 06:17 PM, Eliezer Croitoru wrote:
>> The current StoreID helper can be converted pretty fast into what he needs.
> 
> Jason needs to block access. How can a [converted] StoreID helper block
> access without becoming an external_acl helper?
> 
> Alex.
> 
>> -Original Message-
>> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
>> Behalf Of Alex Rousskov
>> Sent: Tuesday, March 21, 2017 11:43 PM
>> To: squid-users@lists.squid-cache.org
>> Subject: Re: [squid-users] URL list from a URL
>>
>> On 03/21/2017 02:30 PM, Jason B. Nance wrote:
>>
>>> I should have mentioned that I'm not caching, I'm only using Squid
>>> for whitelisting in this case.  Would you still say this is the right
>>> path? 
>>
>> No. You probably have two better options:
>>
>> 1. Use a file with list of mirror URLs as an ACL parameter. Write a
>> script that updates that file and reconfigures Squid as needed. Please
>> keep in mind that Squid reconfiguration is currently a relatively
>> heavy/intrusive operation, even if there were not changes except for
>> that single ACL.
>>
>> 2. Write an external_acl helper that will consult the mirror list. This
>> will make each HTTP transaction a little slower (because it needs to go
>> to the helper) but eliminates reconfigurations. The helper itself or
>> some other script will still need to update the mirror list as needed,
>> of course.
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>>
>>
 Hello,

 I'm using Squid 3.5.20 and wonder if it is possible to define an ACL which 
 retrieves the list of URLs from another URL (similar to pointing to a 
 file).  In this specific use case it is to allow a Foreman server to sync 
 Yum content from the CentOS mirrors.  I tell Foreman to use the following 
 URL:

 http://mirrorlist.centos.org/?release=7=x86_64=updates

 Which returns a list of URLs, such as:

 http://repo1.dal.innoscale.net/centos/7.3.1611/updates/x86_64/
 http://linux.mirrors.es.net/centos/7.3.1611/updates/x86_64/
 http://reflector.westga.edu/repos/CentOS/7.3.1611/updates/x86_64/
 http://mirror.jax.hugeserver.com/centos/7.3.1611/updates/x86_64/
 http://ftp.linux.ncsu.edu/pub/CentOS/7.3.1611/updates/x86_64/
 http://mirror.nexcess.net/CentOS/7.3.1611/updates/x86_64/
 http://mirror.web-ster.com/centos/7.3.1611/updates/x86_64/
 http://centos.host-engine.com/7.3.1611/updates/x86_64/
 http://mirror.raystedman.net/centos/7.3.1611/updates/x86_64/
 http://mirror.linux.duke.edu/pub/centos/7.3.1611/updates/x86_64/

 Foreman then starts a new HTTP connection (not a redirect) to attempt to 
 connect to those in turn until it works.

 So I would like to configure Squid to allow the Foreman server access to 
 any of those URLs (the list changes somewhat often).

 I started to go down the external_acl_type but am wondering if I'm missing 
 something obvious.
>>
>>
> 



Re: [squid-users] Free Squid helper for dynamic content caching

2017-03-22 Thread Yuri Voinov
I'm afraid that rewriting the rules is a big job. I strongly doubt that
someone will lay it out in public open access for free. Saving traffic
is money.

Here's what I want to say. There are no really effective helpers in the
public domain. As far as I know.

On 22.03.2017 21:38, Eduardo Carneiro wrote:
> Hi Yuri.
>
> The reason I came here is because I've already tried but I didn't succeed. I
> really expected a more specific answer. Not just "You can fix it yourself,
> the code is open."
>
> Anyway, thanks. I'll keep trying to fix this.
>
>
>

-- 
Bugs to the Future




Re: [squid-users] Free Squid helper for dynamic content caching

2017-03-22 Thread Eduardo Carneiro
Hi Yuri.

The reason I came here is because I've already tried but I didn't succeed. I
really expected a more specific answer. Not just "You can fix it yourself,
the code is open."

Anyway, thanks. I'll keep trying to fix this.





Re: [squid-users] Skype via squid

2017-03-22 Thread Amos Jeffries
On 23/03/2017 2:44 a.m., Heiler Bemerguy wrote:
> 
> Hi dude,
> 
> I've noticed our users are being blocked by a rule which prevents
> CONNECTs to IP addresses instead of FQDN.
> 
> What puzzles me is WHY skype is trying to connect to IPs even after
> connecting to FQDNs.. ? Has anyone noticed this? Any workaround apart
> from whitelisting Microsoft IPs.. ???

This has always been the case. Skype was originally a P2P application;
since end users normally do not have custom reverse-DNS entries for
personal domain names (and Skype has no easy way to reliably find out even
if they do), it usually auto-negotiates its data connections using
raw IPs to bust its way through NAT breakages, then uses the results.

The domain name part at the beginning is a much more recent addition by
MS to use their generic live.co authentication APIs, and not actually a
part unique to Skype itself.


That is why the wiki config example combines a regex ACL for matching
raw-IP values in the URL, and the User-Agent header detection.

Amos



Re: [squid-users] URL list from a URL

2017-03-22 Thread Eliezer Croitoru
Hey Alex,

I didn't mean, by "convert the StoreID helper", to convert it into an external_acl 
helper.
It has both OK and ERR and a "checklist" which would be a match or not.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



-Original Message-
From: Alex Rousskov [mailto:rouss...@measurement-factory.com] 
Sent: Wednesday, March 22, 2017 3:51 PM
To: squid-users@lists.squid-cache.org
Cc: Eliezer Croitoru 
Subject: Re: [squid-users] URL list from a URL

On 03/21/2017 06:17 PM, Eliezer Croitoru wrote:
> The current StoreID helper can be converted pretty fast into what he needs.

Jason needs to block access. How can a [converted] StoreID helper block
access without becoming an external_acl helper?

Alex.

> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Alex Rousskov
> Sent: Tuesday, March 21, 2017 11:43 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] URL list from a URL
> 
> On 03/21/2017 02:30 PM, Jason B. Nance wrote:
> 
>> I should have mentioned that I'm not caching, I'm only using Squid
>> for whitelisting in this case.  Would you still say this is the right
>> path? 
> 
> No. You probably have two better options:
> 
> 1. Use a file with list of mirror URLs as an ACL parameter. Write a
> script that updates that file and reconfigures Squid as needed. Please
> keep in mind that Squid reconfiguration is currently a relatively
> heavy/intrusive operation, even if there were not changes except for
> that single ACL.
> 
> 2. Write an external_acl helper that will consult the mirror list. This
> will make each HTTP transaction a little slower (because it needs to go
> to the helper) but eliminates reconfigurations. The helper itself or
> some other script will still need to update the mirror list as needed,
> of course.
> 
> 
> HTH,
> 
> Alex.
> 
> 
> 
> 
>>> Hello,
>>>
>>> I'm using Squid 3.5.20 and wonder if it is possible to define an ACL which 
>>> retrieves the list of URLs from another URL (similar to pointing to a 
>>> file).  In this specific use case it is to allow a Foreman server to sync 
>>> Yum content from the CentOS mirrors.  I tell Foreman to use the following 
>>> URL:
>>>
>>> http://mirrorlist.centos.org/?release=7=x86_64=updates
>>>
>>> Which returns a list of URLs, such as:
>>>
>>> http://repo1.dal.innoscale.net/centos/7.3.1611/updates/x86_64/
>>> http://linux.mirrors.es.net/centos/7.3.1611/updates/x86_64/
>>> http://reflector.westga.edu/repos/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.jax.hugeserver.com/centos/7.3.1611/updates/x86_64/
>>> http://ftp.linux.ncsu.edu/pub/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.nexcess.net/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.web-ster.com/centos/7.3.1611/updates/x86_64/
>>> http://centos.host-engine.com/7.3.1611/updates/x86_64/
>>> http://mirror.raystedman.net/centos/7.3.1611/updates/x86_64/
>>> http://mirror.linux.duke.edu/pub/centos/7.3.1611/updates/x86_64/
>>>
>>> Foreman then starts a new HTTP connection (not a redirect) to attempt to 
>>> connect to those in turn until it works.
>>>
>>> So I would like to configure Squid to allow the Foreman server access to 
>>> any of those URLs (the list changes somewhat often).
>>>
>>> I started to go down the external_acl_type but am wondering if I'm missing 
>>> something obvious.
> 
> 




Re: [squid-users] Squid stopped working after cache.log and access.log rotation

2017-03-22 Thread Jason B. Nance
If you do "lsof /var/log | grep -i delete" does it show squid writing to a 
deleted access.log / cache.log? 

j 



From: "Chee M Gui"  
To: squid-users@lists.squid-cache.org 
Sent: Wednesday, March 22, 2017 10:17:32 AM 
Subject: [squid-users] Squid stopped working after cache.log and access.log 
rotation 


Hi All 

We recently installed Squid 3.5.12-1ubuntu7.3 on Ubuntu 16.04.2 LTS. It ran 
fine at first but stopped working after a while. telnet server 3128 still 
works, i.e., opens a blank window, but Squid is just not accepting requests. 
Then we realized that there is no new access.log file. The access.log file 
stopped rotating at 6:24AM on 3/17/2017. It looks like Squid wasn't able to 
create a new access.log? We could not find any error message in syslog or the 
cache.log. We haven't rebooted the server because we want to know what went 
wrong. It isn't the firewall blocking Squid because Squid was working fine all 
the while until recently. Also after it stopped working, we disabled the 
firewall to see if it would work but it still didn't work. 

root@paproxy:/var/log/squid# ls -alt 
total 15536 
drwxr-xr-x 2 proxy proxy 4096 Mar 21 06:25 . 
-rw-r- 1 proxy proxy 63 Mar 21 06:25 cache.log 
drwxrwxr-x 9 root syslog 4096 Mar 21 06:25 .. 
-rw-r- 1 proxy proxy 63 Mar 20 06:25 cache.log.1 
-rw-r- 1 proxy proxy 83 Mar 19 06:25 cache.log.2.gz 
-rw-r- 1 proxy proxy 15759111 Mar 17 06:24 access.log.1 
-rw-r- 1 proxy proxy 117223 Mar 17 05:52 netdb.state 

Any ideas what went wrong? 

Thank you very much in anticipation. 

Gui 



Re: [squid-users] Squid stopped working after cache.log and access.log rotation

2017-03-22 Thread Antony Stone
On Wednesday 22 March 2017 at 16:17:32, Chee M Gui wrote:

> Hi All
> 
> We recently installed Squid 3.5.12-1ubuntu7.3 on Ubuntu 16.04.2 LTS.  It
> ran fine at first but stopped working after a while.  telnet server 3128
> still works, i.e., opens a blank window, but Squid is just not accepting
> requests.  Then we realized that there is no new access.log file.  The
> access.log file stopped rotating at 6:24AM on 3/17/2017.  It looks like
> Squid wasn't able to create a new access.log?  We could not find any error
> message in syslog or the cache.log.  We haven't rebooted the server
> because we want to know what went wrong.  It isn't the firewall blocking
> Squid because Squid was working fine all the while until recently.  Also
> after it stopped working, we disabled the firewall to see if it would work
> but it still didn't work.
> 
> root@paproxy:/var/log/squid# ls -alt
> total 15536
> drwxr-xr-x 2 proxy proxy  4096 Mar 21 06:25 .
> -rw-r- 1 proxy proxy        63 Mar 21 06:25 cache.log
> drwxrwxr-x 9 root  syslog  4096 Mar 21 06:25 ..
> -rw-r- 1 proxy proxy        63 Mar 20 06:25 cache.log.1
> -rw-r- 1 proxy proxy        83 Mar 19 06:25 cache.log.2.gz
> -rw-r- 1 proxy proxy  15759111 Mar 17 06:24 access.log.1
> -rw-r- 1 proxy proxy    117223 Mar 17 05:52 netdb.state
> 
> Any ideas what went wrong?

Any chance you've run out of disk space?


Antony.

-- 
I bought a book about anti-gravity.  The reviews say you can't put it down.

   Please reply to the list;
 please *don't* CC me.


[squid-users] Squid stopped working after cache.log and access.log rotation

2017-03-22 Thread Chee M Gui
Hi All

We recently installed Squid 3.5.12-1ubuntu7.3 on Ubuntu 16.04.2 LTS.  It
ran fine at first but stopped working after a while.  telnet server 3128
still works, i.e., opens a blank window, but Squid is just not accepting
requests.  Then we realized that there is no new access.log file.  The
access.log file stopped rotating at 6:24AM on 3/17/2017.  It looks like
Squid wasn't able to create a new access.log?  We could not find any error
message in syslog or the cache.log.  We haven't rebooted the server
because we want to know what went wrong.  It isn't the firewall blocking
Squid because Squid was working fine all the while until recently.  Also
after it stopped working, we disabled the firewall to see if it would work
but it still didn't work.

root@paproxy:/var/log/squid# ls -alt
total 15536
drwxr-xr-x 2 proxy proxy  4096 Mar 21 06:25 .
-rw-r- 1 proxy proxy        63 Mar 21 06:25 cache.log
drwxrwxr-x 9 root  syslog  4096 Mar 21 06:25 ..
-rw-r- 1 proxy proxy        63 Mar 20 06:25 cache.log.1
-rw-r- 1 proxy proxy        83 Mar 19 06:25 cache.log.2.gz
-rw-r- 1 proxy proxy  15759111 Mar 17 06:24 access.log.1
-rw-r- 1 proxy proxy    117223 Mar 17 05:52 netdb.state

Any ideas what went wrong?

Thank you very much in anticipation.

Gui


Re: [squid-users] Squid blocking own OCSP/AIA requests

2017-03-22 Thread Alex Rousskov
On 03/22/2017 07:20 AM, Markus Wernig wrote:
> Small update:
> 
> - The URL ... is the AIA for the Root CA
> 
> Since squid is sslbumping the connection, it must be doing the AIA
> lookups (presumably for SSL verification). Does anybody have an idea why
> it is blocking its own requests?

My answer has not changed:

http://lists.squid-cache.org/pipermail/squid-users/2017-March/014773.html

Did you expect your update to change that answer?

Alex.



Re: [squid-users] Free Squid helper for dynamic content caching

2017-03-22 Thread Yuri Voinov
Things are changed in the web on a regular basis. Nothing is permanent in the
world.

So, store ID rules lost relevance and no longer work.

You can fix it yourself, the code is open.


On 22.03.2017 20:35, Eduardo Carneiro wrote:
> I have been using this helper for a while. It works very well.
> Congratulations!
>
> But I noticed that after squid 3.5.19, this helper doesn't work anymore. Is
> this a known problem? Is there any way to fix this?
>
> Best regards.
> Eduardo Carneiro
>
>
>

-- 
Bugs to the Future




Re: [squid-users] URL list from a URL

2017-03-22 Thread Jason B. Nance
Thank you.  In regards to the external ACL helper, would I basically say 
something like:

external_acl_type foo %URL /path/to/my/helper

And then have my helper compare the contents of %URL to the mirror list and 
spit out "OK" for pass or "ERR" for fail?

Thanks,

j


- Original Message -
From: "Alex Rousskov" 
To: squid-users@lists.squid-cache.org
Cc: "Jason Nance" 
Sent: Tuesday, March 21, 2017 4:42:33 PM
Subject: Re: [squid-users] URL list from a URL

On 03/21/2017 02:30 PM, Jason B. Nance wrote:

> I should have mentioned that I'm not caching, I'm only using Squid
> for whitelisting in this case.  Would you still say this is the right
> path? 

No. You probably have two better options:

1. Use a file with list of mirror URLs as an ACL parameter. Write a
script that updates that file and reconfigures Squid as needed. Please
keep in mind that Squid reconfiguration is currently a relatively
heavy/intrusive operation, even if there were not changes except for
that single ACL.

2. Write an external_acl helper that will consult the mirror list. This
will make each HTTP transaction a little slower (because it needs to go
to the helper) but eliminates reconfigurations. The helper itself or
some other script will still need to update the mirror list as needed,
of course.


HTH,

Alex.




>> Hello,
>>
>> I'm using Squid 3.5.20 and wonder if it is possible to define an ACL which 
>> retrieves the list of URLs from another URL (similar to pointing to a file). 
>>  In this specific use case it is to allow a Foreman server to sync Yum 
>> content from the CentOS mirrors.  I tell Foreman to use the following URL:
>>
>> http://mirrorlist.centos.org/?release=7=x86_64=updates
>>
>> Which returns a list of URLs, such as:
>>
>> http://repo1.dal.innoscale.net/centos/7.3.1611/updates/x86_64/
>> http://linux.mirrors.es.net/centos/7.3.1611/updates/x86_64/
>> http://reflector.westga.edu/repos/CentOS/7.3.1611/updates/x86_64/
>> http://mirror.jax.hugeserver.com/centos/7.3.1611/updates/x86_64/
>> http://ftp.linux.ncsu.edu/pub/CentOS/7.3.1611/updates/x86_64/
>> http://mirror.nexcess.net/CentOS/7.3.1611/updates/x86_64/
>> http://mirror.web-ster.com/centos/7.3.1611/updates/x86_64/
>> http://centos.host-engine.com/7.3.1611/updates/x86_64/
>> http://mirror.raystedman.net/centos/7.3.1611/updates/x86_64/
>> http://mirror.linux.duke.edu/pub/centos/7.3.1611/updates/x86_64/
>>
>> Foreman then starts a new HTTP connection (not a redirect) to attempt to 
>> connect to those in turn until it works.
>>
>> So I would like to configure Squid to allow the Foreman server access to any 
>> of those URLs (the list changes somewhat often).
>>
>> I started to go down the external_acl_type but am wondering if I'm missing 
>> something obvious.
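The helper Jason describes above (and the regex-matching helper Eliezer proposes at the top of the thread) is small enough to show in full. What follows is an added example written for this digest, not code from the squid-users list, from the Squid project or from the official StoreID helper. It assumes the following squid.conf wiring (the ACL names are made up; the external_acl_type and acl directives themselves are Squid's):

    external_acl_type mirrorlist ttl=60 negative_ttl=10 %URL /usr/local/bin/mirror_acl.py
    acl mirror_ok external mirrorlist
    http_access allow foreman_hosts mirror_ok

and it assumes that some separate script keeps `/var/lib/squid/mirrors.txt` (a path chosen for this example) in sync with the mirrorlist URL, as Alex's option #2 requires. The helper re-reads that file whenever its mtime changes, so no `squid -k reconfigure` is needed. The matching is deliberately stricter than a substring or regex check: the host must match exactly (so `mirror.nexcess.net.evil.example` does not pass as `mirror.nexcess.net`), scheme and port must match, and the path is normalised before the prefix comparison so `../` segments cannot escape an allowed directory.

```python
#!/usr/bin/env python3
"""Squid external_acl helper: allow only URLs under a list of mirror prefixes.

Added example, not code from the squid-users thread or from the Squid project.
Protocol assumed (Squid 3.5, no concurrency= option): one %URL value per input
line, percent-escaped by Squid; one "OK" or "ERR" reply per line on stdout.
"""
import os
import posixpath
import sys
from urllib.parse import unquote, urlsplit

# Constructed sample list; in production the refresh script writes whatever
# it last fetched from the mirrorlist URL into the list file.
SAMPLE_MIRRORS = """\
http://repo1.dal.innoscale.net/centos/7.3.1611/updates/x86_64/
http://mirror.nexcess.net/CentOS/7.3.1611/updates/x86_64/
http://ftp.linux.ncsu.edu/pub/CentOS/7.3.1611/updates/x86_64/
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical(url):
    """Return (scheme, host, port, normalized path) or None if unusable.

    posixpath.normpath collapses "a/../b" so traversal cannot escape an
    allowed prefix; urlsplit().hostname is already lower-cased, and the
    host is later compared for equality, never as a substring.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric port
        return None
    path = posixpath.normpath(unquote(parts.path) or "/")
    return (parts.scheme, parts.hostname, port, path)


def parse_mirror_list(text):
    """Turn the mirror list body into a set of canonical prefixes."""
    prefixes = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            c = canonical(line)
            if c:
                prefixes.add(c)
    return prefixes


def decide(url, prefixes):
    """Return "OK" if url lies under an allowed prefix, else "ERR"."""
    c = canonical(url)
    if c is None:
        return "ERR"
    scheme, host, port, path = c
    for p_scheme, p_host, p_port, p_path in prefixes:
        if (scheme, host, port) != (p_scheme, p_host, p_port):
            continue
        # Directory-boundary match: /pub/CentOS allows /pub/CentOS/x
        # but not /pub/CentOS-other/.
        base = p_path.rstrip("/") + "/"
        if path == p_path or path.startswith(base):
            return "OK"
    return "ERR"


class MirrorList:
    """Prefixes loaded from a file, reloaded whenever its mtime changes."""

    def __init__(self, path):
        self.path = path
        self.mtime = None
        self.prefixes = set()

    def current(self):
        try:
            mtime = os.stat(self.path).st_mtime
        except OSError:
            return self.prefixes  # keep the last good list if the file vanished
        if mtime != self.mtime:
            with open(self.path, encoding="utf-8") as fh:
                self.prefixes = parse_mirror_list(fh.read())
            self.mtime = mtime
        return self.prefixes


def serve(list_path, stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop: one escaped %URL per input line, one OK/ERR per reply."""
    mirrors = MirrorList(list_path)
    for line in stdin:
        fields = line.split()
        url = unquote(fields[0]) if fields else ""  # undo Squid's escaping
        stdout.write(decide(url, mirrors.current()) + "\n")
        stdout.flush()  # Squid waits for each reply; never leave it buffered


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else "/var/lib/squid/mirrors.txt")
```

Because `decide()` is a pure function of the URL and the prefix set, it can be unit-tested without Squid; `serve()` only adds the stdin/stdout framing. The `ttl=` on the external_acl_type caches "OK" answers inside Squid, so the per-transaction cost Alex mentions is paid once per URL per ttl rather than on every request.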


Re: [squid-users] Free Squid helper for dynamic content caching

2017-03-22 Thread Eduardo Carneiro
I have been using this helper for a while. It works very well.
Congratulations!

But I noticed that after squid 3.5.19, this helper doesn't work anymore. Is
this a known problem? Is there any way to fix this?

Best regards.
Eduardo Carneiro





[squid-users] Skype via squid

2017-03-22 Thread Heiler Bemerguy


Hi dude,

I've noticed our users are being blocked by a rule which prevents 
CONNECTs to IP addresses instead of FQDN.


What puzzles me is WHY skype is trying to connect to IPs even after 
connecting to FQDNs.. ? Has anyone noticed this? Any workaround apart 
from whitelisting Microsoft IPs.. ???


LOG:

1490189501.442 879 10.32.3.102 TCP_TUNNEL/200 8797 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.96 -
1490189502.241 740 10.32.3.102 TCP_TUNNEL/200 6160 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189503.017 741 10.32.3.102 TCP_TUNNEL/200 13808 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189510.193 729 10.32.3.102 TCP_TUNNEL/200 8784 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189511.068 779 10.32.3.102 TCP_TUNNEL/200 6160 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189512.162 763 10.32.3.102 TCP_TUNNEL/200 7376 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189512.216 816 10.32.3.102 TCP_TUNNEL/200 7376 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.68 -
1490189517.077 1 10.32.3.102 NONE/503 0 CONNECT 157.55.130.146:443 - HIER_NONE/- -
1490189525.321 1 10.32.3.102 NONE/503 0 CONNECT 64.4.23.160:443 - HIER_NONE/- -
1490189526.333 1 10.32.3.102 NONE/503 0 CONNECT 111.221.77.165:443 - HIER_NONE/- -
1490189527.345 1 10.32.3.102 NONE/503 0 CONNECT 157.55.130.144:443 - HIER_NONE/- -
1490189528.354 1 10.32.3.102 NONE/503 0 CONNECT 111.221.77.149:443 - HIER_NONE/- -
1490189529.368 1 10.32.3.102 NONE/503 0 CONNECT 157.55.235.164:443 - HIER_NONE/- -
1490189531.375 1 10.32.3.102 NONE/503 0 CONNECT 157.56.52.20:443 - HIER_NONE/- -
1490189532.385 1 10.32.3.102 NONE/503 0 CONNECT 65.55.223.31:443 - HIER_NONE/- -
1490189533.393 1 10.32.3.102 NONE/503 0 CONNECT 157.56.52.21:443 - HIER_NONE/- -



--
Atenciosamente / Best Regards,

Heiler Bemerguy
Network Manager - CINBESA
55 91 98151-4894/3184-1751

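The rule Heiler's users are hitting, and the regex ACL Amos refers to, both key on one thing: a CONNECT request whose target is an IP literal rather than a name. The log above shows exactly that pattern (named CONNECTs that succeed, then raw-IP CONNECTs answered 503). The script below is an added example for this thread, not code from the list or from the Squid wiki; it parses Squid native-format access.log lines, classifies each CONNECT target as name or IP literal (IPv4 and bracketed IPv6), and reports per client how many of each it saw and which raw-IP CONNECTs were denied. That is the check an administrator runs to see who is tripping the rule before deciding whether to carve out an exception. The sample input is a few of Heiler's lines plus one constructed IPv6 entry and one constructed non-CONNECT request; the IPv4 regex is written here as an assumption about the shape of such an ACL, not copied from the wiki.

```python
"""Classify CONNECT targets in Squid native access.log lines.

Added example for the Skype thread; not code from the list or the Squid wiki.
Native format fields: time elapsed client code/status bytes method URL
rfc931 peerstatus/peerhost type.
"""
import ipaddress
import re
from collections import Counter

# Sample log: lines taken from Heiler's message, plus one constructed IPv6
# CONNECT and one constructed plain GET so both branches are exercised.
SAMPLE_LOG = """\
1490189501.442 879 10.32.3.102 TCP_TUNNEL/200 8797 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.96 -
1490189512.216 816 10.32.3.102 TCP_TUNNEL/200 7376 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.68 -
1490189517.077 1 10.32.3.102 NONE/503 0 CONNECT 157.55.130.146:443 - HIER_NONE/- -
1490189525.321 1 10.32.3.102 NONE/503 0 CONNECT 64.4.23.160:443 - HIER_NONE/- -
1490189526.333 1 10.32.3.102 NONE/503 0 CONNECT 111.221.77.165:443 - HIER_NONE/- -
1490189530.000 1 10.32.3.102 NONE/503 0 CONNECT [2001:db8::1]:443 - HIER_NONE/- -
1490189531.000 2 10.32.3.103 TCP_MISS/200 512 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)\s*$"
)

# The shape of an "IPv4 literal CONNECT target" regex ACL (an assumption,
# not the wiki's exact expression). Note it cannot see bracketed IPv6.
IPV4_LITERAL_URL_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}:\d+$")


def parse_native_line(line):
    """Return the line's fields as a dict, or None if it is not native format."""
    m = NATIVE_RE.match(line)
    return m.groupdict() if m else None


def split_connect_target(url):
    """'host:port' or '[v6]:port' -> (host, port); None if malformed."""
    if url.startswith("["):
        end = url.find("]")
        if end < 0 or not url[end + 1:].startswith(":"):
            return None
        return url[1:end], url[end + 2:]
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, port


def is_ip_literal(host):
    """True for any textual IPv4/IPv6 address, False for a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """'fqdn', 'ip-literal', 'other' (non-CONNECT or malformed) or None."""
    rec = parse_native_line(line)
    if rec is None:
        return None
    if rec["method"] != "CONNECT":
        return "other"
    target = split_connect_target(rec["url"])
    if target is None:
        return "other"
    return "ip-literal" if is_ip_literal(target[0]) else "fqdn"


def summarize(log_text):
    """Per-client counts of CONNECT target kinds, plus denied IP-literal CONNECTs."""
    per_client = {}
    denied = []
    for line in log_text.splitlines():
        rec = parse_native_line(line)
        kind = classify(line)
        if rec is None or kind is None:
            continue
        per_client.setdefault(rec["client"], Counter())[kind] += 1
        if kind == "ip-literal" and rec["status"] == "503":
            denied.append((rec["client"], rec["url"]))
    return {"per_client": per_client, "denied_ip_literal_connects": denied}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for client, counts in sorted(report["per_client"].items()):
        print(client, dict(counts))
    for client, url in report["denied_ip_literal_connects"]:
        print("denied raw-IP CONNECT:", client, url)
```

Two points worth noticing when reading the output: the IPv6 line is an IP literal that the IPv4-only regex does not match, which is why the classifier uses `ipaddress` rather than a regex for the decision, and the per-client counter shows the name-then-IP sequence Amos describes as a single client's behaviour rather than unrelated hits.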


Re: [squid-users] URL list from a URL

2017-03-22 Thread Alex Rousskov
On 03/21/2017 06:17 PM, Eliezer Croitoru wrote:
> The current StoreID helper can be converted pretty fast into what he needs.

Jason needs to block access. How can a [converted] StoreID helper block
access without becoming an external_acl helper?

Alex.

> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Alex Rousskov
> Sent: Tuesday, March 21, 2017 11:43 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] URL list from a URL
> 
> On 03/21/2017 02:30 PM, Jason B. Nance wrote:
> 
>> I should have mentioned that I'm not caching, I'm only using Squid
>> for whitelisting in this case.  Would you still say this is the right
>> path? 
> 
> No. You probably have two better options:
> 
> 1. Use a file with list of mirror URLs as an ACL parameter. Write a
> script that updates that file and reconfigures Squid as needed. Please
> keep in mind that Squid reconfiguration is currently a relatively
> heavy/intrusive operation, even if there were not changes except for
> that single ACL.
> 
> 2. Write an external_acl helper that will consult the mirror list. This
> will make each HTTP transaction a little slower (because it needs to go
> to the helper) but eliminates reconfigurations. The helper itself or
> some other script will still need to update the mirror list as needed,
> of course.
> 
> 
> HTH,
> 
> Alex.
> 
> 
> 
> 
>>> Hello,
>>>
>>> I'm using Squid 3.5.20 and wonder if it is possible to define an ACL which 
>>> retrieves the list of URLs from another URL (similar to pointing to a 
>>> file).  In this specific use case it is to allow a Foreman server to sync 
>>> Yum content from the CentOS mirrors.  I tell Foreman to use the following 
>>> URL:
>>>
>>> http://mirrorlist.centos.org/?release=7=x86_64=updates
>>>
>>> Which returns a list of URLs, such as:
>>>
>>> http://repo1.dal.innoscale.net/centos/7.3.1611/updates/x86_64/
>>> http://linux.mirrors.es.net/centos/7.3.1611/updates/x86_64/
>>> http://reflector.westga.edu/repos/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.jax.hugeserver.com/centos/7.3.1611/updates/x86_64/
>>> http://ftp.linux.ncsu.edu/pub/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.nexcess.net/CentOS/7.3.1611/updates/x86_64/
>>> http://mirror.web-ster.com/centos/7.3.1611/updates/x86_64/
>>> http://centos.host-engine.com/7.3.1611/updates/x86_64/
>>> http://mirror.raystedman.net/centos/7.3.1611/updates/x86_64/
>>> http://mirror.linux.duke.edu/pub/centos/7.3.1611/updates/x86_64/
>>>
>>> Foreman then starts a new HTTP connection (not a redirect) to attempt to 
>>> connect to those in turn until it works.
>>>
>>> So I would like to configure Squid to allow the Foreman server access to 
>>> any of those URLs (the list changes somewhat often).
>>>
>>> I started to go down the external_acl_type but am wondering if I'm missing 
>>> something obvious.
> 
> 



Re: [squid-users] Squid blocking own OCSP/AIA requests

2017-03-22 Thread Markus Wernig
Small update:

- The URL http://apps.identrust.com/roots/dstrootcax3.p7c is not the
OCSP responder, but the AIA for the Root CA (DST Root CA X3) embedded in
the issuing CA's certificate's CA Issuers.
- Same for
http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE:
AIA for Root CA.

Since squid is sslbumping the connection, it must be doing the AIA
lookups (presumably for SSL verification). Does anybody have an idea why
it is blocking its own requests?

Best /markus

On 03/21/2017 11:35 AM, Markus Wernig wrote:
> Hi all
> 
> I have configured Squid 4.0.18 (CentOS) with sslbump and clamav as
> ecap_service. This works well.
> 
> One thing I've noticed though, are constant log entries like this in
> access.log:
> 
> 2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET
> http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_NONE/-
> text/html;charset=utf-8 -
> 2017-03-21 10:35:08.345 +0100 000161 10.254.254.2 NONE/200 0 CONNECT
> letsencrypt.org:443 - HIER_DIRECT/letsencrypt.org - -
> 
> It appears that this is the OCSP URI for Letsencrypt certificates.
> 
> And in fact every time this is logged, a CONNECT to a https uri is
> logged that is using a Letsencrypt certificate (like eg.
> https://letsencrypt.org).
> 
> Given that there is no client IP logged, I assume that squid is blocking
> its own outgoing OCSP request here (the browser is configured to NOT use
> OCSP).
> 
> The same seems to happen when there's no OCSP URI, but a regular AIA URI
> in the certificate:
> 
> 2017-03-21 10:36:19.773 +0100 00 - TCP_DENIED/403 3734 GET
> http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE
> - HIER_NONE/- text/html;charset=utf-8 -
> 2017-03-21 10:36:19.782 +0100 38 10.254.254.2 NONE/200 0 CONNECT
> swisssign.net:443 - HIER_DIRECT/swisssign.net - -
> 
> I do have "http_access allow localhost" in squid.conf, but since there's
> no IP associated with the request, this does not seem to help.
> 
> Is there a way to allow these outgoing internal requests? I've looked
> through the FAQ and wiki, but couldn't find anything on the topic.
> 
> Thanks & best
> 
> /markus
> 


-- 
Markus Wernig
Unix/Network Security Engineer
PGP: D9203D2A4AD9FCDEEF9DF7ACC6208E82E4DC
SIP/XMPP: mar...@wernig.net
Furch D25-SR Cut - Ovation CE C2078AX-5
-
http://xfer.ch - http://markus.wernig.net
-




Re: [squid-users] Squid Transparent/intercept Issues

2017-03-22 Thread Antony Stone
On Wednesday 22 March 2017 at 11:59:14, christian brendan wrote:

> One more thing,
> Does this imply using two NICs (Network Interface Cards)?

No, this is not necessary.

> And the squid server has to be in-between clients and the internet?

That is the simpler way of doing it (in which case you would want two NICs, 
yes).

Basically your choices are:

1. Put the Squid server in the route between clients and the Internet (so, it 
has two NICs, each with an address on different networks), and an IPtables 
REDIRECT rule to send port 80 & 443 traffic to Squid.

2. Put your Squid server (with one NIC) wherever you like, having just a 
single IP address (and able to route to the Internet), and use policy routing 
on your Mikrotik router to send any packets from clients heading for port 80 & 
443 out on the Internet, to the Squid server instead (without doing DNAT and 
changing the destination address).  You still need the REDIRECT rule on the 
Squid server, and you must ensure that when Squid then makes its own request 
out to the Internet, that goes out, and does not get intercepted by the 
Mikrotik and sent back to Squid again :)


Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of 
inflation was decreasing.   This was the first time a sitting president used a 
third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Squid Transparent/intercept Issues

2017-03-22 Thread christian brendan
One more thing,
Does this imply using two NICs (Network Interface Cards)?
And the squid server has to be in-between clients and the internet?

Regards




On Tue, Mar 21, 2017 at 5:29 PM, christian brendan <bosscb.chrisb...@gmail.com> wrote:

> Thanks a lot for the information.
> I will try this and give feedback.
> Best Regards
>
> On Tue, Mar 21, 2017 at 1:00 PM,  squid-cache.org> wrote:
>
>> Message: 1
>> Date: Tue, 21 Mar 2017 12:12:01 +0100
>> From: Antony Stone 
>> To: squid-users@lists.squid-cache.org
>> Subject: Re: [squid-users] Squid Transparent/intercept Issues
>> Message-ID: <201703211212.01346.antony.st...@squid.open.source.it>
>> Content-Type: Text/Plain;  charset="utf-8"
>>
>> On Tuesday 21 March 2017 at 12:00:05, christian brendan wrote:
>>
>> > > Today's Topics:
>> > >1. Re: Squid Transparent/intercept Issues (Antony Stone)
>> > >2. Re: SMP and AUFS (Matus UHLAR - fantomas)
>> > >3. Re: SMP and AUFS (Alex Rousskov)
>> > >4. Re: squid workers question (Alex Rousskov)
>> > >5. Re: squid workers question (Matus UHLAR - fantomas)
>> > >6. Re: SSL Bump issues (Alex Rousskov)
>> > >7. blocking or allowing specific youtube videos (Sohan Wijetunga)
>>
>> Please edit your reply when responding to a digest email, deleting everything
>> not specific to your question.
>>
>> > > Date: Mon, 20 Mar 2017 16:56:17 +0100
>> > > From: Antony Stone
>> > > To: squid-users@lists.squid-cache.org
>> > > Subject: Re: [squid-users] Squid Transparent/intercept Issues
>> > >
>> > > On Monday 20 March 2017 at 16:26:40, christian brendan wrote:
>> > > > Hello Everyone,
>> > > >
>> > > > Squid Cache: Version 3.5.20
>> > > > OS: CentOS 7
>> > > >
>> > > > I have used squid for quite some time non-transparently and it works;
>> > > > the problem kicks in when "http_port 3128 transparent" is enabled.
>> > > > An access denied error page shows up when transparent is enabled:
>> > > > ERROR: The requested URL could not be retrieved
>> > >
>> > > How are you getting the packets to the Squid server for interception?
>> > >
>> > > Is the Squid server in the default route between your clients and the
>> > > Internet, or are you redirecting the packets to the Squid server somehow?
>> > >
>> > > Please give *details* of how you are intercepting and sending the packets
>> > > to Squid (eg: iptables rules, and which machine/s the rules are running
>> > > on).
>> > >
>> > >
>> > > Antony.
>>
>> > @Antony.Stone
>> > 1. I am using mikrotik routerboard to redirect traffic, with this rule:
>> > add action=dst-nat chain=dstnat comment="Redirect port 80 to SquidProxy" \
>> >     dst-port=80 protocol=tcp src-address=10.24.7.100 \
>> >     to-addresses=10.24.7.101 to-ports=3128
>>
>> Okay, so there's your problem, then.
>>
>> You must not use DSTNAT on a separate router to send packets to Squid for
>> intercept.
>>
>> (This used to work in older versions of Squid, but does not work any more and
>> is documented on the wiki, for example at
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat )
>>
>> Note the wording: "NOTE: This configuration is given for use on the squid box."
>> That means the NAT rules *must* be running on the Squid box itself and not (in
>> your case) on the Mikrotik router.
>>
>> > 3. It is not in the default route; packets are being redirected.
>>
>> In that case you need to use policy routing to get the packets *unchanged* to
>> the Squid box - see the above link, and also
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>
>> > 4. There are no iptables rules; the firewall is disabled for this test.
>>
>> You have to have a REDIRECT rule on the machine running Squid to get it to see
>> the packets (once they are no longer being DNATted).
>>
>> Please try to follow the guidelines at
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat and
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute and
>> then come back to us with details of what you've tried, if there are still
>> problems.
>>
>>
>> Regards,
>>
>>
>> Antony.
>>
>> --
>> A user interface is like a joke.
>> If you have to explain it, it didn't work.
>>
>>