Re: [squid-users] Office 365 Support for Squid Proxy

2017-06-14 Thread Blason R
I am thinking of putting it in forwarding-only mode. And this being Office 365, I
don't see any reason for ssl-bump since I do have another device for handling
web traffic.

On Tue, Jun 13, 2017, 12:41 AM Eliezer Croitoru wrote:

> The main question is if it uses websockets or not and if you are using
> SSL-BUMP or not.
> If you are using SSL-BUMP it's one thing while if you are not it’s another
> story.
> Also it will be different if you are using the proxy in INTERCEPT mode or
> a regular forward proxy mode.
> We would be able to answer you more with more details on your setup.
>
> Eliezer
>
> 
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Blason R
> Sent: Monday, June 12, 2017 12:05 PM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Office 365 Support for Squid Proxy
>
> Hello All,
>
> If someone can confirm if squid can very well work with Office 365? If
> anyone has any documentation can someone please forward that to me? I do
> have almost around 400 Office 365 users hence wanted to know what
> configuration I might need for Office 365 traffic?
>
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Introducing Charcoal - Centralised URL Filter for squid

2017-06-14 Thread Eliezer Croitoru
Hey Nishant,

I want to offer you a more advanced helper that supports actual concurrency 
compared to the current perl helper on github,
which understands the protocol but does not use threads or any other method of 
concurrency.

Let me know if it's of any interest for you.
The skeleton is at:
http://wiki.squid-cache.org/EliezerCroitoru/GolangFakeHelper

I am willing to take my time and write the code for you. So..

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Nishant Sharma
Sent: Wednesday, June 14, 2017 1:37 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Introducing Charcoal - Centralised URL Filter for squid

Hi,

We are excited to invite early users to test drive Charcoal
(http://charcoal.io) - a Squid URL Rewriter for distributed proxies.

Charcoal is designed to help administrators manage access rules for the proxies 
at just one place with a GUI, instead of editing configuration of individual 
proxy servers.

It has come out of our need of managing ACLs for 100+ proxy servers on embedded 
devices (OpenWRT/LEDE) running at our customer offices across the geography of 
India. We are releasing it in the hope that it will be useful for Squid users 
who have to manage multiple proxy servers everyday.

The architecture is API key driven client-server, where a squid url-rewrite 
helper contacts server to query access controls for the incoming requests.

Current features:
-----------------
- Supports Squid 2.x and 3.x
- 70+ pre-existing domains blacklist
- Custom destination groups/categories
- Custom source groups for IPs and Networks (usernames in the pipeline)
- As of now only domain filter support (no full url filtering)
- API key driven

Configuration:
--------------
- Download the helper from
https://raw.githubusercontent.com/Hopbox/charcoal-helper/master/squid/charcoal-helper.pl.
- Make sure IO::Socket module for Perl is installed.
- Add following lines to squid.conf after downloading the helper:

url_rewrite_program /path/to/charcoal-helper.pl YOUR_API_KEY 
url_rewrite_children X startup=Y idle=Z concurrency=1

YOUR_API_KEY for our hosted Charcoal service can be requested by filling in the 
form at http://charcoal.io or writing in to charc...@hopbox.in. 
The credentials for login to https://active.charcoal.io to manage the ACL will 
be emailed along with YOUR_API_KEY.

License:

URL Rewrite helper for squid is licensed under GPLv2.0 while Charcoal Server is 
licensed under AGPLv3.0.

GIT Repo:
---------
Squid URL Rewrite helper can be downloaded from 
https://github.com/Hopbox/charcoal-helper

Git repository for Charcoal Server is at https://github.com/Hopbox/charcoal

Regards,
Nishant
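
A sketch of the kind of concurrent url_rewrite helper discussed in this thread, added here as an example; it is not the Charcoal helper and not the code from the GolangFakeHelper skeleton. It assumes Squid 3.4 or later reply syntax (OK/ERR/BH with key=value pairs) and a concurrency setting that makes Squid prefix each request with a channel-ID. The in-memory deny list stands in for the query to the Charcoal server, and blockURL is a placeholder.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/url"
	"os"
	"strings"
	"sync"
)

const blockURL = "http://block.example.invalid/denied" // placeholder block page

// hostOf returns the lowercase host of a URL or of a CONNECT "host:port" target.
func hostOf(raw string) string {
	if u, err := url.Parse(raw); err == nil && u.Host != "" {
		raw = u.Hostname()
	} else if h, _, err := net.SplitHostPort(raw); err == nil {
		raw = h
	}
	return strings.ToLower(strings.TrimSuffix(raw, "."))
}

// blocked matches on label boundaries: "ads.example" covers "x.ads.example", not "notads.example".
func blocked(host string, deny map[string]bool) bool {
	for h := host; h != ""; _, h, _ = strings.Cut(h, ".") {
		if deny[h] {
			return true
		}
	}
	return false
}

// answer maps "channel-ID URL [extras]" to a reply carrying the same channel-ID.
func answer(line string, deny map[string]bool) string {
	f := strings.Fields(line)
	if len(f) < 2 {
		return strings.Join(append(f, `BH message="malformed request"`), " ")
	}
	if blocked(hostOf(f[1]), deny) {
		return fmt.Sprintf("%s OK status=302 url=%q", f[0], blockURL)
	}
	return f[0] + " ERR" // ERR: leave the URL unchanged
}

// serve answers each line in its own goroutine; Squid pairs replies by channel-ID, so order is free.
func serve(in io.Reader, out io.Writer, deny map[string]bool) {
	var wg sync.WaitGroup
	var mu sync.Mutex // serialises writes so reply lines never interleave
	for sc := bufio.NewScanner(in); sc.Scan(); {
		wg.Add(1)
		go func(line string) {
			defer wg.Done()
			r := answer(line, deny) // a remote policy lookup would overlap here
			mu.Lock()
			defer mu.Unlock()
			fmt.Fprintln(out, r)
		}(sc.Text())
	}
	wg.Wait()
}

func main() { serve(os.Stdin, os.Stdout, map[string]bool{"ads.example": true}) }
```

Note that ERR lets the request through unchanged, so a helper that answers ERR when its policy lookup fails is failing open; BH reports the failure to Squid instead.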


Re: [squid-users] Introducing Charcoal - Centralised URL Filter for squid

2017-06-14 Thread Nishant Sharma

Hi Benjamin,

On Wednesday 14 June 2017 08:22 PM, Benjamin E. Nichols wrote:
> This sounds great, and would you mind specifying the source of the
> blacklist data at the core of your services?
>
> In other words, what I dare ask you is this, and I'm sure others might
> want to know, are you using the blacklists from shalla, UT1, or
> urlblacklist? Or have you developed your own domain management technology?

Thanks for the kind words.

For the test run, we are using Shalla.

I understand that quality of blacklists matters. It is also possible to 
mix-match multiple blacklists and that should be the ideal scenario with 
most of the bases covered. And that depends on the user-base and the 
financial aspects of sourcing the blacklists.


Right now, our first priority is to fix a handful of bugs reported just 
after the announcement.


Thanks & Regards,
Nishant


Re: [squid-users] Introducing Charcoal - Centralised URL Filter for squid

2017-06-14 Thread Benjamin E. Nichols
This sounds great, and would you mind specifying the source of the 
blacklist data at the core of your services?


In other words, what I dare ask you is this, and I'm sure others might 
want to know, are you using the blacklists from shalla, UT1, or 
urlblacklist? Or have you developed your own domain management technology?



--
Signed,

Benjamin E. Nichols

http://www.squidblacklist.org


On 6/14/2017 5:36 AM, Nishant Sharma wrote:

Hi,

We are excited to invite early users to test drive Charcoal 
(http://charcoal.io) - a Squid URL Rewriter for distributed proxies.


Charcoal is designed to help administrators manage access rules for 
the proxies at just one place with a GUI, instead of editing 
configuration of individual proxy servers.


It has come out of our need of managing ACLs for 100+ proxy servers on 
embedded devices (OpenWRT/LEDE) running at our customer offices across 
the geography of India. We are releasing it in the hope that it will 
be useful for Squid users who have to manage multiple proxy servers 
everyday.


The architecture is API key driven client-server, where a squid 
url-rewrite helper contacts server to query access controls for the 
incoming requests.


Current features:
-----------------
- Supports Squid 2.x and 3.x
- 70+ pre-existing domains blacklist
- Custom destination groups/categories
- Custom source groups for IPs and Networks (usernames in the pipeline)
- As of now only domain filter support (no full url filtering)
- API key driven

Configuration:
--------------
- Download the helper from 
https://raw.githubusercontent.com/Hopbox/charcoal-helper/master/squid/charcoal-helper.pl.

- Make sure IO::Socket module for Perl is installed.
- Add following lines to squid.conf after downloading the helper:

url_rewrite_program /path/to/charcoal-helper.pl YOUR_API_KEY
url_rewrite_children X startup=Y idle=Z concurrency=1

YOUR_API_KEY for our hosted Charcoal service can be requested by 
filling in the form at http://charcoal.io or writing in to 
charc...@hopbox.in. The credentials for login to 
https://active.charcoal.io to manage the ACL will be emailed along 
with YOUR_API_KEY.


License:

URL Rewrite helper for squid is licensed under GPLv2.0 while Charcoal 
Server is licensed under AGPLv3.0.


GIT Repo:
---------
Squid URL Rewrite helper can be downloaded from 
https://github.com/Hopbox/charcoal-helper


Git repository for Charcoal Server is at 
https://github.com/Hopbox/charcoal


Regards,
Nishant


Re: [squid-users] cacheable object dose not match

2017-06-14 Thread Amos Jeffries

On 14/06/17 02:11, joseph wrote:

>> No. The cache file contains a TLV structure of metadata followed by the
>
> right  but so it should be a TLV binary and after that ??  HTTP/1.1 200 OK
> which is text clear or anything between them as this  -->>
> accept-encodingHTTP/1.1 200 OK
> accept-encoding and status line  on one line also
>
> 1 accept-encoding should be before status line ??
> 2 they should be  on one line  without  cr ??

The "accept-encoding" you see there is part of the metadata TLV for the 
"Vary" header. The letter "H" is the actual start of the ASCII portion 
of the file.

> so i need to know before reporting bug tks


I suggest you investigate the file(s) with the squid-purge and/or 
ufsdump tools. Both of those should be able to identify and validate the 
UFS/AUFS/diskd cache file contents for you in an easier to read format - 
such as displaying what the binary parts mean.


Amos



Re: [squid-users] Squid Transparent HTTP Proxy - 2 ETH Links - HTTP Proxy

2017-06-14 Thread Antony Stone
On Wednesday 14 June 2017 16:58:01 Eliezer  Croitoru wrote:

> It depends on the equipment..
> What you should do is to use the switch to pass all traffic to the squid mac
> address and mirror all traffic to the probe node.

http://wiki.squid-cache.org/ConfigExamples/#Interception may give you some 
useful guidelines, depending on what your equipment is.

Alternatively you could do policy routing on the "Core Router", giving the 
internal IP address of the Squid server as the gateway for HTTP/S traffic, and 
then you do the standard Intercept NAT on the Squid machine so that it gets 
processed.

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

Squid then has the "Internet Router" as its gateway to the outside.

The important thing is *not* to do any Destination NAT on traffic to try to get 
it to hit the Squid box.  The destination IPs of the packets must remain 
unchanged (ie: wherever they were trying to get to on the Internet).


Regards,


Antony.

> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Norbert Naveen
> Sent: Wednesday, June 14, 2017 4:30 PM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Squid Transparent HTTP Proxy - 2 ETH Links - HTTP
> Proxy
> 
> Hello Admins ,
> 
> Pls refer to the Image as in
> 
> https://drive.google.com/open?id=0B_dDVNpzSGEKZmFPWHFLWlJJMUU
> 
> The Setup will be as attached  in URL Above …
> Server which will Host Squid will have Two Interfaces with 2 Different VLAN
> Tags
> Content Inspection Engine will REROUTE all HTTP Traffic Through the Links
> coming to Squid Server .
> Squid Server has to act as TRANSPARENT PROXY
> 
> One Possible way of doing it IP tables and Masquerading SRC IP
> But … Without Changing Src or Dst IP address . How to achieve the same ?
> 
> ALL HTTP Traffic will be forward from 1 to 2 and Squid will be in between
> We will have to Forward all traffic on 1 to 2 .. ?

-- 
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.

   Please reply to the list;
 please *don't* CC me.



Re: [squid-users] Squid Transparent HTTP Proxy - 2 ETH Links - HTTP Proxy

2017-06-14 Thread Eliezer Croitoru
It depends on the equipment..
What you should do is to use the switch to pass all traffic to the squid mac
address and mirror all traffic to the probe node.
What switch do you have there?

Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
Behalf Of Norbert Naveen
Sent: Wednesday, June 14, 2017 4:30 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid Transparent HTTP Proxy - 2 ETH Links - HTTP
Proxy

Hello Admins , 

Pls refer to the Image as in 

https://drive.google.com/open?id=0B_dDVNpzSGEKZmFPWHFLWlJJMUU

The Setup will be as attached  in URL Above … 
Server which will Host Squid will have Two Interfaces with 2 Different VLAN
Tags 
Content Inspection Engine will REROUTE all HTTP Traffic Through the Links
coming to Squid Server . 
Squid Server has to act as TRANSPARENT PROXY

One Possible way of doing it IP tables and Masquerading SRC IP 
But … Without Changing Src or Dst IP address . How to achieve the same ? 

ALL HTTP Traffic will be forward from 1 to 2 and Squid will be in between 
We will have to Forward all traffic on 1 to 2 .. ?


Thanks 
Naveen




[squid-users] Squid Transparent HTTP Proxy - 2 ETH Links - HTTP Proxy

2017-06-14 Thread Norbert Naveen
Hello Admins,

Pls refer to the Image as in

https://drive.google.com/open?id=0B_dDVNpzSGEKZmFPWHFLWlJJMUU

The Setup will be as attached in URL Above …
Server which will Host Squid will have Two Interfaces with 2 Different VLAN
Tags
Content Inspection Engine will REROUTE all HTTP Traffic Through the Links
coming to Squid Server.
Squid Server has to act as TRANSPARENT PROXY

One Possible way of doing it IP tables and Masquerading SRC IP
But … Without Changing Src or Dst IP address. How to achieve the same?

ALL HTTP Traffic will be forward from 1 to 2 and Squid will be in between
We will have to Forward all traffic on 1 to 2 .. ?

Thanks
Naveen




Re: [squid-users] source spoofing without tproxy?

2017-06-14 Thread Yuri
Nice shoot, Eliezer :-D


14.06.2017 19:28, Eliezer Croitoru wrote:
> Rephrase the "cheap nationally" into "cheat internationally".
>
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Eliezer Croitoru
> Sent: Wednesday, June 14, 2017 11:09 AM
> To: 'David Kewley' ; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] source spoofing without tproxy?
>
> Hey,
>
> This is a library I wrote that uses tproxy:
> https://github.com/elico/go-linux-tproxy
>
> It’s doable using some enthusiasm but technically you cannot spoof just any 
> IP since you need to be able to receive back this traffic.
> You cannot really "cheap nationally" the BGP protocol but only for specific 
> small areas which are all under your "domain" and management.
>
> All The Bests,
> Eliezer
>
> 
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of David Kewley
> Sent: Tuesday, June 13, 2017 4:48 AM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] source spoofing without tproxy?
>
> I want my clients to explicitly address squid as a proxy (not use tproxy), 
> but have squid spoof the source addresses in the forwarded connection, so 
> that further hops know the original source address from the IPv4 headers.
>
> I could find no indication that anyone else has done this, and when I tried 
> various things, I could not get it working.
>
> Is this possible today? If not, is it worth considering as a future feature? 
> Or am I overlooking a reason that this cannot work even in theory?
>
> I got the nearly-equivalent functionality working for reverse proxying using 
> nginx, but so far I've found no way to do it with forward proxying. Nginx 
> doesn't do https forward proxying (no handling of CONNECT).
>
> If squid can't do what I'm looking for today, I would welcome pointers to 
> other possible approaches.
>
> Thanks,
> David
>


[squid-users] Introducing Charcoal - Centralised URL Filter for squid

2017-06-14 Thread Nishant Sharma

Hi,

We are excited to invite early users to test drive Charcoal 
(http://charcoal.io) - a Squid URL Rewriter for distributed proxies.


Charcoal is designed to help administrators manage access rules for the 
proxies at just one place with a GUI, instead of editing configuration 
of individual proxy servers.


It has come out of our need of managing ACLs for 100+ proxy servers on 
embedded devices (OpenWRT/LEDE) running at our customer offices across 
the geography of India. We are releasing it in the hope that it will be 
useful for Squid users who have to manage multiple proxy servers everyday.


The architecture is API key driven client-server, where a squid 
url-rewrite helper contacts server to query access controls for the 
incoming requests.


Current features:
-----------------
- Supports Squid 2.x and 3.x
- 70+ pre-existing domains blacklist
- Custom destination groups/categories
- Custom source groups for IPs and Networks (usernames in the pipeline)
- As of now only domain filter support (no full url filtering)
- API key driven

Configuration:
--------------
- Download the helper from 
https://raw.githubusercontent.com/Hopbox/charcoal-helper/master/squid/charcoal-helper.pl.

- Make sure IO::Socket module for Perl is installed.
- Add following lines to squid.conf after downloading the helper:

url_rewrite_program /path/to/charcoal-helper.pl YOUR_API_KEY
url_rewrite_children X startup=Y idle=Z concurrency=1

YOUR_API_KEY for our hosted Charcoal service can be requested by filling 
in the form at http://charcoal.io or writing in to charc...@hopbox.in. 
The credentials for login to https://active.charcoal.io to manage the 
ACL will be emailed along with YOUR_API_KEY.


License:

URL Rewrite helper for squid is licensed under GPLv2.0 while Charcoal 
Server is licensed under AGPLv3.0.


GIT Repo:
---------
Squid URL Rewrite helper can be downloaded from 
https://github.com/Hopbox/charcoal-helper


Git repository for Charcoal Server is at https://github.com/Hopbox/charcoal

Regards,
Nishant


Re: [squid-users] source spoofing without tproxy?

2017-06-14 Thread Eliezer Croitoru
Hey,

This is a library I wrote that uses tproxy:
https://github.com/elico/go-linux-tproxy

It’s doable using some enthusiasm but technically you cannot spoof just any IP 
since you need to be able to receive back this traffic.
You cannot really "cheap nationally" the BGP protocol but only for specific 
small areas which are all under your "domain" and management.

All The Bests,
Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of David Kewley
Sent: Tuesday, June 13, 2017 4:48 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] source spoofing without tproxy?

I want my clients to explicitly address squid as a proxy (not use tproxy), but 
have squid spoof the source addresses in the forwarded connection, so that 
further hops know the original source address from the IPv4 headers.

I could find no indication that anyone else has done this, and when I tried 
various things, I could not get it working.

Is this possible today? If not, is it worth considering as a future feature? Or 
am I overlooking a reason that this cannot work even in theory?

I got the nearly-equivalent functionality working for reverse proxying using 
nginx, but so far I've found no way to do it with forward proxying. Nginx 
doesn't do https forward proxying (no handling of CONNECT).

If squid can't do what I'm looking for today, I would welcome pointers to other 
possible approaches.

Thanks,
David
