Re: [squid-users] Office 365 Support for Squid Proxy
I am thinking to put it in forwarding only mode. And being a office 365 I don't see any reason for ssl-bump since I do have other device for handling web traffic.

On Tue, Jun 13, 2017, 12:41 AM Eliezer Croitoru wrote:

> The main question is if it uses websockets or not and if you are using
> SSL-BUMP or not.
> If you are using SSL-BUMP it's one thing while if you are not it’s another
> story.
> Also it will be different if you are using the proxy in INTERCEPT mode or
> a regular forward proxy mode.
> We would be able to answer you more with more details on your setup.
>
> Eliezer
>
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Blason R
> Sent: Monday, June 12, 2017 12:05 PM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Office 365 Support for Squid Proxy
>
> Hello All,
>
> If someone can confirm if squid can very well work with Office 365? If
> anyone has any documentation can someone please forward that to me? I do
> have almost around 400 Office 365 users hence wanted to know what
> configuration I might need for Office 365 traffic?

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Introducing Charcoal - Centralised URL Filter for squid
Hey Nishant,

I want to offer you a more advanced helper that supports actual concurrency compared to the current perl helper on github, which understands the protocol but does not use threads or any other method of concurrency.
Let me know if it's of any interest for you.
The skeleton is at:
http://wiki.squid-cache.org/EliezerCroitoru/GolangFakeHelper

I am willing to take my time and write the code for you.

So..
Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Nishant Sharma
Sent: Wednesday, June 14, 2017 1:37 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Introducing Charcoal - Centralised URL Filter for squid

Hi,

We are excited to invite early users to test drive Charcoal (http://charcoal.io) - a Squid URL Rewriter for distributed proxies.

Charcoal is designed to help administrators manage access rules for the proxies at just one place with a GUI, instead of editing configuration of individual proxy servers. It has come out of our need of managing ACLs for 100+ proxy servers on embedded devices (OpenWRT/LEDE) running at our customer offices across the geography of India.

We are releasing it in the hope that it will be useful for Squid users who have to manage multiple proxy servers everyday.

The architecture is API key driven client-server, where a squid url-rewrite helper contacts server to query access controls for the incoming requests.

Current features:

- Supports Squid 2.x and 3.x
- 70+ pre-existing domains blacklist
- Custom destination groups/categories
- Custom source groups for IPs and Networks (usernames in the pipeline)
- As of now only domain filter support (no full url filtering)
- API key driven

Configuration:

- Download the helper from https://raw.githubusercontent.com/Hopbox/charcoal-helper/master/squid/charcoal-helper.pl.
- Make sure IO::Socket module for Perl is installed.
- Add following lines to squid.conf after downloading the helper:

    url_rewrite_program /path/to/charcoal-helper.pl YOUR_API_KEY
    url_rewrite_children X startup=Y idle=Z concurrency=1

YOUR_API_KEY for our hosted Charcoal service can be requested by filling in the form at http://charcoal.io or writing in to charc...@hopbox.in. The credentials for login to https://active.charcoal.io to manage the ACL will be emailed along with YOUR_API_KEY.

License:

URL Rewrite helper for squid is licensed under GPLv2.0 while Charcoal Server is licensed under AGPLv3.0.

GIT Repo:

Squid URL Rewrite helper can be downloaded from https://github.com/Hopbox/charcoal-helper

Git repository for Charcoal Server is at https://github.com/Hopbox/charcoal

Regards,
Nishant
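A concurrent url_rewrite helper of the kind discussed in the message above, added here as an example (it is not Charcoal's helper or Eliezer's skeleton). It assumes Squid 3.4+ reply syntax (OK / ERR / BH), a non-zero concurrency= value so every request line starts with a channel-ID, and a constructed local blocklist and block-page URL standing in for a policy server.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"os"
	"strings"
	"sync"
)

// Constructed sample policy (placeholder names, not Charcoal data).
var blocked = map[string]bool{"ads.example": true, "tracker.example": true}
const blockPage = "http://proxy.example/blocked.html"

// verdict: ERR leaves the request untouched, OK status=302 redirects, BH = failure.
func verdict(raw string) string {
	if !strings.Contains(raw, "://") {
		raw = "//" + raw // CONNECT requests arrive as host:port
	}
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return `BH message="unparsable URL"`
	}
	labels := strings.Split(strings.ToLower(u.Hostname()), ".")
	for i := range labels { // match the host and every parent domain
		if blocked[strings.Join(labels[i:], ".")] {
			return `OK status=302 url="` + blockPage + `"`
		}
	}
	return "ERR"
}

// answer maps "channel-ID URL [extras]" to "channel-ID result".
func answer(line string) string {
	f := strings.Fields(line)
	if len(f) < 2 {
		return strings.TrimSpace(line + ` BH message="missing URL"`)
	}
	return f[0] + " " + verdict(f[1])
}

func main() {
	var wg sync.WaitGroup
	var mu sync.Mutex // one writer at a time so replies never interleave
	in := bufio.NewScanner(os.Stdin)
	for in.Scan() {
		line := in.Text()
		wg.Add(1)
		go func() { // replies may leave out of order; the channel-ID pairs them
			defer wg.Done()
			r := answer(line)
			mu.Lock()
			defer mu.Unlock()
			fmt.Println(r)
		}()
	}
	wg.Wait()
}
```

Domain-only matching mirrors the "no full url filtering" limit in the announcement; the helper fails towards BH rather than silently passing a URL it could not parse.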
Re: [squid-users] Introducing Charcoal - Centralised URL Filter for squid
Hi Benjamin,

On Wednesday 14 June 2017 08:22 PM, Benjamin E. Nichols wrote:

> This sounds great, and would you mind specifying the source of the blacklist data at the core of your services?
>
> In other words, what I dare ask you is this, and I'm sure others might want to know, are you using the blacklists from shalla, UT1, or urlblacklist? Or have you developed your own domain management technology?

Thanks for the kind words. For the test run, we are using Shalla.

I understand that quality of blacklists matters. It is also possible to mix-match multiple blacklists and that should be the ideal scenario with most of the bases covered. And that depends on the user-base and the financial aspects of sourcing the blacklists.

Right now, our first priority is to fix a handful of bugs reported just after the announcement.

Thanks & Regards,
Nishant
Re: [squid-users] Introducing Charcoal - Centralised URL Filter for squid
This sounds great, and would you mind specifying the source of the blacklist data at the core of your services?

In other words, what I dare ask you is this, and I'm sure others might want to know, are you using the blacklists from shalla, UT1, or urlblacklist? Or have you developed your own domain management technology?

--
Signed,
Benjamin E. Nichols
http://www.squidblacklist.org

On 6/14/2017 5:36 AM, Nishant Sharma wrote:

> Hi,
>
> We are excited to invite early users to test drive Charcoal (http://charcoal.io) - a Squid URL Rewriter for distributed proxies.
>
> Charcoal is designed to help administrators manage access rules for the proxies at just one place with a GUI, instead of editing configuration of individual proxy servers. It has come out of our need of managing ACLs for 100+ proxy servers on embedded devices (OpenWRT/LEDE) running at our customer offices across the geography of India.
>
> We are releasing it in the hope that it will be useful for Squid users who have to manage multiple proxy servers everyday.
>
> The architecture is API key driven client-server, where a squid url-rewrite helper contacts server to query access controls for the incoming requests.
>
> Current features:
>
> - Supports Squid 2.x and 3.x
> - 70+ pre-existing domains blacklist
> - Custom destination groups/categories
> - Custom source groups for IPs and Networks (usernames in the pipeline)
> - As of now only domain filter support (no full url filtering)
> - API key driven
>
> Configuration:
>
> - Download the helper from https://raw.githubusercontent.com/Hopbox/charcoal-helper/master/squid/charcoal-helper.pl.
> - Make sure IO::Socket module for Perl is installed.
> - Add following lines to squid.conf after downloading the helper:
>
>     url_rewrite_program /path/to/charcoal-helper.pl YOUR_API_KEY
>     url_rewrite_children X startup=Y idle=Z concurrency=1
>
> YOUR_API_KEY for our hosted Charcoal service can be requested by filling in the form at http://charcoal.io or writing in to charc...@hopbox.in. The credentials for login to https://active.charcoal.io to manage the ACL will be emailed along with YOUR_API_KEY.
>
> License:
>
> URL Rewrite helper for squid is licensed under GPLv2.0 while Charcoal Server is licensed under AGPLv3.0.
>
> GIT Repo:
>
> Squid URL Rewrite helper can be downloaded from https://github.com/Hopbox/charcoal-helper
>
> Git repository for Charcoal Server is at https://github.com/Hopbox/charcoal
>
> Regards,
> Nishant
Re: [squid-users] cacheable object dose not match
On 14/06/17 02:11, joseph wrote:

>> No. The cache file contains a TLV structure of metadata followed by the
>
> right but so it should be a TLV binary and after that ?? HTTP/1.1 200 OK which is text clear
> or anything between them as this -->> accept-encodingHTTP/1.1 200 OK
> accept-encoding and status line on one line
> also
> 1 accept-encoding should be before status line ??
> 2 they should be on one line without cr ??

The "accept-encoding" you see there is part of the metadata TLV for the "Vary" header. The letter "H" is the actual start of the ASCII portion of the file.

> so I need to know before reporting bug
> tks

I suggest you investigate the file(s) with the squid-purge and/or ufsdump tools. Both of those should be able to identify and validate the UFS/AUFS/diskd cache file contents for you in an easier to read format - such as displaying what the binary parts mean.

Amos
Re: [squid-users] Squid Transparent HTTP Proxy - 2 ETH Links - HTTP Proxy
On Wednesday 14 June 2017 16:58:01 Eliezer Croitoru wrote:

> It depends on the equipment..
> What you should do is to use the switch to pass all traffic to the squid mac
> address and mirror all traffic to the probe node.

http://wiki.squid-cache.org/ConfigExamples/#Interception may give you some useful guidelines, depending on what your equipment is.

Alternatively you could do policy routing on the "Core Router", giving the internal IP address of the Squid server as the gateway for HTTP/S traffic, and then you do the standard Intercept NAT on the Squid machine so that it gets processed.

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

Squid then has the "Internet Router" as its gateway to the outside.

The important thing is *not* to do any Destination NAT on traffic to try to get it to hit the Squid box. The destination IPs of the packets must remain unchanged (ie: wherever they were trying to get to on the Internet).

Regards,

Antony.

> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Norbert Naveen
> Sent: Wednesday, June 14, 2017 4:30 PM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Squid Transparent HTTP Proxy - 2 ETH Links - HTTP
> Proxy
>
> Hello Admins ,
>
> Pls refer to the Image as in
>
> https://drive.google.com/open?id=0B_dDVNpzSGEKZmFPWHFLWlJJMUU
>
> The Setup will be as attached in URL Above …
> Server which will Host Squid will have Two Interfaces with 2 Different VLAN
> Tags
> Content Inspection Engine will REROUTE all HTTP Traffic Through the Links
> coming to Squid Server .
> Squid Server has to act as TRANSPARENT PROXY
>
> One Possible way of doing it IP tables and Masquerading SRC IP
> But … Without Changing Src or Dst IP address . How to achieve the same ?
>
> ALL HTTP Traffic will be forward from 1 to 2 and Squid will be in between
> We will have to Forward all traffic on 1 to 2 .. ?

--
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.

Please reply to the list;
please *don't* CC me.
Re: [squid-users] Squid Transparent HTTP Proxy - 2 ETH Links - HTTP Proxy
It depends on the equipment..
What you should do is to use the switch to pass all traffic to the squid mac address and mirror all traffic to the probe node.
What switch do you have there?

Eliezer

http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Norbert Naveen
Sent: Wednesday, June 14, 2017 4:30 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid Transparent HTTP Proxy - 2 ETH Links - HTTP Proxy

Hello Admins ,

Pls refer to the Image as in

https://drive.google.com/open?id=0B_dDVNpzSGEKZmFPWHFLWlJJMUU

The Setup will be as attached in URL Above …
Server which will Host Squid will have Two Interfaces with 2 Different VLAN Tags
Content Inspection Engine will REROUTE all HTTP Traffic Through the Links coming to Squid Server .
Squid Server has to act as TRANSPARENT PROXY

One Possible way of doing it IP tables and Masquerading SRC IP
But … Without Changing Src or Dst IP address . How to achieve the same ?

ALL HTTP Traffic will be forward from 1 to 2 and Squid will be in between
We will have to Forward all traffic on 1 to 2 .. ?

Thanks
Naveen
[squid-users] Squid Transparent HTTP Proxy - 2 ETH Links - HTTP Proxy
Hello Admins ,

Pls refer to the Image as in

https://drive.google.com/open?id=0B_dDVNpzSGEKZmFPWHFLWlJJMUU

The Setup will be as attached in URL Above .
Server which will Host Squid will have Two Interfaces with 2 Different VLAN Tags
Content Inspection Engine will REROUTE all HTTP Traffic Through the Links coming to Squid Server .
Squid Server has to act as TRANSPARENT PROXY

One Possible way of doing it IP tables and Masquerading SRC IP
But . Without Changing Src or Dst IP address . How to achieve the same ?

ALL HTTP Traffic will be forward from 1 to 2 and Squid will be in between
We will have to Forward all traffic on 1 to 2 .. ?

Thanks
Naveen
Re: [squid-users] source spoofing without tproxy?
Nice shot, Eliezer :-D

14.06.2017 19:28, Eliezer Croitoru wrote:

> Rephrase the "cheap nationally" into "cheat inernationally".
>
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Eliezer Croitoru
> Sent: Wednesday, June 14, 2017 11:09 AM
> To: 'David Kewley'; squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] source spoofing without tproxy?
>
> Hey,
>
> This is a library I wrote that uses tproxy:
> https://github.com/elico/go-linux-tproxy
>
> It’s doable using some enthusiasm but technically you cannot spoof just any
> IP since you need to be able to receive back this traffic.
> You cannot really "cheap nationally" the BGP protocol but only for specific
> small areas which are all under your "domain" and management.
>
> All The Bests,
> Eliezer
>
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of David Kewley
> Sent: Tuesday, June 13, 2017 4:48 AM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] source spoofing without tproxy?
>
> I want my clients to explicitly address squid as a proxy (not use tproxy),
> but have squid spoof the source addresses in the forwarded connection, so
> that further hops know the original source address from the IPv4 headers.
>
> I could find no indication that anyone else has done this, and when I tried
> various things, I could not get it working.
>
> Is this possible today? If not, is it worth considering as a future feature?
> Or am I overlooking a reason that this cannot work even in theory?
>
> I got the nearly-equivalent functionality working for reverse proxying using
> nginx, but so far I've found no way to do it with forward proxying. Nginx
> doesn't do https forward proxying (no handling of CONNECT).
>
> If squid can't do what I'm looking for today, I would welcome pointers to
> other possible approaches.
>
> Thanks,
> David
[squid-users] Introducing Charcoal - Centralised URL Filter for squid
Hi,

We are excited to invite early users to test drive Charcoal (http://charcoal.io) - a Squid URL Rewriter for distributed proxies.

Charcoal is designed to help administrators manage access rules for the proxies at just one place with a GUI, instead of editing configuration of individual proxy servers. It has come out of our need of managing ACLs for 100+ proxy servers on embedded devices (OpenWRT/LEDE) running at our customer offices across the geography of India.

We are releasing it in the hope that it will be useful for Squid users who have to manage multiple proxy servers everyday.

The architecture is API key driven client-server, where a squid url-rewrite helper contacts server to query access controls for the incoming requests.

Current features:

- Supports Squid 2.x and 3.x
- 70+ pre-existing domains blacklist
- Custom destination groups/categories
- Custom source groups for IPs and Networks (usernames in the pipeline)
- As of now only domain filter support (no full url filtering)
- API key driven

Configuration:

- Download the helper from https://raw.githubusercontent.com/Hopbox/charcoal-helper/master/squid/charcoal-helper.pl.
- Make sure IO::Socket module for Perl is installed.
- Add following lines to squid.conf after downloading the helper:

    url_rewrite_program /path/to/charcoal-helper.pl YOUR_API_KEY
    url_rewrite_children X startup=Y idle=Z concurrency=1

YOUR_API_KEY for our hosted Charcoal service can be requested by filling in the form at http://charcoal.io or writing in to charc...@hopbox.in. The credentials for login to https://active.charcoal.io to manage the ACL will be emailed along with YOUR_API_KEY.

License:

URL Rewrite helper for squid is licensed under GPLv2.0 while Charcoal Server is licensed under AGPLv3.0.

GIT Repo:

Squid URL Rewrite helper can be downloaded from https://github.com/Hopbox/charcoal-helper

Git repository for Charcoal Server is at https://github.com/Hopbox/charcoal

Regards,
Nishant
Re: [squid-users] source spoofing without tproxy?
Hey,

This is a library I wrote that uses tproxy:
https://github.com/elico/go-linux-tproxy

It’s doable using some enthusiasm but technically you cannot spoof just any IP since you need to be able to receive back this traffic.
You cannot really "cheap nationally" the BGP protocol but only for specific small areas which are all under your "domain" and management.

All The Bests,
Eliezer

http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of David Kewley
Sent: Tuesday, June 13, 2017 4:48 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] source spoofing without tproxy?

I want my clients to explicitly address squid as a proxy (not use tproxy), but have squid spoof the source addresses in the forwarded connection, so that further hops know the original source address from the IPv4 headers.

I could find no indication that anyone else has done this, and when I tried various things, I could not get it working.

Is this possible today? If not, is it worth considering as a future feature? Or am I overlooking a reason that this cannot work even in theory?

I got the nearly-equivalent functionality working for reverse proxying using nginx, but so far I've found no way to do it with forward proxying. Nginx doesn't do https forward proxying (no handling of CONNECT).

If squid can't do what I'm looking for today, I would welcome pointers to other possible approaches.

Thanks,
David