[squid-users] R: Go to intranet server through Squid

2018-05-17 Thread Troiano Alessio
If you do not define any exception all the web requests are forwarded to squid 
proxy. So, the only thing you have to check is that squid can reach the server 
192.168.10.10 (routing and/or firewall policy). Also check that squid uses your 
local DNS server and resolves the correct IP address.


-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
Roberto Carna
Sent: Thursday, May 17, 2018 21:40
To: squid-us...@squid-cache.org
Subject: [squid-users] Go to intranet server through Squid

Hi people, I have a Squid 3.1.20 for web browsing.

I have a local intranet server called "intranet.com.ar.com" resolving to 
192.168.10.10. This resolution is defined in my local DNS servers and in 
/etc/hosts file from Squid.

Is there any way to send the web connections to intranet.company.com through 
the Squid proxy and not defining an exception in each user's browser?

Thanks a lot, regards.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Running Squid fully as root

2018-05-17 Thread Antony Stone
On Thursday 17 May 2018 at 22:24:40, Aaron Hall wrote:

> Greetings everyone.
> 
> Does anyone know a "proper" way to run squid directly as "root" rather than the
> squid user on linux?

Why do you want to?

There are good reasons not to do this.  What is a good reason to want to do 
this?

> Basic internet searches don't appear to give much of an answer.

That may be a clue that it's not a good idea to try to do it :)


Antony.

-- 
It may not seem obvious, but (6 x 5 + 5) x 5 - 55 equals 5!

   Please reply to the list;
 please *don't* CC me.


[squid-users] Running Squid fully as root

2018-05-17 Thread Aaron Hall
Greetings everyone.

Does anyone know a "proper" way to run squid directly as "root" rather than the
squid user on linux?

Basic internet searches don't appear to give much of an answer.

OS: Centos 7.x
Squid Ver: 3.5.20

Cheers.
--
Aaron Hall
The Paranoids
Network Security
aaron.h...@oath.com


[squid-users] Go to intranet server through Squid

2018-05-17 Thread Roberto Carna
Hi people, I have a Squid 3.1.20 for web browsing.

I have a local intranet server called "intranet.com.ar.com" resolving
to 192.168.10.10. This resolution is defined in my local DNS servers
and in /etc/hosts file from Squid.

Is there any way to send the web connections to intranet.company.com
through the Squid proxy and not defining an exception in each
user's browser?

Thanks a lot, regards.


Re: [squid-users] kaspersky and ufdbguard

2018-05-17 Thread Marcus Kool

I do not block my Kaspersky AV.
Do you want the Kaspersky software to contact the servers of Kaspersky?

On 17/05/18 09:30, Vacheslav wrote:

Yeah, all that I know. The million-dollar question is should I continue blocking 
it?

-Original Message-
From: squid-users  On Behalf Of 
Marcus Kool
Sent: Thursday, May 17, 2018 3:22 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] kaspersky and ufdbguard

195.122.177.165 is an IP address of Kaspersky (see whois 195.122.177.165).
ufdbguardd blocks this IP address since it is configured to do so which is 
indicated by 'https-option', most likely because the config has
 option enforce-https-with-hostname on # default is off.

Marcus


On 17/05/18 08:03, Vacheslav wrote:

I have this:
acl {
   allSystems  {
      ### EDIT THE NEXT LINE FOR LOCAL CONFIGURATION:
      pass
         alwaysallow
         # !always-block
         !ms-data-collection
         !adult !security
         !proxies !malware !warez
         !gambling !violence !drugs
         !phishtank !spyware
         chat dating !games religion  finance jobs shops sports travel news
         webmail forum socialnet youtube
         !webtv webradio audiovideo
         !ads
         searchengine
         # with "logall on" or "logpass on" it makes sense to have the category "checked" in the ACL.
         any
         # NOTE: ALL categories are part of the ACL for logging purposes.
         # Only when logall is off, one can remove the allowed categories from the ACL.
   }

I don't have a similar config acl.

-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Thursday, May 17, 2018 1:56 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] kaspersky and ufdbguard

On 17/05/18 17:45, Vacheslav wrote:

Peace,

When I configured Kaspersky to use proxy, I started getting as an example:

BLOCK -    10.96.0.104 config https-option 195.122.177.165:443 CONNECT

I have require https hostname. Kaspersky is updating fine.

Does anyone have an idea what Kaspersky is connecting to?



That is a custom log format, you have not provided any info about what each 
field is. So no, we don't have much of a clue what it means.

Amos


[squid-users] Auth bearer support for forward proxy

2018-05-17 Thread Panagiotis Bariamis
Hello,
The only thing I have found concerning the subject is this 4-year-old thread:

>From: Amos Jeffries 
>Date: Sun, 08 Jun 2014 14:46:09 +1200
>Message-ID: <5393ce71.5070...@treenet.co.nz>
>To: "ietf-http...@w3.org" 

>I have implemented Bearer authentication support in Squid and have found
>a noticeable lack of support in clients for the 407 status Proxy-Auth*
>headers, even where Bearer support is advertized and working via 401
>status WWW-Auth*.

>Can any of the client implementers (Browsers in particular) please point
>out if they do support Bearer login to a proxy and what restrictions
>they have on it actually working?
>
>Amos Jeffries
>The Squid Software Foundation

Does anyone know if browsers have since then implemented support for
bearer authentication for Proxy-Auth?


Re: [squid-users] Squid with HTTP/2

2018-05-17 Thread Amos Jeffries
On 18/05/18 00:23, Chanaka Lakmal wrote:
> Hi,
> 
> Does Squid support HTTP/2 protocol? If so, what is the version it supports?
> 

No and "sort of". Squid does not yet support it natively. Squid does
support h2 tunneled inside TLS (except when SSL-Bumping) in the same way
HTTPS has always been supported.

Amos


Re: [squid-users] kaspersky and ufdbguard

2018-05-17 Thread Vacheslav
Yeah, all that I know. The million-dollar question is should I continue blocking 
it?

-Original Message-
From: squid-users  On Behalf Of 
Marcus Kool
Sent: Thursday, May 17, 2018 3:22 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] kaspersky and ufdbguard

195.122.177.165 is an IP address of Kaspersky (see whois 195.122.177.165).
ufdbguardd blocks this IP address since it is configured to do so which is 
indicated by 'https-option', most likely because the config has
option enforce-https-with-hostname on # default is off.

Marcus


On 17/05/18 08:03, Vacheslav wrote:
> I have this:
> acl {
>    allSystems  {
>       ### EDIT THE NEXT LINE FOR LOCAL CONFIGURATION:
>       pass
>          alwaysallow
>          # !always-block
>          !ms-data-collection
>          !adult !security
>          !proxies !malware !warez
>          !gambling !violence !drugs
>          !phishtank !spyware
>          chat dating !games religion  finance jobs shops sports travel news
>          webmail forum socialnet youtube
>          !webtv webradio audiovideo
>          !ads
>          searchengine
>          # with "logall on" or "logpass on" it makes sense to have the category "checked" in the ACL.
>          any
>          # NOTE: ALL categories are part of the ACL for logging purposes.
>          # Only when logall is off, one can remove the allowed categories from the ACL.
>    }
> 
> I don't have a similar config acl.
> 
> -Original Message-
> From: squid-users  On Behalf Of 
> Amos Jeffries
> Sent: Thursday, May 17, 2018 1:56 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] kaspersky and ufdbguard
> 
> On 17/05/18 17:45, Vacheslav wrote:
>> Peace,
>>
>> When I configured Kaspersky to use proxy, I started getting as an example:
>>
>> BLOCK -    10.96.0.104 config https-option 195.122.177.165:443 CONNECT
>>
>> I have require https hostname. Kaspersky is updating fine.
>>
>> Does anyone have an idea what Kaspersky is connecting to?
>>
> 
> That is a custom log format, you have not provided any info about what each 
> field is. So no, we don't have much of a clue what it means.
> 
> Amos


[squid-users] Squid with HTTP/2

2018-05-17 Thread Chanaka Lakmal
Hi,

Does Squid support HTTP/2 protocol? If so, what is the version it supports?

Regards,
Chanaka Lakmal


Re: [squid-users] kaspersky and ufdbguard

2018-05-17 Thread Marcus Kool

195.122.177.165 is an IP address of Kaspersky (see whois 195.122.177.165).
ufdbguardd blocks this IP address since it is configured to do so which is 
indicated by 'https-option', most likely because the config has
   option enforce-https-with-hostname on # default is off.

Marcus


On 17/05/18 08:03, Vacheslav wrote:

I have this:
acl {
   allSystems  {
      ### EDIT THE NEXT LINE FOR LOCAL CONFIGURATION:
      pass
         alwaysallow
         # !always-block
         !ms-data-collection
         !adult !security
         !proxies !malware !warez
         !gambling !violence !drugs
         !phishtank !spyware
         chat dating !games religion  finance jobs shops sports travel news
         webmail forum socialnet youtube
         !webtv webradio audiovideo
         !ads
         searchengine
         # with "logall on" or "logpass on" it makes sense to have the category "checked" in the ACL.
         any
         # NOTE: ALL categories are part of the ACL for logging purposes.
         # Only when logall is off, one can remove the allowed categories from the ACL.
   }

I don't have a similar config acl.

-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Thursday, May 17, 2018 1:56 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] kaspersky and ufdbguard

On 17/05/18 17:45, Vacheslav wrote:

Peace,

When I configured Kaspersky to use proxy, I started getting as an example:

BLOCK -    10.96.0.104 config https-option 195.122.177.165:443 CONNECT

I have require https hostname. Kaspersky is updating fine.

Does anyone have an idea what Kaspersky is connecting to?



That is a custom log format, you have not provided any info about what each 
field is. So no, we don't have much of a clue what it means.

Amos


Re: [squid-users] kaspersky and ufdbguard

2018-05-17 Thread Vacheslav
I have this: 
acl {
   allSystems  {
      ### EDIT THE NEXT LINE FOR LOCAL CONFIGURATION:
      pass
         alwaysallow
         # !always-block
         !ms-data-collection
         !adult !security
         !proxies !malware !warez
         !gambling !violence !drugs
         !phishtank !spyware
         chat dating !games religion  finance jobs shops sports travel news
         webmail forum socialnet youtube
         !webtv webradio audiovideo
         !ads
         searchengine
         # with "logall on" or "logpass on" it makes sense to have the category "checked" in the ACL.
         any
         # NOTE: ALL categories are part of the ACL for logging purposes.
         # Only when logall is off, one can remove the allowed categories from the ACL.
   }

I don't have a similar config acl.

-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Thursday, May 17, 2018 1:56 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] kaspersky and ufdbguard

On 17/05/18 17:45, Vacheslav wrote:
> Peace,
> 
> When I configured Kaspersky to use proxy, I started getting as an example:
> 
> BLOCK -    10.96.0.104 config https-option 195.122.177.165:443 CONNECT
> 
> I have require https hostname. Kaspersky is updating fine.
> 
> Does anyone have an idea what Kaspersky is connecting to?
> 

That is a custom log format, you have not provided any info about what each 
field is. So no, we don't have much of a clue what it means.

Amos


Re: [squid-users] kaspersky and ufdbguard

2018-05-17 Thread Amos Jeffries
On 17/05/18 17:45, Vacheslav wrote:
> Peace,
> 
> When I configured Kaspersky to use proxy, I started getting as an example:
> 
> BLOCK -    10.96.0.104 config https-option 
> 195.122.177.165:443 CONNECT
> 
> I have require https hostname. Kaspersky is updating fine.
> 
> Does anyone have an idea what Kaspersky is connecting to?
> 

That is a custom log format, you have not provided any info about what
each field is. So no, we don't have much of a clue what it means.

Amos


Re: [squid-users] TCP FIN,ACK after ServerHelloDone with pcmag.com

2018-05-17 Thread Ahmad, Sarfaraz
Guys,

Any thoughts ?

Regards,
Sarfaraz

-Original Message-
From: Ahmad, Sarfaraz 
Sent: Wednesday, May 16, 2018 10:36 AM
To: 'Marcus Kool' ; 
squid-users@lists.squid-cache.org
Subject: RE: [squid-users] TCP FIN,ACK after ServerHelloDone with pcmag.com

I see a message similar to Marcus' in cache.log.

2018/05/16 00:20:10 kid1| ERROR: negotiating TLS on FD 77: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

And I am running squid-4.0.24.

Sarfaraz

-Original Message-
From: squid-users  On Behalf Of 
Marcus Kool
Sent: Wednesday, May 16, 2018 1:41 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] TCP FIN,ACK after ServerHelloDone with pcmag.com

The proxies that I used for the test have Squid 4.0.22 and Squid 4.0.23.

Marcus


On 15/05/18 15:40, Amos Jeffries wrote:
> On 16/05/18 01:32, Marcus Kool wrote:
>> pcmag.com also does not load here, although my config parameters are 
>> slightly different.
>> The certificate is indeed huge...
>> Do you have
>>     ERROR: negotiating TLS on FD NNN: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
>> or other errors in cache.log ?
>>
>> Marcus
>>
> 
> Are these Squid-4.0.24 ? There is a regression[1] in the cafile= 
> parameter handling in the latest release.
>   
> 
> Amos


Re: [squid-users] Very High Response Times to Certain Websites with Squid

2018-05-17 Thread Amos Jeffries
On 17/05/18 16:15, Justin & Roseanne James wrote:
> 
> I'm not doing anything special. Squid is running transparently and I
> have iptables rules setup to forward port 80 and 443 traffic
> appropriately from my firewall to my squid box.

Traffic must be *routed* between machines. The NAT step must be done
only on the Squid machine itself.

Amos
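
A check for the rule in the reply above, as an added example that is not part of the original thread or of Squid: the function below audits an `iptables-save` dump taken on the firewall and flags any destination NAT of ports 80/443 there, which is the step that belongs on the Squid machine. The addresses, ports, mark value and both sample dumps are constructed.

```shell
# Added example (not from the thread): audit an iptables-save dump taken on
# the firewall. Any nat-table DNAT/REDIRECT of tcp/80 or tcp/443 there is the
# setup the reply warns about; that NAT step belongs on the Squid box only.
audit_firewall_nat() {
    # stdin: iptables-save text. Prints one FINDING line per offending rule.
    # Returns 1 if any rule was flagged, 0 otherwise.
    awk '
        /^\*/ { table = substr($1, 2); next }    # "*nat", "*mangle", ...
        table != "nat" || $1 != "-A" { next }    # only appended nat rules
        {
            target = ""; web = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), port, ",")
                    for (k = 1; k <= n; k++)
                        if (port[k] == "80" || port[k] == "443") web = 1
                }
            }
            if (web && (target == "DNAT" || target == "REDIRECT")) {
                print "FINDING: " target " of web traffic on firewall: " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: firewall DNATs web ports to the Squid box (flagged).
sample_dnat_firewall() {
cat <<'EOF'
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3129
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.0.2.10:3130
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Constructed sample: firewall only marks web traffic for policy routing
# towards the Squid box; no destination NAT happens here (clean).
sample_routed_firewall() {
cat <<'EOF'
*mangle
-A PREROUTING -s 192.0.2.10/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A PREROUTING -p tcp -m multiport --dports 80,443 -j MARK --set-xmark 0x3/0xffffffff
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

sample_dnat_firewall | audit_firewall_nat || echo "firewall does NAT on web traffic"
```

On a live firewall the same function takes `iptables-save` output on stdin; a clean result there still leaves the REDIRECT rule to be configured on the Squid machine.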