Re: [squid-users] Regarding Squid SSL cipher filtering

2019-02-02 Thread Alex Rousskov
On 2/1/19 4:04 PM, john doe wrote:

> I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers
> allowed.

> I see that "sslproxy_cipher" config property would allow me to do it.
> But what is unclear to me is whether just setting that list is enough or
> it needs SSL-Bump too?
> Pardon my ignorance around this. I'm not sure if Squid has access to the
> cipher list.

If you want to restrict ciphers used by clients establishing a TLS
connection with the origin server (via a CONNECT tunnel through Squid)
but you do not want to bump client-origin traffic that uses permitted
ciphers, then you have several options, including:

* Deny access to clients that offer banned ciphers to servers. Requires
either a silent TCP connection termination or bumping to serve an error
page. Requires TLS Client Hello analysis that is only supported in v4+
(via an external ACL and %>handshake).

* Deny access to servers that select banned ciphers (from the list of
all ciphers offered by clients). Requires either a silent TCP connection
termination or bumping to serve an error page. Requires TLS Server Hello
analysis that is only supported in v4+ (via an external ACL and
%ssl::negotiated_cipher).

Sorry, I ran out of time to polish and detail the above further, but
others on the list can help you if you need more information.


Cheers,

Alex.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
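One way to implement the first of Alex's options above (deny clients that offer banned ciphers before any bumping happens), as an added example that is not part of this thread or of Squid itself: a Squid-4 external ACL helper that decodes the base64 `%>handshake` value, walks the TLS record and ClientHello headers down to the cipher_suites vector, and answers ERR when any offered suite is on a banned list. The squid.conf wiring in the docstring (peek at step 1 so the ClientHello has been read, then `ssl_bump terminate` on the ACL), the helper path, and the banned-suite list are all assumptions to check against the squid.conf.documented of your build. `build_client_hello` and `hello_b64` only construct test input.

```python
#!/usr/bin/env python3
"""Squid-4 external ACL helper: refuse clients whose ClientHello offers banned
cipher suites. Added example, not from the squid-users thread or from Squid.

Assumed squid.conf wiring (illustrative; verify against squid.conf.documented):

    external_acl_type hello_check ttl=0 negative_ttl=0 children-max=5 \
        %>handshake /usr/local/bin/hello_check.py
    acl bad_hello external hello_check
    acl step1 at_step SslBump1
    ssl_bump peek step1          # read the ClientHello without bumping
    ssl_bump terminate bad_hello # step 2: drop the tunnel if the ACL matched
    ssl_bump splice all          # otherwise pass the bytes through untouched
"""
import base64
import struct
import sys
from urllib.parse import unquote

# IANA cipher-suite IDs this policy refuses (NULL, EXPORT, RC4, DES, 3DES).
BANNED_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


class HelloParseError(ValueError):
    """Raised when the bytes are not a parseable TLS ClientHello."""


def client_hello_cipher_suites(raw: bytes) -> list:
    """Return the cipher-suite IDs offered in a TLS ClientHello.

    Walks: record header (type 0x16, 2-byte length), handshake header (type
    0x01, 3-byte length), client_version(2), random(32), session_id<0..32>,
    cipher_suites<2..2^16-2>. Only the first TLS record is examined.
    """
    if len(raw) < 5 or raw[0] != 0x16:
        raise HelloParseError("not a TLS handshake record")
    rec_len = struct.unpack("!H", raw[3:5])[0]
    body = raw[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise HelloParseError("record does not start with a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                  # skip client_version + random
    if len(hello) < pos + 1:
        raise HelloParseError("truncated before session_id")
    pos += 1 + hello[pos]                         # skip session_id
    if len(hello) < pos + 2:
        raise HelloParseError("truncated before cipher_suites")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or len(hello) < pos + cs_len:
        raise HelloParseError("malformed cipher_suites vector")
    return [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def check_handshake(value: str) -> str:
    """Turn one %>handshake field into the reply keyword (without channel id).

    Squid may percent-encode the field (external_acl_type quoting), so it is
    unquoted first; a plain base64 string is unaffected by that.
    """
    try:
        suites = client_hello_cipher_suites(base64.b64decode(unquote(value), validate=True))
    except ValueError:                            # binascii.Error and HelloParseError
        # Not TLS, or not parseable: deny and explain (message= shows as %o in error pages).
        return "ERR message=unparseable_client_hello"
    banned = [BANNED_SUITES[s] for s in suites if s in BANNED_SUITES]
    if banned:
        return "ERR message=" + ",".join(banned)
    return "OK"


def build_client_hello(suites) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (constructed test input, no extensions)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"  # version, zero random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def hello_b64(suites) -> str:
    """What Squid would hand the helper for a constructed ClientHello."""
    return base64.b64encode(build_client_hello(suites)).decode("ascii")


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """External ACL loop: one request per line, optional leading channel id."""
    for line in stdin:
        fields = line.split()
        if not fields:
            continue
        channel, payload = (fields[0], fields[1]) if len(fields) == 2 else ("", fields[0])
        reply = check_handshake(payload)
        stdout.write((channel + " " if channel else "") + reply + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```

Two caveats a deployment has to take seriously: the helper sees only what the client offers, so a client that offers a banned suite alongside good ones is refused even though the server might have picked a good one (Alex's second option, checking the server-selected cipher, is the looser policy); and a ClientHello large enough to span two TLS records is reported as unparseable and therefore denied, which is the fail-closed choice.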


Re: [squid-users] Squid doesn't execute url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

2019-02-02 Thread eliezer
Can we change the default from "startup=0" to "startup=1" ?

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-Original Message-
From: squid-users  On Behalf Of Amos Jeffries
Sent: Saturday, February 2, 2019 14:33
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid doesn't execute url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

On 2/02/19 7:56 am, Roberto Carna wrote:
> Dear Amos, thanks for your comments.
> 
> I realized that I have some clues in cache.log:
> 
> 2019/02/01 15:51:44 kid1| helperOpenServers: Starting 0/20 'squidGuard'
> processes
> 2019/02/01 15:51:44 kid1| helperOpenServers: No 'squidGuard' processes
> needed.
> 2019/02/01 15:51:44 kid1| helperOpenServers: Starting 0/5
> 'squid_ldap_auth' processes
> 2019/02/01 15:51:44 kid1| helperOpenServers: No 'squid_ldap_auth'
> processes needed.
> 
> These lines appear after I execute "systemctl reload squid".
> 
> Users and rights are OK.
> 
> Please can you help me one more time?
> 

The above log lines indicate that Squid is waiting for traffic before
going to the trouble of starting helpers. This is the default since
Squid-3.2.

If you want to change that the relevant directives for these two helpers
are:
 
  under "children"

Amos



Re: [squid-users] Squid doesn't execute url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

2019-02-02 Thread Amos Jeffries
On 2/02/19 7:56 am, Roberto Carna wrote:
> Dear Amos, thanks for your comments.
> 
> I realized that I have some clues in cache.log:
> 
> 2019/02/01 15:51:44 kid1| helperOpenServers: Starting 0/20 'squidGuard'
> processes
> 2019/02/01 15:51:44 kid1| helperOpenServers: No 'squidGuard' processes
> needed.
> 2019/02/01 15:51:44 kid1| helperOpenServers: Starting 0/5
> 'squid_ldap_auth' processes
> 2019/02/01 15:51:44 kid1| helperOpenServers: No 'squid_ldap_auth'
> processes needed.
> 
> These lines appear after I execute "systemctl reload squid".
> 
> Users and rights are OK.
> 
> Please can you help me one more time?
> 

The above log lines indicate that Squid is waiting for traffic before
going to the trouble of starting helpers. This is the default since
Squid-3.2.

If you want to change that the relevant directives for these two helpers
are:
 
  under "children"

Amos
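For reference, the helper-spawning directives that control this, as an added example that is not from the thread (the directive names were lost from Amos's message as archived): the Squid-3.2+ default of starting no helpers until the first request arrives, beside a setting that pre-forks a few at start-up so the first clients do not wait for squidGuard and the LDAP helper to initialise. The process counts, paths and LDAP arguments are assumptions; check squid.conf.documented for your build.

```conf
# Default since Squid-3.2: up to 20 rewriters, none started until traffic arrives
# (this is what "Starting 0/20 'squidGuard' processes" in cache.log reports).
# url_rewrite_children 20 startup=0 idle=1 concurrency=0

# Pre-fork 5 rewriters at start, always keep 1 idle, spawn up to 20 under load.
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 20 startup=5 idle=1 concurrency=0

# Same knobs for the basic-auth LDAP helper; here "children" is a sub-option of auth_param.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -h ldap.example.com
auth_param basic children 5 startup=2 idle=1
```

A cold helper is only a latency problem, not a correctness one: the log lines above are normal and the squidGuard rewrite still runs for the first request, just after the spawn cost. Pre-forking is worth it mainly when helper start-up is slow (a large squidGuard database, a remote LDAP bind).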


Re: [squid-users] Regarding Squid SSL cipher filtering

2019-02-02 Thread Amos Jeffries
On 2/02/19 12:04 pm, john doe wrote:
> Hi Squid-Community,
> 
> I've a question for which I haven't been able to find answer.
> 
> I'm using Squid 3.5 as a forward proxy and want to limit the SSL ciphers
> allowed.
> I see that "sslproxy_cipher" config property would allow me to do it.

The sslproxy_* directives (as of v4 called tls_outgoing_options) are for
TLS/SSL control of connections to servers.

The https_port and http_port directives have options for TLS/SSL on
connections from clients.

The cache_peer directive has options for fine tuning or locking down
TLS/SSL to each peer server.


> But what is unclear to me is whether just setting that list is enough or
> it needs SSL-Bump too?

For TLS interactions between the client and server (CONNECT tunnels)
then yes, you need to MITM (SSL-Bump) to interact with their crypto.

For TLS between client and proxy, then no. Squid is in control already -
at least of the proxy end of the connection.



> Pardon my ignorance around this. I'm not sure if Squid has access to the
> cipher list.
> 

None needed. Nobody knows everything about Squid (even us official and
long-term devs). Help is what this list is for :-)

Amos
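The three places Amos lists, written out as an added squid.conf example that is not from the thread: the outgoing side (the v4 successor of sslproxy_cipher), the client-facing side, and a single peer. Hostnames, paths and the cipher strings are assumptions to adapt, and every option should be confirmed against the squid.conf.documented shipped with your build.

```conf
# (1) Proxy -> origin server. Squid-4 replacement for the 3.5 sslproxy_* directives.
#     Only governs TLS sessions Squid itself negotiates (bumped tunnels, reverse-proxy
#     origins). A spliced or plain CONNECT tunnel is never touched by this line.
tls_outgoing_options min-version=1.2 \
    cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

# (2) Client -> proxy. TLS that Squid terminates: an https_port, or the client half
#     of a bumped tunnel. This is the only way the client's cipher choice becomes
#     Squid's business, which is why bumping is needed to police it.
https_port 3129 ssl-bump tls-cert=/etc/squid/proxy-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=16MB \
    options=NO_SSLv3:NO_TLSv1:NO_TLSv1_1 \
    cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

# (3) Proxy -> one specific peer, overriding (1) for that peer only.
cache_peer upstream.example.net parent 443 0 tls tls-min-version=1.2 \
    sslcipher=ECDHE-RSA-AES256-GCM-SHA384 no-query default
```

The cipher strings use OpenSSL cipher-list syntax. With OpenSSL 1.1.1 that list governs TLS 1.2 and earlier only; the TLS 1.3 suites are a separate list in OpenSSL, so a Squid build against 1.1.1 will still offer the TLS 1.3 defaults regardless of `cipher=`, which is normally what you want. Reading the ciphers actually used after a change is easiest through the `%ssl::>negotiated_cipher` and `%ssl::<negotiated_cipher` logformat codes on the client and server sides respectively.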