Re: [squid-users] HTTPS request times out going through Squid proxy

2021-05-10 Thread Aniruddha Gore
I am in PST. Yeah, I don't see any error in that log. Do I need to do something 
about ssl_bump, etc?

Aniruddha Gore

From: squid-users  on behalf of 
Matus UHLAR - fantomas 
Sent: Monday, May 10, 2021 11:12 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] HTTPS request times out going through Squid proxy

>>1620413633.857  42280  TAG_NONE/500 0 CONNECT :443 - 
>>HIER_DIRECT/13.107.246.70 -

% date -d @1620413633.857
Fri May  7 20:53:53 CEST 2021

which timezone are you in?

I'd expect an error to be shown at the time of your request.

On 10.05.21 17:43, Aniruddha Gore wrote:
>My bad, here is cache.log lines from that same day:

>2021/05/07 02:50:34 kid1| Set Current Directory to /var/cache/squid
>2021/05/07 02:50:34 kid1| Starting Squid Cache version 3.5.28 for 
>x86_64-unknown-cygwin...
>2021/05/07 02:50:34 kid1| Service Name: squid
>2021/05/07 02:50:34 kid1| Process ID 5300
>2021/05/07 02:50:34 kid1| Process Roles: worker
>2021/05/07 02:50:34 kid1| With 3200 file descriptors available
>2021/05/07 02:50:34 kid1| Initializing IP Cache...
>2021/05/07 02:50:34 kid1| parseEtcHosts: /etc/hosts: (2) No such file or 
>directory
>2021/05/07 02:50:34 kid1| DNS Socket created at [::], FD 5
>2021/05/07 02:50:34 kid1| DNS Socket created at 0.0.0.0, FD 6
>2021/05/07 02:50:34 kid1| Adding nameserver 8.8.8.8 from squid.conf
>2021/05/07 02:50:34 kid1| Adding nameserver 208.67.222.222 from squid.conf
>2021/05/07 02:50:35 kid1| Logfile: opening log daemon:/var/log/squid/access.log
>2021/05/07 02:50:35 kid1| Logfile Daemon: opening log /var/log/squid/access.log
>2021/05/07 02:50:35 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
>2021/05/07 02:50:35 kid1| Store logging disabled
>2021/05/07 02:50:35 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
>2021/05/07 02:50:35 kid1| Target number of buckets: 1008
>2021/05/07 02:50:35 kid1| Using 8192 Store buckets
>2021/05/07 02:50:35 kid1| Max Mem  size: 262144 KB
>2021/05/07 02:50:35 kid1| Max Swap size: 0 KB
>2021/05/07 02:50:35 kid1| Using Least Load store dir selection
>2021/05/07 02:50:35 kid1| Set Current Directory to /var/cache/squid
>2021/05/07 02:50:35 kid1| Finished loading MIME types and icons.
>2021/05/07 02:50:35 kid1| HTCP Disabled.
>2021/05/07 02:50:35 kid1| Squid plugin modules loaded: 0
>2021/05/07 02:50:35 kid1| Adaptation support is off.
>2021/05/07 02:50:35 kid1| Accepting HTTP Socket connections at local=[::]:3128 
>remote=[::] FD 10 flags=9
>2021/05/07 02:50:36 kid1| storeLateRelease: released 0 objects
>2021/05/07 10:24:37 kid1| Set Current Directory to /var/cache/squid
>2021/05/07 10:24:37 kid1| Starting Squid Cache version 3.5.28 for 
>x86_64-unknown-cygwin...
>2021/05/07 10:24:37 kid1| Service Name: squid
>2021/05/07 10:24:37 kid1| Process ID 25760
>2021/05/07 10:24:37 kid1| Process Roles: worker
>2021/05/07 10:24:37 kid1| With 3200 file descriptors available
>2021/05/07 10:24:37 kid1| Initializing IP Cache...
>2021/05/07 10:24:37 kid1| parseEtcHosts: /etc/hosts: (2) No such file or 
>directory
>2021/05/07 10:24:37 kid1| DNS Socket created at [::], FD 5
>2021/05/07 10:24:37 kid1| DNS Socket created at 0.0.0.0, FD 6
>2021/05/07 10:24:37 kid1| Adding nameserver 8.8.8.8 from squid.conf
>2021/05/07 10:24:37 kid1| Adding nameserver 208.67.222.222 from squid.conf
>2021/05/07 10:24:38 kid1| Logfile: opening log daemon:/var/log/squid/access.log
>2021/05/07 10:24:38 kid1| Logfile Daemon: opening log /var/log/squid/access.log
>2021/05/07 10:24:38 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
>2021/05/07 10:24:38 kid1| Store logging disabled
>2021/05/07 10:24:38 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
>2021/05/07 10:24:38 kid1| Target number of buckets: 1008
>2021/05/07 10:24:38 kid1| Using 8192 Store buckets
>2021/05/07 10:24:38 kid1| Max Mem  size: 262144 KB
>2021/05/07 10:24:38 kid1| Max Swap size: 0 KB
>2021/05/07 10:24:38 kid1| Using Least Load store dir selection
>2021/05/07 10:24:38 kid1| Set Current Directory to /var/cache/squid
>2021/05/07 10:24:38 kid1| Finished loading MIME types and icons.
>2021/05/07 10:24:38 kid1| HTCP Disabled.
>2021/05/07 10:24:38 kid1| Squid plugin modules loaded: 0
>2021/05/07 10:24:38 kid1| Adaptation support is off.
>2021/05/07 10:24:38 kid1| Accepting HTTP Socket connections at local=[::]:3128 
>remote=[::] FD 10 flags=9
>2021/05/07 10:24:39 kid1| storeLateRelease: released 0 objects
>2021/05/07 10:26:22 kid1| Set Current Directory to /var/cache/squid
>2021/05/07 10:26:22 kid1| Starting Squid Cache version 3.5.28 for 
>x86_64-unknown-cygwin...
>2021/05/07 10:26:22 kid1| Service Name: squid
>2021/05/07 10:26:22 kid1| Process ID 16944
>2021/05/07 10:26:22 kid1| Process Roles: worker
>2021/05/07 10:26:22 kid1| With 3200 file descriptors available
>2021/05/07 10:26:22 kid1| Initializing IP Cache...
>2021/05/07 10:26:22 kid1| parseEtcHosts: /etc/hosts: (2) No such 

Re: [squid-users] HTTPS request times out going through Squid proxy

2021-05-10 Thread Matus UHLAR - fantomas

1620413633.857  42280  TAG_NONE/500 0 CONNECT :443 - 
HIER_DIRECT/13.107.246.70 -


% date -d @1620413633.857
Fri May  7 20:53:53 CEST 2021

which timezone are you in?

I'd expect an error to be shown at the time of your request.

On 10.05.21 17:43, Aniruddha Gore wrote:

My bad, here is cache.log lines from that same day:



2021/05/07 02:50:34 kid1| Set Current Directory to /var/cache/squid
2021/05/07 02:50:34 kid1| Starting Squid Cache version 3.5.28 for 
x86_64-unknown-cygwin...
2021/05/07 02:50:34 kid1| Service Name: squid
2021/05/07 02:50:34 kid1| Process ID 5300
2021/05/07 02:50:34 kid1| Process Roles: worker
2021/05/07 02:50:34 kid1| With 3200 file descriptors available
2021/05/07 02:50:34 kid1| Initializing IP Cache...
2021/05/07 02:50:34 kid1| parseEtcHosts: /etc/hosts: (2) No such file or 
directory
2021/05/07 02:50:34 kid1| DNS Socket created at [::], FD 5
2021/05/07 02:50:34 kid1| DNS Socket created at 0.0.0.0, FD 6
2021/05/07 02:50:34 kid1| Adding nameserver 8.8.8.8 from squid.conf
2021/05/07 02:50:34 kid1| Adding nameserver 208.67.222.222 from squid.conf
2021/05/07 02:50:35 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2021/05/07 02:50:35 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2021/05/07 02:50:35 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2021/05/07 02:50:35 kid1| Store logging disabled
2021/05/07 02:50:35 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2021/05/07 02:50:35 kid1| Target number of buckets: 1008
2021/05/07 02:50:35 kid1| Using 8192 Store buckets
2021/05/07 02:50:35 kid1| Max Mem  size: 262144 KB
2021/05/07 02:50:35 kid1| Max Swap size: 0 KB
2021/05/07 02:50:35 kid1| Using Least Load store dir selection
2021/05/07 02:50:35 kid1| Set Current Directory to /var/cache/squid
2021/05/07 02:50:35 kid1| Finished loading MIME types and icons.
2021/05/07 02:50:35 kid1| HTCP Disabled.
2021/05/07 02:50:35 kid1| Squid plugin modules loaded: 0
2021/05/07 02:50:35 kid1| Adaptation support is off.
2021/05/07 02:50:35 kid1| Accepting HTTP Socket connections at local=[::]:3128 
remote=[::] FD 10 flags=9
2021/05/07 02:50:36 kid1| storeLateRelease: released 0 objects
2021/05/07 10:24:37 kid1| Set Current Directory to /var/cache/squid
2021/05/07 10:24:37 kid1| Starting Squid Cache version 3.5.28 for 
x86_64-unknown-cygwin...
2021/05/07 10:24:37 kid1| Service Name: squid
2021/05/07 10:24:37 kid1| Process ID 25760
2021/05/07 10:24:37 kid1| Process Roles: worker
2021/05/07 10:24:37 kid1| With 3200 file descriptors available
2021/05/07 10:24:37 kid1| Initializing IP Cache...
2021/05/07 10:24:37 kid1| parseEtcHosts: /etc/hosts: (2) No such file or 
directory
2021/05/07 10:24:37 kid1| DNS Socket created at [::], FD 5
2021/05/07 10:24:37 kid1| DNS Socket created at 0.0.0.0, FD 6
2021/05/07 10:24:37 kid1| Adding nameserver 8.8.8.8 from squid.conf
2021/05/07 10:24:37 kid1| Adding nameserver 208.67.222.222 from squid.conf
2021/05/07 10:24:38 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2021/05/07 10:24:38 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2021/05/07 10:24:38 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2021/05/07 10:24:38 kid1| Store logging disabled
2021/05/07 10:24:38 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2021/05/07 10:24:38 kid1| Target number of buckets: 1008
2021/05/07 10:24:38 kid1| Using 8192 Store buckets
2021/05/07 10:24:38 kid1| Max Mem  size: 262144 KB
2021/05/07 10:24:38 kid1| Max Swap size: 0 KB
2021/05/07 10:24:38 kid1| Using Least Load store dir selection
2021/05/07 10:24:38 kid1| Set Current Directory to /var/cache/squid
2021/05/07 10:24:38 kid1| Finished loading MIME types and icons.
2021/05/07 10:24:38 kid1| HTCP Disabled.
2021/05/07 10:24:38 kid1| Squid plugin modules loaded: 0
2021/05/07 10:24:38 kid1| Adaptation support is off.
2021/05/07 10:24:38 kid1| Accepting HTTP Socket connections at local=[::]:3128 
remote=[::] FD 10 flags=9
2021/05/07 10:24:39 kid1| storeLateRelease: released 0 objects
2021/05/07 10:26:22 kid1| Set Current Directory to /var/cache/squid
2021/05/07 10:26:22 kid1| Starting Squid Cache version 3.5.28 for 
x86_64-unknown-cygwin...
2021/05/07 10:26:22 kid1| Service Name: squid
2021/05/07 10:26:22 kid1| Process ID 16944
2021/05/07 10:26:22 kid1| Process Roles: worker
2021/05/07 10:26:22 kid1| With 3200 file descriptors available
2021/05/07 10:26:22 kid1| Initializing IP Cache...
2021/05/07 10:26:22 kid1| parseEtcHosts: /etc/hosts: (2) No such file or 
directory
2021/05/07 10:26:22 kid1| DNS Socket created at [::], FD 5
2021/05/07 10:26:22 kid1| DNS Socket created at 0.0.0.0, FD 6
2021/05/07 10:26:22 kid1| Adding nameserver 8.8.8.8 from squid.conf
2021/05/07 10:26:22 kid1| Adding nameserver 208.67.222.222 from squid.conf
2021/05/07 10:26:22 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2021/05/07 10:26:22 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2021/05/07 10:26:22 kid1| WARNING: no_suid: setuid(0): (22) 

Re: [squid-users] HTTPS request times out going through Squid proxy

2021-05-10 Thread Aniruddha Gore
My bad, here is cache.log lines from that same day:

2021/05/07 02:50:34 kid1| Set Current Directory to /var/cache/squid
2021/05/07 02:50:34 kid1| Starting Squid Cache version 3.5.28 for 
x86_64-unknown-cygwin...
2021/05/07 02:50:34 kid1| Service Name: squid
2021/05/07 02:50:34 kid1| Process ID 5300
2021/05/07 02:50:34 kid1| Process Roles: worker
2021/05/07 02:50:34 kid1| With 3200 file descriptors available
2021/05/07 02:50:34 kid1| Initializing IP Cache...
2021/05/07 02:50:34 kid1| parseEtcHosts: /etc/hosts: (2) No such file or 
directory
2021/05/07 02:50:34 kid1| DNS Socket created at [::], FD 5
2021/05/07 02:50:34 kid1| DNS Socket created at 0.0.0.0, FD 6
2021/05/07 02:50:34 kid1| Adding nameserver 8.8.8.8 from squid.conf
2021/05/07 02:50:34 kid1| Adding nameserver 208.67.222.222 from squid.conf
2021/05/07 02:50:35 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2021/05/07 02:50:35 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2021/05/07 02:50:35 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2021/05/07 02:50:35 kid1| Store logging disabled
2021/05/07 02:50:35 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2021/05/07 02:50:35 kid1| Target number of buckets: 1008
2021/05/07 02:50:35 kid1| Using 8192 Store buckets
2021/05/07 02:50:35 kid1| Max Mem  size: 262144 KB
2021/05/07 02:50:35 kid1| Max Swap size: 0 KB
2021/05/07 02:50:35 kid1| Using Least Load store dir selection
2021/05/07 02:50:35 kid1| Set Current Directory to /var/cache/squid
2021/05/07 02:50:35 kid1| Finished loading MIME types and icons.
2021/05/07 02:50:35 kid1| HTCP Disabled.
2021/05/07 02:50:35 kid1| Squid plugin modules loaded: 0
2021/05/07 02:50:35 kid1| Adaptation support is off.
2021/05/07 02:50:35 kid1| Accepting HTTP Socket connections at local=[::]:3128 
remote=[::] FD 10 flags=9
2021/05/07 02:50:36 kid1| storeLateRelease: released 0 objects
2021/05/07 10:24:37 kid1| Set Current Directory to /var/cache/squid
2021/05/07 10:24:37 kid1| Starting Squid Cache version 3.5.28 for 
x86_64-unknown-cygwin...
2021/05/07 10:24:37 kid1| Service Name: squid
2021/05/07 10:24:37 kid1| Process ID 25760
2021/05/07 10:24:37 kid1| Process Roles: worker
2021/05/07 10:24:37 kid1| With 3200 file descriptors available
2021/05/07 10:24:37 kid1| Initializing IP Cache...
2021/05/07 10:24:37 kid1| parseEtcHosts: /etc/hosts: (2) No such file or 
directory
2021/05/07 10:24:37 kid1| DNS Socket created at [::], FD 5
2021/05/07 10:24:37 kid1| DNS Socket created at 0.0.0.0, FD 6
2021/05/07 10:24:37 kid1| Adding nameserver 8.8.8.8 from squid.conf
2021/05/07 10:24:37 kid1| Adding nameserver 208.67.222.222 from squid.conf
2021/05/07 10:24:38 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2021/05/07 10:24:38 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2021/05/07 10:24:38 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2021/05/07 10:24:38 kid1| Store logging disabled
2021/05/07 10:24:38 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2021/05/07 10:24:38 kid1| Target number of buckets: 1008
2021/05/07 10:24:38 kid1| Using 8192 Store buckets
2021/05/07 10:24:38 kid1| Max Mem  size: 262144 KB
2021/05/07 10:24:38 kid1| Max Swap size: 0 KB
2021/05/07 10:24:38 kid1| Using Least Load store dir selection
2021/05/07 10:24:38 kid1| Set Current Directory to /var/cache/squid
2021/05/07 10:24:38 kid1| Finished loading MIME types and icons.
2021/05/07 10:24:38 kid1| HTCP Disabled.
2021/05/07 10:24:38 kid1| Squid plugin modules loaded: 0
2021/05/07 10:24:38 kid1| Adaptation support is off.
2021/05/07 10:24:38 kid1| Accepting HTTP Socket connections at local=[::]:3128 
remote=[::] FD 10 flags=9
2021/05/07 10:24:39 kid1| storeLateRelease: released 0 objects
2021/05/07 10:26:22 kid1| Set Current Directory to /var/cache/squid
2021/05/07 10:26:22 kid1| Starting Squid Cache version 3.5.28 for 
x86_64-unknown-cygwin...
2021/05/07 10:26:22 kid1| Service Name: squid
2021/05/07 10:26:22 kid1| Process ID 16944
2021/05/07 10:26:22 kid1| Process Roles: worker
2021/05/07 10:26:22 kid1| With 3200 file descriptors available
2021/05/07 10:26:22 kid1| Initializing IP Cache...
2021/05/07 10:26:22 kid1| parseEtcHosts: /etc/hosts: (2) No such file or 
directory
2021/05/07 10:26:22 kid1| DNS Socket created at [::], FD 5
2021/05/07 10:26:22 kid1| DNS Socket created at 0.0.0.0, FD 6
2021/05/07 10:26:22 kid1| Adding nameserver 8.8.8.8 from squid.conf
2021/05/07 10:26:22 kid1| Adding nameserver 208.67.222.222 from squid.conf
2021/05/07 10:26:22 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2021/05/07 10:26:22 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2021/05/07 10:26:22 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2021/05/07 10:26:22 kid1| Store logging disabled
2021/05/07 10:26:22 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2021/05/07 10:26:22 kid1| Target number of buckets: 1008
2021/05/07 10:26:22 kid1| Using 8192 Store buckets
2021/05/07 10:26:22 kid1| 

Re: [squid-users] HTTPS request times out going through Squid proxy

2021-05-10 Thread Matus UHLAR - fantomas

On 10.05.21 16:31, Aniruddha Gore wrote:

Matus, I see multiple lines like the following in access.log:

1620413633.857  42280  TAG_NONE/500 0 CONNECT :443 - 
HIER_DIRECT/13.107.246.70 -



There is no other information in those logs.


cache.log is different logfile, I have asked for that one.
I hope windows version of squid doesn't send cache log to system event log.


On 10.05.21 07:52, Aniruddha Gore wrote:

Any help I could use?  :) The gist is: I have squid running on machine A,
and an app on machine B.  The app sets proxy (A's ip address and squid
port #) when making HTTP requests but the requests are failing.



When I run Squid on the same machine where my application is running it
works fine, but when I run Squid with the same exact default config on a
different machine it doesn't.  I supply other machine's IP address and
port (3128) on command line to my app, and it simply takes it and sets web
proxy property on CPPRest SDK's http_config object.



The access.log file has many lines like the following:
1620409014.520  42289  TAG_NONE/500 0 CONNECT :443 - 
HIER_DIRECT/13.107.246.70 -


looks like the application correctly asks SQUID for CONNECT but something
happens after that.
Is there anything in cache.log for that time?


When capturing network calls via Wireshark (on this other machine where
Squid is running), the CONNECT call succeeds but the following TCP call
seems to fail with a RESET status (Wireshark is highlighting it in
Yellow).  Here's the frame if I am doing it right:


well, the CONNECT is sent, but later squid replies with 500 internal error

https://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes

the wireshark details don't show any message from squid. Maybe there is
none.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
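
The correlation step discussed in this thread (convert the access.log epoch timestamp, then look in cache.log around that time), as an added Python example that is not part of the original messages. The sample lines are constructed from the ones quoted here; the client address, the CONNECT host, the two placeholder cache.log lines and the UTC-7 proxy clock are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input modelled on the thread. 192.0.2.10 and host.example
# are placeholders: the archived post does not show the real values.
ACCESS_LOG = """\
1620413633.857  42280 192.0.2.10 TAG_NONE/500 0 CONNECT host.example:443 - HIER_DIRECT/13.107.246.70 -
"""

# First two lines as quoted in the thread; last two are constructed placeholders.
CACHE_LOG = """\
2021/05/07 10:26:22 kid1| Starting Squid Cache version 3.5.28 for x86_64-unknown-cygwin...
2021/05/07 10:26:22 kid1| WARNING: no_suid: setuid(0): (22) Invalid argument
2021/05/07 11:53:20 kid1| (constructed placeholder: a line inside the request window)
2021/05/07 12:30:00 kid1| (constructed placeholder: a line long after the request)
"""

# Assumption: the proxy host's clock is at UTC-7 (US Pacific in May).
# cache.log carries local wall-clock time with no zone, so this must be supplied.
PROXY_TZ = timezone(timedelta(hours=-7))
CACHE_FMT = "%Y/%m/%d %H:%M:%S"

# Native access.log format: time elapsed_ms client code/status bytes method URL ...
ACCESS_RE = re.compile(
    r"^(\d+\.\d+)\s+(\d+)\s+(\S+)\s+([A-Z_]+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)"
)
# cache.log: "YYYY/MM/DD HH:MM:SS kidN| message" (the kidN part is optional).
CACHE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?: \S+)?\|\s*(.*)$")


def parse_access(text):
    """Return one dict per parsable access.log line, with UTC start/end times."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # The logged time is when the transaction ended; it began
        # elapsed_ms earlier, so the window of interest starts there.
        end = datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc)
        elapsed = timedelta(milliseconds=int(m.group(2)))
        entries.append({
            "start": end - elapsed, "end": end, "client": m.group(3),
            "code": m.group(4), "status": int(m.group(5)),
            "method": m.group(7), "url": m.group(8),
        })
    return entries


def parse_cache(text, tz):
    """Return (aware datetime, message) for each timestamped cache.log line."""
    rows = []
    for line in text.splitlines():
        m = CACHE_RE.match(line)
        if m:  # wrapped continuation lines have no timestamp and are skipped
            ts = datetime.strptime(m.group(1), CACHE_FMT).replace(tzinfo=tz)
            rows.append((ts, m.group(2)))
    return rows


def local_stamp(moment, tz=PROXY_TZ):
    """Format a time the way cache.log prints it, in the given zone."""
    return moment.astimezone(tz).strftime(CACHE_FMT)


def correlate(access_text, cache_text, tz=PROXY_TZ, slack=timedelta(seconds=5)):
    """Pair every 5xx access.log entry with the cache.log lines in its window."""
    cache = parse_cache(cache_text, tz)
    report = []
    for entry in parse_access(access_text):
        if entry["status"] < 500:
            continue
        lo, hi = entry["start"] - slack, entry["end"] + slack
        hits = [(ts, msg) for ts, msg in cache if lo <= ts <= hi]
        report.append((entry, hits))
    return report


if __name__ == "__main__":
    for entry, hits in correlate(ACCESS_LOG, CACHE_LOG):
        print("%s %s -> %s/%d" % (entry["method"], entry["url"],
                                  entry["code"], entry["status"]))
        print("  look in cache.log between %s and %s" % (
            local_stamp(entry["start"]), local_stamp(entry["end"])))
        for ts, msg in hits:
            print("  %s %s" % (local_stamp(ts), msg))
        if not hits:
            print("  no cache.log lines in that window")
```

Passing the wrong zone for the proxy host shifts the window by hours and makes a relevant cache.log line look absent, which is why the timezone question matters here.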


Re: [squid-users] Setting up a transparent http and https proxy server using squid 4.6

2021-05-10 Thread L . P . H . van Belle
Your firewall rules seem off.

192.168.1.32 is your client, as I have seen in the log.

But you're showing 10.3.141.0/24, so...

Try/look at this. Change interfaces where needed, of course.

# REDIRECT is only accepted in the nat table; PREROUTING catches traffic
# arriving from the clients.
iptables -t nat -A PREROUTING -p tcp \
  --dport 80 -j REDIRECT --to-ports 3128 -m comment --comment "Squid-Intercept 80->3128"

iptables -t nat -A PREROUTING -p tcp \
  --dport 443 -j REDIRECT --to-ports 3129 -m comment --comment "Squid-Intercept 443->3129"

# MASQUERADE is only accepted in the nat table's POSTROUTING chain.
iptables -t nat -A POSTROUTING -o INTERNET_INTERFACE \
  -j MASQUERADE -m comment --comment "IP-Masq allow internet"

Greetz,

Louis



From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of jean francois hasson
Sent: Sunday, 3 January 2021 19:15
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Setting up a transparent http and https proxy server using squid 4.6

Hi,

After reading more information on this kind of error I captured a few 
transactions with Wireshark running on the raspberry pi hosting squid 4.6 and 
openssl 1.1.1d. I captured some transactions when trying to access ebay.fr 
which is currently not successful with the setup I have with the error of 
inappropriate fallback mentioned below.

I am not familiar with TLS transactions so I will try to present a high level 
view of the transactions between the raspberry pi and the ebay.fr server. I 
hope you can guide me as to what I should focus on to understand, if possible, 
the issue I have.

A bird's eye view of the transactions from Wireshark over time is:

 23  0.175795327  192.168.1.32  192.168.1.1   DNS      71    Standard query 0x057e A www.ebay.fr
 24  0.214678299  192.168.1.1   192.168.1.32  DNS      165   Standard query response 0x057e A www.ebay.fr CNAME slot11847.ebay.com.edgekey.net CNAME e11847.g.akamaiedge.net A 23.57.6.166
 25  0.301067317  192.168.1.32  23.57.6.166   TCP      74    53934 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186690 TSecr=0 WS=128
 26  0.302488046  192.168.1.32  23.57.6.166   TCP      74    53936 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186691 TSecr=0 WS=128
 27  0.328959454  23.57.6.166   192.168.1.32  TCP      74    443 53934 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404062 TSecr=365186690 WS=128
 28  0.329115340  192.168.1.32  23.57.6.166   TCP      66    53934 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186718 TSecr=3470404062
 29  0.329752684  192.168.1.32  23.57.6.166   TLSv1.2  583   Client Hello
 30  0.330530288  23.57.6.166   192.168.1.32  TCP      74    443 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404064 TSecr=365186691 WS=128
 31  0.330644819  192.168.1.32  23.57.6.166   TCP      66    53936 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186719 TSecr=3470404064
 32  0.331192579  192.168.1.32  23.57.6.166   TLSv1.2  583   Client Hello
 35  0.351054404  192.168.1.32  192.168.1.98  TCP      54    5900 49903 [ACK] Seq=14256 Ack=97 Win=501 Len=0
 36  0.363323884  23.57.6.166   192.168.1.32  TCP      66    443 53934 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404096 TSecr=365186719
 37  0.364291801  23.57.6.166   192.168.1.32  TLSv1.2  1514  Server Hello
 38  0.364347270  192.168.1.32  23.57.6.166   TCP      66    53934 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186753 TSecr=3470404096
 39  0.365482999  23.57.6.166   192.168.1.32  TCP      1514  443 53934 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
 40  0.365535030  192.168.1.32  23.57.6.166   TCP      66    53934 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186754 TSecr=3470404096
 41  0.366217999  23.57.6.166   192.168.1.32  TCP      1266  443 53934 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
 42  0.366279041  192.168.1.32  23.57.6.166   TCP      66    53934 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186755 TSecr=3470404096
 43  0.366321697  23.57.6.166   192.168.1.32  TCP      74    [TCP Retransmission] 443 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404096 TSecr=365186691 WS=128
 44  0.366410135  192.168.1.32  23.57.6.166   TCP      66    [TCP Dup ACK 31#1] 53936 443 [ACK] Seq=518 Ack=1 Win=64256 Len=0 TSval=365186755 TSecr=3470404064
 45  0.366709770  23.57.6.166   192.168.1.32  TLSv1.2  991   Certificate, 

Re: [squid-users] HTTPS request times out going through Squid proxy

2021-05-10 Thread Aniruddha Gore
Matus, I see multiple lines like the following in access.log:

1620413633.857  42280  TAG_NONE/500 0 CONNECT :443 - 
HIER_DIRECT/13.107.246.70 -

There is no other information in those logs.

Aniruddha Gore

From: squid-users  on behalf of 
Matus UHLAR - fantomas 
Sent: Monday, May 10, 2021 1:39 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] HTTPS request times out going through Squid proxy

On 10.05.21 07:52, Aniruddha Gore wrote:
>Any help I could use?  :) The gist is: I have squid running on machine A,
> and an app on machine B.  The app sets proxy (A's ip address and squid
> port #) when making HTTP requests but the requests are failing.

>When I run Squid on the same machine where my application is running it
> works fine, but when I run Squid with the same exact default config on a
> different machine it doesn't.  I supply other machine's IP address and
> port (3128) on command line to my app, and it simply takes it and sets web
> proxy property on CPPRest SDK's http_config object.

>The access.log file has many lines like the following:
>1620409014.520  42289  TAG_NONE/500 0 CONNECT :443 - 
>HIER_DIRECT/13.107.246.70 -

looks like the application correctly asks SQUID for CONNECT but something
happens after that.
Is there anything in cache.log for that time?

>When capturing network calls via Wireshark (on this other machine where
> Squid is running), the CONNECT call succeeds but the following TCP call
> seems to fail with a RESET status (Wireshark is highlighting it in
> Yellow).  Here's the frame if I am doing it right:

well, the CONNECT is sent, but later squid replies with 500 internal error

https://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes

the wireshark details don't show any message from squid. Maybe there is
none.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler


[squid-users] SSL BUMP

2021-05-10 Thread Stephane Simon
Hello,
I try to configure https with ssl bump. I use redhat 8.

I follow https://blog.microlinux.fr/squid-https-centos-7/ . When I restart squid, 
it doesn't cooperate and says:
"FATAL: The usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 64MB helpers are crashing too rapidly, need help!"

I don't know how to fix this error... I don't know why I have this error ^^

Does someone have an idea please?

squid.conf:

http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/certificat.pem \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=64MB

#SSL certificate generation
sslcrtd_program usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 64MB
sslcrtd_children 32 startup=5 idle=1

# SSL-Bump
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

THANKS


Re: [squid-users] compile squid with tumbleweed

2021-05-10 Thread vacheslav

yes, from the browser..

squid cache last showed:

2021/04/02 15:52:47 kid1| Logfile: opening log 
daemon:/var/log/squid/access.log
2021/04/02 15:52:47 kid1| Logfile Daemon: opening log 
/var/log/squid/access.log

2021/04/02 15:52:47 kid1| Unlinkd pipe opened on FD 40
2021/04/02 15:52:47 kid1| Local cache digest enabled; rebuild/rewrite 
every 3600/3600 sec

2021/04/02 15:52:47 kid1| Store logging disabled
2021/04/02 15:52:47 kid1| Swap maxSize 3072000 + 1048576 KB, estimated 
316967 objects

2021/04/02 15:52:47 kid1| Target number of buckets: 15848
2021/04/02 15:52:47 kid1| Using 16384 Store buckets
2021/04/02 15:52:47 kid1| Max Mem  size: 1048576 KB
2021/04/02 15:52:47 kid1| Max Swap size: 3072000 KB
2021/04/02 15:52:47 kid1| Rebuilding storage in /var/cache/squid (clean log)
2021/04/02 15:52:47 kid1| Using Least Load store dir selection
2021/04/02 15:52:47 kid1| Set Current Directory to /var/cache/squid
2021/04/02 15:52:47 kid1| Finished loading MIME types and icons.
2021/04/02 15:52:47 kid1| HTCP Disabled.
2021/04/02 15:52:47 kid1| Pinger socket opened on FD 45
2021/04/02 15:52:47 kid1| Squid plugin modules loaded: 0
2021/04/02 15:52:47 kid1| Adaptation support is off.
2021/04/02 15:52:47 kid1| Accepting SSL bumped HTTP Socket connections 
at local=0.0.0.0:8080 remote=[::] FD 43 flags=9
2021/04/02 15:52:47| WARNING: BCP 177 violation. Detected non-functional 
IPv6 loopback.

2021/04/02 15:52:47| pinger: Initialising ICMP pinger ...
2021/04/02 15:52:47| pinger: ICMP socket opened.
2021/04/02 15:52:47| pinger: ICMPv6 socket opened
2021/04/02 15:52:47 kid1| Store rebuilding is 19.99% complete
2021/04/02 15:52:47 kid1| Done reading /var/cache/squid swaplog (20010 
entries)

2021/04/02 15:52:47 kid1| Finished rebuilding storage from disk.
2021/04/02 15:52:47 kid1| 20010 Entries scanned
2021/04/02 15:52:47 kid1| 0 Invalid entries.
2021/04/02 15:52:47 kid1| 0 With invalid flags.
2021/04/02 15:52:47 kid1| 20010 Objects loaded.
2021/04/02 15:52:47 kid1| 0 Objects expired.
2021/04/02 15:52:47 kid1| 0 Objects cancelled.
2021/04/02 15:52:47 kid1| 0 Duplicate URLs purged.
2021/04/02 15:52:47 kid1| 0 Swapfile clashes avoided.
2021/04/02 15:52:47 kid1|   Took 0.26 seconds (76538.52 objects/sec).
2021/04/02 15:52:47 kid1| Beginning Validation Procedure
2021/04/02 15:52:47 kid1|   Completed Validation Procedure
2021/04/02 15:52:47 kid1|   Validated 20010 Entries
2021/04/02 15:52:47 kid1|   store_swap_size = 1355568.00 KB
2021/04/02 15:52:47 kid1| WARNING: 
/usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 
4MB #Hlpr1 exited
2021/04/02 15:52:47 kid1| Too few 
/usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 
4MB processes are running (need 1/32)

2021/04/02 15:52:47 kid1| Closing HTTP(S) port 0.0.0.0:8080
2021/04/02 15:52:47 kid1| storeDirWriteCleanLogs: Starting...
2021/04/02 15:52:47 kid1|   Finished.  Wrote 20010 entries.
2021/04/02 15:52:47 kid1|   Took 0.01 seconds (3978131.21 entries/sec).
2021/04/02 15:52:47 kid1| FATAL: The 
/usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 
4MB helpers are crashing too rapidly, need help!


squid log last showed:


1617367631.100    868 10.0.28.26 TCP_REFRESH_MODIFIED_ABORTED/200 13935 
GET http://spastv.ru/ - HIER_DIRECT/84.201.153.140 text/html
1617367725.880  0 10.0.28.26 NONE/000 0 NONE 
error:transaction-end-before-headers - HIER_NONE/- -
1617367845.916  0 10.0.28.26 NONE/000 0 NONE 
error:transaction-end-before-headers - HIER_NONE/- -


which is an every minute check


sudo systemctl status squid
● squid.service - Squid caching proxy
 Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; 
vendor preset: disabled)
 Active: failed (Result: exit-code) since Sun 2021-04-04 21:58:13 
+03; 5s ago

   Docs: man:squid(8)
    Process: 28198 
ExecStartPre=/usr/libexec/squid/initialize_cache_if_needed.sh 
(code=exited, status=0/SUCCESS)
    Process: 28202 ExecStart=/usr/sbin/squid -FC (code=exited, 
status=0/SUCCESS)

   Main PID: 28203 (code=exited, status=1/FAILURE)

Apr 04 21:58:12 proxy squid[28203]: Squid Parent: (squid-1) process 
28355 started
Apr 04 21:58:12 proxy (squid-1)[28355]: FATAL: The 
/usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4>
Apr 04 21:58:12 proxy squid[28203]: Squid Parent: squid-1 process 28355 
exited with status 1
Apr 04 21:58:12 proxy squid[28203]: Squid Parent: (squid-1) process 
28405 started
Apr 04 21:58:13 proxy (squid-1)[28405]: FATAL: The 
/usr/libexec/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4>
Apr 04 21:58:13 proxy squid[28203]: Squid Parent: squid-1 process 28405 
exited with status 1
Apr 04 21:58:13 proxy squid[28203]: Squid Parent: squid-1 process 28405 
will not be restarted for 3600 seconds due to repea>
Apr 04 21:58:13 proxy squid[28203]: Exiting due to repeated, frequent 
failures
Apr 04 21:58:13 proxy systemd[1]: squid.service: Main process exited, 

Re: [squid-users] compile squid with tumbleweed

2021-05-10 Thread Vacheslav
Hmm, thanks to both of you. I regenerated new certificates using
Eliazer's method and now squid restarted, but it is refusing connections.
I normally configure port 8080 as the proxy port in the browser, and I
am thinking there needs to be another port for ssl bumping?


now the configuration is like this:




# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 8080

##sslproxy_capath /home/zouhairy/demoCA

http_port 8080 ssl-bump cert=/etc/squid/certs/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB




ssl_bump peek all
ssl_bump splice all



#tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS


# Uncomment and adjust the following to add a disk cache directory.
# Updates: chrome and acrobat
#refresh_pattern -i gvt1.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 129600 reload-into-ims
#refresh_pattern -i adobe.com/.*\.(exe|ms[i|u|f|p]|dat|zip|psf) 43200 80% 129600 reload-into-ims




range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1



cache_dir ufs /var/cache/squid 3000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

cache_mem 1024 MB

netdb_filename none

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -m 4 -l /var/log/squid/

url_rewrite_children 16 startup=8 idle=2 concurrency=4
#debug_options ALL,1 33,2 28,9


On 4/2/21 2:02 PM, Amos Jeffries wrote:

On 1/04/21 11:41 pm, Majed Zouhairy wrote:


to enable ssl bumping.

specifically those commands:

/usr/share/ssl/misc/CA.pl -newca
/usr/share/ssl/misc/CA.pl -newreq
/usr/share/ssl/misc/CA.pl -sign
openssl x509 -in newcert.pem -outform DER -out squidTrusted.der




sudo squid -z

asks for certificate password
then

Enter PEM pass phrase:
2021/04/01 13:17:03| Created PID file (/run/squid.pid)
zouhairy@proxy:~> 2021/04/01 13:17:03 kid1| WARNING: BCP 177 
violation. Detected non-functional IPv6 loopback.

Enter PEM pass phrase:
2021/04/01 13:17:03 kid1| FATAL: No valid signing certificate 
configured for HTTP_port 0.0.0.0:8080


That says there is no CA certificate found in the file configured for
that port's tls-cert= option. Squid requires a signing (CA) certificate
and its private key in order to perform SSL-Bump.


With "squid -k parse" Squid should tell you what it is loading from that 
file.





squid conf:


...


http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/newcert.pem key=/etc/squid/certs/newkey.pem capath=/home/zouhairy/demoCA






ssl_bump peek all
ssl_bump splice all

sslproxy_cert_error allow all





Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users




[squid-users] [squid-announce] [ADVISORY] SQUID-2021:5 Denial of Service in HTTP Response Processing

2021-05-10 Thread squid3

__

Squid Proxy Cache Security Update Advisory SQUID-2021:5
__

Advisory ID:       | SQUID-2021:5
Date:              | May 10, 2021
Summary:           | Denial of Service in HTTP Response Processing
Affected versions: | Squid 2.x -> 2.7.STABLE9
                   | Squid 3.x -> 3.5.28
                   | Squid 4.x -> 4.14
                   | Squid 5.x -> 5.0.5
Fixed in version:  | Squid 4.15, 5.0.6
__


__

Problem Description:

 Due to an input validation bug Squid is vulnerable to a Denial
 of Service against all clients using the proxy.

__

Severity:

 This problem allows a remote server to perform Denial of Service
 when delivering HTTP Response messages. The issue trigger is a
 header which can be expected to exist in HTTP traffic without
 any malicious intent by the server.

CVSS Score of 8.8


__

Updated Packages:

This bug is fixed by Squid versions 4.15 and 5.0.6.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 



Squid 5:
 



 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 Squid older than 4.15 have not been tested and should be
 assumed to be vulnerable.

 All Squid-5.x up to and including 5.0.5 are vulnerable.

__

Workaround:

 There are no known workarounds to this issue.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the  mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
  mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Joshua Rogers of Opera
 Software.

 Fixed by Alex Rousskov of The Measurement Factory.

__

Revision history:

 2021-03-05 22:11:43 UTC Initial Report
__
END
___
squid-announce mailing list
squid-annou...@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-users] [squid-announce] [ADVISORY] SQUID-2021:3 Denial of Service issue in Cache Manager

2021-05-10 Thread squid3

__

Squid Proxy Cache Security Update Advisory SQUID-2021:3
__

Advisory ID:       | SQUID-2021:3
Date:              | May 10, 2021
Summary:           | Denial of Service issue in Cache Manager
Affected versions: | Squid 1.x -> 3.5.28
                   | Squid 4.x -> 4.14
                   | Squid 5.x -> 5.0.4
Fixed in version:  | Squid 4.15 and 5.0.5
__

  
__

Problem Description:

 Due to an incorrect parser validation bug Squid is vulnerable to
 a Denial of Service attack against the Cache Manager API.

__

Severity:

 This problem allows a trusted client to trigger memory leaks
 which over time lead to a Denial of Service against Squid and
 the machine it is operating on.

 This attack is limited to clients with Cache Manager API access
 privilege.

CVSS Score of 7.8
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:X/IR:X/AR:H/MAV:N/MAC:H/MPR:H/MUI:N/MS:C/MC:X/MI:X/MA:H=3.1

__

Updated Packages:

This bug is fixed by Squid versions 4.15 and 5.0.6.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 



Squid 5:
 



 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 Squid older than 3.5.28 have not been tested and should be
 assumed to be vulnerable.

 All Squid-4.x up to and including 4.14 are vulnerable.

 All Squid-5.x up to and including 5.0.4 are vulnerable.

__

Workaround:

Either,

 Disable Cache Manager access entirely if not needed.

 Place the following line in squid.conf before lines containing
 "allow" :

   http_access deny manager

Or,

 Harden Cache Manager access privileges.

 For example; require authentication or other access controls in
 http_access beyond the default IP address restriction.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the  mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
  mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Joshua Rogers of Opera
 Software.

 Fixed by Amos Jeffries of Treehouse Networks Ltd.

__

Revision history:

 2021-03-03 17:02:25 UTC Initial Report
 2021-03-16 01:59:45 UTC Patch Released
 2021-03-17 06:19:09 UTC CVE Assignment
__
END


[squid-users] [squid-announce] [ADVISORY] SQUID-2021:4 Multiple issues in HTTP Range header

2021-05-10 Thread squid3

__

Squid Proxy Cache Security Update Advisory SQUID-2021:4
__

Advisory ID:       | SQUID-2021:4
Date:              | May 10, 2021
Summary:           | Multiple issues in HTTP Range header
Affected versions: | Squid 2.5 -> 2.7.STABLE9
                   | Squid 3.x -> 3.5.28
                   | Squid 4.x -> 4.14
                   | Squid 5.x -> 5.0.5
Fixed in version:  | Squid 4.16, 5.0.6
__

  
  
  
__

Problem Description:

 Due to an incorrect input validation bug Squid is vulnerable to
 a Denial of Service attack against all clients using the proxy.

 Due to an incorrect memory management bug Squid is vulnerable to
 a Denial of Service attack against all clients using the proxy.

 Due to an integer overflow bug Squid is vulnerable to a Denial
 of Service attack against all clients using the proxy.

__

Severity:

 These problems all allow a trusted client to perform Denial of
 Service when making HTTP Range requests.

 The integer overflow problem allows a remote server to perform
 Denial of Service when delivering responses to HTTP Range
 requests. The issue trigger is a header which can be expected to
 exist in HTTP traffic without any malicious intent.

CVSS Score of 8.0


__

Updated Packages:

This bug is fixed by Squid versions 4.15 and 5.0.6.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 



Squid 5:
 



 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 Squid older than 3.5.28 have not been tested and should be
 assumed to be vulnerable.

 All Squid-4.x up to and including 4.14 are vulnerable.

 All Squid-5.x up to and including 5.0.5 are vulnerable.

__

Workaround:

 There are no workarounds known for these problems.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the  mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
  mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Joshua Rogers of Opera
 Software.

 Fixed by Alex Rousskov of The Measurement Factory.

__

Revision history:

 2021-03-19 06:49:52 UTC Initial Report of Denial of Service
 2021-03-24 08:51:08 UTC Additional Report of Use-After-Free
 2021-03-25 21:57:07 UTC Additional Report of integer-overflow
__
END


[squid-users] [squid-announce] [ADVISORY] SQUID-2021:2 Denial of Service in HTTP Response Processing

2021-05-10 Thread squid3

__

Squid Proxy Cache Security Update Advisory SQUID-2021:2
__

Advisory ID:       | SQUID-2021:2
Date:              | May 10, 2021
Summary:           | Denial of Service in HTTP Response Processing
Affected versions: | Squid 4.x -> 4.14
                   | Squid 5.x -> 5.0.5
Fixed in version:  | Squid 4.15, 5.0.6
__

  
__

Problem Description:

 Due to an input validation bug Squid is vulnerable to a Denial
 of Service against all clients using the proxy.

__

Severity:

 This problem allows a remote server to perform Denial of Service
 when delivering HTTP Response messages. The issue trigger is a
 header which can be expected to exist in HTTP traffic without any
 malicious intent by the server.

CVSS Score of 7.9


__

Updated Packages:

 This bug is fixed by Squid versions 4.15 and 5.0.6.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 



 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid older than 4.0 are not vulnerable.

 All Squid-4.x up to and including 4.14 are vulnerable.

 All Squid-5.x up to and including 5.0.5 are vulnerable.

__

Workaround:

 There are no known workarounds for this vulnerability.

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the  mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
  mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Joshua Rogers of Opera
 Software.

 Fixed by Alex Rousskov of The Measurement Factory.

__

Revision history:

 2021-03-08 19:45:14 UTC Initial Report
 2021-03-16 15:45:11 UTC Patch Released
 2021-03-18 01:33:50 UTC CVE Allocation
__
END


[squid-users] [squid-announce] [ADVISORY] SQUID-2021:1 Denial of Service in URN processing

2021-05-10 Thread squid3

__

Squid Proxy Cache Security Update Advisory SQUID-2021:1
__

Advisory ID:       | SQUID-2021:1
Date:              | May 10, 2021
Summary:           | Denial of Service in URN processing
Affected versions: | Squid 2.0 -> 4.14
                   | Squid 5.x -> 5.0.5
Fixed in version:  | Squid 4.15 and 5.0.6
__

  
__

Problem Description:

 Due to a buffer management bug Squid is vulnerable to a
 Denial of service attack against the server it is operating on.

 This attack is limited to proxies which attempt to resolve a
 "urn:" resource identifier. Support for this resolving is enabled
 by default in all Squid.

__

Severity:

 This problem allows a malicious server in collaboration with a
 trusted client to consume arbitrarily large amounts of memory
 on the server running Squid.

 Lack of available memory resources impacts all services on the
 machine running Squid. Once initiated the DoS situation will
 persist until Squid is shutdown.

CVSS Score of 8.5


__

Updated Packages:

This bug is fixed by Squid versions 4.15 and 5.0.6.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 



 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 Squid older than 3.5.28 have not been tested and should be
 assumed to be vulnerable.

 All Squid-4.x up to and including 4.14 are vulnerable.

 All Squid-5.x up to and including 5.0.5 are vulnerable.

__

Workaround:

 Disable URN processing by the proxy. Add these lines to
 squid.conf:

   acl URN proto URN
   http_access deny URN

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the  mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
  mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Joshua Rogers of Opera
 Software.

 Fixed by Amos Jeffries of Treehouse Networks Ltd.

__

Revision history:

 2021-02-22 06:55:38 UTC Initial Report
 2021-02-24 00:53:21 UTC Patch Released
 2021-03-17 06:19:09 UTC CVE Assignment
__
END


[squid-users] [squid-announce] Squid 5.0.6 beta is available

2021-05-10 Thread squid3

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-5.0.6 beta release!


This release is a security release resolving several issues found in
the prior Squid releases.


The major changes to be aware of since 5.0.4:

 * SQUID-2020:11 HTTP Request Smuggling
   (CVE-2020-25097)

This problem allows a trusted client to perform HTTP Request
Smuggling and access services otherwise forbidden by Squid
security controls.

See the advisory for patches:
 




 * SQUID-2021:1 Denial of Service in URN processing
   (CVE-2021-28651)

This problem allows a malicious server in collaboration with a
trusted client to consume arbitrarily large amounts of memory
on the server running Squid.

Lack of available memory resources impacts all services on the
machine running Squid. Once initiated the DoS situation will
persist until Squid is shutdown.

See the advisory for patches:
 




 * SQUID-2021:2 Denial of Service in HTTP Response Processing
   (CVE-2021-28662)

This problem allows a remote server to perform Denial of Service
when delivering HTTP Response messages. The issue trigger is a
header which can be expected to exist in HTTP traffic without any
malicious intent by the server.

See the advisory for patches:
 




 * SQUID-2021:3 Denial of Service issue in Cache Manager
   (CVE-2021-28652)

This problem allows a trusted client to trigger memory leaks
which over time lead to a Denial of Service against Squid and
the machine it is operating on.

This attack is limited to clients with Cache Manager API access
privilege.

See the advisory for patches:
 




 * SQUID-2021:4 Multiple issues in HTTP Range header
   (CVE-2021-31806, CVE-2021-31807, CVE-2021-31808)

These problems all allow a trusted client to perform Denial of
Service when making HTTP Range requests.

The CVE-2021-31808 problem allows a remote server to perform
Denial of Service when delivering responses to HTTP Range
requests. The issue trigger is a header which can be expected
to exist in HTTP traffic without any malicious intent.

See the advisory for patches:
 




 * SQUID-2021:5 Denial of Service in HTTP Response Processing
   (CVE pending allocation)

This problem allows a remote server to perform Denial of Service
when delivering HTTP Response messages. The issue trigger is a
header which can be expected to exist in HTTP traffic without
any malicious intent by the server.

See the advisory for patches:
 




 * TLS/1.3 support improvements

Prior to TLS v1.3 Squid could detect and fetch missing intermediate
server certificates by parsing TLS ServerHello. TLS v1.3 encrypts the
relevant part of the handshake, making such "prefetch" impossible.

This release contains a workaround that should be able to identify
the missing certificates on most (but maybe not all) TLS connections.

This release enhances existing error detailing code so that more
information is logged via the existing %err_code, %err_detail,
%ssl::negotiated_version logformat
codes.

Fix certificate validation error handling. This has an immediate
positive effect on the existing reporting of the client
certificate validation errors.


 * Regression in CONNECT URI syntax

Since Peering support for SSL-Bump feature was added CONNECT
request URI have not always contained a port. Squid-5.0.5
and later now correctly send a port number on all requests.


  All users of Squid are urged to upgrade as soon as possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v5/RELEASENOTES.html
when you are ready to make the switch to Squid-5

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v5/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/5/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


[squid-users] [squid-announce] Squid 4.15 is available

2021-05-10 Thread squid3

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.15 release!


This release is a security release resolving several issues found in
the prior Squid releases.


The major changes to be aware of since 4.13:

 * SQUID-2020:11 HTTP Request Smuggling
   (CVE-2020-25097)

This problem allows a trusted client to perform HTTP Request
Smuggling and access services otherwise forbidden by Squid
security controls.

See the advisory for patches:
 




 * SQUID-2021:1 Denial of Service in URN processing
   (CVE-2021-28651)

This problem allows a malicious server in collaboration with a
trusted client to consume arbitrarily large amounts of memory
on the server running Squid.

Lack of available memory resources impacts all services on the
machine running Squid. Once initiated the DoS situation will
persist until Squid is shutdown.

See the advisory for patches:
 




 * SQUID-2021:2 Denial of Service in HTTP Response Processing
   (CVE-2021-28662)

This problem allows a remote server to perform Denial of Service
when delivering HTTP Response messages. The issue trigger is a
header which can be expected to exist in HTTP traffic without any
malicious intent by the server.

See the advisory for patches:
 




 * SQUID-2021:3 Denial of Service issue in Cache Manager
   (CVE-2021-28652)

This problem allows a trusted client to trigger memory leaks
which over time lead to a Denial of Service against Squid and
the machine it is operating on.

This attack is limited to clients with Cache Manager API access
privilege.

See the advisory for patches:
 




 * SQUID-2021:4 Multiple issues in HTTP Range header
   (CVE-2021-31806, CVE-2021-31807, CVE-2021-31808)

These problems all allow a trusted client to perform Denial of
Service when making HTTP Range requests.

The CVE-2021-31808 problem allows a remote server to perform
Denial of Service when delivering responses to HTTP Range
requests. The issue trigger is a header which can be expected
to exist in HTTP traffic without any malicious intent.

See the advisory for patches:
 




 * SQUID-2021:5 Denial of Service in HTTP Response Processing
   (CVE pending allocation)

This problem allows a remote server to perform Denial of Service
when delivering HTTP Response messages. The issue trigger is a
header which can be expected to exist in HTTP traffic without
any malicious intent by the server.

See the advisory for patches:
 




  All users of Squid are urged to upgrade as soon as possible.


See the ChangeLog for the full list of changes in this and earlier
releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
  http://bugs.squid-cache.org/


Amos Jeffries


[squid-users] [squid-announce] [ADVISORY] SQUID-2020:11 HTTP Request Smuggling

2021-05-10 Thread Amos Jeffries

__

Squid Proxy Cache Security Update Advisory SQUID-2020:11
__

Advisory ID:       | SQUID-2020:11
Date:              | Oct 4, 2020
Summary:           | HTTP Request Smuggling
Affected versions: | Squid 2.x -> 2.7.STABLE9
                   | Squid 3.x -> 3.5.28
                   | Squid 4.x -> 4.13
                   | Squid 5.x -> 5.0.4
Fixed in version:  | Squid 4.14 and 5.0.5
__

  
__

Problem Description:

 Due to improper input validation Squid is vulnerable to an HTTP
 Request Smuggling attack.

__

Severity:

 This problem allows a trusted client to perform HTTP Request
 Smuggling and access services otherwise forbidden by Squid
 security controls.

CVSS Score of 9.3


__

Updated Packages:

 This bug is fixed by Squid versions 4.14 and 5.0.5.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 All Squid with squid.conf containing "uri_whitespace deny" are
 not vulnerable.

 All Squid with squid.conf containing "uri_whitespace encode" are
 not vulnerable.

 All Squid-4.x up to and including 4.13 without uri_whitespace in
 squid.conf are vulnerable.

 All Squid-4.x up to and including 4.13 with uri_whitespace in
 squid.conf configured to "allow" are vulnerable.

 All Squid-4.x up to and including 4.13 with uri_whitespace in
 squid.conf configured to "chop" are vulnerable.

 All Squid-4.x up to and including 4.13 with uri_whitespace in
 squid.conf configured to "strip" are vulnerable.

 All Squid-5.x up to and including 5.0.4 without uri_whitespace
 in squid.conf are vulnerable.

 All Squid-5.x up to and including 5.0.4 with uri_whitespace in
 squid.conf configured to "allow" are vulnerable.

 All Squid-5.x up to and including 5.0.4 with uri_whitespace in
 squid.conf configured to "chop" are vulnerable.

 All Squid-5.x up to and including 5.0.4 with uri_whitespace in
 squid.conf configured to "strip" are vulnerable.

__

Workaround:

Either,

  Configure squid.conf with uri_whitespace deny

Or,

  Configure squid.conf with uri_whitespace encode

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the  mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
  mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Jianjun Chen from ICSI,
 Berkeley.

 Fixed by Amos Jeffries of Treehouse Networks Ltd and
 Alex Rousskov of The Measurement Factory.

__

Revision history:

 2020-09-01 03:58:36 UTC Initial Report
 2020-09-03 03:03:24 UTC CVE Allocation
 2020-09-04 04:38:30 UTC Patches released
__
END
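
The version ranges and squid.conf workarounds from the SQUID-2020:11, SQUID-2021:1 and SQUID-2021:3 advisories above, turned into a configuration check. This is an added example, not code from the Squid project; the function names and the sample configuration are constructed, and requiring the URN deny rule to precede every allow rule is a stricter reading than the SQUID-2021:1 text.

```python
# Fixed-in releases per branch, copied from the advisory header tables above.
FIXED_IN = {
    "SQUID-2020:11": {4: (4, 14), 5: (5, 0, 5)},
    "SQUID-2021:1": {4: (4, 15), 5: (5, 0, 6)},
    "SQUID-2021:3": {4: (4, 15), 5: (5, 0, 5)},
}


def parse_version(text):
    """'4.13' -> (4, 13); '2.7.STABLE9' -> (2, 7). Stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_fixed(version, advisory):
    v = parse_version(version)
    if not v:
        return False  # unknown version: treat as affected
    fixed = FIXED_IN[advisory].get(v[0])
    if fixed is None:
        # No fixed release is listed for branches before 4. Branches after 5
        # are assumed (not stated in the advisories) to carry the fixes.
        return v[0] > 5
    return v >= fixed


def directives(conf_text):
    """Yield the token list of every non-blank, non-comment squid.conf line."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()


def denied_before_allow(rules, acl_name):
    """True if 'http_access deny <acl_name>' (that ACL alone) precedes every allow rule."""
    limit = len(rules)
    for i, rule in enumerate(rules):
        if rule[0] == "allow":
            limit = i
            break
    return any(rule == ["deny", acl_name] for rule in rules[:limit])


def uri_whitespace_safe(lines):
    """SQUID-2020:11: only 'deny' and 'encode' are listed as not vulnerable."""
    values = [d[1].lower() for d in lines if d[0] == "uri_whitespace" and len(d) > 1]
    return bool(values) and all(v in ("deny", "encode") for v in values)


def urn_acl_names(lines):
    """Names of ACLs of type 'proto' that match URN (as in 'acl URN proto URN')."""
    return {d[1] for d in lines
            if d[0] == "acl" and len(d) >= 4 and d[2] == "proto"
            and any(v.upper() == "URN" for v in d[3:])}


def audit(conf_text, version):
    """Return {advisory: 'fixed' | 'workaround' | 'exposed'} for one proxy."""
    lines = list(directives(conf_text))
    rules = [d[1:] for d in lines if d[0] == "http_access" and len(d) > 2]
    workaround = {
        "SQUID-2020:11": uri_whitespace_safe(lines),
        "SQUID-2021:1": any(denied_before_allow(rules, n) for n in urn_acl_names(lines)),
        "SQUID-2021:3": denied_before_allow(rules, "manager"),
    }
    report = {}
    for advisory, present in workaround.items():
        if is_fixed(version, advisory):
            report[advisory] = "fixed"
        else:
            report[advisory] = "workaround" if present else "exposed"
    return report


# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """\
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access deny URN
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access deny all
uri_whitespace strip
"""

if __name__ == "__main__":
    for advisory, state in audit(SAMPLE_CONF, "4.13").items():
        print(advisory, state)
```

The "Or" branch of the SQUID-2021:3 workaround (authentication or other access controls on the manager ACL) is not detected, so a proxy hardened that way is reported as exposed and needs a manual look.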


Re: [squid-users] HTTPS request times out going through Squid proxy

2021-05-10 Thread Matus UHLAR - fantomas

On 10.05.21 07:52, Aniruddha Gore wrote:

Any help I could use?  :) The gist is: I have squid running on machine A,
and an app on machine B.  The app sets proxy (A's ip address and squid
port #) when making HTTP requests but the requests are failing.



When I run Squid on the same machine where my application is running it
works fine, but when I run Squid with the same exact default config on a
different machine it doesn't.  I supply other machine's IP address and
port (3128) on command line to my app, and it simply takes it and sets web
proxy property on CPPRest SDK's http_config object.



The access.log file has many lines like the following:
1620409014.520  42289  TAG_NONE/500 0 CONNECT :443 - 
HIER_DIRECT/13.107.246.70 -


looks like the application correctly asks SQUID for CONNECT but something
happens after that.
Is there anything in cache.log for that time?
 

When capturing network calls via Wireshark (on this other machine where
Squid is running), the CONNECT call succeeds but the following TCP call
seems to fail with a RESET status (Wireshark is highlighting it in
Yellow).  Here's the frame if I am doing it right:


well, the CONNECT is sent, but later squid replies with 500 internal error


https://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes

the wireshark details don't show any message from squid. Maybe there is
none. 
--

Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler
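
The timestamp correlation this thread keeps coming back to (access.log epoch against cache.log and the packet capture), as an added example that is not part of the original posts. The sample lines are constructed from the entries quoted in the thread, with a placeholder client address and host filled in where the archive shows none; the fixed UTC offsets and the reading of the time column as the end of the transaction are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Native access.log columns, in order.
FIELDS = ("time", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "user", "hierarchy", "mime")

PDT = timezone(timedelta(hours=-7))   # the capture in the thread says Pacific Daylight Time
CEST = timezone(timedelta(hours=2))   # zone of the `date -d` output in the reply


def cache_log_stamp(epoch, tz):
    """Format an access.log epoch the way cache.log prints local time."""
    return datetime.fromtimestamp(epoch, tz).strftime("%Y/%m/%d %H:%M:%S")


def parse_line(line):
    """Split one native-format access.log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["time"] = float(rec["time"])
        rec["elapsed_ms"] = int(rec["elapsed_ms"])
        tag, _, status = rec["result"].partition("/")
        rec["tag"], rec["status"] = tag, int(status)
    except ValueError:
        return None
    return rec


def triage(lines, tz):
    """Flag failed CONNECT tunnels and connections closed before any request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT" and rec["status"] >= 500:
            # Assumption: the time column marks the end of the transaction,
            # so the request started roughly elapsed_ms earlier.
            end = rec["time"]
            start = end - rec["elapsed_ms"] / 1000.0
            findings.append({
                "kind": "connect_failed",
                "client": rec["client"],
                "peer": rec["hierarchy"].partition("/")[2],
                "elapsed_s": round(rec["elapsed_ms"] / 1000.0, 3),
                "cache_log_from": cache_log_stamp(start, tz),
                "cache_log_to": cache_log_stamp(end, tz),
            })
        elif rec["url"] == "error:transaction-end-before-headers":
            findings.append({
                "kind": "client_closed_early",
                "client": rec["client"],
                "at": cache_log_stamp(rec["time"], tz),
            })
    return findings


# Constructed sample: 192.0.2.13 and example.com:443 are placeholders.
SAMPLE_LOG = """\
1620409014.520  42289 192.0.2.13 TAG_NONE/500 0 CONNECT example.com:443 - HIER_DIRECT/13.107.246.70 -
1617367725.880      0 10.0.28.26 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1617367631.100    868 10.0.28.26 TCP_REFRESH_MODIFIED_ABORTED/200 13935 GET http://spastv.ru/ - HIER_DIRECT/84.201.153.140 text/html
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines(), PDT):
        print(finding)
```

For the failed CONNECT the reported window is the span of cache.log to read, in the proxy's own time zone rather than the reader's.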


Re: [squid-users] HTTPS request times out going through Squid proxy

2021-05-10 Thread Aniruddha Gore
Any help I could use? :) The gist is: I have squid running on machine A, and an 
app on machine B. The app sets proxy (A's ip address and squid port #) when 
making HTTP requests but the requests are failing.

Aniruddha Gore
Sent from Outlook.com

From: squid-users  on behalf of 
Aniruddha Gore 
Sent: Friday, May 7, 2021 10:57 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] HTTPS request times out going through Squid proxy

I spoke too soon, so embarrassed 

When I run Squid on the same machine where my application is running it works 
fine, but when I run Squid with the same exact default config on a different 
machine it doesn't. I supply other machine's IP address and port (3128) on 
command line to my app, and it simply takes it and sets web proxy property on 
CPPRest SDK's http_config object.

The access.log file has many lines like the following:
1620409014.520  42289  TAG_NONE/500 0 CONNECT :443 - 
HIER_DIRECT/13.107.246.70 -

When capturing network calls via Wireshark (on this other machine where Squid 
is running), the CONNECT call succeeds but the following TCP call seems to fail 
with a RESET status (Wireshark is highlighting it in Yellow). Here's the frame 
if I am doing it right:

Frame 317: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface \Device\NPF_{5DF77CC1-9630-47C0-883C-EB71B3CB5012}, id 0
    Interface id: 0 (\Device\NPF_{5DF77CC1-9630-47C0-883C-EB71B3CB5012})
    Encapsulation type: Ethernet (1)
    Arrival Time: May  7, 2021 10:36:16.229675000 Pacific Daylight Time
    [Time shift for this packet: 0.0 seconds]
    Epoch Time: 1620408976.229675000 seconds
    [Time delta from previous captured frame: 0.009061000 seconds]
    [Time delta from previous displayed frame: 3.998702000 seconds]
    [Time since reference or first frame: 8.098563000 seconds]
    Frame Number: 317
    Frame Length: 54 bytes (432 bits)
    Capture Length: 54 bytes (432 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP RST]
    [Coloring Rule String: tcp.flags.reset eq 1]
Ethernet II, Src: IntelCor_5a:b3:e2 (c8:09:a8:5a:b3:e2), Dst: IntelCor_4e:5e:85 (34:02:86:4e:5e:85)
Internet Protocol Version 4, Src: 192.168.1.13, Dst: 192.168.1.10
Transmission Control Protocol, Src Port: 5526, Dst Port: 3128, Seq: 112, Ack: 1, Len: 0
    Source Port: 5526
    Destination Port: 3128
    [Stream index: 7]
    [TCP Segment Len: 0]
    Sequence Number: 112    (relative sequence number)
    Sequence Number (raw): 3926084777
    [Next Sequence Number: 112    (relative sequence number)]
    Acknowledgment Number: 1    (relative ack number)
    Acknowledgment number (raw): 363949443
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x014 (RST, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .1.. = Reset: Set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ···A·R··]
    Window: 0
    [Calculated window size: 0]
    [Window size scaling factor: 256]
    Checksum: 0x50b9 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]


From: squid-users  on behalf of 
Aniruddha Gore 
Sent: Friday, May 7, 2021 2:14 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] HTTPS request times out going through Squid proxy

Matus, thanks a ton for your responses. I removed https_port and things started 
working again. Unfortunately, I am not sure what I was doing wrong before 
adding https_port. Well, it works now 


From: squid-users  on behalf of 
Matus UHLAR - fantomas 
Sent: Friday, May 7, 2021 12:16 AM
To: squid-users@lists.squid-cache.org 
Subject: Re: [squid-users] HTTPS request times out going through Squid proxy

On 07.05.21 06:52, Aniruddha Gore wrote:
>Thanks Matus for responding 

no need for private copy, mailing list is enough.

>Following is the relevant line in squid.conf:
>
># Squid normally listens to port 3128
>http_port 3128
>
>I suspect you might be pointing out that there is no https_port configured.

no. https_port is used for reverse proxying, not for forward proxying of
HTTPS requests.

> While I was adding https_port, I noticed no process is listening on port
> 3128 (doesn't appear in output of netstat -aon on Windows).  So now the
> calls are failing with "WinHttpSendRequest: 12029: A connection with the
> server could not be established" 

>have you set up your squid host:port as HTTP proxy in the application?
- means: have you set up the