[squid-users] Random trouble with image downloads

2022-02-24 Thread Dave Blanchard
OK, I've got Squid mostly working fine, but have noticed a problem with certain 
image downloads, which in at least one case are coming from 
storage.googleapis.com. (Profile images for a forum.) It's as if Squid 
sometimes randomly fails to download and correctly cache a given image, and 
instead caches a broken or zero'd file. If I try to open that image in a new 
browser tab, sometimes it will just be blank, and other times the browser 
reports ERR_EMPTY_RESPONSE "The server didn't send any data." In the former 
case the image access shows up in the Squid access log as 
TCP_REFRESH_UNMODIFIED, and in the latter case it doesn't show up at all. If I 
download it manually using wget with no proxy, it downloads fine. What could 
possibly be happening here?

-- 
Dave Blanchard 
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
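Dave's symptom (an image that the access log reports as TCP_REFRESH_UNMODIFIED but that arrives blank) can be hunted for in the access log itself. The script below is an added example, not code from the thread or from the Squid project: it parses lines in Squid's default native log format, flags cache-served image replies whose byte count is too small to carry a body, and flags any URL that was served at sizes differing by more than a header's worth. The sample lines, the 203.0.113.9 peer address and the 400-byte threshold are constructed assumptions.

```python
"""Flag cached image objects that Squid served with no body, from native access.log lines.

Added example (not from the thread or the Squid project). Assumes the default
"squid" log format and a constructed threshold for the smallest plausible image reply.
"""
import re
from collections import defaultdict

# Default Squid native format:
#   time.ms elapsed client code/status bytes method URL ident hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Result codes where the body came from the cache rather than from the origin
CACHE_CODES = ("TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_REFRESH_UNMODIFIED")
# Assumption: a 200 reply for an image carrying fewer bytes than this has no real body
# (the logged byte count includes headers, which alone are a few hundred bytes)
MIN_IMAGE_BYTES = 400


def parse(line):
    """Return a dict of fields for one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"], rec["bytes"] = int(rec["elapsed"]), int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(lines):
    """Return [(url, reason), ...] for image replies that look like broken cache entries."""
    flagged = []
    sizes_by_url = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["status"] != 200 or not rec["ctype"].startswith("image/"):
            continue
        sizes_by_url[rec["url"]].add(rec["bytes"])
        if rec["code"].startswith(CACHE_CODES) and rec["bytes"] < MIN_IMAGE_BYTES:
            flagged.append((rec["url"], f"{rec['code']}/200 served only {rec['bytes']} bytes"))
    # The same image served at sizes that differ by more than a header's worth means
    # the cached copy is not what the origin sent on the miss.
    for url, sizes in sizes_by_url.items():
        if max(sizes) - min(sizes) > MIN_IMAGE_BYTES:
            flagged.append((url, f"inconsistent reply sizes {sorted(sizes)}"))
    return flagged


# Constructed sample lines (not real traffic): one good miss, one refresh that served
# a header-only reply for the same avatar, one healthy memory hit, one non-image.
SAMPLE_LOG = """\
1645720800.101    412 10.0.0.5 TCP_MISS/200 18342 GET https://storage.googleapis.com/forum/avatars/user42.png - HIER_DIRECT/203.0.113.9 image/png
1645720860.220     35 10.0.0.5 TCP_REFRESH_UNMODIFIED/200 312 GET https://storage.googleapis.com/forum/avatars/user42.png - HIER_DIRECT/203.0.113.9 image/png
1645720861.005     12 10.0.0.5 TCP_MEM_HIT/200 9120 GET https://storage.googleapis.com/forum/avatars/user7.png - HIER_NONE/- image/png
1645720862.300    900 10.0.0.5 TCP_MISS/200 55021 GET https://storage.googleapis.com/forum/style.css - HIER_DIRECT/203.0.113.9 text/css
""".splitlines()

if __name__ == "__main__":
    for url, why in find_suspicious(SAMPLE_LOG):
        print(url, "->", why)
```

Run against a real access.log with `find_suspicious(open("/var/log/squid/access.log"))`; a URL that shows up twice (once for a tiny cache-served reply, once for inconsistent sizes) is a candidate for purging and re-fetching.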


Re: [squid-users] Getting SSL Connection Errors

2022-02-24 Thread Eliezer Croitoru
Hey Usama,

There are more missing details on the system.

If you provide the OS and squid details I might be able to provide a script 
that will pull most of the relevant details on the system.

I don't know about this specific issue yet and it seems like there is an SSL 
related issue and it might not even be related to Squid.

(@Alex or @Christos might know better than me)

All The Bests,

Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com


From: squid-users  On Behalf Of 
Usama Mehboob
Sent: Thursday, February 24, 2022 23:45
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Getting SSL Connection Errors

 

Hi, I have a squid running on a linux box (about 16GB ram and 4 cpu) -- it 
runs fine for the most part, but when I am launching multiple jobs that are 
connecting with salesforce BulkAPI, sometimes connections are dropped. It's not 
predictable and happens only when there is so much load on squid. Can anyone 
shed some light on this? What can I do? Is it a file descriptor issue?

I see only these error messages from the cache logs
```
PeerConnector.cc(639) handleNegotiateError: Error (error:04091068:rsa 
routines:INT_RSA_VERIFY:bad signature) but, hold write on SSL connection on FD 
109
```


Re: [squid-users] is there any squid 4.x version has delay_pools working?

2022-02-24 Thread Eliezer Croitoru
Hey Ahmad,

Can you please give more details on the specific issue or issues you have
verified in 4.17?

What exactly doesn't work in delay_pools? Plain HTTP download or upload
speed?

Is it only on HTTP or also on CONNECT or HTTPS or SSL-BUMP connections?

Eliezer

*   I was thinking about creating a webinar about Squid ssl(TLS) bump

Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

From: squid-users  On Behalf Of
Ahmad Alzaeem
Sent: Friday, February 25, 2022 02:14
To: squid-users@lists.squid-cache.org
Subject: [squid-users] is there any squid 4.x version has delay_pools
working?

I tried many squid 4.x versions and none of them has delay_pools working.

I have it working on 3.x versions.

Is there any specific 4.x version that was tested with delay pools working?

I would like to report it as a bug at least in squid-4.17, which I tested today.

Regards




[squid-users] is there any squid 4.x version has delay_pools working?

2022-02-24 Thread Ahmad Alzaeem
I tried many squid 4.x versions and none of them has delay_pools working.
I have it working on 3.x versions.

Is there any specific 4.x version that was tested with delay pools working?

I would like to report it as a bug at least in squid-4.17, which I tested today.

Regards 



Re: [squid-users] Trying to set up SSL cache - solved!

2022-02-24 Thread Dave Blanchard
On Thu, 24 Feb 2022 15:07:53 -0500
Alex Rousskov  wrote:

> > What is the replacement for client-first?
> 
> A "good" answer depends on what exactly you are trying to achieve; 
> details matter. A "dumb" answer (i.e. a direct replacement without 
> considering your true needs and Squid bugs) is:
> 
>ssl_bump bump all

That's what I had tried first, and was banging my head on the wall for hours 
trying to get it to work right--though the "ssl_bump peek" was in there also, 
on the suggestion of various tutorials. Now I just tried it again, with only 
that line...and it works perfectly! No problem. SMH... 

This tutorial situation is really out of control. Sadly, this is what can be 
expected to happen when the syntax is changed with every version. Now we're in 
a real mess. I hope the Squid developers will make up their minds on how they 
want the syntax to be structured, build it that way, then LEAVE IT ALONE!

> > I prefer to handle the certificate validation externally
> 
> It is a common need. Squid supports external certificate validator 
> programs (a.k.a. helpers). Look for sslcrtvalidator_program in 
> squid.conf.documented. For communication details, see the following 
> wiki page and src/security/cert_validators/fake/
> 
> https://wiki.squid-cache.org/Features/AddonHelpers

Awesome! That's very useful. 

Thanks a lot for your help!

-- 
Dave Blanchard 


[squid-users] Getting SSL Connection Errors

2022-02-24 Thread Usama Mehboob
Hi, I have a squid running on a linux box (about 16GB ram and 4 cpu) -- it
runs fine for the most part, but when I am launching multiple jobs that are
connecting with salesforce BulkAPI, sometimes connections are dropped. It's
not predictable and happens only when there is so much load on squid. Can
anyone shed some light on this? What can I do? Is it a file descriptor
issue?

I see only these error messages from the cache logs
```
PeerConnector.cc(639) handleNegotiateError: Error (error:04091068:rsa
routines:INT_RSA_VERIFY:bad signature) but, hold write on SSL connection on
FD 109
```
Config file:
```
visible_hostname squid

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
###acl Safe_ports port 21 # ftp testing after blocking itp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
#http_access allow CONNECT SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

# And finally deny all other access to this proxy

# Squid normally listens to port 3128
#http_port 3128
http_port 3129 intercept
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
http_access allow SSL_ports #-- this allows every https website
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all

# Deny requests to proxy instance metadata
acl instance_metadata dst 169.254.169.254
http_access deny instance_metadata

# Filter HTTP Only requests based on the whitelist
#acl allowed_http_only dstdomain .veevasourcedev.com .google.com .pypi.org .youtube.com
#acl allowed_http_only dstdomain .amazonaws.com
#acl allowed_http_only dstdomain .veevanetwork.com .veevacrm.com .veevacrmdi.com .veeva.com .veevavault.com .vaultdev.com .veevacrmqa.com
#acl allowed_http_only dstdomain .documentforce.com .sforce.com .force.com .forceusercontent.com .force-user-content.com .lightning.com .salesforce.com .salesforceliveagent.com .salesforce-communities.com .salesforce-experience.com .salesforce-hub.com .salesforce-scrt.com .salesforce-sites.com .site.com .sfdcopens.com .sfdc.sh .trailblazer.me .trailhead.com .visualforce.com

# Filter HTTPS requests based on the whitelist
acl allowed_https_sites ssl::server_name .pypi.org .pythonhosted.org .tfhub.dev .gstatic.com .googleapis.com
acl allowed_https_sites ssl::server_name .amazonaws.com
acl allowed_https_sites ssl::server_name .documentforce.com .sforce.com .force.com .forceusercontent.com .force-user-content.com .lightning.com .salesforce.com .salesforceliveagent.com .salesforce-communities.com .salesforce-experience.com .salesforce-hub.com .salesforce-scrt.com .salesforce-sites.com .site.com .sfdcopens.com .sfdc.sh .trailblazer.me .trailhead.com .visualforce.com
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all

connect_timeout 60 minute
read_timeout 60 minute
write_timeout 60 minute
request_timeout 60 minute

## http filtering ###
#http_access allow localnet allowed_http_only
#http_access allow localhost allowed_http_only
http_access allow localnet allowed_https_sites
http_access allow localhost allowed_https_sites
# And finally deny all other access to this proxy
http_access deny all

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
```
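Usama's cache.log line carries OpenSSL's packed error code alongside its text (library, function, reason). The script below is an added example, not from the thread or from Squid: it extracts those fields plus the FD from handleNegotiateError lines, decodes the hex code using OpenSSL 1.x's ERR_PACK layout, and counts errors per reason and per minute so that bursts can be lined up against job launches. The timestamped sample lines and the FD numbers other than 109 are constructed; the library-number table covers only RSA, X509 and SSL.

```python
"""Decode OpenSSL handshake errors logged by Squid's PeerConnector into counts.

Added example (not from the thread or the Squid project).
"""
import re
from collections import Counter

# cache.log lines start with "YYYY/MM/DD HH:MM:SS kid1| ..."; keep the minute for bucketing
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2}")
ERR_RE = re.compile(
    r"handleNegotiateError: Error \(error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]*):(?P<reason>[^)]+)\).*?FD (?P<fd>\d+)"
)
# OpenSSL 1.x ERR_LIB_* numbers for the libraries Squid TLS errors usually come from
LIB_NAMES = {4: "RSA", 11: "X509", 20: "SSL"}


def decode_code(code_hex):
    """Split an OpenSSL 1.x packed error code into (library, function, reason).

    ERR_PACK(lib, func, reason) = (lib << 24) | (func << 12) | reason.
    OpenSSL 3 leaves the function field at 0 and prints it empty.
    """
    code = int(code_hex, 16)
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF


def parse_line(line):
    """Return the decoded fields of one handleNegotiateError line, or None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    ts = TS_RE.match(line)
    lib_num, func_num, reason_num = decode_code(m.group("code"))
    return {
        "minute": ts.group(1) if ts else "unknown",
        "fd": int(m.group("fd")),
        "lib": LIB_NAMES.get(lib_num, m.group("lib")),
        "func": m.group("func") or f"func#{func_num}",
        "reason": m.group("reason"),
        "reason_num": reason_num,
    }


def summarize(lines):
    """Count negotiate errors by (library, reason) and by minute; list the FDs involved."""
    recs = [r for r in map(parse_line, lines) if r]
    return {
        "total": len(recs),
        "by_reason": Counter((r["lib"], r["reason"]) for r in recs),
        "by_minute": Counter(r["minute"] for r in recs),
        "fds": sorted({r["fd"] for r in recs}),
    }


# First line is the one from the thread (no timestamp survived); the rest are constructed.
SAMPLE_LOG = [
    "PeerConnector.cc(639) handleNegotiateError: Error (error:04091068:rsa routines:INT_RSA_VERIFY:bad signature) but, hold write on SSL connection on FD 109",
    "2022/02/24 23:40:12 kid1| PeerConnector.cc(639) handleNegotiateError: Error (error:04091068:rsa routines:INT_RSA_VERIFY:bad signature) but, hold write on SSL connection on FD 131",
    "2022/02/24 23:40:12 kid1| PeerConnector.cc(639) handleNegotiateError: Error (error:04091068:rsa routines:INT_RSA_VERIFY:bad signature) but, hold write on SSL connection on FD 140",
    "2022/02/24 23:41:03 kid1| PeerConnector.cc(639) handleNegotiateError: Error (error:1408F10B:SSL routines:ssl3_get_record:wrong version number) but, hold write on SSL connection on FD 77",
    "2022/02/24 23:41:05 kid1| client_side.cc(123) someOtherFunction: unrelated line",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["total"], "negotiate errors on FDs", s["fds"])
    for (lib, reason), n in s["by_reason"].most_common():
        print(f"  {n:4d}  {lib}: {reason}")
    for minute, n in sorted(s["by_minute"].items()):
        print(f"  {minute}: {n}")
```

Feed it `summarize(open("/var/log/squid/cache.log"))`; if the bad-signature count tracks the minutes in which the BulkAPI jobs start and the FD list climbs with it, the failures follow load rather than a single broken peer.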

Re: [squid-users] Trying to set up SSL cache - solved!

2022-02-24 Thread Alex Rousskov

On 2/24/22 14:38, Dave Blanchard wrote:

>> ssl_bump client-first all
>
> What is the replacement for client-first?

A "good" answer depends on what exactly you are trying to achieve; 
details matter. A "dumb" answer (i.e. a direct replacement without 
considering your true needs and Squid bugs) is:

  ssl_bump bump all

Please do not misinterpret my statement as if that dumb answer is never 
good or correct. It all depends on your needs.

> I prefer to handle the certificate validation externally

It is a common need. Squid supports external certificate validator 
programs (a.k.a. helpers). Look for sslcrtvalidator_program in 
squid.conf.documented. For communication details, see the following 
wiki page and src/security/cert_validators/fake/

https://wiki.squid-cache.org/Features/AddonHelpers


HTH,

Alex.


Re: [squid-users] Trying to set up SSL cache - solved!

2022-02-24 Thread Dave Blanchard
On Thu, 24 Feb 2022 14:22:25 -0500
Alex Rousskov  wrote:

> [...]
>
> action is supposed to be doing. Legacy actions mentioned there, 
> including client-first, should be treated as unsupported, having unknown 
> side effects, and meant to be removed from Squid (yesterday). YMMV.

What is the replacement for client-first? That line is the only way I could get 
this thing working right. I think the first working config was with 
server-first instead, but IIRC it was still passing through the server 
certificate somehow rather than using the locally generated certificate. Only 
with client-first did it have the desired effect. Maybe I need to set 
generate-host-certificates to 'off.'

I prefer to handle the certificate validation externally via a different means, 
i.e. not using the browser or Squid, because neither the browser nor the 
certificate authority is trustworthy. The 'chain of trust' argument for SSL is 
total bunk; none of these people can actually be trusted. If the certificate is 
automatically checked for validity every time one visits a site, then the 
shadowy people running the certificate authority can effectively track one's 
every move on the internet, and of course that data will be sold or given away 
to other shadowy people. Needless to say, censoring some inconvenient web site 
would be as simple as them revoking or invalidating the site's certificate, 
especially with the browser so "helpfully" refusing to allow one to bypass the 
revoked/invalid certificate.

-- 
Dave Blanchard 


Re: [squid-users] Trying to set up SSL cache - solved!

2022-02-24 Thread Alex Rousskov

On 2/24/22 13:24, Dave Blanchard wrote:

> ssl_bump client-first all
> ssl_bump stare all
> ssl_bump splice localhost

Bugs notwithstanding, the above configuration is equivalent to the 
configuration below:

  ssl_bump client-first all
The following wiki page can be used to find out what each ssl_bump 
action is supposed to be doing. Legacy actions mentioned there, 
including client-first, should be treated as unsupported, having unknown 
side effects, and meant to be removed from Squid (yesterday). YMMV.


https://wiki.squid-cache.org/Features/SslPeekAndSplice

squid.conf.documented documents how multiple ssl_bump rules are handled, 
but that documentation is difficult to interpret correctly without the 
step documentation at the above wiki page.


Alex.


Re: [squid-users] Trying to set up SSL cache - solved! - correction

2022-02-24 Thread Dave Blanchard
On Thu, 24 Feb 2022 12:24:35 -0600
Dave Blanchard  wrote:

> (Note for any other confused noobs reading this: this configuration 
> apparently requires Squid to be compiled with --with-openssl and 
> --with-ssl-crtd options on the 'configure' command line; or at least it did 
> in older versions, and presumably still does.)

CORRECTION: that's --enable-ssl-crtd , not --with. 

Replace /usr/libexec in the given config with the actual path to your 
security_file_certgen binary, and run this command once to generate the initial 
SSL database:

security_file_certgen -c -s /path/to/ssl_database -M 32MB 

'/path/to' must already exist, and 'ssl_database' itself must not, for this 
command to succeed. Hope this helps somebody.

-- 
Dave Blanchard 



Re: [squid-users] Trying to set up SSL cache - solved!

2022-02-24 Thread Dave Blanchard
On Thu, 24 Feb 2022 11:08:48 -0500
Alex Rousskov  wrote:

> On 2/23/22 22:09, Dave Blanchard wrote:
> > OK--I solved the problem by removing the "ssl_bump bump all" line.
> > Works fine now.
> 
> > Damn, this proxy is a TOTAL PAIN IN THE ASS!! to configure. It seems
> > like 90% of the tutorials out there are junk, largely because things
> > keep changing from version to version, obsoleting them.
> 
> This email thread is a good example. The original ssl_bump config shared 
> in the beginning of the thread did not make sense at all. Squid bugs 
> notwithstanding, the implied second config (the one with "ssl_bump bump 
> all" line removed) should not cache any HTTPS transactions either. 
> However, folks will read this thread, copy the original config, maybe 
> remove the "bump" line, and expect things to "work" because the 
> "problem" was "solved" for somebody else.
> 

Sorry, it was irresponsible of me to forget to mention that I changed the 
'peek' line to 'stare', and added in another line. The final config, not 
counting the other default config items which were left unchanged, is as 
follows:

```
http_port 3128 ssl-bump \
   generate-host-certificates=on \
   dynamic_cert_mem_cache_size=32MB \
   cert=/path/to/cert.pem \
   key=/path/to/cert.pem

sslcrtd_program /usr/libexec/security_file_certgen -s /path/to/ssl_database -M 32MB

ssl_bump client-first all
ssl_bump stare all
ssl_bump splice localhost
```

(Note for any other confused noobs reading this: this configuration apparently 
requires Squid to be compiled with --with-openssl and --with-ssl-crtd options 
on the 'configure' command line; or at least it did in older versions, and 
presumably still does.)

This final config works perfectly to cache SSL items, and has greatly increased 
the utility of my slow connection.

> 
> > Please add more concrete examples to the Wiki reference pages!
> 
> IMHO, SslBump is too nuanced/complex to be able to reuse simple 
> configurations without understanding their meaning. We should improve 
> documentation a lot, but it takes a village to do that, and "more 
> examples" is hardly the answer.
> 
> Alex.

Although I am sure the reference material is extremely valuable, as a 
non-expert I found it frustrating, as there are almost NO concrete examples on 
each reference page which SHOW the given config option being used in real world 
configurations. This is a common problem with a lot of 'man' pages in the Linux 
world, for example, which have page after page of information that is essentially 
useless unless one is already an expert, or extremely tedious to parse through, 
because it does not give concrete examples. 

On other sections of the wiki there are more explanatory texts showing various 
how-to scenarios, but again, I couldn't find a single one that showed this 
exact configuration here and briefly explained why/how it works, step by step 
according to what Squid is doing at each step. I ended up finding the key parts 
of the above config on a third party tutorial page ("How I saved countless 
gigabytes of data with Squid caching" or something like that), while deleting 
several lines from that config which were apparently unneeded/outdated. 
Actually I thought I had read somewhere that the 'client-first' line is itself 
outdated, but Squid doesn't complain about it, so maybe not. Anyhow, it works. 

I don't understand exactly *how* it works, because I don't have time to study 
all the internal workings of Squid at this time; just needed to quickly get a 
proxy up and running to solve this problem and move on to other work. As it 
was, I had like two dozen browser tabs open reading different things, only to 
slowly and painfully piece together what turns out to be a very simple config.

-- 
Dave Blanchard 
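Alex's point that Dave's three ssl_bump lines collapse to `ssl_bump client-first all`, and the way Usama's peek/splice/terminate chain resolves, both follow from first-match evaluation at each SslBump step. The model below is an added example, not Squid's code: it implements only first-match-per-step, peek/stare continuing to the next step, bump/splice/terminate ending the decision, legacy client-first/server-first treated as a final bump, and splice when no rule matches at a step (my reading of squid.conf.documented, stated here as an assumption). Restrictions on which actions remain possible after a peek or stare are not modelled. Only the `at_step`, `src`, `dst` and `ssl::server_name` ACL kinds are supported, and the connections and the shortened allow-list are constructed.

```python
"""Toy first-match model of how Squid picks an ssl_bump action at each SslBump step.

Added example, not Squid code. Models only: first matching rule wins at each step,
peek/stare continue to the next step, bump/splice/terminate end the decision,
legacy client-first/server-first count as a final bump, and an unmatched step
defaults to splice (assumption). What remains possible after a peek or stare at
a later step is not modelled.
"""

FINAL_ACTIONS = {"bump", "splice", "terminate"}
LEGACY_BUMP = {"client-first", "server-first"}   # legacy actions, treated as a final bump here
PROCEED_ACTIONS = {"peek", "stare"}


class Acl:
    def __init__(self, kind, values=()):
        self.kind, self.values = kind, tuple(values)


def name_matches(name, patterns):
    """dstdomain-style match: '.example.com' covers example.com and any subdomain."""
    return any(name == p.lstrip(".") or (p.startswith(".") and name.endswith(p))
               for p in patterns)


def acl_matches(acl, step, conn):
    """conn holds what Squid knows: src/dst always, sni from step 2, cert_cn from step 3."""
    if acl.kind == "all":
        return True
    if acl.kind == "at_step":
        return f"SslBump{step}" in acl.values
    if acl.kind == "src":
        return conn["src"] in acl.values
    if acl.kind == "dst":
        return conn["dst"] in acl.values
    if acl.kind == "ssl::server_name":
        # at step 1 only the intercepted destination is known, so a name ACL cannot match
        known = {2: conn.get("sni"), 3: conn.get("cert_cn")}.get(step)
        return bool(known) and name_matches(known, acl.values)
    raise ValueError(f"unsupported acl type {acl.kind!r}")


def evaluate(rules, acls, conn):
    """Return the per-step trace [(step, action, rule_index), ...] for one connection."""
    trace = []
    for step in (1, 2, 3):
        chosen = ("splice", None)  # assumption: no matching rule at a step means splice
        for idx, (action, acl_names) in enumerate(rules):
            # every ACL on the line must match; a leading '!' negates that ACL
            if all(acl_matches(acls[n.lstrip("!")], step, conn) != n.startswith("!")
                   for n in acl_names):
                chosen = (action, idx)
                break
        action, idx = chosen
        trace.append((step, action, idx))
        if action in FINAL_ACTIONS or action in LEGACY_BUMP:
            return trace
        if action not in PROCEED_ACTIONS:
            raise ValueError(f"unknown ssl_bump action {action!r}")
    raise ValueError("peek/stare chosen at SslBump3: this model needs a final action by step 3")


def outcome(rules, acls, conn):
    return evaluate(rules, acls, conn)[-1][1]


COMMON_ACLS = {
    "all": Acl("all"),
    "localhost": Acl("src", ["127.0.0.1", "::1"]),
    "step1": Acl("at_step", ["SslBump1"]),
    "step2": Acl("at_step", ["SslBump2"]),
    "step3": Acl("at_step", ["SslBump3"]),
    # constructed subset of Usama's allow-list
    "allowed_https_sites": Acl("ssl::server_name", [".pypi.org", ".amazonaws.com", ".salesforce.com"]),
}
# Dave's final config from the thread
DAVE_RULES = [("client-first", ["all"]), ("stare", ["all"]), ("splice", ["localhost"])]
# Usama's peek/splice/terminate chain
USAMA_RULES = [
    ("peek", ["step1", "all"]),
    ("peek", ["step2", "allowed_https_sites"]),
    ("splice", ["step3", "allowed_https_sites"]),
    ("terminate", ["step2", "all"]),
]
# constructed connections (TEST-NET addresses)
LAN_TO_SALESFORCE = {"src": "10.0.0.5", "dst": "192.0.2.10",
                     "sni": "login.salesforce.com", "cert_cn": "login.salesforce.com"}
LAN_TO_OTHER = {"src": "10.0.0.5", "dst": "198.51.100.7",
                "sni": "updates.example.net", "cert_cn": "updates.example.net"}
LOCAL_TO_OTHER = dict(LAN_TO_OTHER, src="127.0.0.1")

if __name__ == "__main__":
    for label, rules, conn in (("dave/localhost", DAVE_RULES, LOCAL_TO_OTHER),
                               ("usama/allowed", USAMA_RULES, LAN_TO_SALESFORCE),
                               ("usama/other", USAMA_RULES, LAN_TO_OTHER)):
        print(label, evaluate(rules, COMMON_ACLS, conn))
```

Running it shows why Dave's `splice localhost` line is dead: `client-first all` is the first match at step 1 and is final, so even a connection from 127.0.0.1 never reaches it. It also shows that moving Usama's `terminate step2 all` above his `peek step2 allowed_https_sites` terminates the allowed sites as well; rule order, not just rule content, decides the outcome.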


Re: [squid-users] Trying to set up SSL cache - solved!

2022-02-24 Thread Alex Rousskov

On 2/23/22 22:09, Dave Blanchard wrote:

> OK--I solved the problem by removing the "ssl_bump bump all" line.
> Works fine now.
>
> Damn, this proxy is a TOTAL PAIN IN THE ASS!! to configure. It seems
> like 90% of the tutorials out there are junk, largely because things
> keep changing from version to version, obsoleting them.

This email thread is a good example. The original ssl_bump config shared 
in the beginning of the thread did not make sense at all. Squid bugs 
notwithstanding, the implied second config (the one with "ssl_bump bump 
all" line removed) should not cache any HTTPS transactions either. 
However, folks will read this thread, copy the original config, maybe 
remove the "bump" line, and expect things to "work" because the 
"problem" was "solved" for somebody else.

> Please add more concrete examples to the Wiki reference pages!


IMHO, SslBump is too nuanced/complex to be able to reuse simple 
configurations without understanding their meaning. We should improve 
documentation a lot, but it takes a village to do that, and "more 
examples" is hardly the answer.


Alex.


[squid-users] Squid Question regarding tcp handshake

2022-02-24 Thread Felipe Polanco
Hi,

A question regarding the TCP handshake.

Does Squid first complete the TCP handshake with its users and then a second
handshake with the destination IP, or does it do the same with the destination
as soon as it receives the TCP SYN flag?

This is for transparent mode.

Thanks,


Re: [squid-users] Trying to set up SSL cache - solved!

2022-02-24 Thread Dave Blanchard
Hi Eliezer, this is on a custom Linux distro. I was using Traffic Server after 
the failed initial foray into Squid-land, but it also wasn't caching SSL, and 
it's even more poorly documented. Also, annoyingly, TS was updating its on-disk 
stat file every five seconds, slowly but steadily wearing out my SSD drive. I 
tried to patch the source code to fix the problem, and found the code is too 
cruddy to deal with. It's the sort of code base where the obvious fix doesn't 
work because the code is doing the same thing in like 5 different random 
places, with half the relevant code being dead and unused. Found some really 
dumb shit, like a command line option to enable debugging, that doesn't 
work--the code doesn't even use the variable it sets! So in disgust I came back 
to Squid, and am glad to finally have this thing working right. My network 
connection is only 128kbit, but now quite usable with the caching proxy and 
other optimizations. 

Dave


On Thu, 24 Feb 2022 09:38:43 +0200
"Eliezer Croitoru"  wrote:

> Hey Dave,
> 
> Lots of tutorials and documentation are out there but ... or out of sync
> or..
> not good from 0.
> 
> What OS are you running squid on top of?
> 
> Eliezer
> 
> * We are trying to give good examples.
> 
> 
> Eliezer Croitoru
> NgTech, Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com
> 
> -Original Message-
> From: squid-users  On Behalf Of
> Dave Blanchard
> Sent: Thursday, February 24, 2022 05:09
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] Trying to set up SSL cache - solved!
> 
> OK--I solved the problem by removing the "ssl_bump bump all" line. Works
> fine now.
> 
> Damn, this proxy is a TOTAL PAIN IN THE ASS!! to configure. It seems like
> 90% of the tutorials out there are junk, largely because things keep
> changing from version to version, obsoleting them. That having been said, it
> does have a lot of features and when it's eventually configured right it
> does work, so there's that. It's a lot like CUPS, in that way, or sendmail.
> 
> Please add more concrete examples to the Wiki reference pages! Thank you.
> 
> -- 
> Dave Blanchard 
> 


-- 
Dave Blanchard 


Re: [squid-users] Trying to set up SSL cache - solved!

2022-02-24 Thread Matus UHLAR - fantomas

On 23.02.22 21:09, Dave Blanchard wrote:

> OK--I solved the problem by removing the "ssl_bump bump all" line. Works fine 
> now.
>
> Damn, this proxy is a TOTAL PAIN IN THE ASS!!  to configure.

configuring a proxy is very easy, bumping SSL is not.

Since SSL is designed to encrypt traffic between the ends - client (browser) and 
server - you need to effectively do a man-in-the-middle attack on the proxied 
connection.

You need to create a certificate authority, install it in your browser (OS), 
insert your certificate on squid and hope that your browser won't reject 
your authority because of DANE DNS records telling the browser that the remote 
server's certificate should be only signed by their certificate 
authority, not by yours.

Especially when the browser uses DNS-over-HTTP to avoid your DNS server that is 
able to provide incorrect data to it.

> It seems like 90% of the tutorials out there are junk, largely because 
> things keep changing from version to version, obsoleting them.

unfortunately, this is exactly what happens.

> That having been said, 
> it does have a lot of features and when it's eventually configured right 
> it does work, so there's that.  It's a lot like CUPS, in that way, or 
> sendmail.
>
> Please add more concrete examples to the Wiki reference pages! Thank you.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.