[squid-users] [squid-announce] [ADVISORY] SQUID-2024:1 Denial of Service in HTTP Chunked Decoding

2024-03-04 Thread Amos Jeffries

__

Squid Proxy Cache Security Update Advisory SQUID-2024:1
__

Advisory ID:   | SQUID-2024:1
Date:  | Mar 4, 2024
Summary:   | Denial of Service in HTTP Chunked Decoding
Affected versions: | Squid 3.5.27 -> 3.5.28
   | Squid 4.x -> 4.17
   | Squid 5.x -> 5.9
   | Squid 6.x -> 6.7
Fixed in version:  | Squid 6.8
__

Problem Description:

 Due to an Uncontrolled Recursion bug, Squid may be vulnerable to
 a Denial of Service attack against HTTP Chunked decoder.

__

Severity:

 This problem allows a remote attacker to perform Denial of
 Service when sending a crafted chunked encoded HTTP Message.

__

Updated Packages:

This bug is fixed by Squid version 6.8.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 6:
 

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 Squid older than 3.5.27 are not vulnerable.

 All Squid 3.5.27 to 4.17 have not been tested and should be
 assumed to be vulnerable.

 All Squid-5.x up to and including 5.9 are vulnerable.

 All Squid-6.x up to and including 6.7 are vulnerable.

__

Workaround:

  **There is no workaround for this issue**
__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the  mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
  mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Joshua Rogers of Opera
 Software.

 Fixed by The Measurement Factory.

__

Revision history:

 2023-10-12 11:53:02 UTC Initial Report
 2023-10-31 11:35:02 UTC Patches Released
 2024-03-04 06:27:00 UTC Fixed Version Released
__
END
___
squid-announce mailing list
squid-annou...@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-announce
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


[squid-users] [squid-announce] [ADVISORY] SQUID-2024:2 Denial of Service in HTTP Header parser

2024-03-04 Thread Amos Jeffries

__

Squid Proxy Cache Security Update Advisory SQUID-2024:2
__

Advisory ID:   | SQUID-2024:2
Date:  | Feb 15, 2024
Summary:   | Denial of Service in HTTP Header parser
Affected versions: | Squid 3.x -> 3.5.28
   | Squid 4.x -> 4.17
   | Squid 5.x -> 5.9
   | Squid 6.x -> 6.4
Fixed in version:  | Squid 6.5
__

Problem Description:

 Due to a Collapse of Data into Unsafe Value bug,
 Squid may be vulnerable to a Denial of Service
 attack against HTTP header parsing.

__

Severity:

 This problem allows a remote client or a remote server to
 perform Denial of Service when sending oversized headers in
 HTTP messages.

 In versions of Squid prior to 6.5 this can be achieved if the
 request_header_max_size or reply_header_max_size settings are
 unchanged from the default.

 In Squid version 6.5 and later, the default setting of these
 parameters is safe. Squid will emit a critical warning in
 cache.log if the administrator is setting these parameters to
 unsafe values. Squid will not at this time prevent these settings
 from being changed to unsafe values.

__

Updated Packages:

Hardening against this issue is added to Squid version 6.5.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 6:
 

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 Run the following command to identify how (and whether)
 your Squid has been configured with relevant settings:

squid -k parse 2>&1 | grep header_max_size

 All Squid-3.0 up to and including 6.4 without header_max_size
 settings are vulnerable.

 All Squid-3.0 up to and including 6.4 with either header_max_size
 setting over 21 KB are vulnerable.

 All Squid-3.0 up to and including 6.4 with both header_max_size
 settings below 21 KB are not vulnerable.

 All Squid-6.5 and later without header_max_size configured
 are not vulnerable.

 All Squid-6.5 and later configured with both header_max_size
 settings below 64 KB are not vulnerable.

 All Squid-6.5 and later configured with either header_max_size
 setting over 64 KB are vulnerable.

__

Workaround:

For Squid older than 6.5, add to squid.conf:

  request_header_max_size 21 KB
  reply_header_max_size 21 KB


For Squid 6.5 and later, remove request_header_max_size
 and reply_header_max_size from squid.conf

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the  mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
  mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Joshua Rogers of Opera
 Software.

 Fixed by The Measurement Factory.

__

Revision history:

 2023-10-12 11:53:02 UTC Initial Report
 2023-10-25 11:47:19 UTC Patches Released
__
END


[squid-users] [squid-announce] [ADVISORY] SQUID-2023:11 Denial of Service in Cache Manager

2024-03-04 Thread Amos Jeffries

__

  Squid Proxy Cache Security Update Advisory SQUID-2023:11
__

Advisory ID:   | SQUID-2023:11
Date:  | Jan 24, 2024
Summary:   | Denial of Service in Cache Manager
Affected versions: | Squid 2.x -> 2.7.STABLE9
   | Squid 3.x -> 3.5.28
   | Squid 4.x -> 4.17
   | Squid 5.x -> 5.9
   | Squid 6.x -> 6.5
Fixed in version:  | Squid 6.6
__

Problem Description:

 Due to a hanging pointer reference bug, Squid is vulnerable to a
 Denial of Service attack against Cache Manager error responses.

__

Severity:

 This problem allows a trusted client to perform Denial of Service
 when generating error pages for Client Manager reports.

__

Updated Packages:

  This bug is fixed by Squid version 6.6.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 5:
 

Squid 6:
 

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 Squid older than 5.0.5 have not been tested and should be assumed
 to be vulnerable.

 All Squid-5.x up to and including 5.9 are vulnerable.

 All Squid-6.x up to and including 6.5 are vulnerable.

__

Workaround:

 Prevent access to Cache Manager using Squid's main access
 control:

  http_access deny manager

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the  mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
  mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Joshua Rogers of Opera
 Software.

 Fixed by The Measurement Factory.

__

Revision history:

 2023-10-12 11:53:02 UTC Initial Report
 2023-11-12 09:33:20 UTC Patches Released
__
END


[squid-users] [squid-announce] [ADVISORY] SQUID-2023:10 Denial of Service in HTTP Request parsing

2024-03-04 Thread Amos Jeffries

__

  Squid Proxy Cache Security Update Advisory SQUID-2023:10
__

Advisory ID:   | SQUID-2023:10
Date:  | Dec 10, 2023
Summary:   | Denial of Service in HTTP Request parsing
Affected versions: | Squid 2.6 -> 2.7.STABLE9
   | Squid 3.1 -> 3.5.28
   | Squid 4.x -> 4.17
   | Squid 5.x -> 5.9
   | Squid 6.x -> 6.5
Fixed in version:  | Squid 6.6
__

Problem Description:

 Due to an Uncontrolled Recursion bug, Squid may be vulnerable to a
 Denial of Service attack against HTTP Request parsing.

__

Severity:

This problem allows a remote client to perform a Denial of Service attack
by sending a large X-Forwarded-For header when the
follow_x_forwarded_for feature is configured.

__

Updated Packages:

This bug is fixed by Squid version 6.6.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 5:
 

Squid 6:
 

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__

Determining if your version is vulnerable:

 To check for follow_x_forwarded_for run the following command:

  squid -k parse 2>&1 | grep follow_x_forwarded_for


 All Squid configured without follow_x_forwarded_for are not
 vulnerable.

 All Squid older than 5.0.5 have not been tested and should be
 assumed to be vulnerable when configured with
 follow_x_forwarded_for.

 All Squid-5.x up to and including 5.9 are vulnerable when
 configured with follow_x_forwarded_for.

 All Squid-6.x up to and including 6.5 are vulnerable when
 configured with follow_x_forwarded_for.

__

Workaround:

 Remove all follow_x_forwarded_for lines from squid.conf

__

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the  mailing list is your
 primary support point. For subscription details see
 .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 .

 For reporting of security sensitive bugs send an email to the
  mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__

Credits:

 This vulnerability was discovered by Joshua Rogers of Opera
 Software.

 Fixed by Thomas Leroy of the SUSE security team.

__

Revision history:

 2023-10-12 11:53:02 UTC Initial Report
 2023-11-28 07:35:46 UTC Patches Released
__
END
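A triage helper that applies the version and configuration rules stated in the SQUID-2024:1, SQUID-2024:2 and SQUID-2023:10 advisories above to a `squid -v` string and the output of `squid -k parse`. This is an added example, not Squid project code; the sample parse output is constructed, and the `Processing:` line prefix is an assumption (only the directive text is matched).

```python
"""
Exposure check for three Squid advisories (SQUID-2024:1, SQUID-2024:2,
SQUID-2023:10). Added example, not Squid project code. Inputs are the
`squid -v` version line and the directive lines echoed by `squid -k parse`.
"""
import re

KB = 1024
# Size units accepted in squid.conf; a bare number is bytes.
UNITS = {"": 1, "b": 1, "bytes": 1, "kb": KB, "mb": KB * KB, "gb": KB ** 3}

HEADER_RE = re.compile(r"\b(request|reply)_header_max_size\s+(\d+)\s*([A-Za-z]*)")
XFF_RE = re.compile(r"\bfollow_x_forwarded_for\s+(allow|deny)\b")

# Constructed sample of `squid -k parse 2>&1` output (prefix format assumed).
SAMPLE_PARSE_OUTPUT = """\
2024/03/04 16:09:28| Processing: http_port 3128
2024/03/04 16:09:28| Processing: request_header_max_size 128 KB
2024/03/04 16:09:28| Processing: reply_header_max_size 21 KB
2024/03/04 16:09:28| Processing: follow_x_forwarded_for allow localhost
"""


def parse_version(text):
    """'Squid Cache: Version 6.7' or '3.5.28' -> (6, 7, 0) / (3, 5, 28)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no Squid version found in %r" % text)
    return tuple(int(x or 0) for x in m.groups())


def header_limits(parse_output):
    """Return {'request': bytes, 'reply': bytes} for the header_max_size
    directives present; the last occurrence wins, as in squid.conf."""
    limits = {}
    for m in HEADER_RE.finditer(parse_output):
        which, num, unit = m.group(1), int(m.group(2)), m.group(3).lower()
        if unit not in UNITS:
            raise ValueError("unknown size unit %r" % m.group(3))
        limits[which] = num * UNITS[unit]
    return limits


def xff_configured(parse_output):
    return XFF_RE.search(parse_output) is not None


def assess(version_text, parse_output):
    """Map advisory id -> True (vulnerable), False (not vulnerable) or
    None (version outside the range the advisory covers)."""
    v = parse_version(version_text)
    mm = v[:2]  # major.minor, for the "up to and including X.Y" rules
    report = {}

    # SQUID-2024:1: 3.5.27 .. 6.7 vulnerable, no workaround, fixed in 6.8.
    report["SQUID-2024:1"] = (3, 5, 27) <= v and mm <= (6, 7)

    # SQUID-2024:2: thresholds differ before and after the 6.5 hardening.
    limits = header_limits(parse_output)
    both_set = {"request", "reply"} <= set(limits)
    biggest = max(limits.values(), default=0)
    if (3, 0) <= mm <= (6, 4):
        # Advisory: without the settings, or with either over 21 KB,
        # vulnerable. A missing directive leaves the (unsafe) old default.
        report["SQUID-2024:2"] = not both_set or biggest > 21 * KB
    elif mm >= (6, 5):
        # Advisory: unconfigured or both below 64 KB is safe.
        report["SQUID-2024:2"] = biggest > 64 * KB
    else:
        report["SQUID-2024:2"] = None

    # SQUID-2023:10: only hosts with follow_x_forwarded_for are exposed;
    # everything up to and including 6.5 is treated as vulnerable.
    report["SQUID-2023:10"] = mm <= (6, 5) and xff_configured(parse_output)
    return report


if __name__ == "__main__":
    for advisory, state in assess("Squid Cache: Version 6.7", SAMPLE_PARSE_OUTPUT).items():
        print("%-14s %s" % (advisory, {True: "VULNERABLE", False: "ok", None: "n/a"}[state]))
```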


Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-04 Thread Amos Jeffries

On 5/03/24 08:03, Dragos Pacher wrote:

Hello,

I am a Squid beginner and we would like to use Squid inside our 
organization only as an HTTPS traffic inspection/logging tool for some 
3rd party apps that we bought, something close to what a "MITM proxy" is 
called, but we will not do that; instead we use a self-signed certificate 
and the 3rd party app owners know this. Everything is 100% completely 
legal. (Ps: I am the IT lead).



FYI: "MITM proxy" is a ridiculous term. "MITM" means "intermediary" in 
security terminology, "proxy" means "intermediary" in networking 
terminology.

 So that term just means "intermediary intermediary", yeah.



Any serious HTTPS inspection/logging by Squid needs some form of 
SSL-Bump configuration and those 3rd-party Apps MUST be configured with 
trust for the self-signed root CA you are using.



Without that nothing Squid (or any other proxy) does will allow traffic 
inspection beyond the initial TLS handshake.




Assuming that you have checked that detail, on to your issue ...


We will be using Squid only internally, no outside access. Here is my 
issue with my current knowledge of Squid: POC running well on 3 servers 
but on the 4th I get no IPv6 sockets:
ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
tcp        0      0 10.10.0.16:3128         0.0.0.0:*   
LISTEN      2891391/(squid-1)



Your problem is the http(s)_port "port" configuration parameter.


This Squid is configured to listen like:

  http_port 10.10.0.16:3128

or

  http_port example.com:3128

(when example.com has only address 10.10.0.16)


The "http_port" receives port-80 syntax traffic; it may also be
"https_port", which receives port-443 syntax traffic.




and on the other 3 I have IPv6:
ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
tcp        0      0 x.x.x.x:52386    x.x.x.x:443     ESTABLISHED 
997651/(squid-1)
tcp6       0      0 :::3128                 :::*   
  LISTEN      997651/(squid-1)



These Squid are configured to listen like:

 http_port 3128


Ensure that the machine/server the 4th Squid is running on has its 
http(s)_port line matching the other three machines port value.


At this point do not care about the "mode" or options later in the line. 
Your issue is solely the "port" parameter.



Cheers
Amos
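An added example (not from the thread or the Squid project) that turns Amos's diagnosis into a repeatable check: parse `netstat -patun` output, pick the LISTEN sockets on the proxy port, and report whether IPv6 clients can connect and which http_port form each listener implies. The sample lines are the ones quoted in this thread; the bracketed `http_port [addr]:port` form for literal IPv6 addresses is Squid's own syntax, and the dual-stack behaviour of a `::` listener is the Linux default (net.ipv6.bindv6only=0).

```python
"""
Listener audit for the http_port question in this thread. Added example,
not Squid project code: it classifies `netstat -patun` LISTEN lines so an
admin can see at a glance which hosts will refuse IPv6-only clients.
"""
import re

# netstat -patun columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<prog>\S+)"
)

# Sample lines as quoted in the thread: the problem host (A2-3) and a
# healthy host (A2-2). Foreign addresses were redacted by the poster.
IPV4_ONLY_HOST = """\
tcp        0      0 10.10.0.16:3128         0.0.0.0:*               LISTEN      2891391/(squid-1)
"""
DUAL_STACK_HOST = """\
tcp        0      0 x.x.x.x:52386           x.x.x.x:443             ESTABLISHED 997651/(squid-1)
tcp6       0      0 :::3128                 :::*                    LISTEN      997651/(squid-1)
"""


def split_host_port(local):
    """'10.10.0.16:3128' -> ('10.10.0.16', 3128); ':::3128' -> ('::', 3128)."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def classify_listener(line):
    """Return a description of a LISTEN socket, or None for other lines."""
    m = LISTEN_RE.match(line)
    if not m:
        return None
    host, port = split_host_port(m.group("local"))
    is_v6 = m.group("proto") == "tcp6"
    wildcard = host in ("0.0.0.0", "::")
    # Amos's point: a bare "http_port 3128" gives the :::3128 wildcard
    # listener, while an address (or a name resolving to one) pins the
    # socket to that address and family.
    if wildcard:
        directive = "http_port %d" % port
    elif is_v6:
        directive = "http_port [%s]:%d" % (host, port)  # Squid IPv6 literal form
    else:
        directive = "http_port %s:%d" % (host, port)
    return {
        "port": port,
        "host": host,
        "program": m.group("prog"),
        "accepts_ipv6": is_v6,
        # A tcp (IPv4) socket never accepts IPv6 clients; a :: wildcard
        # socket also takes IPv4 clients as v4-mapped addresses on Linux.
        "accepts_ipv4": (not is_v6) or wildcard,
        "implied_directive": directive,
    }


def audit(netstat_output, port):
    """Summarise every LISTEN socket on `port` found in netstat output."""
    listeners = [l for l in map(classify_listener, netstat_output.splitlines())
                 if l and l["port"] == port]
    return {
        "listeners": listeners,
        "ipv6_reachable": any(l["accepts_ipv6"] for l in listeners),
        "ipv4_reachable": any(l["accepts_ipv4"] for l in listeners),
        "implied_directives": sorted({l["implied_directive"] for l in listeners}),
    }


if __name__ == "__main__":
    for name, sample in (("A2-3", IPV4_ONLY_HOST), ("A2-2", DUAL_STACK_HOST)):
        r = audit(sample, 3128)
        print("%s: IPv6 clients %s, IPv4 clients %s, config looks like: %s" % (
            name, "ok" if r["ipv6_reachable"] else "REFUSED",
            "ok" if r["ipv4_reachable"] else "REFUSED",
            "; ".join(r["implied_directives"]) or "no listener"))
```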


Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-04 Thread Dragos Pacher
Thank you Alex,

Indeed something is listening on this port, but it looks to be Squid:
root@A2-3:/# nc -6 -l 3128
nc: Address already in use

root@A2-3:/# lsof -i:3128
COMMAND PID  USER   FD   TYPEDEVICE SIZE/OFF NODE NAME
squid   3480423 proxy   25u  IPv4 283726201  0t0  TCP A2-3:3128 (LISTEN)

but the socket is IPV4 only on the problem host:
root@A2-3:/# lsof -a -i4 -i6 -itcp | grep 3128
squid 3480423   proxy   25u  IPv4 283726201  0t0  TCP A2-3:3128 
(LISTEN)

compared to a 'healthy' server:
root@A2-2:~# lsof -a -i4 -i6 -itcp | grep 3128
squid  997651   proxy   12u  IPv6 254219302  0t0  TCP 
A2-2:3128->x.x.x.x:46816 (ESTABLISHED)
squid  997651   proxy   25u  IPv6 241163587  0t0  TCP *:3128 
(LISTEN)

As far as I know, an IPv6 socket accepts both v4 and v6 connections but a v4 socket 
only v4 connections, and this looks to be the symptom.

This is what I found in the cache.log:
2024/03/04 16:09:28 kid1| With 100 file descriptors available
2024/03/04 16:09:28 kid1| Initializing IP Cache...
2024/03/04 16:09:28 kid1| DNS IPv6 socket created at [::], FD 9
2024/03/04 16:09:28 kid1| DNS IPv4 socket created at 0.0.0.0, FD 10

so it looks like it creates the IPv6 socket but it's not working somehow:
root@A2-3:/# telnet ::1 3128
Trying ::1...
telnet: Unable to connect to remote host: Connection refused

Unfortunately there is nothing else relevant to me in the cache.log. I enabled 
debugging; to what email can I send the archive for you to look at, please?

Thank you,

Dragos


On Monday, March 4th, 2024 at 9:43 PM, Alex Rousskov 
 wrote:

> On 2024-03-04 14:03, Dragos Pacher wrote:
> 
> > POC running well on 3 servers but on the 4th I get no IPv6
> > sockets:
> > ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp 0 0 10.10.0.16:3128 0.0.0.0:*
> > LISTEN 2891391/(squid-1)
> 
> 
> Are there any other processes listening on IPv6 addresses on this
> problematic host?
> 
> Does something like "nc -6 -l 3128" listen on an IPv6 address on this
> problematic host?
> 
> If possible, please also check cache.log for messages mentioning IPv6
> and "BCP 177"; I know you shared syslog output, but I am a bit worried
> that syslog might be missing some relevant early debugging messages.
> 
> 
> If nothing helps, consider sharing a pointer to compressed Squid startup
> cache.log after adding "debug_options ALL,2 50,3" to your squid.conf. We
> do not need to see any transactions, just Squid startup steps. Still,
> this log may contain some sensitive details, so share privately if needed.
> 
> 
> Thank you,
> 
> Alex.
> 
> 
> > and on the other 3 I have IPv6:
> > ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED
> > 997651/(squid-1)
> > tcp6 0 0 :::3128 :::*
> > LISTEN 997651/(squid-1)
> > tcp6 0 0 10.10.0.12:3128 10.20.0.1:39428
> > ESTABLISHED 997651/(squid-1)
> 
> 
> 
> 
> 
> 
> > This creates a problem for us since the apps I monitor are not starting
> > since their start routine is IPV6 only and then they switch to
> > IPv4/IPV6, but the start is IPV6 alone.
> > 
> > Therefore my questions are as follows:
> > 
> > 1. How can I make it listen on both IPV6/IPV4 like on the other servers?
> > 2. Any configuration improvement suggestions?
> > 
> > Please find all details here:
> > So far I did a POC on 4 servers, here is the full config, nothing
> > sophisticated since this is where my Squid knowledge took me so far.
> > Running Squid 6.7 with some basic options
> > on Ubuntu 22.04 kernel 5.15.0-89-generic x86_64
> > squid -v
> > Squid Cache: Version 6.7
> > Service Name: squid
> > This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:
> > '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid'
> > '--datadir=/share/squid' '--sysconfdir=/etc/squid'
> > '--with-default-user=proxy' '--with-logdir=/var/log/squid'
> > '--enable-ssl-crtd' '--with-openssl'
> > 
> > and here is the syslog of Squid start:
> > Mar 4 16:09:28 A2-3 systemd[1]: Starting Squid Web Proxy Server...
> > Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Processing
> > Configuration File: /etc/squid/squid.conf (depth 0)
> > Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: empty
> > ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
> > Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: The
> > "Hs" formatting code is deprecated. Use the ">Hs" instead.
> > Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Created PID
> > file (/var/run/squid.pid)
> > Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: will start 1 kids
> > Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: (squid-1) process
> > 3094665 started
> > Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1|
> > Processing Configuration File: /etc/squid/squid.conf (depth 0)
> > Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING:
> > empty A

Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-04 Thread Alex Rousskov

On 2024-03-04 14:03, Dragos Pacher wrote:


POC running well on 3 servers but on the 4th I get no IPv6
sockets:
ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
tcp        0      0 10.10.0.16:3128         0.0.0.0:*   
LISTEN      2891391/(squid-1)


Are there any other processes listening on IPv6 addresses on this 
problematic host?


Does something like "nc -6 -l 3128" listen on an IPv6 address on this 
problematic host?


If possible, please also check cache.log for messages mentioning IPv6 
and "BCP 177"; I know you shared syslog output, but I am a bit worried 
that syslog might be missing some relevant early debugging messages.



If nothing helps, consider sharing a pointer to compressed Squid startup 
cache.log after adding "debug_options ALL,2 50,3" to your squid.conf. We 
do not need to see any transactions, just Squid startup steps. Still, 
this log may contain some sensitive details, so share privately if needed.



Thank you,

Alex.




and on the other 3 I have IPv6:
ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
tcp        0      0 x.x.x.x:52386    x.x.x.x:443     ESTABLISHED 
997651/(squid-1)
tcp6       0      0 :::3128                 :::*   
  LISTEN      997651/(squid-1)
tcp6       0      0 10.10.0.12:3128         10.20.0.1:39428   
  ESTABLISHED 997651/(squid-1)






This creates a problem for us since the apps I monitor are not starting 
since their start routine is IPV6 only and then they switch to 
IPv4/IPV6, but the start is IPV6 alone.


Therefore my questions are as follows:

 1. How can I make it listen on both IPV6/IPV4 like on the other servers?
 2. Any configuration improvement suggestions?


Please find all details here:
So far I did a POC on 4 servers, here is the full config, nothing 
sophisticated since this is where my Squid knowledge took me so far. 
Running Squid 6.7 with some basic options

on Ubuntu 22.04 kernel 5.15.0-89-generic x86_64
squid -v
Squid Cache: Version 6.7
Service Name: squid
This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options: 
  '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid' 
'--datadir=/share/squid' '--sysconfdir=/etc/squid' 
'--with-default-user=proxy' '--with-logdir=/var/log/squid' 
'--enable-ssl-crtd' '--with-openssl'


and here is the syslog of Squid start:
Mar  4 16:09:28 A2-3 systemd[1]: Starting Squid Web Proxy Server...
Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Processing 
Configuration File: /etc/squid/squid.conf (depth 0)
Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: empty 
ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: The 
"Hs" formatting code is deprecated. Use the ">Hs" instead.
Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Created PID 
file (/var/run/squid.pid)

Mar  4 16:09:28 A2-3 squid[3094662]: Squid Parent: will start 1 kids
Mar  4 16:09:28 A2-3 squid[3094662]: Squid Parent: (squid-1) process 
3094665 started
Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| 
Processing Configuration File: /etc/squid/squid.conf (depth 0)
Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: 
empty ACL: acl broken_sites ssl::server_name 
"/etc/squid/ssl_broken_sites.txt"
Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: 
The "Hs" formatting code is deprecated. Use the ">Hs" instead.
Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Set 
Current Directory to /var/cache/squid
Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Creating 
missing swap directories
Mar  4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| No 
cache_dir stores are configured.
Mar  4 16:09:28 A2-3 squid[3094662]: Squid Parent: squid-1 process 
3094665 exited with status 0
Mar  4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Removing PID 
file (/var/run/squid.pid)
Mar  4 16:09:28 A2-3 squid[3094666]: Processing Configuration File: 
/etc/squid/squid.conf (depth 0)
Mar  4 16:09:28 A2-3 squid[3094666]: WARNING: empty ACL: acl 
broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar  4 16:09:28 A2-3 squid[3094666]: WARNING: The "Hs" formatting code 
is deprecated. Use the ">Hs" instead.

Mar  4 16:09:28 A2-3 squid[3094666]: Created PID file (/var/run/squid.pid)
Mar  4 16:09:28 A2-3 squid[3094666]: Squid Parent: will start 1 kids
Mar  4 16:09:28 A2-3 squid[3094666]: Squid Parent: (squid-1) process 
3094668 started
Mar  4 16:09:28 A2-3 squid[3094668]: Processing Configuration File: 
/etc/squid/squid.conf (depth 0)
Mar  4 16:09:28 A2-3 squid[3094668]: WARNING: empty ACL: acl 
broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar  4 16:09:28 A2-3 squid[3094668]: WARNING: The "Hs" formatting code 
is deprecated. Use the ">Hs" instead.
Mar  4 16:09:28 A2-3 squid[3094668]: Set Current Directory to 
/var/cache/squid
Mar  4 16:09:28 A2-3 squid[3094668]: Sta

[squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-04 Thread Dragos Pacher
Hello,

I am a Squid beginner and we would like to use Squid inside our organization 
only as an HTTPS traffic inspection/logging tool for some 3rd party apps that we 
bought, something close to what a "MITM proxy" is called, but we will not do that; 
instead we use a self-signed certificate and the 3rd party app owners know 
this. Everything is 100% completely legal. (Ps: I am the IT lead).

We will be using Squid only internally, no outside access. Here is my issue 
with my current knowledge of Squid: POC running well on 3 servers but on the 
4th I get no IPv6 sockets:
ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
tcp 0 0 10.10.0.16:3128 0.0.0.0:* LISTEN 2891391/(squid-1)

and on the other 3 I have IPv6:
ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED 997651/(squid-1)
tcp6 0 0 :::3128 :::* LISTEN 997651/(squid-1)
tcp6 0 0 10.10.0.12:3128 10.20.0.1:39428 ESTABLISHED 997651/(squid-1)

This creates a problem for us since the apps I monitor are not starting since 
their start routine is IPV6 only and then they switch to IPv4/IPV6, but the 
start is IPV6 alone.

Therefore my questions are as follows:

- How can I make it listen on both IPV6/IPV4 like on the other servers?
- Any configuration improvement suggestions?

Please find all details here:
So far I did a POC on 4 servers, here is the full config, nothing sophisticated 
since this is where my Squid knowledge took me so far. Running Squid 6.7 with 
some basic options
on Ubuntu 22.04 kernel 5.15.0-89-generic x86_64
squid -v
Squid Cache: Version 6.7
Service Name: squidThis binary uses OpenSSL 3.0.2 15 Mar 2022. configure 
options: '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid' 
'--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' 
'--with-logdir=/var/log/squid' '--enable-ssl-crtd' '--with-openssl'

and here is the syslog of Squid start:
Mar 4 16:09:28 A2-3 systemd[1]: Starting Squid Web Proxy Server...
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Processing 
Configuration File: /etc/squid/squid.conf (depth 0)
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: empty ACL: 
acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: The "Hs" 
formatting code is deprecated. Use the ">Hs" instead.
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Created PID file 
(/var/run/squid.pid)
Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: will start 1 kids
Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: (squid-1) process 3094665 
started
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Processing 
Configuration File: /etc/squid/squid.conf (depth 0)
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: empty 
ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: The "Hs" 
formatting code is deprecated. Use the ">Hs" instead.
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Set Current 
Directory to /var/cache/squid
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Creating missing 
swap directories
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| No cache_dir 
stores are configured.
Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: squid-1 process 3094665 
exited with status 0
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Removing PID file 
(/var/run/squid.pid)
Mar 4 16:09:28 A2-3 squid[3094666]: Processing Configuration File: 
/etc/squid/squid.conf (depth 0)
Mar 4 16:09:28 A2-3 squid[3094666]: WARNING: empty ACL: acl broken_sites 
ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar 4 16:09:28 A2-3 squid[3094666]: WARNING: The "Hs" formatting code is 
deprecated. Use the ">Hs" instead.
Mar 4 16:09:28 A2-3 squid[3094666]: Created PID file (/var/run/squid.pid)
Mar 4 16:09:28 A2-3 squid[3094666]: Squid Parent: will start 1 kids
Mar 4 16:09:28 A2-3 squid[3094666]: Squid Parent: (squid-1) process 3094668 
started
Mar 4 16:09:28 A2-3 squid[3094668]: Processing Configuration File: 
/etc/squid/squid.conf (depth 0)
Mar 4 16:09:28 A2-3 squid[3094668]: WARNING: empty ACL: acl broken_sites 
ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar 4 16:09:28 A2-3 squid[3094668]: WARNING: The "Hs" formatting code is 
deprecated. Use the ">Hs" instead.
Mar 4 16:09:28 A2-3 squid[3094668]: Set Current Directory to /var/cache/squid
Mar 4 16:09:28 A2-3 squid[3094668]: Starting Squid Cache version 6.7 for 
x86_64-pc-linux-gnu...
Mar 4 16:09:28 A2-3 squid[3094668]: Service Name: squid
Mar 4 16:09:28 A2-3 squid[3094668]: Process ID 3094668
Mar 4 16:09:28 A2-3 squid[3094668]: Process Roles: worker
Mar 4 16:09:28 A2-3 squid[3094668]: With 100 file descriptors available
Mar 4 16:09:28 A2-3 squid[3094668]: Initializing IP Cache...
Mar 4 16:09:28 A2-3 squid[3094668]: DNS IPv6 socket created at [::], FD 9

Re: [squid-users] Squid delay_access with external acl

2024-03-04 Thread Alex Rousskov

On 2024-03-04 06:31, Szilárd Horváth wrote:


Thank you so much for your answer, but this solution doesn't work.


Please note that I did not (try to) offer a solution. I only tried to 
correct a specific problem in a specific configuration statement.


I hope that Francesco will continue to guide you towards the solution 
that works in your environment. It may be useful to know what exactly 
does not work at this point (e.g., the transaction never gets a 
limited=yes annotation, which you can check by logging %note to 
access.log, OR the transaction is annotated as expected but is not 
delayed as expected).



Good luck,

Alex.



Please check my config, maybe I made a mistake. Or do you have any other solution?
I can use proxy users from QUOTA_EXCEEDED_USERS.acl, which contains e-mail 
addresses, or get them from ldap with external_acl_type overkvota 
children-max=10 children-startup=10 ttl=600 negative_ttl=600 %LOGIN 
/usr/lib/squid/ext_ldap_group_acl -Z -v 3 -P -p 389 -h ldapm1.x.hu 
-s sub -D cn=squid_proxy,o=services -W /etc/squid/secret -b o= -f 
"(&(mail=%u)(objectclass=InetorgPerson)(InternetUser=true)(QuotaExceeded=true))"

acl QUOTA_EXCEEDED_USERS ext_user "/etc/squid/QUOTA_EXCEEDED_USERS.acl"
acl markAsLimited annotate_transaction limited=yes
acl markedAsLimited note limited yes
http_access allow QUOTA_EXCEEDED_USERS markAsLimited !all

delay_pools 1
delay_class 1 1
delay_parameters 1 32000/32000
delay_access 1 allow markedAsLimited
delay_access 1 deny all
br,
Szilard



Alex Rousskov  02/20/2024, 04:52 PM >>>

On 2024-02-20 03:14, Francesco Chemolli wrote:

 > acl users ext_user foo bar gazonk
 > http_access allow users all # always allow

The above does not always allow. What you meant is probably this:

# This rule never matches. It is used for its side effect:
# The rule evaluates users ACL, caching evaluation result.
http_access allow users !all


 > delay_access 3 allow users
 >
 > should do the trick

... but sometimes will not. Wiki recommendation to "exploit caching" is
an ugly outdated hack that should be avoided. The correct solution these
days is to use annotate_transaction ACL to mark the transaction
accordingly. Here is an untested sketch:

acl fromUserThatShouldBeLimited ext_user ...
acl markAsLimited annotate_transaction limited=yes
acl markedAsLimited note limited yes

# This rule never matches; used for its annotation side effect.
http_access allow fromUserThatShouldBeLimited markAsLimited !all

delay_access 3 allow markedAsLimited

HTH,

Alex.



 > On Tue, Feb 20, 2024 at 2:15 PM Szilárd Horváth wrote:
 >
 > Good Day!
 >
 > I try to make limitation bandwidth for some user group. I have an
 > external acl which get the users from ldap database server. In the
 > old version of config we blocked the internet with http_access deny
 > GROUP, but now i try to allow the internet which has limited
 > bandwidth. I know that the delay_access work with only fast ACL and
 > external acl or proxy_auth acl are slow. I already tried some
 > opportunity but i couldn't solve.
 >
 > Maybe have you any solution for this? Or any idea how can limitation
 > the bandwidth for some user? I need use the username (e-mail address
 > format) because that use to login to the proxy.
 >
 > Version: Squid Cache: Version 5.6
 >
 > Thank you so much and i am waiting for your answer!
 >
 > Have a good day!
 >
 > Br,
 > Szilard Horvath
 >
 > ___
 > squid-users mailing list
 > squid-users@lists.squid-cache.org
 > 
 > https://lists.squid-cache.org/listinfo/squid-users
 > 
 >
 >
 >
 > --
 > Francesco
 >
 > ___
 > squid-users mailing list
 > squid-users@lists.squid-cache.org
 > https://lists.squid-cache.org/listinfo/squid-users



___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
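Alex suggests logging %note to access.log to tell the two failure modes apart (the transaction never gets the limited=yes annotation, or it is annotated but not delayed). The following Python triage script is an added example, not code from the thread or the Squid project. It assumes a constructed logging setup in squid.conf (`logformat limited %ts.%03tu %tr %>a %Ss/%03>Hs %<st %rm %ru %un %{limited}note` written to its own access_log) and takes the pool values from the config posted in this thread, `delay_parameters 1 32000/32000` (restore rate 32000 bytes/s, bucket size 32000 bytes). The log lines below are constructed sample input.

```python
import re

# Assumed squid.conf logging (constructed for this example); LINE_RE field
# order must match this logformat:
#   logformat limited %ts.%03tu %tr %>a %Ss/%03>Hs %<st %rm %ru %un %{limited}note
#   access_log /var/log/squid/limited.log limited
# Pool values from the thread's "delay_parameters 1 32000/32000".
RESTORE_BYTES_PER_SEC = 32000  # bucket refill rate
MAX_BUCKET_BYTES = 32000       # bucket starts full: the first 32000 bytes leave undelayed

# Slack for timer granularity, socket buffering and log rounding (assumption).
TOLERANCE = 0.8

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<limited>\S+)$"
)


def expected_min_ms(reply_bytes: int) -> int:
    """Lower bound on transfer time once the reply has to drain the bucket.

    A reply that fits in the initial bucket can go out at full speed, so only
    replies larger than MAX_BUCKET_BYTES tell us anything about the pool.
    """
    excess = reply_bytes - MAX_BUCKET_BYTES
    if excess <= 0:
        return 0
    return excess * 1000 // RESTORE_BYTES_PER_SEC


def classify(line: str) -> tuple:
    """Return (user, verdict) for one access.log line in the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("-", "unparsed")
    user = m.group("user")
    # %{limited}note prints "-" when the annotation was never set.
    if m.group("limited") != "yes":
        return (user, "not_annotated")
    floor_ms = expected_min_ms(int(m.group("bytes")))
    if floor_ms == 0:
        return (user, "inconclusive")  # too small to have been throttled
    if int(m.group("ms")) >= floor_ms * TOLERANCE:
        return (user, "throttled")
    return (user, "annotated_not_delayed")


def triage(lines) -> dict:
    """Count verdicts over a batch of log lines."""
    counts = {}
    for line in lines:
        if not line.strip():
            continue
        _, verdict = classify(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1709539200.123    45 10.0.0.5 TCP_MISS/200 5120 GET http://example.com/a quota1@x.hu -
1709539201.456    40 10.0.0.6 TCP_MISS/200 20000 GET http://example.com/b quota2@x.hu yes
1709539202.789  9800 10.0.0.6 TCP_MISS/200 352000 GET http://example.com/c quota2@x.hu yes
1709539203.100   120 10.0.0.6 TCP_MISS/200 352000 GET http://example.com/d quota2@x.hu yes
"""

if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(classify(entry))
    print(triage(SAMPLE_LOG.splitlines()))
```

A `not_annotated` verdict for a user who should be limited means the annotating `http_access ... markAsLimited !all` rule never ran; since http_access stops at the first matching rule, that rule has to precede whatever rule finally allows the request. An `annotated_not_delayed` verdict points at the delay side (delay_access, delay_pools ordering). The timing check is approximate: %tr includes the upstream fetch and %<st includes headers, so only replies well above the bucket size are diagnostic.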


Re: [squid-users] Squid delay_access with external acl

2024-03-04 Thread Szilárd Horváth
Hi Alex,

Thank you so much for your answer, but this solution doesn't work. Please check
my config, maybe I made a mistake. Or maybe you have any
other solution?

I can use proxy users from QUOTA_EXCEEDED_USERS.acl, which contains e-mail
addresses, or get them from LDAP with external_acl_type overkvota
children-max=10 children-startup=10 ttl=600 negative_ttl=600 %LOGIN
/usr/lib/squid/ext_ldap_group_acl -Z -v 3 -P -p 389 -h
ldapm1.x.hu -s sub -D cn=squid_proxy,o=services -W /etc/squid/secret
-b o= -f
"(&(mail=%u)(objectclass=InetorgPerson)(InternetUser=true)(QuotaExceeded=true))"

acl QUOTA_EXCEEDED_USERS ext_user "/etc/squid/QUOTA_EXCEEDED_USERS.acl"
acl markAsLimited annotate_transaction limited=yes
acl markedAsLimited note limited yes
http_access allow QUOTA_EXCEEDED_USERS markAsLimited !all

delay_pools 1
delay_class 1 1
delay_parameters 1 32000/32000
delay_access 1 allow markedAsLimited
delay_access 1 deny all

br,
Szilard


>>> Alex Rousskov 02/20/2024, 04:52 PM >>>
On 2024-02-20 03:14, Francesco Chemolli wrote:

> acl users ext_user foo bar gazonk
> http_access allow users all # always allow

The above does not always allow. What you meant is probably this:

# This rule never matches. It is used for its side effect:
# The rule evaluates users ACL, caching evaluation result.
http_access allow users !all


> delay_access 3 allow users
>
> should do the trick

... but sometimes will not. Wiki recommendation to "exploit caching" is
an ugly outdated hack that should be avoided. The correct solution these
days is to use annotate_transaction ACL to mark the transaction
accordingly. Here is an untested sketch:

acl fromUserThatShouldBeLimited ext_user ...
acl markAsLimited annotate_transaction limited=yes
acl markedAsLimited note limited yes

# This rule never matches; used for its annotation side effect.
http_access allow fromUserThatShouldBeLimited markAsLimited !all

delay_access 3 allow markedAsLimited

HTH,

Alex.



> On Tue, Feb 20, 2024 at 2:15 PM Szilárd Horváth wrote:
>
> Good Day!
>
> I am trying to make a bandwidth limitation for some user group. I have an
> external acl which gets the users from an ldap database server. In the
> old version of the config we blocked the internet with http_access deny
> GROUP, but now I try to allow the internet with limited
> bandwidth. I know that delay_access works only with fast ACLs, and
> external acl or proxy_auth acls are slow. I already tried some
> options but I couldn't solve it.
>
> Maybe have you any solution for this? Or any idea how I can limit
> the bandwidth for some users? I need to use the username (e-mail address
> format) because that is used to login to the proxy.
>
> Version: Squid Cache: Version 5.6
>
> Thank you so much and I am waiting for your answer!
>
> Have a good day!
>
> Br,
> Szilard Horvath
>
>
> --
> Francesco

