Re: [squid-users] ACL based DNS server list

2022-10-26 Thread Odhiambo Washington
On Wed, Oct 26, 2022 at 4:27 AM Sneaker Space LTD wrote:

> Hello,
>
> Is there a way to use specific DNS servers based on the user or connecting
> IP address that is making the connection by using acls or any other method?
> If so, can someone send an example.
>

If you are using BIND, you can always use the "VIEWS" feature, but I think
this has to be done outside Squid.
However, nothing is impossible in this world except for changing the value
of Pi from 3.14-something  :)

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
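A concrete shape of the BIND views approach the reply points to, as an added example rather than anything from the post; the client ranges and resolver addresses are constructed placeholders. BIND matches a view on the source address of the query it receives, so behind a forward proxy that address is Squid's own, not the browser's: the split only applies where the groups reach BIND from distinct addresses.

```conf
// named.conf fragment (added example, not from the post). Addresses are
// constructed placeholders. Once any view is declared, every zone the
// server serves must be placed inside a view; views are tried in order
// and the first match-clients hit wins.

acl lab_clients   { 10.10.0.0/24; };
acl staff_clients { 10.20.0.0/24; };

// Forwarding is an ordinary option, and options may be set per view, so
// each client group resolves through a different upstream resolver.
view "lab" {
    match-clients { lab_clients; };
    recursion yes;
    forward only;
    forwarders { 192.0.2.53; };
};

view "staff" {
    match-clients { staff_clients; };
    recursion yes;
    forward only;
    forwarders { 198.51.100.53; 198.51.100.54; };
};

// Anything that matched neither ACL gets no recursion, so the server is
// not left as an open resolver for addresses it was not meant to serve.
view "other" {
    match-clients { any; };
    recursion no;
};
```

Check the result with `named-checkconf` before reloading, and confirm the split with a query from each range; a view with no zones and recursion off answers REFUSED, which is the intended behaviour for unknown sources.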


Re: [squid-users] [SPAM] [ext] Squid 5.1 memory usage

2021-10-08 Thread Odhiambo Washington
On Fri, Oct 8, 2021 at 12:24 PM Ralf Hildebrandt <
ralf.hildebra...@charite.de> wrote:

> * Steve Hill :
> >
> > I'm seeing high memory usage on Squid 5.1.  Caching is disabled, so I'd
> > expect memory usage to be fairly low (and it was under Squid 3.5), but
> some
> > workers are growing pretty large.  I'm using ICAP and SSL bump.
>
> https://bugs.squid-cache.org/show_bug.cgi?id=5132
> is somewhat related
>

There's squid-5.2. Does it also have this problem?



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' :-)


Re: [squid-users] How to forward squid access.log to a remote server

2021-05-27 Thread Odhiambo Washington
On Thu, May 27, 2021 at 10:15 PM simon ben  wrote:

> Dear All,
>
> I have the below working perfectly
>
> Centos 8 X64
> squid-4.11-3
>
> I need to forward the squid access.log to a remote Log Server
> Appreciate if some can help and advise.
>
>
> Thanks and regards
> <http://lists.squid-cache.org/listinfo/squid-users>


Something like:

access_log syslog:local2 squid

Then from syslog, send local2 to a remote log server, no?

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v "^$|^.*#" :-)
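Filling in the syslog side of that suggestion, as an added example not taken from the post: the Squid line plus an rsyslog rule on the proxy host that forwards facility local2 to a collector over TCP with TLS and a disk-assisted queue, so records are neither dropped on a link outage nor sent in clear (access records carry client addresses and URLs). logserver.example.com and the certificate paths are constructed placeholders; the gtls driver assumes the rsyslog-gnutls package is installed.

```conf
# squid.conf on the proxy host: emit access records to syslog, facility
# local2, instead of (or alongside) the local access.log file.
access_log syslog:local2.info squid

# /etc/rsyslog.d/10-squid-forward.conf on the same host (added example,
# not from the post). Host name and certificate paths are constructed
# placeholders; workDirectory is where the disk queue is spooled.
global(workDirectory="/var/spool/rsyslog"
       DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/proxy.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/proxy.key")

# Only the Squid facility is shipped; everything else stays local.
# TLS with the collector's name checked against its certificate
# (StreamDriverAuthMode x509/name), and a disk-assisted queue so records
# buffer locally while the collector is unreachable and retries never
# give up (resumeRetryCount -1).
if $syslogfacility-text == "local2" then {
    action(type="omfwd"
           target="logserver.example.com" port="6514" protocol="tcp"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="logserver.example.com"
           queue.type="LinkedList" queue.filename="squid_fwd"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
    # Do not also copy these lines into /var/log/messages or syslog.
    stop
}
```

The collector needs the matching imtcp listener with the same driver settings and its own certificate; the legacy `local2.* @@host:514` form gives plain TCP without TLS, and a single `@` is UDP, which loses records silently.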


Re: [squid-users] Caching configuration for Squid on Windows

2021-05-26 Thread Odhiambo Washington
On Wed, May 26, 2021 at 11:32 AM Matus UHLAR - fantomas wrote:

> >> >On 22/05/21 2:06 am, Odhiambo Washington wrote:
> >> >>I installed this on my Windows 10 but gave up when I could not make
> >> >>it to cache anything.
> >>
> >> On 26.05.21 12:57, Amos Jeffries wrote:
> >> >Squid by default uses a memory based cache these days. Unless your
> >> >traffic is non-cacheable you should be seeing some things stored there
> >> >without any configuration.
>
> >On Wed, May 26, 2021 at 10:18 AM Matus UHLAR - fantomas <
> uh...@fantomas.sk>
> >wrote:
> >> The main problem is that most of web content is HTTPS, which means it's
> >> hardly cacheable outside of web browsers.
> >>
> >> with https, proxy only sees stream of encrypted data:
> >> the "s" in https means "secure" so no third party sees your data.
> >>
> >> caching it requires decrypting of the connection, which means doing
> >> man-in-the-middle attack.  It requires private certification authority
> >> installed on squid and in the browser, and for some domains using CAA
> >> browsers will still complain, or you'll have to fake DNS CAA records, which
> >> is harder when using DNSSEC, DoT or DoH.
>
> On 26.05.21 11:25, Odhiambo Washington wrote:
> >In the light of the foregoing, what is the standard way of deploying Squid
> >these days?
> >Is the use of the ssl_bump becoming standard or no one needs any caching
> >within Squid these days so that Squid
> >has become a tool for filtering and access control only?
>
> I guess it's the latter.
>
> I personally think in cases of e.g.  public documents where the only
> privacy
> issue is that you know who accesses what content, simpler version of
> security could be enough: confirmation of authenticity (the content was not
> modified). Such content could be cacheable.


Thank you for clarifying this.
So ideally, outbound access control and reverse proxying :)


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v "^$|^.*#" :-)


Re: [squid-users] Caching configuration for Squid on Windows

2021-05-26 Thread Odhiambo Washington
On Wed, May 26, 2021 at 3:58 AM Amos Jeffries  wrote:

> On 22/05/21 2:06 am, Odhiambo Washington wrote:
> > Hello everyone,
> >
> > I installed this on my Windows 10 but gave up when I could not make it
> > to cache anything.
> >
>
> Squid by default uses a memory based cache these days. Unless your
> traffic is non-cacheable you should be seeing some things stored there
> without any configuration.
>
>
> > What is the correct format of the above config on Windows?
> >
> > cache_dir aufs c:\Squid\cachedir 3000 16 256
> >
>
> As far as I know that directory path should be written as:
>
>   /c/Squid/cachedir
>
>
> The '/cygdir' prefix from examples tutorials is part of CygWin
> environment configuration.
>


So I tried that and...


C:\Squid\var\cache\squid> C:\Squid\bin\squid.exe -z
2021/05/26 11:29:43| FATAL: Bungled /etc/squid/squid.conf line 64:
cache_dir aufs /C/Squid/var/cache/squid
2021/05/26 11:29:43| Squid Cache (Version 4.14): Terminated abnormally.
CPU Usage: 0.108 seconds = 0.046 user + 0.062 sys
Maximum Resident Size: 703488 KB
Page faults with physical i/o: 2852



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v "^$|^.*#" :-)


Re: [squid-users] Caching configuration for Squid on Windows

2021-05-26 Thread Odhiambo Washington
On Wed, May 26, 2021 at 10:18 AM Matus UHLAR - fantomas wrote:

> >On 22/05/21 2:06 am, Odhiambo Washington wrote:
> >>I installed this on my Windows 10 but gave up when I could not make
> >>it to cache anything.
>
> On 26.05.21 12:57, Amos Jeffries wrote:
> >Squid by default uses a memory based cache these days. Unless your
> >traffic is non-cacheable you should be seeing some things stored there
> >without any configuration.
>
> The main problem is that most of web content is HTTPS, which means it's
> hardly cacheable outside of web browsers.
>
> with https, proxy only sees stream of encrypted data:
> the "s" in https means "secure" so no third party sees your data.
>
> caching it requires decrypting of the connection, which means doing
> man-in-the-middle attack.  It requires private certification authority
> installed on squid and in the browser, and for some domains using CAA
> browsers will still complain, or you'll have to fake DNS CAA records, which
> is harder when using DNSSEC, DoT or DoH.


In the light of the foregoing, what is the standard way of deploying Squid
these days?
Is the use of the ssl_bump becoming standard or no one needs any caching
within Squid these days so that Squid
has become a tool for filtering and access control only?


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v "^$|^.*#" :-)


[squid-users] Caching configuration for Squid on Windows

2021-05-21 Thread Odhiambo Washington
Hello everyone,

I installed this on my Windows 10 but gave up when I could not make it to
cache anything.

What is the correct format of the above config on Windows?

cache_dir aufs c:\Squid\cachedir 3000 16 256

I created this directory, but squid -z would not hear of it!

The given example:

#cache_dir aufs /cygdrive/d/squid/cache 3000 16 256

... is Unix lingo, not Windows, and also does not work.

Or is Squid on Windows not supposed to cache?

Or I am just stupid :-)


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v "^$|^.*#" :-)


Re: [squid-users] Squid for Windows 4.14 is available

2021-05-19 Thread Odhiambo Washington
On Mon, May 17, 2021 at 12:23 PM Rafael Akchurin <
rafael.akchu...@diladele.com> wrote:

> Hello everyone,
>
>
>
> After years of postponing we were finally able to build and pack the Squid
> 4 for Microsoft Windows.
>
> Sorry it took a lot more time and efforts than anticipated. The already
> existing version 4.15 is also being packed.
>
> I will update once again when it is available.
>
>
>
> The MSI can be downloaded from https://squid.diladele.com/ site.
>
>
>
> While you are there be sure to check out our other projects – Web Safety
> ICAP web filter and Admin UI for Squid (https://www.diladele.com/) and
>
> DNS Safety filter (something like web safety but on DNS level -
> https://dnssafety.diladele.com/).
>
>
>
> Repo for development of Squid for Windows is available at
> https://github.com/diladele/squid-windows.
>
> Please post your question **for MSI problems only** at
> supp...@diladele.com – and for Squid part here.
>
>
I installed this on my Windows 10, but gave up when I could not make it to
cache anything.
cache_dir aufs c:\Squid\cachedir 3000 16 256

I created this directory, but squid -z would not hear of it!

The given example:

#cache_dir aufs /cygdrive/d/squid/cache 3000 16 256

... is Unix lingo, not Windows.

What is the correct format of the above config on Windows?





-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v "^$|^.*#" :-)


Re: [squid-users] Latest squid-5 compile error

2018-11-14 Thread Odhiambo Washington
On Wed, 14 Nov 2018 at 17:10, Amos Jeffries  wrote:

> On 15/11/18 12:54 AM, Odhiambo Washington wrote:
> > OS is FreeBSD 11.2:
> > squid-5.0.0-2018-r1205859
> >
> > Making all in eDirectory_userip
> > depbase=`echo ext_edirectory_userip_acl.o | sed
> > 's|[^/]*$|.deps/&|;s|\.o$||'`; clang++ -DHAVE_CONFIG_H
> > -DDEFAULT_CONFIG_FILE=\"/opt/squid-5/etc/squid.conf\"
> > -DDEFAULT_SQUID_DATA_DIR=\"/opt/squid-5/share\"
> > -DDEFAULT_SQUID_CONFIG_DIR=\"/opt/squid-5/etc\"-I../../../..
> > -I../../../../include  -I../../../../lib -I../../../../src
> > -I../../../../include  -I/usr/include  -I/usr/include
> > -I../../../../libltdl -I/usr/include -I/usr/local/include/libxml2
> > -I/usr/local/include -I/usr/local/include/libxml2  -Werror
> > -Qunused-arguments -Wno-deprecated-register  -D_REENTRANT
> > -I/usr/local/include  -I/usr/local/include   -I/usr/local/include
> > -I/usr/local/include -I/usr/local/include/p11-kit-1  -g -O2
> > -march=native -I/usr/local/include -MT ext_edirectory_userip_acl.o -MD
> > -MP -MF $depbase.Tpo -c -o ext_edirectory_userip_acl.o
> > ext_edirectory_userip_acl.cc && mv -f $depbase.Tpo $depbase.Po
> > ext_edirectory_userip_acl.cc:891:31: error: use of undeclared identifier
> > 'AF_INET6'
> >         if (dst->ai_family == AF_INET6) {
> >                               ^
> > ext_edirectory_userip_acl.cc:893:64: error: member access into
> > incomplete type 'struct sockaddr_in6'
> >             const char *ia = reinterpret_cast<const char *>(sia->sin6_addr.s6_addr);
>
>
> So probably FreeBSD has changed its networking OS headers again in a way
> that breaks the sockaddr_in6 definition. They do it every so often with
> similar results to this appearing out of nowhere.
>
> Can you figure out which one is missing? and/or what has changed with
> the ordering that *BSD require software to use with these headers in 11.2?
>
>
> PS. build issues with the experimental (Squid-5 currently) code should
> be brought up in squid-dev mailing list or bugzilla. Not here.
>
> Amos
>

Actually, the same thing happened with a squid-4.4 build.
It failed the same way.

The problem is, I do not know how to find out what has changed that's
causing this.

Making all in eDirectory_userip
depbase=`echo ext_edirectory_userip_acl.o | sed
's|[^/]*$|.deps/&|;s|\.o$||'`; clang++ -DHAVE_CONFIG_H
-DDEFAULT_CONFIG_FILE=\"/opt/squid-4/etc/squid.conf\"
-DDEFAULT_SQUID_DATA_DIR=\"/opt/squid-4/share\"
-DDEFAULT_SQUID_CONFIG_DIR=\"/opt/squid-4/etc\"-I../../../..
-I../../../../include  -I../../../../lib -I../../../../src
-I../../../../include  -I/usr/include  -I/usr/include
-I../../../../libltdl -I/usr/include -I/usr/local/include/libxml2
-I/usr/local/include -I/usr/local/include/libxml2  -Werror
-Qunused-arguments -Wno-deprecated-register  -D_REENTRANT
-I/usr/local/include  -I/usr/local/include -I/usr/local/include/p11-kit-1
-g -O2 -march=native -I/usr/local/include -MT ext_edirectory_userip_acl.o
-MD -MP -MF $depbase.Tpo -c -o ext_edirectory_userip_acl.o
ext_edirectory_userip_acl.cc && mv -f $depbase.Tpo $depbase.Po
ext_edirectory_userip_acl.cc:891:31: error: use of undeclared identifier
'AF_INET6'
        if (dst->ai_family == AF_INET6) {
                              ^
ext_edirectory_userip_acl.cc:893:64: error: member access into incomplete
type 'struct sockaddr_in6'
            const char *ia = reinterpret_cast<const char *>(sia->sin6_addr.s6_addr);
                                                               ^
ext_edirectory_userip_acl.cc:892:20: note: forward declaration of
'sockaddr_in6'
            struct sockaddr_in6 *sia = reinterpret_cast<struct sockaddr_in6 *>(dst->ai_addr);
                   ^
ext_edirectory_userip_acl.cc:893:66: error: expected ')'
            const char *ia = reinterpret_cast<const char *>(sia->sin6_addr.s6_addr);
                                                                 ^
ext_edirectory_userip_acl.cc:893:60: note: to match this '('
            const char *ia = reinterpret_cast<const char *>(sia->sin6_addr.s6_addr);
                                                           ^
ext_edirectory_userip_acl.cc:896:38: error: use of undeclared identifier
'AF_INET'
        } else if (dst->ai_family == AF_INET) {
                                     ^
ext_edirectory_userip_acl.cc:898:66: error: member access into incomplete
type 'struct sockaddr_in'
            const char *ia = reinterpret_cast<const char *>(&(sia->sin_addr));
                                                                 ^
ext_edirectory_userip_acl.cc:897:20: note: forward declaration of
'sockaddr_in'
            struct sockaddr_in *sia = reinterpret_cast<struct sockaddr_in *>(dst->ai_addr);
                   ^
5 errors generated.
*** Error code 1



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


[squid-users] Latest squid-5 compile error

2018-11-14 Thread Odhiambo Washington
OS is FreeBSD 11.2:
squid-5.0.0-2018-r1205859

Making all in eDirectory_userip
depbase=`echo ext_edirectory_userip_acl.o | sed
's|[^/]*$|.deps/&|;s|\.o$||'`; clang++ -DHAVE_CONFIG_H
-DDEFAULT_CONFIG_FILE=\"/opt/squid-5/etc/squid.conf\"
-DDEFAULT_SQUID_DATA_DIR=\"/opt/squid-5/share\"
-DDEFAULT_SQUID_CONFIG_DIR=\"/opt/squid-5/etc\"-I../../../..
-I../../../../include  -I../../../../lib -I../../../../src
-I../../../../include  -I/usr/include  -I/usr/include
-I../../../../libltdl -I/usr/include -I/usr/local/include/libxml2
-I/usr/local/include -I/usr/local/include/libxml2  -Werror
-Qunused-arguments -Wno-deprecated-register  -D_REENTRANT
-I/usr/local/include  -I/usr/local/include   -I/usr/local/include
-I/usr/local/include -I/usr/local/include/p11-kit-1  -g -O2 -march=native
-I/usr/local/include -MT ext_edirectory_userip_acl.o -MD -MP -MF
$depbase.Tpo -c -o ext_edirectory_userip_acl.o ext_edirectory_userip_acl.cc
&& mv -f $depbase.Tpo $depbase.Po
ext_edirectory_userip_acl.cc:891:31: error: use of undeclared identifier
'AF_INET6'
        if (dst->ai_family == AF_INET6) {
                              ^
ext_edirectory_userip_acl.cc:893:64: error: member access into incomplete
type 'struct sockaddr_in6'
            const char *ia = reinterpret_cast<const char *>(sia->sin6_addr.s6_addr);
                                                               ^
ext_edirectory_userip_acl.cc:892:20: note: forward declaration of
'sockaddr_in6'
            struct sockaddr_in6 *sia = reinterpret_cast<struct sockaddr_in6 *>(dst->ai_addr);
                   ^
ext_edirectory_userip_acl.cc:893:66: error: expected ')'
            const char *ia = reinterpret_cast<const char *>(sia->sin6_addr.s6_addr);
                                                                 ^
ext_edirectory_userip_acl.cc:893:60: note: to match this '('
            const char *ia = reinterpret_cast<const char *>(sia->sin6_addr.s6_addr);
                                                           ^
ext_edirectory_userip_acl.cc:896:38: error: use of undeclared identifier
'AF_INET'
        } else if (dst->ai_family == AF_INET) {
                                     ^
ext_edirectory_userip_acl.cc:898:66: error: member access into incomplete
type 'struct sockaddr_in'
            const char *ia = reinterpret_cast<const char *>(&(sia->sin_addr));
                                                                 ^
ext_edirectory_userip_acl.cc:897:20: note: forward declaration of
'sockaddr_in'
            struct sockaddr_in *sia = reinterpret_cast<struct sockaddr_in *>(dst->ai_addr);
                   ^
5 errors generated.
*** Error code 1

Stop.
make[5]: stopped in
/usr/home/wash/Tools/Squid/5.x/squid-5.0.0-2018-r1205859/src/acl/external/eDirectory_userip
*** Error code 1


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [squid-users] SSL-Bump: NAT/TPROXY lookup failed to locate original IPs

2017-02-26 Thread Odhiambo Washington
> >> target prot opt source   destination
> >> ACCEPT tcp  --  ec2-35-154-101-8.ap-south-1.compute.amazonaws.com
> >> anywhere tcp dpt:https
> >> DNAT   tcp  --  anywhere anywhere tcp
> >> dpt:https to:35.154.101.8:3129
> >>
> >> Chain INPUT (policy ACCEPT)
> >> target prot opt source   destination
> >>
> >> Chain OUTPUT (policy ACCEPT)
> >> target prot opt source   destination
> >>
> >> Chain POSTROUTING (policy ACCEPT)
> >> target prot opt source   destination
> >> MASQUERADE  all  --  anywhere anywhere
> >>
> >>
> >> Once this was done, I tried to hit HTTPS website from Firefox and now
> >> I get connection timeout error. Nothing shows in syslog, access.log or
> >> cache.log. Could you please help me resolve this.
> >>
> >> Thanks,
> >> Michael
> >>
> >
> >
> > Thanks for replying Eliezer. Following are the outputs you asked:
> >
> > 1. iptables-save:
> >
> > # Generated by iptables-save v1.6.0 on Sun Feb 26 06:28:46 2017
> > *filter
> > :INPUT ACCEPT [171:12090]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [106:15187]
> > COMMIT
> > # Completed on Sun Feb 26 06:28:46 2017
> > # Generated by iptables-save v1.6.0 on Sun Feb 26 06:28:46 2017
> > *mangle
> > :PREROUTING ACCEPT [89003:74850371]
> > :INPUT ACCEPT [88973:74849159]
> > :FORWARD ACCEPT [30:1212]
> > :OUTPUT ACCEPT [76710:51478183]
> > :POSTROUTING ACCEPT [76740:51479395]
> > -A PREROUTING -p tcp -m tcp --dport 3129 -j DROP
> > COMMIT
> > # Completed on Sun Feb 26 06:28:46 2017
> > # Generated by iptables-save v1.6.0 on Sun Feb 26 06:28:46 2017
> > *nat
> > :PREROUTING ACCEPT [7766:436942]
> > :INPUT ACCEPT [7766:436942]
> > :OUTPUT ACCEPT [952:102330]
> > :POSTROUTING ACCEPT [0:0]
> > -A PREROUTING -s 35.154.101.8/32 -p tcp -m tcp --dport 443 -j ACCEPT
> > -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination
> > 35.154.101.8:3129
> > -A POSTROUTING -j MASQUERADE
> > COMMIT
> > # Completed on Sun Feb 26 06:28:46 2017
> >
> > 2. Also pasting sudo iptables -L -nv:
> >
> > Chain INPUT (policy ACCEPT 216 packets, 16058 bytes)
> >  pkts bytes target prot opt in out source
> > destination
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target prot opt in out source
> > destination
> >
> > Chain OUTPUT (policy ACCEPT 161 packets, 24629 bytes)
> >  pkts bytes target prot opt in out source
>  destination
> >
> >
> >
> >> And then clear out where is this proxy sittings and the network
> structure.
> >> It's not clear if the squid box is the router or a machine somewhere on
> AWS.
> >
> > [Michael] This proxy is installed on an AWS instance.
> >
> >> If you wish to pass traffic from a local router to a one on AWS you
> will need to create a tunnel like using OpenVPN or a similar solution and
> to use some routing rules to pass the traffic from the local LAN to AWS
> without removing the original destination address.
> >>
> >
> > [Michael] Does this mean, to make ssl-bump work, I will have to setup
> > a VPN server and configure the VPN clients to use this proxy via VPN
> > server?
> >
> >
> > Thanks,
> > Michael.
> >
> >
>
>
>
> Thanks for replying Eliezer. Your advice is much appreciated.
>
> > The details you attached explained pretty well the cause for the issues
> you have described.
> > What you will need to do in order to make this setup to work can be done
> in more then one way.
> > For a sysadmin the simplest way is to create a VPN or some kind of a
> tunnel between the AWS instance to the local router.
> > I am almost sure that you can use haproxy to do a local tproxy or
> interception that will forward the traffic to the remote squid with the
> PROXY protocol keeping original source and original destination visible to
> the remote squid.
> >
> > The choice will depend on both:
> > - your skills and will to dig some time about couple subjects
> > - The availability of static IP addresses(both local and AWS).
> > - The OS on both sides
>
> [Michael] Actually, my original setup involves a VPN server. I wasn't
> using it because I wanted to setup ssl-bump with simplest possible
> settings. My actual setup involves:
>
> 1. strongSwan IPSec VPN server
> 2. Squid Proxy server
> 3. Clients will be IPSec VPN clients. I can specify the IP address and
> port of HTTPS Proxy server in IPSec VPN client itself.
>
> In the above setup described, will I have to do something extra to
> make ssl-bump work?
>
> Thanks,
> Michael.
>


What is the benefit of ssl-bump in this scenario?


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [squid-users] SSL_bump and source IP

2017-02-02 Thread Odhiambo Washington
I am with you on this. Unfortunately, just as a certain subject turns out
not to be easy for someone in school, so does ssl_bump for me!

On 2 February 2017 at 14:37, FredB <fredbm...@free.fr> wrote:

> Thanks Eliezer
>
> Unfortunately my "lan" is huge, many thousands of people, and MAC
> addresses are not known
> I'm very surprised, I'm alone with this ? Nobody needs to exclude some
> users from SSLBump ?
>
> Fredb
>



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [squid-users] Buy Certificates for Squid 'man in the middle'

2017-02-02 Thread Odhiambo Washington
So we can't even use the free certs from letsencrypt with Squid??

On 2 February 2017 at 11:35, FredB <fredbm...@free.fr> wrote:

>
> From: http://wiki.squid-cache.org/Features/DynamicSslCert
>
> "In theory, you must either import your root certificate into browsers or
> instruct users on how to do that. Unfortunately, it is apparently a common
> practice among well-known Root CAs to issue subordinate root certificates.
> If you have obtained such a subordinate root certificate from a Root CA
> already trusted by your users, you do not need to import your certificate
> into browsers. However, going down this path may result in removal of the
> well-known Root CA certificate from browsers around the world. Such a
> removal will make your local SslBump-based infrastructure inoperable until
> you import your certificate, but that may only be the beginning of your
> troubles. Will the affected Root CA go after you to recoup their world-wide
> damages? What will your users do when they learn that you have been
> decrypting their traffic without their consent?"
>
> The last sentence is ambiguous: the users can know, you can inform them that
> you have been decrypting their traffic.
> There is no difference (from user point of view I mean) between a
> well-known Root CAs or a self-signed certificate with a CA injected by a
> local GPO.
>
> But in practice I don't know how you can do that, just hello I want a
> subordinate root certificate ?
>
> FredB
>



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [squid-users] Missing cache files

2016-12-19 Thread Odhiambo Washington
On 19 December 2016 at 16:06, Eliezer Croitoru <elie...@ngtech.co.il> wrote:

> Did you notice these errors:
> FATAL: The ssl_crtd helpers are crashing too rapidly, need help!
>
> Squid Cache (Version 3.5.23): Terminated abnormally.
> CPU Usage: 63.837 seconds = 28.308 user + 35.529 sys
> Maximum Resident Size: 171488 KB
> Page faults with physical i/o: 154
> 2016/12/18 17:25:05| Set Current Directory to /opt/squid-3.5/var/logs/
> 2016/12/18 17:25:06| Starting Squid Cache version 3.5.23 for
> i386-unknown-freebsd9.3...
> 2016/12/18 17:25:06| Service Name: squid
> 2016/12/18 17:25:06| Process ID 2943
> 2016/12/18 17:25:06| Process Roles: master worker
> 2016/12/18 17:25:06| NOTICE: Could not increase the number of
> filedescriptors
> 2016/12/18 17:25:06| With 32768 file descriptors available
> 2016/12/18 17:25:06| Initializing IP Cache...
> 2016/12/18 17:25:06| DNS Socket created at [::], FD 10
> 2016/12/18 17:25:06| DNS Socket created at 0.0.0.0, FD 11
> 2016/12/18 17:25:06| Adding domain crownkenya.com from /etc/resolv.conf
> 2016/12/18 17:25:06| Adding nameserver 192.168.55.254 from /etc/resolv.conf
> 2016/12/18 17:25:06| helperOpenServers: Starting 5/15 'ssl_crtd' processes
> 2016/12/18 17:25:06| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2016/12/18 17:25:06| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2016/12/18 17:25:06| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2016/12/18 17:25:06| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2016/12/18 17:25:06| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2016/12/18 17:25:06| helperOpenServers: Starting 5/10 'perl' processes
> 2016/12/18 17:25:06| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2016/12/18 17:25:06| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2016/12/18 17:25:06| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2016/12/18 17:25:06| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2016/12/18 17:25:06| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2016/12/18 17:25:11| Logfile: opening log stdio:/opt/squid-3.5/var/logs/
> access.log
>
> 
>

I did not see those, funnily.



> And it's good to know you are running FreeBSD 9.3...(32 bit..)
>

Yes, might soon become 10.3 or even 11.


>
> You need to fix the issues with the helpers before anything else since
> these are blockers for squid to operate right.
> The missing file is a side effect which happens at almost the same time.
> I would have started with looking at the lines:
> sslcrtd_program /opt/squid-3.5/libexec/ssl_crtd -s /opt/squid-3.5/ssl_db
> -M 4MB
> store_id_program /usr/local/bin/perl /opt/squid-3.5/scripts/store-id.pl


I have started with disabling the stuff to do with ssl_bump, etc because
it's not practical using it in the environment.



> And see what is causing this operation is not permitted.
> It can be rights or another issue but you must resolve it.
>

I doubt it is rights at all. I checked my /etc/devfs.conf, which is the
only other place I thought could have an issue but it looks fine.



> And before diving hard into StoreID make sure your squid just runs fine
> with ssl bump.
>

I abandoned ssl bump because it wasn't practical in the environment.



> Then jump into StoreID and feel free to share your wishes for this
> service..(caching youtube, Microsoft updates etc..)
>
> Let me know if you need anything.
>
>
Sure. I will.




-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [squid-users] Missing cache files

2016-12-19 Thread Odhiambo Washington
Hi,

I have added details.txt and also fixed perms on cache.log

On 19 December 2016 at 14:10, Eliezer Croitoru <elie...@ngtech.co.il> wrote:

> The file:
> http://gw.crownkenya.com/~wash/3.5.22/cache.log.txt
>
> isn't accessible.
> Also missing details like OS version and other things.
> It seems like a very simple setup and the first thing to check is
> permissions to the whole directory tree:
> /opt/squid-3.5/var/cache
>
> Please add the output of:
> # ls -la /opt/squid-3.5/var/cache/
>
> Eliezer
>
> 
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On
> Behalf Of Odhiambo Washington
> Sent: Monday, December 19, 2016 10:11 AM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Missing cache files
>
> Hi Eliezer,
>
> I have put the files on this link: http://bit.ly/2h1bzqp
>
>
> On 19 December 2016 at 01:38, Eliezer Croitoru <elie...@ngtech.co.il> wrote:
> Can you give more details on the setup?.. squid.conf.
> And cache.log dumps.
> Files are not usually disappearing but it’s not clear who erased them.
> If you do not have a swap file at /opt/squid-3.5/var/cache/ then you should
> ask yourself how squid has started at all.
>
> Please fill up the missing pieces,
> Eliezer
>
> 
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: mailto:elie...@ngtech.co.il
>
>
> From: squid-users [mailto:mailto:squid-users-boun...@lists.squid-cache.org]
> On
> Behalf Of Odhiambo Washington
> Sent: Saturday, December 17, 2016 12:41 PM
> To: mailto:squid-users@lists.squid-cache.org
> Subject: [squid-users] Missing cache files
>
> Hi,
>
> I keep seeing something that I think is odd. Squid has been exiting on
> signal 6, and I keep seeing this:
>
> root@gw:/usr/local/openssl # tail -f /opt/squid-3.5/var/logs/cache.log
> 2016/12/17 13:38:32| DiskThreadsDiskFile::openDone: (2) No such file or
> directory
> 2016/12/17 13:38:32|/opt/squid-3.5/var/cache/00/26/264D
> 2016/12/17 13:40:24| DiskThreadsDiskFile::openDone: (2) No such file or
> directory
> 2016/12/17 13:40:24|/opt/squid-3.5/var/cache/00/3B/3B56
> 2016/12/17 13:42:34| DiskThreadsDiskFile::openDone: (2) No such file or
> directory
> 2016/12/17 13:42:34|/opt/squid-3.5/var/cache/00/6B/6B0D
> 2016/12/17 13:43:36| DiskThreadsDiskFile::openDone: (2) No such file or
> directory
> 2016/12/17 13:43:36|/opt/squid-3.5/var/cache/00/00/0050
> 2016/12/17 13:44:25| DiskThreadsDiskFile::openDone: (2) No such file or
> directory
> 2016/12/17 13:44:25|    /opt/squid-3.5/var/cache/00/AF/AFF1
>
> So, what could be making the files disappear?
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
>
>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
>
>


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [squid-users] Missing cache files

2016-12-17 Thread Odhiambo Washington
True. Sometimes you search, but the clue isn't obvious :-)


On 17 December 2016 at 15:06, Yuri Voinov <yvoi...@gmail.com> wrote:

> Man, this question has been answered a million times. Use the search.
>
> 17.12.2016 16:41, Odhiambo Washington пишет:
>
> Hi,
>
> I keep seeing something that I think is odd. Squid has been exiting on
> signal 6, and I keep seeing this:
>
> root@gw:/usr/local/openssl # tail -f /opt/squid-3.5/var/logs/cache.log
> 2016/12/17 13:38:32| DiskThreadsDiskFile::openDone: (2) No such file or directory
> 2016/12/17 13:38:32|     /opt/squid-3.5/var/cache/00/26/264D
> 2016/12/17 13:40:24| DiskThreadsDiskFile::openDone: (2) No such file or directory
> 2016/12/17 13:40:24|     /opt/squid-3.5/var/cache/00/3B/3B56
> 2016/12/17 13:42:34| DiskThreadsDiskFile::openDone: (2) No such file or directory
> 2016/12/17 13:42:34|     /opt/squid-3.5/var/cache/00/6B/6B0D
> 2016/12/17 13:43:36| DiskThreadsDiskFile::openDone: (2) No such file or directory
> 2016/12/17 13:43:36|     /opt/squid-3.5/var/cache/00/00/0050
> 2016/12/17 13:44:25| DiskThreadsDiskFile::openDone: (2) No such file or directory
> 2016/12/17 13:44:25|     /opt/squid-3.5/var/cache/00/AF/AFF1
>
> So, what could be making the files disappear?
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
>
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
> --
> Cats - delicious. You just do not know how to cook them.
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Missing cache files

2016-12-17 Thread Odhiambo Washington
On 17 December 2016 at 15:17, Garri Djavadyan <gar...@comnet.uz> wrote:

> On 2016-12-17 15:41, Odhiambo Washington wrote:
>
>> Hi,
>>
>> I keep seeing something that I think is odd. Squid has been exiting on
>> signal 6, and I keep seeing this:
>>
>> root@gw:/usr/local/openssl # tail -f /opt/squid-3.5/var/logs/cache.log
>> 2016/12/17 13:38:32| DiskThreadsDiskFile::openDone: (2) No such file or directory
>> 2016/12/17 13:38:32|     /opt/squid-3.5/var/cache/00/26/264D
>> 2016/12/17 13:40:24| DiskThreadsDiskFile::openDone: (2) No such file or directory
>> 2016/12/17 13:40:24|     /opt/squid-3.5/var/cache/00/3B/3B56
>> 2016/12/17 13:42:34| DiskThreadsDiskFile::openDone: (2) No such file or directory
>> 2016/12/17 13:42:34|     /opt/squid-3.5/var/cache/00/6B/6B0D
>> 2016/12/17 13:43:36| DiskThreadsDiskFile::openDone: (2) No such file or directory
>> 2016/12/17 13:43:36|     /opt/squid-3.5/var/cache/00/00/0050
>> 2016/12/17 13:44:25| DiskThreadsDiskFile::openDone: (2) No such file or directory
>> 2016/12/17 13:44:25|     /opt/squid-3.5/var/cache/00/AF/AFF1
>>
>> So, what could be making the files disappear?
>>
>
>
> Hi,
>
> (Reply from Amos Jeffries from http://bugs.squid-cache.org/show_bug.cgi?id=4367#c2)
>
>> This is Squid *detecting* complete absence of disk files. Not causing
>> corruption.
>>
>> Please check if you have multiple Squid instances running and accessing the
>> same cache_dir. That includes multiple workers using the same ufs/aufs/diskd
>> cache_dir configuration line.
>>
>> Also whether swap.state for that cache_dir is being correctly and completely
>> written out to disk on shutdown or restart. Using an outdated swap.state
>> file can also lead to these warnings.
>>
>
> The last paragraph explains your issue. The signal 6 (abort) forces Squid
> worker to terminate immediately (to avoid all required shutdown procedures)
> and leave core dump. You can find a reason for abort in cache.log.
>
>
> Garri
>

Hi Garri,

So, checking, I don't see swap.state being written to disk and there is no
core dump either.
There is no directive in my squid.conf to suppress the two.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
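Amos's advice quoted above (look for multiple Squid instances or workers sharing one ufs/aufs/diskd cache_dir, and for a stale swap.state) can be partly mechanised. The Python below is an added example, not Squid code and not code from this thread: it pairs each openDone warning with the path Squid prints on the following cache.log line, counts the missing swap files under each configured cache_dir, and flags cache_dirs that every worker would open at once. The cache.log excerpt is constructed from the lines in this thread (the /srv/cache2 entry and the Accepting line are made up), the squid.conf fragment is an assumed layout rather than the poster's configuration, and the parser relies on Squid's documented `workers N` and `if ${process_number} = K ... endif` syntax.

```python
"""Checks for the 'DiskThreadsDiskFile::openDone: (2) No such file or
directory' warnings discussed in this thread.

Added example; not Squid code and not code from the thread. Assumes Squid's
documented syntax: 'workers N' starts N kid processes, and a ufs/aufs/diskd
cache_dir that is not inside an 'if ${process_number} = K ... endif' block
is opened by every worker at once (the shared-cache_dir mistake Amos warns
about). rock cache_dirs are built to be shared and are not flagged.
"""
import re
from collections import Counter

# Squid logs the warning on one line and the missing path on the next line.
OPEN_DONE = re.compile(r"^\S+ \S+\| DiskThreadsDiskFile::openDone: \(\d+\) ")
SWAP_PATH = re.compile(r"^\S+ \S+\|\s*(/\S+)\s*$")
SHAREABLE = {"rock"}          # cache_dir types designed for multiple workers

# Constructed cache.log excerpt: the first two entries copy the thread's
# lines, the /srv/cache2 entry and the Accepting line are made up.
CACHE_LOG = """\
2016/12/17 13:38:32| DiskThreadsDiskFile::openDone: (2) No such file or directory
2016/12/17 13:38:32| \t/opt/squid-3.5/var/cache/00/26/264D
2016/12/17 13:40:24| DiskThreadsDiskFile::openDone: (2) No such file or directory
2016/12/17 13:40:24| \t/opt/squid-3.5/var/cache/00/3B/3B56
2016/12/17 13:41:00| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
2016/12/17 13:42:34| DiskThreadsDiskFile::openDone: (2) No such file or directory
2016/12/17 13:42:34| \t/srv/cache2/00/6B/6B0D
"""

# Constructed squid.conf fragment (assumed layout, not the poster's config):
# the first aufs cache_dir is shared by both workers, the second is not.
SQUID_CONF_SAMPLE = """\
workers 2
cache_dir aufs /opt/squid-3.5/var/cache 10000 16 256
if ${process_number} = 2
cache_dir aufs /srv/cache2 10000 16 256
endif
cache_dir rock /srv/rock 4096
"""


def missing_swap_files(log_text):
    """Swap file paths named by openDone warnings, in log order."""
    paths, pending = [], False
    for line in log_text.splitlines():
        if OPEN_DONE.match(line):
            pending = True          # the path is on the next line
            continue
        m = SWAP_PATH.match(line) if pending else None
        if m:
            paths.append(m.group(1))
        pending = False
    return paths


def parse_cache_dirs(conf_text):
    """Return (workers, [(type, path, guarded_by_process_number_block)])."""
    workers, dirs, depth = 1, [], 0
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "workers":
            workers = int(words[1])
        elif words[0] == "if":
            depth += 1
        elif words[0] == "endif":
            depth -= 1
        elif words[0] == "cache_dir":
            dirs.append((words[1], words[2], depth > 0))
    return workers, dirs


def shared_cache_dirs(conf_text):
    """Paths of non-shareable cache_dirs that every worker would open at once."""
    workers, dirs = parse_cache_dirs(conf_text)
    if workers < 2:
        return []
    return [path for kind, path, guarded in dirs
            if kind not in SHAREABLE and not guarded]


def missing_per_cache_dir(log_text, conf_text):
    """Count missing swap files under each cache_dir (longest-prefix match)."""
    _, dirs = parse_cache_dirs(conf_text)
    roots = sorted((path for _, path, _ in dirs), key=len, reverse=True)
    counts = Counter()
    for p in missing_swap_files(log_text):
        root = next((r for r in roots if p == r or p.startswith(r + "/")), "<unknown>")
        counts[root] += 1
    return dict(counts)


if __name__ == "__main__":
    for path in shared_cache_dirs(SQUID_CONF_SAMPLE):
        print(f"WARNING: {path} is opened by all workers; wrap it in an"
              " 'if ${process_number} = N' block")
    for root, n in missing_per_cache_dir(CACHE_LOG, SQUID_CONF_SAMPLE).items():
        print(f"{n} missing swap file(s) under {root}")
```

Point `CACHE_LOG` and `SQUID_CONF_SAMPLE` at the real files to run it against a live proxy. A cache_dir that keeps collecting misses after the shared-directory problem is ruled out points at the other cause Amos names: a swap.state that was never rewritten because the worker died on signal 6 instead of shutting down cleanly.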


[squid-users] Missing cache files

2016-12-17 Thread Odhiambo Washington
Hi,

I keep seeing something that I think is odd. Squid has been exiting on
signal 6, and I keep seeing this:

root@gw:/usr/local/openssl # tail -f /opt/squid-3.5/var/logs/cache.log
2016/12/17 13:38:32| DiskThreadsDiskFile::openDone: (2) No such file or directory
2016/12/17 13:38:32|     /opt/squid-3.5/var/cache/00/26/264D
2016/12/17 13:40:24| DiskThreadsDiskFile::openDone: (2) No such file or directory
2016/12/17 13:40:24|     /opt/squid-3.5/var/cache/00/3B/3B56
2016/12/17 13:42:34| DiskThreadsDiskFile::openDone: (2) No such file or directory
2016/12/17 13:42:34|     /opt/squid-3.5/var/cache/00/6B/6B0D
2016/12/17 13:43:36| DiskThreadsDiskFile::openDone: (2) No such file or directory
2016/12/17 13:43:36|     /opt/squid-3.5/var/cache/00/00/0050
2016/12/17 13:44:25| DiskThreadsDiskFile::openDone: (2) No such file or directory
2016/12/17 13:44:25|     /opt/squid-3.5/var/cache/00/AF/AFF1

So, what could be making the files disappear?


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] URL too large??

2016-12-13 Thread Odhiambo Washington
I did not dig deep into it. I couldn't scan the access log for it because I
had no idea what 'too long' meant.
I will ignore it until someone says they're unable to access a website, and
they can give me details of what it is.


On 13 December 2016 at 19:51, Eliezer Croitoru <elie...@ngtech.co.il> wrote:

> I think that the maximum size was 64k and it's way above this.
> It should not be an issue if this is some weird application creating some
> random url which doesn't have meaning.
> But if you know what is creating such a url it's a whole another story.
> Can you reproduce\recreate this url?
>
> Eliezer
>
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile+WhatsApp: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
>
>
> On Tue, Dec 13, 2016 at 11:08 AM, Odhiambo Washington <odhia...@gmail.com>
> wrote:
>
> Hi,
>
> Saw this on my cache.log (squid-3.5.22, FreeBSD-9.3,):
>
> 2016/12/13 11:47:55| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2016/12/13 11:47:55| WARNING: no_suid: setuid(0): (1) Operation not
> permitted
> 2016/12/13 11:47:55| HTCP Disabled.
> 2016/12/13 11:47:55| Finished loading MIME types and icons.
> 2016/12/13 11:47:55| Accepting NAT intercepted HTTP Socket connections at
> local=[::]:13128 remote=[::] FD 39 flags=41
> 2016/12/13 11:47:55| Accepting HTTP Socket connections at local=[::]:13130
> remote=[::] FD 40 flags=9
> 2016/12/13 11:47:55| Accepting NAT intercepted SSL bumped HTTPS Socket
> connections at local=[::]:13129 remote=[::] FD 41 flags=41
> 2016/12/13 11:47:55| Accepting ICP messages on [::]:3130
> 2016/12/13 11:47:55| Sending ICP messages from [::]:3130
> *2016/12/13 11:53:25| urlParse: URL too large (11654 bytes)*
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
>
>


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] URL too large??

2016-12-13 Thread Odhiambo Washington
Hi,

Saw this on my cache.log (squid-3.5.22, FreeBSD-9.3,):

2016/12/13 11:47:55| WARNING: no_suid: setuid(0): (1) Operation not
permitted
2016/12/13 11:47:55| WARNING: no_suid: setuid(0): (1) Operation not
permitted
2016/12/13 11:47:55| HTCP Disabled.
2016/12/13 11:47:55| Finished loading MIME types and icons.
2016/12/13 11:47:55| Accepting NAT intercepted HTTP Socket connections at
local=[::]:13128 remote=[::] FD 39 flags=41
2016/12/13 11:47:55| Accepting HTTP Socket connections at local=[::]:13130
remote=[::] FD 40 flags=9
2016/12/13 11:47:55| Accepting NAT intercepted SSL bumped HTTPS Socket
connections at local=[::]:13129 remote=[::] FD 41 flags=41
2016/12/13 11:47:55| Accepting ICP messages on [::]:3130
2016/12/13 11:47:55| Sending ICP messages from [::]:3130
2016/12/13 11:53:25| urlParse: URL too large (11654 bytes)


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] High CPU Usage with ssl_bump

2016-04-22 Thread Odhiambo Washington
Can I terminate based on time? By just modifying the bits you wrote for me?

On 17:45, Fri, Apr 22, 2016 Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 23/04/2016 12:39 a.m., Odhiambo Washington wrote:
> >
> > So is it possible to achieve such a non-intrusive setup, but without
> > 'terminate'?
>
> You declared the requirement "Serve an error page.".
>
> That is intrusive.
>
> As Alex has said repeatedly:
>   terminate or produce an error. Pick one.
>
> Amos
>
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] High CPU Usage with ssl_bump

2016-04-22 Thread Odhiambo Washington
On 22 April 2016 at 13:45, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 22/04/2016 8:23 p.m., Odhiambo Washington wrote:
> >
> > Sure, I am really struggling to understand this. I would like to serve
> > error pages. A complete example of this would really help. I am thinking,
> > based on the two templates you gave and going with the one where squid
> > intrudes, that it could be like below, but to be honest I am not sure so
> > kindly correct me.
> >
> >
> > acl time_wastage_sites_ssl ssl::server_name .facebook.com .youtube.com
> > ssl_bump splice time_wastage_sites_ssl
> > ssl_bump stare all
> > ssl_bump bump all
> > http_access allow time_wastage_sites_ssl privileged-staff
> > http_access allow time_wastage_sites_ssl privileged-clients
> > http_access allow time_wastage_sites_ssl TIMElunch
> > http_access allow time_wastage_sites_ssl TIMEafterhoursAFT
> > http_access allow time_wastage_sites_ssl TIMEafterhoursMORN
> > http_access allow time_wastage_sites_ssl TIMEsatALLDAY
> > http_access allow time_wastage_sites_ssl TIMEsundALLDAY
> > http_access deny  time_wastage_sites_ssl
> >
>
> In a file called "/etc/squid/tws":
> .facebook.com
> .youtube.com
>
>
> squid.conf:
>  acl time_wastage_sites_ssl  ssl::server_name "/etc/squid/tws"
>  acl time_wastage_sites_http dstdomain        "/etc/squid/tws"
>
>  acl privileged_traffic any-of \
> privileged-staff privileged-clients \
> TIMElunch TIMEafterhoursAFT TIMEafterhoursMORN \
> TIMEsatALLDAY TIMEsundALLDAY
>
>  http_access allow privileged_traffic
>  http_access deny time_wastage_sites_http
>
>  ssl_bump splice privileged_traffic time_wastage_sites_ssl
>  ssl_bump stare all
>  ssl_bump bump all
>
>
>
> You can probably merge the TIME* ACLs down as well like:
>   # lunch
>   acl okay_times time ...
>   # afterhours PM
>   acl okay_times time ...
>   # afterhours AM
>   acl okay_times time ...
>   # Saturday and Sunday all day
>   acl okay_times time SA
>
> Amos
>
>
Quoting Alex:
"
If you want Squid to not intrude except when terminating prohibited traffic,
then start with this sketch:

>   ssl_bump terminate prohibited_traffic
>   ssl_bump peek all
>   ssl_bump splice all
"

So is it possible to achieve such a non-intrusive setup, but without
'terminate'?



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
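The consolidated http_access/any-of layout Amos sketches above is hard to check by eye: a gap between two time ACLs or a misspelled ACL name only shows up when someone is wrongly blocked, and `squid -k parse` checks syntax, not policy. The Python script below is an added example, not Squid code and not code from this thread. It evaluates the same first-match rules offline against a constructed squid.conf fragment: the time, arp, dstdomain and any-of ACLs follow the ones in this thread, while the MAC address, the inline domain list and the closing `allow all` line are assumptions, and file-based ACL lists are assumed to have been expanded inline.

```python
"""Offline first-match simulator for the http_access rules discussed here.

Added example; not Squid code and not code from the thread. Assumed (documented)
Squid semantics: 'time' ACLs take day letters S M T W H F A (Sunday..Saturday,
D = Monday..Friday) plus an optional inclusive HH:MM-HH:MM range; 'dstdomain
.example.com' matches the domain and every subdomain; repeated 'acl NAME TYPE'
lines extend one ACL; http_access lines are tried in order and the first line
whose ACLs all match decides; if nothing matches, the opposite of the last
line's action applies. ACL values are inline (file lists expanded beforehand).
"""
import re
from datetime import datetime

DAY_LETTERS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}  # weekday() numbers
TIME_RANGE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")


def time_matches(args, when):
    """ACL 'time [days] [HH:MM-HH:MM]' against a datetime."""
    days, lo, hi = set(), 0, 24 * 60 - 1
    for arg in args:
        m = TIME_RANGE.match(arg)
        if m:
            lo, hi = int(m[1]) * 60 + int(m[2]), int(m[3]) * 60 + int(m[4])
        else:
            for ch in arg:
                days.update(range(5) if ch == "D" else [DAY_LETTERS[ch]])
    if days and when.weekday() not in days:
        return False
    return lo <= when.hour * 60 + when.minute <= hi


def domain_matches(pattern, host):
    """ACL 'dstdomain': a leading dot matches the domain itself and all subdomains."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


class Policy:
    def __init__(self, conf_text):
        self.acls, self.rules = {}, []
        text = re.sub(r"\\\n\s*", " ", conf_text)      # join backslash-continued lines
        for raw in text.splitlines():
            words = raw.split("#", 1)[0].split()        # drop comments
            if words and words[0] == "acl":
                self.acls.setdefault(words[1], []).append((words[2], words[3:]))
            elif words and words[0] == "http_access":
                self.rules.append((words[1], words[2:]))

    def matches(self, name, req):
        if name.startswith("!"):
            return not self.matches(name[1:], req)
        if name == "all":                               # Squid's built-in ACL
            return True
        for kind, args in self.acls[name]:              # KeyError == undefined ACL
            if kind == "time" and time_matches(args, req["when"]):
                return True
            if kind == "dstdomain" and any(domain_matches(a, req["host"]) for a in args):
                return True
            if kind == "arp" and req["mac"].lower() in [a.lower() for a in args]:
                return True
            if kind == "any-of" and any(self.matches(a, req) for a in args):
                return True
            if kind == "all-of" and all(self.matches(a, req) for a in args):
                return True
        return False

    def decide(self, req):
        """First matching http_access line wins; else the opposite of the last line."""
        last = "allow"
        for action, names in self.rules:
            last = action
            if all(self.matches(n, req) for n in names):
                return action
        return "deny" if last == "allow" else "allow"


# Constructed squid.conf fragment following the consolidated layout in this
# thread; the MAC address, inline domain list and final 'allow all' are assumed.
SQUID_CONF = """\
acl TIMElunch          time MTWHF 12:00-13:59
acl TIMEafterhoursAFT  time MTWHF 14:30-23:59
acl TIMEafterhoursMORN time MTWHF 00:00-09:00
acl TIMEsatALLDAY      time A 00:00-23:59
acl TIMEsundALLDAY     time S 00:00-23:59
acl privileged-staff   arp 00:11:22:33:44:55
acl time_wastage_sites_http dstdomain .facebook.com .youtube.com
acl privileged_traffic any-of privileged-staff \\
    TIMElunch TIMEafterhoursAFT TIMEafterhoursMORN \\
    TIMEsatALLDAY TIMEsundALLDAY
http_access allow privileged_traffic
http_access deny  time_wastage_sites_http
http_access allow all
"""
POLICY = Policy(SQUID_CONF)


def decide(host, when, mac="de:ad:be:ef:00:01"):
    """Verdict for client MAC requesting host at 'YYYY-MM-DD HH:MM' local time."""
    req = {"host": host, "when": datetime.strptime(when, "%Y-%m-%d %H:%M"), "mac": mac}
    return POLICY.decide(req)


if __name__ == "__main__":
    for host, when in [("www.facebook.com", "2016-04-20 10:30"),   # Wednesday, working hours
                       ("www.facebook.com", "2016-04-20 12:30"),   # lunch
                       ("www.facebook.com", "2016-04-20 14:00"),   # gap between the ACLs
                       ("www.facebook.com", "2016-04-23 10:00"),   # Saturday
                       ("notfacebook.com", "2016-04-20 10:30")]:
        print(f"{when}  {host:18} -> {decide(host, when)}")
    print("privileged MAC ->", decide("www.facebook.com", "2016-04-20 10:30", "00:11:22:33:44:55"))
```

Running it shows the 14:00 request denied: TIMElunch ends at 13:59 and TIMEafterhoursAFT starts at 14:30, so the half hour in between falls through to the deny line. That is exactly the kind of gap worth finding on paper before the config reaches the proxy.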


Re: [squid-users] High CPU Usage with ssl_bump

2016-04-22 Thread Odhiambo Washington
On 22 April 2016 at 02:16, Alex Rousskov <rouss...@measurement-factory.com>
wrote:

> On 04/21/2016 03:26 PM, Odhiambo Washington wrote:
> > On 21 April 2016 at 23:14, Alex Rousskov wrote:
> > Logging aside, your latest random configuration is equivalent to
> > [...] not intercepting SSL at all, which brings
> > us back to the old question: What do you want Squid to do?
>
>
> > If I could intercept SSL and do nothing EXCEPT subject the domains to
> > time ACLs, that'd be all.
>
> You are going back to the problem we have already discussed. Please slow
> down and translate your description above into what should happen to
> user connections that match your "time ACLs".
>


*slow down mode engaged*

You have given me these two templates:

(1)
If you want Squid to not intrude except when terminating prohibited traffic,
then start with this sketch:

  ssl_bump terminate prohibited_traffic
  ssl_bump peek all
  ssl_bump splice all

I would have preferred this option, first because it doesn't involve me
installing my CA on all user devices and secondly because of no intrusion.
However I cannot figure out how to deal with this when it comes to ACLs
because '*terminate*' isn't really what I think I want. What I want is as
follows:
(a) squid receives request from a particular host for facebook.com. Host
is identified by MAC Address or IP
(b) squid decides (based on ACLs) if host is allowed access to facebook.com
at this time, then allows it
(c) squid throws an error message if host is not allowed access at this
time.

If I could achieve the above, I will be fine. How to craft the configs is
my trouble. I keep fumbling.


(2)
If you want Squid to intrude (where possible) and block prohibited
traffic, then install your CA certificates on all user devices and start
with this sketch:

  ssl_bump splice things_that_are_impossible_to_bump
  ssl_bump stare all
  ssl_bump bump all
  http_access deny prohibited_traffic

Now here, the CA challenge abounds. We have a guest SSID on our WLAN and
this means I have to install the CAs even for guests or redo the network to
be able to accommodate guest users browsing without being subjected to our
internal policies.



>
> * Does "subject the domains to time ACLs" mean "immediately close
> connections that match" those ACLs?
>

No.


>
> * Or does it mean "serve Squid error pages" over connections that match
> those ACLs?
>

Yes.


>
> Once you decide, apply one of the two templates provided (the two
> templates correspond to which of the two questions you answer "yes").
>
>
> > I just want the data passing through squid for me to determine who is
> > allowed to access it and at what time.
>
> Assume Squid has made that access determination you want to make, and
> the user is not allowed. Now what: Close the connection? Or serve an
> error page?
>
>
Serve an error page.


>
> > I do have time ACLs, [...]
>
> The specifics of your ACLs are irrelevant at this stage. You can fix
> them later once you get overall SslBump setup working the way you want.
> You can assume that there is just one ACL called "prohibited_traffic" or
> "good_traffic". Now write the rules that determine what happens to
> connections that match one of those two ACLs.
>



> If you want Squid to not intrude except when terminating prohibited
> > traffic, then start with this sketch:
> >
> >   ssl_bump terminate prohibited_traffic
> >   ssl_bump peek all
> >   ssl_bump splice all
> >
> >
> > Lemme see if I understand this. I have a problem wrapping my head around
> > 'terminate' (as a terminology, maybe)
>
> "terminate" means "close the SSL connection(s) immediately". No error
> response is sent by Squid to the user. It does not get much simpler than
> that! The browser will probably show some "secure connection could not
> be negotiated" error to the user with no usable details [because Squid
> sent nothing to the browser in this case].
>
>
That is NOT what I want. I need squid to serve an error page that "Access
is denied at this time.."
I think it's usually something like "access controls prohibit you from
access this page at this time...".


>
> > and 'prohibited_traffic' (also as a terminology).
>
> Just some ACL name. You will define that aggregate ACL later to match
> any traffic you want to prohibit. It will contain a combination of time
> and server name ACLs. Other details are not important until your SslBump
> [and http_access rules] are correct.
>

Okay.


>
> If you do not know how to aggregate ACLs, look for "any-of" and "all-of"
> in squid.c

Re: [squid-users] Extraneous question regarding SSL interception

2016-04-21 Thread Odhiambo Washington
Yes! That SSL _Bump_ name!

Thanks for explaining the origins.

On 23:53, Thu, Apr 21, 2016 Alex Rousskov 
wrote:

> On 04/21/2016 02:22 PM, Antony Stone wrote:
>
> > Forgive me if this is answered in the documentation somewhere (but please
> > point me at it if so, because I haven't been able to find it), but where
> do the
> > terms "bump", "peek", "splice" and "stare" come from?
>
> "splice" comes from a standard networking technique of "TCP splicing"
> which is exactly what Squid is trying to do when the "splice" action wins.
>
> "bump" comes from a more-or-less standard networking concept of "bump in
> the wire" that describes temporary elevating processing to the next
> protocol level. In Squid's case, we are temporary elevating processing
> from SSL to HTTP level.
>
> "peek" comes from the English verb "to peek" which means "look quickly"
> and has such synonyms as "take a stealthy look", which is exactly what
> Squid is trying to do when the "peek" action wins.
>
> "stare" comes from the English verb "to stare" and was chosen as a kind
> of antonym to "to peek". When Squid stares at the SSL exchanges, it may
> modify things and generally prepare connections for bumping, which is a
> much longer operation compared to peeking.
>
> There is also "terminate" which does what it says.
>
>
> In my biased opinion, the action names are actually pretty accurate and
> descriptive. My only regret is that the feature itself was called SSL
> _Bump_ and not something more action-neutral. Unfortunately, I did not
> predict the need for more actions when we started writing bumping
> code.
>
> Alex.
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Odhiambo Washington
On 21 April 2016 at 23:14, Alex Rousskov <rouss...@measurement-factory.com>
wrote:

> On 04/21/2016 01:59 PM, Odhiambo Washington wrote:
> > On 21 April 2016 at 22:04, Amos Jeffries wrote:
> >
> >     On 22/04/2016 6:20 a.m., Odhiambo Washington wrote:
> > > I have now changed to *configurations suggested specifically for
> your use
> > > case, on this email thread* :)
>
> > > acl no_ssl_interception ssl::server_name
> > > "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> > > ssl_bump splice no_ssl_interception
> > > ssl_bump stare all
> > > ssl_bump bump all
>
>
> > No the "stare" being done will prevent splice and you will see
> breakage
> > or unexpected things again.
> > You have to replace 'stare' with 'peek' AND replace 'bump' with
> > 'splice'.
>
>
> > Like below???
>
>
> > acl no_ssl_interception ssl::server_name
> > "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> > ssl_bump splice no_ssl_interception
> > ssl_bump peek all
> > ssl_bump splice all
>
>
> Logging aside, your latest random configuration is equivalent to
>
>   ssl_bump splice all
>
> which means you are better off not intercepting SSL at all, which brings
> us back to the old question: What do you want Squid to do?
>

If I could intercept SSL and do nothing EXCEPT subject the domains to time
ACLs, that'd be all. I do not need any bumping to be precise.
I just want the data passing through squid for me to determine who is
allowed to access it and at what time.

I do have time ACLs, which I use in conjunction with MAC ACLs and certain
domain, like facebook.com. Right now I rely on dstdomain to identify the
domains.
With domains using SSL, I cannot use dstdomain, right? Let me demonstrate
with config snippets from my squid.conf, perhaps that would explain it
better and maybe I will find a better easier way out that this ssl_bump
monster:-)

acl TIMEweekdaysALLDAY time MTWHF 09:00-17:00
acl TIMEafterhoursMORN time MTWHF 00:00-09:00
acl TIMElunch time MTWHF 12:00-13:59
acl TIMEafterhoursAFT time MTWHF 14:30-23:59
acl TIMEsatMORN time A 00:00-07:00
acl TIMEsatAFT time A 11:00-23:59
acl TIMEsatALLDAY time A 00:00-23:59
acl TIMEsundALLDAY time S 00:00-23:59

# Internet Access Regulation
# Some privileged staff - can browse unrestricted
acl privileged-staff arp "/usr/local/etc/squid/privileged_mac_addresses.txt"

# Sites staff waste all their time on - Social Networks, streaming sites, etc
acl TIMEWASTAGESITES dstdomain "/usr/local/etc/squid/time_wastage_sites.txt"

# TIMEWASTAGESITES
http_access allow TIMEWASTAGESITES privileged-staff
http_access allow TIMEWASTAGESITES TIMElunch
http_access allow TIMEWASTAGESITES TIMEafterhoursAFT
http_access allow TIMEWASTAGESITES TIMEafterhoursMORN
http_access allow TIMEWASTAGESITES TIMEsatALLDAY
http_access allow TIMEWASTAGESITES TIMEsundALLDAY
http_access deny  TIMEWASTAGESITES


Now, the above used to work until facebook.com, youtube.com, and
others switched to HTTPS. After that it wasn't possible for me to
control access to them.

So really, all I want is the ability to intercept SSL and subject it
to those time ACLs for a class of users. Nothing more.



> If you want Squid to not intrude except when terminating prohibited
> traffic, then start with this sketch:
>
>   ssl_bump terminate prohibited_traffic
>   ssl_bump peek all
>   ssl_bump splice all
>

Lemme see if I understand this. I have a problem wrapping my head around
'terminate' (as a terminology, maybe) and 'prohibited_traffic' (also as a
terminology).
So, are you saying that prohibited_traffic here is something like:

acl TIMEWASTAGESITES_SSL ssl::server_name "/usr/local/etc/squid/time_wastage_SSL_sites.txt"

And in that file I have
.facebook.com
.youtube.com
...

Then I just apply my usual time ACLs..

http_access allow TIMEWASTAGESITES_SSL privileged-staff
http_access allow TIMEWASTAGESITES_SSL TIMElunch
http_access allow TIMEWASTAGESITES_SSL TIMEafterhoursAFT
http_access allow TIMEWASTAGESITES_SSL TIMEafterhoursMORN
http_access allow TIMEWASTAGESITES_SSL TIMEsatALLDAY
http_access allow TIMEWASTAGESITES_SSL TIMEsundALLDAY
http_access deny  TIMEWASTAGESITES_SSL

That is more like all I want - use *ssl::server_name* instead of *dstdomain.
* The sites are NOT prohibited per se, and 'terminate' kinda scares me. I
need to RTFM about this 'terminate' again and again until I can sing it:)



> If you want Squid to intrude (where possible) and block prohibited
> traffic, then install your CA certificates on all user devices and start
> with this sketch:
>
>   ssl_bump splice things_that_are_impossible_to_bump
>   ssl_bump stare all
>   ssl_bump bump all
>   http_access deny prohibited_traffic
>

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Odhiambo Washington
On 21 April 2016 at 22:04, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 22/04/2016 6:20 a.m., Odhiambo Washington wrote:
> > Hi Alex,
> >
> > I have now changed to *configurations suggested specifically for your use
> > case, on this email thread* :)
> >
> >
> >
> > acl no_ssl_interception ssl::server_name
> > "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> > ssl_bump splice no_ssl_interception
> > ssl_bump stare all
> > ssl_bump bump all
> >
> > Now, suppose, as I think in my mind, bumping isn't really what I need,
> can
> > I just comment out 'ssl_bump bump all'  and sit easy or should I switch
> to
> > ssl_bump splice all ??
>
> No the "stare" being done will prevent splice and you will see breakage
> or unexpected things again.
>
> You have to replace 'stare' with 'peek' AND replace 'bump' with 'splice'.
>

Like below???


acl no_ssl_interception ssl::server_name
"/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump splice no_ssl_interception
ssl_bump peek all
ssl_bump splice all


Thank you.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Odhiambo Washington
On 21 April 2016 at 16:48, Alex Rousskov <rouss...@measurement-factory.com>
wrote:

> On 04/21/2016 07:18 AM, Odhiambo Washington wrote:
> > Is it expected that using ssl_bump results in high CPU usage all the
> > time?
>
> Your question is impossible to answer in general: The CPU usage levels
> depend on the amount of Squid traffic, the portion of SSL traffic in the
> overall traffic mix, the portion of step1, step2, and step3 traffic in
> the SSL traffic mix, hardware resources available to Squid, the number
> of Squid workers, and many other factors.
>
> > acl no_ssl_interception ssl::server_name ...
> > ssl_bump splice no_ssl_interception
> > ssl_bump peek step1
> > ssl_bump stare step2
>
> The above config continues to violate the specific advice given to you
> previously:
> *Do not mix "peek" and "stare" unless you have a very specific need for
> doing so.*
>

I have noted that instruction. It was actually an oversight caused by slow
understanding of the terminologies.
Once I have changed to what you advised before, the CPU usage has gone down
considerably:


acl no_ssl_interception ssl::server_name
"/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump splice no_ssl_interception
ssl_bump stare step2
#ssl_bump bump all
ssl_bump splice all

So basically I should just have two options, I think, no?? Like

ssl_bump stare step2
ssl_bump splice all

If one day, for some reason I want to bump, then I could change to:

acl no_ssl_interception ssl::server_name
"/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump splice no_ssl_interception
ssl_bump stare step2
ssl_bump bump all


Thank you so much Alex.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Odhiambo Washington
I will put the splice explicitly and observe.

Without ssl_bump I never saw such cpu usage with squid.

However, lemme watch and also listen to feedback..


On 21 April 2016 at 16:34, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 22/04/2016 1:18 a.m., Odhiambo Washington wrote:
> > Is it expected that using ssl_bump results in high CPU usage all the
> > time?
> >
>
> Encryption adds CPU overhead, but how much depends on what your normal
> use was. I dont think any of us have a good rule-of-thumb or educated
> guess yet because Squid code has been changing so much.
>
> If its worrying you, I suggest trying your favourite profiling tools out
> and see if anything useful shows up.
>
>
> > This is squid-3.5.17
> >
> > That is what I am seeing:
> >
> > last pid: 26673;  load averages:  2.24,  2.00,  2.10    up 0+03:47:56  16:08:30
> > 160 processes: 2 running, 157 sleeping, 1 zombie
> > CPU: 86.1% user,  0.0% nice,  7.8% system,  3.3% interrupt,  2.7% idle
> > Mem: 843M Active, 1942M Inact, 185M Wired, 43M Cache, 89M Buf, 97M Free
> > Swap: 5900M Total, 1248K Used, 5899M Free
> >
> >   PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
> > 13309 squid      17  20    0   305M   264M uwait   0   7:38  80.86% squid
> > 26088 squid       1  21    0 12812K  5352K sbwait  1   0:04   2.49% ssl_crtd
> > 26090 squid       1  20    0 12812K  5272K sbwait  1   0:01   0.88% ssl_crtd
> >
> > My config has:
> >
> >
> >
> > acl no_ssl_interception ssl::server_name
> > "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> > ssl_bump splice no_ssl_interception
> > ssl_bump peek step1
> > ssl_bump stare step2
> > #ssl_bump bump all
> > #ssl_bump splice all
> >
> > I think I read somewhere that 'ssl_bump splice all' is the default
> > behaviour, hence why I have commented it out. All I need is just become a
> > TCP tunnel without decrypting proxied traffic.
>
> I wouldn't rely on the default for things like this. Squid makes a
> *guess* based on what data it has to work with on a per-connection
> basis. There is no extra cost to having it configured, Squid has to
> check the whole set anyway.
>
> Amos
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Odhiambo Washington
So, what could possibly be wrong with my setup, that squid consumes so much
CPU?

On 21 April 2016 at 16:22, Yuri Voinov <yvoi...@gmail.com> wrote:

>
>
> It must not be. My most active setup has 3% CPU all time dirung peak hours.
>
> Typical view:
>
> https://i1.someimage.com/NzM1erI.png
>
>
> 21.04.16 19:18, Odhiambo Washington пишет:
> > Is it expected that using ssl_bump results in high CPU usage all the
> time?
> >
> > This is squid-3.5.17
> >
> > That is what I am seeing:
> >
> > last pid: 26673;  load averages:  2.24,  2.00,  2.10    up 0+03:47:56  16:08:30
> > 160 processes: 2 running, 157 sleeping, 1 zombie
> > CPU: 86.1% user,  0.0% nice,  7.8% system,  3.3% interrupt,  2.7% idle
> > Mem: 843M Active, 1942M Inact, 185M Wired, 43M Cache, 89M Buf, 97M Free
> > Swap: 5900M Total, 1248K Used, 5899M Free
> >
> >   PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
> > 13309 squid      17  20    0   305M   264M uwait   0   7:38  80.86% squid
> > 26088 squid       1  21    0 12812K  5352K sbwait  1   0:04   2.49% ssl_crtd
> > 26090 squid       1  20    0 12812K  5272K sbwait  1   0:01   0.88% ssl_crtd
> >
> >
> > My config has:
> >
> >
> >
> > acl no_ssl_interception ssl::server_name
> "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> > ssl_bump splice no_ssl_interception
> > ssl_bump peek step1
> > ssl_bump stare step2
> > #ssl_bump bump all
> > #ssl_bump splice all
> >
> > I think I read somewhere that 'ssl_bump splice all' is the default
> behaviour, hence why I have commented it out. All I need is just become a
> TCP tunnel without decrypting proxied traffic.
> >
> > Thank you.
> >
> >
> > --
> > Best regards,
> > Odhiambo WASHINGTON,
> > Nairobi,KE
> > +254 7 3200 0004/+254 7 2274 3223
> > "Oh, the cruft."
> >
> >
> > ___
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
>
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Odhiambo Washington
Is it expected that using ssl_bump results in high CPU usage all the
time?

This is squid-3.5.17

That is what I am seeing:

last pid: 26673;  load averages:  2.24,  2.00,  2.10  up 0+03:47:56  16:08:30
160 processes: 2 running, 157 sleeping, 1 zombie
CPU: 86.1% user,  0.0% nice,  7.8% system,  3.3% interrupt,  2.7% idle
Mem: 843M Active, 1942M Inact, 185M Wired, 43M Cache, 89M Buf, 97M Free
Swap: 5900M Total, 1248K Used, 5899M Free

  PID USERNAME   THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
13309 squid       17  20    0   305M   264M uwait   0   7:38  80.86% squid
26088 squid        1  21    0 12812K  5352K sbwait  1   0:04   2.49% ssl_crtd
26090 squid        1  20    0 12812K  5272K sbwait  1   0:01   0.88% ssl_crtd


My config has:



acl no_ssl_interception ssl::server_name
"/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump splice no_ssl_interception
ssl_bump peek step1
ssl_bump stare step2
#ssl_bump bump all
#ssl_bump splice all

I think I read somewhere that 'ssl_bump splice all' is the default
behaviour, hence why I have commented it out. All I need is for it to just
become a TCP tunnel without decrypting proxied traffic.

Thank you.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] ssl_bump newbie troubles

2016-04-20 Thread Odhiambo Washington
On 21 April 2016 at 00:11, Alex Rousskov <rouss...@measurement-factory.com>
wrote:

> On 04/20/2016 02:22 PM, Odhiambo Washington wrote:
>
> > All I want is the ability to intercept SSL sites and control access to
> > them using TIME ACLs. That's all.
>
> I will assume that your definition of a "site" is "domain name".
>

Yes.


>
> > So in simple:
> > 1. UserX tries to access facebook.com/youtube.com
> > 2. I intercept transparently https traffic
> > 3. I tell squid "don't allow this user to access facebook.com
> >  at this time, but let them access at some-other-time
> > 4. If time is right, let userX access the site.
>
> > So looks like all I need is a setup of passive monitoring, given my
> > explanation above, right?
>
> The answer depends on what you want Squid to do when access is not
> allowed. If you are OK with terminating the prohibited connection (no
> error messages explaining company policy sent by Squid to your users!),
> then yes:
>
>   ssl_bump terminate restricted_sites
>   ssl_bump peek all
>   ssl_bump splice all
>


What I would like is:

1. that squid is able to 'see' that *userX* is trying to visit
https://www.facebook.com
2. but at that particular time (time ACL) *userX* is not allowed to go to
facebook.com, so squid denies access, throws a default error on their
browser
3. However, *userY* has unrestricted access to anywhere at all times so
squid allows the user to proceed.
The time logic is already built in squid.conf. All that remains is just to
intercept https traffic and let the time acls decide whether or not a user
can get there.


So allow me to ask: in 'ssl_bump terminate restricted_sites', I am lost as
to what restricted_sites represents.

If my squid.conf matters, I have it here: http://goo.gl/vA6nrB. All I want
is to restrict/control (using time) access to TIMEWASTAGESITES :-)
I do not need to bump at all.

(My English could be my undoing here :-))

Thanks for your patience in baby-sitting me.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
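Putting Alex's peek/terminate/splice rules together with the time-based, per-user restriction asked for above, as an added squid.conf example (it is not from the thread; the addresses, hours, ACL names, port and certificate path are assumptions):

```conf
# Added example, not from the thread: let Squid see which HTTPS site a user is
# going to without decrypting anything, and close the connection for
# restricted users during work hours. Addresses, hours, ACL names, port and
# certificate path are assumptions; adjust them to your network.

# Intercepted HTTPS port. A port with ssl-bump needs a cert=, but with no
# "bump" rule below that certificate is never presented to clients, so
# nothing has to be installed on phones or guest devices.
https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/proxy-ca.pem

# Who is restricted (assumed source addresses); everyone else is userY.
acl restricted_users src 192.168.54.0/24

# When the restriction applies: Monday to Friday, 08:00-17:00 (assumed hours)
acl work_hours time MTWHF 08:00-17:00

# Which sites. ssl::server_name matches the TLS SNI (or, later, the server
# certificate), which is all Squid can see without decrypting.
acl timewaste_sites ssl::server_name .facebook.com .youtube.com

# Same sites for plain HTTP, where the Host header is visible anyway
acl timewaste_http dstdomain .facebook.com .youtube.com

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: only TCP-level information is known; peek to read the ClientHello
# (and so the SNI) without committing to decrypt.
ssl_bump peek step1

# Step 2: the server name is now known. Restricted users hitting the listed
# sites in work hours get the connection closed (a spliced connection cannot
# carry a Squid error page); everything else is passed through as an opaque
# TCP tunnel, exactly as "splice all" would on its own.
ssl_bump terminate timewaste_sites restricted_users work_hours
ssl_bump splice all

# Plain HTTP counterpart, which does get a normal Squid error page.
# Place it before your general "http_access allow localnet" rule.
http_access deny timewaste_http restricted_users work_hours
```

Run `squid -k parse` after adding it; the terminate rule only fires at step 2, so a client that sends no SNI is simply spliced and is not caught by this rule.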


Re: [squid-users] ssl_bump newbie troubles

2016-04-20 Thread Odhiambo Washington
On 20 April 2016 at 18:38, Alex Rousskov <rouss...@measurement-factory.com>
wrote:

> On 04/20/2016 08:16 AM, Odhiambo Washington wrote:
>
> > I even wonder if this config is correct:
> >
> > acl ssl_bump_broken_sites  dstdomain ...
> > ssl_bump none ssl_bump_broken_sites
> > ssl_bump peek step1
> > ssl_bump stare step2
> > ssl_bump bump all
>
> You did not say what you want Squid to do, so it is difficult to say
> whether the config is correct. However, the following combinations look
> strange to me:
>
> * old "none" and new "peek" actions; use "splice" instead of "none"
> * sometimes contradictory "peek" and "stare" actions; pick one kind
> * sometimes contradictory "peek" and "bump" actions; if you intend to
> bump, use "stare"
>
> Also, you may want to use ssl::server_name ACL instead of dstdomain.
> Remember that Squid may have no domain information until it is too late
> to splice. Here is a polished config that may or may not do what you want:
>
>   # Bump aggressively, including discovered-too-late broken_sites:
>   acl ssl_bump_broken_sites ssl::server_name ...
>   ssl_bump splice ssl_bump_broken_sites
>   ssl_bump stare all
>   ssl_bump bump all
>

Hi Alex,

Thank you for looking into and advising about this. I really do not want to
get intrusive on the setup.
All I want is the ability to intercept SSL sites and control access to them
using TIME ACLs. That's all.
Sites should be accessed without any interference apart from determining at
what time they can be
accessed by certain restricted users. Think about restricting facebook.com,
youtube.com, etc which
otherwise I would not have control over in a normal intercept. That's the
only reason I need this ssl_bump stuff.

So in simple:
1. UserX tries to access facebook.com/youtube.com
2. I intercept transparently https traffic
3. I tell squid "don't allow this user to access facebook.com at this time,
but let them access at some-other-time
4. If time is right, let userX access the site.

I still need to wrap my head around these 'stare' and 'peek' and what
happens with them.


> > I had to import my CA to all devices (as a trusted CA) on
> > the network so that they don't get the MITM notification. [...] People
> > don't like intrusive changes.
>
> "ssl_bump bump" implies intrusiveness. You need to decide whether
> bumping connections is important enough to be intrusive. The alternative
> is passive monitoring/splicing that does not require intrusive changes
> but gives you less control. Pick your poison.
>
> Alex.
>


So looks like all I need is a setup of passive monitoring, given my
explanation above, right?
Don't bump, just monitor and restrict access to some users based on time.
Generally I want to
control access to those sites users usually waste time on during work
hours:-)




-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] ssl_bump newbie troubles

2016-04-20 Thread Odhiambo Washington
Hi,

I am trying my hands on ssl_bump and it's almost working, but that's
ish-ish.. because I have several problems.

I even wonder if this config is correct:

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl ssl_bump_broken_sites  dstdomain
"/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump none ssl_bump_broken_sites


acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all

sslproxy_capath /etc/ssl/certs
sslproxy_cert_error allow all
#sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt




The following error was encountered while trying to retrieve the URL:
https://org.ke.m-pesa.com/

Failed to establish a secure connection to 196.201.214.212

The system returned:

(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate

This proxy and the remote host failed to negotiate a mutually acceptable
security settings for handling your request. It is possible that the remote
host does not support secure connections, or the proxy is not satisfied
with the host security credentials.

Your cache administrator is <odhia...@gmail.com>.





I thought I could mitigate that with the:

acl ssl_bump_broken_sites  dstdomain
"/usr/local/etc/squid/ssl_bump_broken_sites.txt"
ssl_bump none ssl_bump_broken_sites

..but that doesn't do it...

Secondly, I had to import my CA to all devices (as a trusted CA) on the
network so that they don't get the MITM notification. This is a challenge,
because I have to do the same for smart phones too, and that is not easy.
People don't like intrusive changes. For example on Android phone, you have
to set screen security before you can import such a CA, and after you do,
you cannot disable the screen security! Now, that is not something people
want.

Another issue is that we allow guests who come in to the premises to use
our Wi-Fi (on a different SSID). Without them importing the CA, they get
the MITM notification and cannot browse. This is because they get assigned
IPs in the same subnet we use in the office.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Stuggling with 3.5.16 on FreeBSD-9.3

2016-04-19 Thread Odhiambo Washington
On 18 April 2016 at 20:14, Nick Rogers <ncrog...@gmail.com> wrote:

>
>
> On Fri, Apr 15, 2016 at 8:45 AM, Odhiambo Washington <odhia...@gmail.com>
> wrote:
>
>> Hello Amos,
>>
>> All noted.
>>
>> Lemme consult with some FreeBSD guys on these .
>>
>
> As a FreeBSD user, here's my two cents.
>
> You should be using the www/squid port.
>
> If the port doesn't compile with the options you wish, open a problem
> report with FreeBSD and/or ask on the FreeBSD ports mailing list. The
> maintainer of the www/squid port is pretty responsive and helpful.
>
> I don't have any issues with www/squid on FreeBSD 10.1-RELEASE.
>
>
That much I know, and love, but this box was running squid-2.7.9 for years
and was in production servicing about 100 users. I wasn't going to do 'make
install' from the port and cause disruption. Plus I came to realize only
later that 3.2.16 was the www/squid.
For the record, I like playing with new software manually, compiling by
hand and testing before deploying. That's why I was struggling with this
'by hand'. Also note that my FreeBSD version was 8.4 (EoL).



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Stuggling with 3.5.16 on FreeBSD-9.3

2016-04-15 Thread Odhiambo Washington
Hello Amos,

All noted.

Lemme consult with some FreeBSD guys on these.

On 15 April 2016 at 18:13, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 16/04/2016 1:29 a.m., Odhiambo Washington wrote:
> >
> > With luck, I have managed to get squid to compile successfully (after
> > upgrading a few components here and there). I used:
>
> Yay!
>
> >
> > I have it running now (redirecting using IPFilter/IPNAT), but once in a
> > while I see this error about NAT:
> >
> 
> > 2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original
> IPs
> > on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
>
> These are the kernel NAT system telling Squid the connection being
> looked up has not record there.
>
> It could be TCP connections being made straight to the intercept port.
> If so you need to update the firewall config to prevent them, even from
> localhost.
>  In Linux we use a mangle table rule, since that is the filter pre-NAT
> that can do it. I'm not sure how FreeBSD would do that. It has to be
> done on packets first arrival pre-NAT. Any filter that is applied after
> the NAT action will get it wrong due to the NAT changes.
>
>
> It could be the NAT systems table of connections filling up and
> overflowing. If so there should be a kernel sysctl somewhere to increase
> that table size.
>
> >
> > In any case, I am planning to rewrite the IPNAT rules into PF and use PF.
> > It's the inception stage so I haven't delved deep into ssl-bump
> > configurations...
> >
>
> HTH
> Amos
>
>


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Stuggling with 3.5.16 on FreeBSD-9.3

2016-04-15 Thread Odhiambo Washington
On 14 April 2016 at 03:56, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 14/04/2016 6:02 a.m., Odhiambo Washington wrote:
> > Hi Amos,
> >
> > I bit the bullet and upgraded my FreeBSD-8.4 -> 9.3.
> >
> > I am struggling to compile squid-3.5.16. I just have to find a way to
> make
> > it compile and run, by all means.
> >
> > So now here is what happens:
> >
> >
> > #!/bin/sh
> > ./configure --prefix=/opt/squid-3.5 \
> > --enable-removal-policies="lru heap" \
> > --disable-epoll \
> > --with-pthreads \
> > --enable-storeio="ufs diskd rock aufs" \
> > --enable-delay-pools \
> > --enable-snmp  \
> > --with-openssl=/usr \
> > --enable-forw-via-db \
> > --enable-cache-digests \
> > --enable-wccpv2 \
> > --enable-follow-x-forwarded-for \
> > --with-large-files \
> > --enable-esi \
> > --enable-kqueue \
> > --enable-icap-client \
> > --enable-kill-parent-hack \
> > --enable-ssl \
> > --enable-ssl-crtd \
> > --enable-url-rewrite-helpers \
> > --enable-xmalloc-statistics \
> > --enable-stacktraces \
> > --enable-zph-qos \
> > --enable-eui \
> > --with-nat-devpf \
> > --enable-pf-transparent \
> > --enable-ipf-transparent \
> > --enable-auth \
> >
> > My config.log output is here: http://goo.gl/LcV1yN
> >
> > And this is how the compile fails:
> >
> > Making all in negotiate_auth
> > Making all in kerberos
> > depbase=`echo negotiate_kerberos_auth.o | sed
> > 's|[^/]*$|.deps/&|;s|\.o$||'`; g++ -DHAVE_CONFIG_H-I../../..
> > -I../../../include  -I../../../lib -I../../../src  -I../../../include
> >  -I/usr/include  -I/usr/include  -I../../../libltdl -I. -I/usr/include
> > -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Wall
> > -Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual
> > -Werror -pipe -D_REENTRANT -I/usr/local/include  -g -O2 -march=native
> > -I/usr/local/include -MT negotiate_kerberos_auth.o -MD -MP -MF
> $depbase.Tpo
> > -c -o negotiate_kerberos_auth.o negotiate_kerberos_auth.cc && mv -f
> > $depbase.Tpo $depbase.Po
> > negotiate_kerberos_auth.cc: In function 'int main(int, char* const*)':
> > negotiate_kerberos_auth.cc:754: error:
> > 'gsskrb5_extract_authz_data_from_sec_context' was not declared in this
> scope
> > *** [negotiate_kerberos_auth.o] Error code 1
> >
>
> Strange. Check the Kerberos / krb5 libraries available are up to date.
> Or for now you may need to use one or more of these:
>  --without-mit-kerberos \
>  --without-heimdal-kerbers \
>  --without-gssapi-kerberos
>
>
With luck, I have managed to get squid to compile successfully (after
upgrading a few components here and there). I used:

#!/bin/sh
env LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include CC=clang \
CXX=clang++ CPP=clang-cpp ./configure --prefix=/opt/squid-3.5 \
--enable-removal-policies="lru heap" \
--disable-epoll \
--with-pthreads \
--enable-storeio="ufs diskd rock aufs" \
--enable-delay-pools \
--enable-snmp  \
--with-openssl=/usr \
--enable-forw-via-db \
--enable-cache-digests \
--enable-wccpv2 \
--enable-follow-x-forwarded-for \
--with-large-files \
--enable-esi \
--enable-kqueue \
--enable-icap-client \
--enable-kill-parent-hack \
--enable-ssl \
--enable-ssl-crtd \
--enable-url-rewrite-helpers \
--enable-xmalloc-statistics \
--enable-stacktraces \
--enable-zph-qos \
--enable-eui \
--with-nat-devpf \
--enable-pf-transparent \
--enable-ipf-transparent \
--with-nat-devpf \
--without-mit-kerberos \
--without-heimdal-kerbers \
--without-gssapi-kerberos \
--enable-auth





>
> >
> > I am getting closer I think.
> >
> > The initial compile that I had before the upgrade from 8.4 to 9.3 cannot
> > run. Gives a different error:
> >
> > 2016/04/13 14:12:13| Accepting NAT intercepted SSL bumped HTTPS Socket
> > connections at local=192.168.55.254:13129 remote=[::] FD 36 flags=41
> > 2016/04/13 14:12:13| Accepting ICP messages on [::]:3130
> > 2016/04/13 14:12:13| Sending ICP messages from [::]:3130
> > 2016/04/13 14:12:13| ERROR: NAT/TPROXY lookup failed to locate original
> IPs
> >

Re: [squid-users] Error starting 3.5.16 on FreeBSD-8.4

2016-04-09 Thread Odhiambo Washington
On 9 April 2016 at 06:57, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 9/04/2016 5:37 a.m., Yuri Voinov wrote:
> >
> > Don't think so. I've gave latest 4.0.8 tarball from site. Applied patch
> > - viola! - issue is gone.
> >
> > 08.04.16 23:32, Odhiambo Washington пишет:
> >> Hi Yuri,
> >
> >> I applied the patch against 4.0.8, not 3.5.16. Check my e-mail well
> > well :-)
> >
> >> Could it be that you have a different code base from the tarballs
> > available for everyone?
>
> The patch fixes a regression which only exists in the daily snapshot
> tarballs of 4.0.8 numbered r14625 thru r14632.
>
> The patch itself was applied as r14633.
>
> Amos
>

Noted and downloaded squid-4.0.8-20160408-r14633.tar.bz2

But I am still anxious to be able to run 3.5.16 on FreeBSD-8.4. Please. I
need guidance and patience.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Error starting 3.5.16 on FreeBSD-8.4

2016-04-08 Thread Odhiambo Washington
Hi Yuri,

I applied the patch against 4.0.8, not 3.5.16. Check my e-mail well well :-)

Could it be that you have a different code base from the tarballs available
for everyone?



On 8 April 2016 at 20:26, Yuri Voinov <yvoi...@gmail.com> wrote:

>
> Note: Codebase for 4.0.x is different with 3.5.x.  So, most patches for
> 4.x.x series can't be applied onto 3.5.x.
>
> 08.04.16 23:23, Odhiambo Washington пишет:
> > Hi Yuri,
> >
> > Sorry to be a thorn in the flesh in this one.
> >
> > Which source code were you applying this patch against?
> >
> > I applied this patch on the released squid-4.0.8.tar.xz and it doesn't
> apply cleanly for starters... Maybe I am doing it wrongly? Just doing patch
> < /path/to/patch
> >
> > wash@mail:~/ILI/Squid/4.x/squid-4.0.8$ patch < ../squid-4-14633.patch
> > Hmm...  Looks like a unified diff to me...
> > The text leading up to this was:
> > --
> > |
> > |revno: 14633
> > |revision-id: squ...@treenet.co.nz-20160408073547-xtjco0mpai4lr920
> > |parent: chtsa...@users.sourceforge.net-20160407163610-yl8zzhc08l1ysv5f
> > |committer: Amos Jeffries <squ...@treenet.co.nz
> <mailto:squ...@treenet.co.nz> <squ...@treenet.co.nz>>
>
> > |branch nick: trunk
> > |timestamp: Fri 2016-04-08 19:35:47 +1200
> > |message:
> > |  Fix shm_open error message after rev.14625
> > |
> > |# Bazaar merge directive format 2 (Bazaar 0.90)
> > |# revision_id: squ...@treenet.co.nz-20160408073547-xtjco0mpai4lr920
> > |# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
> > |# testament_sha1: c1983f6601c29e4d03f936e60ecee221a860f932
> > |# timestamp: 2016-04-08 07:51:00 +
> > |# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
> > |# base_revision_id: chtsa...@users.sourceforge.net-20160407163610-\
> > |#   yl8zzhc08l1ysv5f
> > |#
> > |# Begin patch
> > |=== modified file 'src/ipc/mem/Segment.cc'
> > |--- src/ipc/mem/Segment.cc 2016-04-03 23:41:58 +
> > |+++ src/ipc/mem/Segment.cc 2016-04-08 07:35:47 +
> > --
> > Patching file src/ipc/mem/Segment.cc using Plan A...
> > Hunk #1 failed at 91.
> > Hunk #2 succeeded at 105 (offset -4 lines).
> > Hunk #3 succeeded at 121 (offset -4 lines).
> > Hunk #4 succeeded at 151 (offset -1 lines).
> > 1 out of 4 hunks failed--saving rejects to src/ipc/mem/Segment.cc.rej
> > Hmm...  The next patch looks like a unified diff to me...
> > The text leading up to this was:
> > --
> > |
> > |=== modified file 'src/ipc/mem/Segment.h'
> > |--- src/ipc/mem/Segment.h  2016-03-24 17:02:25 +
> > |+++ src/ipc/mem/Segment.h  2016-04-08 07:35:47 +
> > --
> > Patching file src/ipc/mem/Segment.h using Plan A...
> > Hunk #1 succeeded at 53.
> > Hmm...  Ignoring the trailing garbage.
> > done
> >
> >
> > Then when I compile, the compilation fails as follows (though without
> the patch the compilation succeeds):
> >
> > libtool: compile:  clang++ -DHAVE_CONFIG_H
> -DDEFAULT_STATEDIR=\"/opt/squid-4/var/run/squid\" -I../.. -I../../include
> -I../../lib -I../../src -I../../include -I/usr/include -I/usr/include
> -I../../libltdl -I/usr/include -I/usr/local/include/libxml2
> -I/usr/local/include/libxml2 -Werror -Qunused-arguments
> -Wno-deprecated-register -D_REENTRANT -g -O2 -march=native -std=c++11
> -I/usr/local/include -MT mem/Pages.lo -MD -MP -MF mem/.deps/Pages.Tpo -c
> mem/Pages.cc  -fPIC -DPIC -o mem/.libs/Pages.o
> > libtool: compile:  clang++ -DHAVE_CONFIG_H
> -DDEFAULT_STATEDIR=\"/opt/squid-4/var/run/squid\" -I../.. -I../../include
> -I../../lib -I../../src -I../../include -I/usr/include -I/usr/include
> -I../../libltdl -I/usr/include -I/usr/local/include/libxml2
> -I/usr/local/include/libxml2 -Werror -Qunused-arguments
> -Wno-deprecated-register -D_REENTRANT -g -O2 -march=native -std=c++11
> -I/usr/local/include -MT mem/Pages.lo -MD -MP -MF mem/.deps/Pages.Tpo -c
> mem/Pages.cc -o mem/Pages.o >/dev/null 2>&1
> > depbase=`echo mem/PageStack.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;
> /bin/sh ../../libtool  --tag=CXX--mode=compile clang++ -DHAVE_CONFIG_H
> -DDEFAULT_STATEDIR=\"/opt/squid-4/var/run/squid\"-I../..
> -I../../include  -I../../lib -I../../src  -I../../include  -I/usr/include
> -I/usr/include  -I../../libltdl -I/usr/incl

Re: [squid-users] Error starting 3.5.16 on FreeBSD-8.4

2016-04-08 Thread Odhiambo Washington
geStack.Tpo -c mem/PageStack.cc -o mem/PageStack.o >/dev/null
2>&1
depbase=`echo mem/Segment.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`; /bin/sh
../../libtool  --tag=CXX--mode=compile clang++ -DHAVE_CONFIG_H
-DDEFAULT_STATEDIR=\"/opt/squid-4/var/run/squid\"-I../..
-I../../include  -I../../lib -I../../src  -I../../include  -I/usr/include
 -I/usr/include  -I../../libltdl -I/usr/include
-I/usr/local/include/libxml2  -I/usr/local/include/libxml2  -Werror
-Qunused-arguments -Wno-deprecated-register  -D_REENTRANT -g -O2
-march=native -std=c++11 -I/usr/local/include -MT mem/Segment.lo -MD -MP
-MF $depbase.Tpo -c -o mem/Segment.lo mem/Segment.cc && mv -f $depbase.Tpo
$depbase.Plo
libtool: compile:  clang++ -DHAVE_CONFIG_H
-DDEFAULT_STATEDIR=\"/opt/squid-4/var/run/squid\" -I../.. -I../../include
-I../../lib -I../../src -I../../include -I/usr/include -I/usr/include
-I../../libltdl -I/usr/include -I/usr/local/include/libxml2
-I/usr/local/include/libxml2 -Werror -Qunused-arguments
-Wno-deprecated-register -D_REENTRANT -g -O2 -march=native -std=c++11
-I/usr/local/include -MT mem/Segment.lo -MD -MP -MF mem/.deps/Segment.Tpo
-c mem/Segment.cc  -fPIC -DPIC -o mem/.libs/Segment.o
mem/Segment.cc:96:22: error: too few arguments to function call, single
argument 'err' was not specified
if (!createFresh() && errno == EEXIST) {
 ~~~ ^
../../src/ipc/mem/Segment.h:56:5: note: 'createFresh' declared here
bool createFresh(int );
^
mem/Segment.cc:98:21: error: too few arguments to function call, single
argument 'err' was not specified
createFresh();
~~~ ^
../../src/ipc/mem/Segment.h:56:5: note: 'createFresh' declared here
bool createFresh(int );
^
mem/Segment.cc:108:9: error: use of undeclared identifier 'xerrno'
xerrno = errno;
^
mem/Segment.cc:110:66: error: use of undeclared identifier 'xerrno'
debugs(54, 5, "ftruncate " << theName << ": " << xstrerr(xerrno));
 ^
../../src/Debug.h:107:21: note: expanded from macro 'debugs'
_dbo << CONTENT; \
^
mem/Segment.cc:112:45: error: use of undeclared identifier 'xerrno'
   theName.termedBuf(), xstrerr(xerrno));
^
5 errors generated.
*** Error code 1

Stop.
make[3]: stopped in /usr/home/wash/ILI/Squid/4.x/squid-4.0.8/src/ipc
*** Error code 1

Stop.
make[2]: stopped in /usr/home/wash/ILI/Squid/4.x/squid-4.0.8/src
*** Error code 1

Stop.
make[1]: stopped in /usr/home/wash/ILI/Squid/4.x/squid-4.0.8/src
*** Error code 1

Stop.
make: stopped in /usr/home/wash/ILI/Squid/4.x/squid-4.0.8


Okay, I know I am being a bug here myself since I am focused on 3.5 now
more than 4.x but I also like giving the little feedback I can from these
FreeBSD servers I have:-)





On 8 April 2016 at 17:19, Yuri Voinov <yvoi...@gmail.com> wrote:

>
> Seems fixed.
>
> http://bugs.squid-cache.org/show_bug.cgi?id=4486#c2
>
> 08.04.16 18:05, Amos Jeffries пишет:
> > On 8/04/2016 10:28 p.m., Odhiambo Washington wrote:
> >> Hello Yuri,
> >>
> >> Thanks, but this patch is for squid-4.0.8, right??
> >>
> >
> > Yes the patch in that bug report is specific to the latest 4.0 snapshot,
> > which Yuri is running.
> >
> > As Alex mentioned the errno usage in Squid was a bit wrong. The latest
> > 4.0 have a patch to fix that, which is causing Yuri's problem. Your 3.5
> > issue may or may not be related. But we wont know until after Yuri
> > applies that patch and checks the results.
> >
> > Amos
> >
>


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Error starting 3.5.16 on FreeBSD-8.4

2016-04-08 Thread Odhiambo Washington
On 8 April 2016 at 17:59, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 9/04/2016 2:38 a.m., Odhiambo Washington wrote:
> > Now that Yuri has reported success, shall I wait for something for
> 3.5.16??
>
> No that means his problem was unrelated to yours.
>

Alright.


>
> The 3.5.16 code in this area was correctly using errno. So the message
> it was giving you was correct for your issue.
>

:-)


>
> > Could it be that I am the only one trying 3.5.16 on this old version of
> > FreeBSD? I am saying that because it is running well on FreeBSD-10.3
> since
> > two days ago.
>
>
> Possibly yes. Or a compiler / stdlib related issue. 10 uses clang and
> 8.x use an old GCC IIRC.
>

How do I get round to fixing it then??


>
> >
> > There is another e-mail I sent about 4.0.8 failing to compile
> successfully
> > on FreeBSD 10.3. Still waiting for response on that too.
>
> If you mean the list query "compiling 4.0.8 on FreeBSD-10.1" I replied
> to yesterday.
>
>
I hadn't seen the reply. Lemme follow that advice.


> >
> > I'd like to 'transparently intercept' https traffic (facebook, youtube
> and
> > a few other sites which users love so much) and subject those to
> time-based
> > ACLs. I have been looking around the cookbooks/howtos and I cannot
> pinpoint
> > which one is the definitive one to follow. Is it this one:
> > http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> >
>
> Thats the best one we have in the wiki at the moment.
>


Hopefully I get 3.5.16 running, because 4.0.x doesn't compile on
FreeBSD-8.4, as follows:

[wash@gw ~/Tools/Squid/4.x/squid-4.0.8]$ ../build-4.sh
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... cfgaux/install-sh -c -d
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether UID '1001' is supported by ustar format... yes
checking whether GID '0' is supported by ustar format... yes
checking how to create a ustar tar archive... gnutar
checking whether to enable maintainer-specific portions of Makefiles... no
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking build system type... i386-unknown-freebsd8.4
checking host system type... i386-unknown-freebsd8.4
configure: CPU arch native optimization enabled: auto
checking whether compiler accepts -march=native... yes
checking simplified host os... freebsd (version 8.4)
checking whether g++ supports C++11 features by default... no
checking whether g++ supports C++11 features with -std=c++11... no
checking whether g++ supports C++11 features with -std=c++0x... no
configure: error: *** A compiler with support for C++11 language features
is required.
[wash@gw ~/Tools/Squid/4.x/squid-4.0.8]$ uname -a
FreeBSD gw.cVWWV.com 8.4-STABLE FreeBSD 8.4-STABLE #15: Sun May 17 14:28:17
EAT 2015 r...@gw.vwwv.com:/usr/obj/usr/src/sys/GW  i386







-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Error starting 3.5.16 on FreeBSD-8.4

2016-04-08 Thread Odhiambo Washington
Now that Yuri has reported success, shall I wait for something for 3.5.16??
Could it be that I am the only one trying 3.5.16 on this old version of
FreeBSD? I am saying that because it is running well on FreeBSD-10.3 since
two days ago.

There is another e-mail I sent about 4.0.8 failing to compile successfully
on FreeBSD 10.3. Still waiting for response on that too.

I'd like to 'transparently intercept' https traffic (facebook, youtube and
a few other sites which users love so much) and subject those to time-based
ACLs. I have been looking around the cookbooks/howtos and I cannot pinpoint
which one is the definitive one to follow. Is it this one:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit



On 8 April 2016 at 15:05, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 8/04/2016 10:28 p.m., Odhiambo Washington wrote:
> > Hello Yuri,
> >
> > Thanks, but this patch is for squid-4.0.8, right??
> >
>
> Yes the patch in that bug report is specific to the latest 4.0 snapshot,
> which Yuri is running.
>
> As Alex mentioned the errno usage in Squid was a bit wrong. The latest
> 4.0 have a patch to fix that, which is causing Yuri's problem. Your 3.5
> issue may or may not be related. But we won't know until after Yuri
> applies that patch and checks the results.
>
> Amos
>
>





Re: [squid-users] Error starting 3.5.16 on FreeBSD-8.4

2016-04-08 Thread Odhiambo Washington
Hello Yuri,

Thanks, but this patch is for squid-4.0.8, right??


If applied to 3.5.16, the compilation fails as follows:


depbase=`echo mem/Segment.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;
/bin/bash ../../libtool  --tag=CXX--mode=compile g++ -DHAVE_CONFIG_H
-DDEFAULT_STATEDIR=\"/opt/squid-3.5/var/run/squid\"-I../..
-I../../include  -I../../lib -I../../src  -I../../include  -I/usr/include
 -I/usr/include  -I../../libltdl -I/usr/include
-I/usr/local/include/libxml2  -I/usr/local/include/libxml2 -Wall
-Wpointer-arith -Wwrite-strings -Wcomments -Wshadow -Woverloaded-virtual
-Werror -pipe -D_REENTRANT -I/usr/local/include  -g -O2 -march=native
-I/usr/local/include -MT mem/Segment.lo -MD -MP -MF $depbase.Tpo -c -o
mem/Segment.lo mem/Segment.cc && mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  g++ -DHAVE_CONFIG_H
-DDEFAULT_STATEDIR=\"/opt/squid-3.5/var/run/squid\" -I../.. -I../../include
-I../../lib -I../../src -I../../include -I/usr/include -I/usr/include
-I../../libltdl -I/usr/include -I/usr/local/include/libxml2
-I/usr/local/include/libxml2 -Wall -Wpointer-arith -Wwrite-strings
-Wcomments -Wshadow -Woverloaded-virtual -Werror -pipe -D_REENTRANT
-I/usr/local/include -g -O2 -march=native -I/usr/local/include -MT
mem/Segment.lo -MD -MP -MF mem/.deps/Segment.Tpo -c mem/Segment.cc  -fPIC
-DPIC -o mem/.libs/Segment.o
mem/Segment.cc: In member function 'void Ipc::Mem::Segment::create(off_t)':
mem/Segment.cc:95: error: no matching function for call to
'Ipc::Mem::Segment::createFresh()'
../../src/ipc/mem/Segment.h:57: note: candidates are: bool
Ipc::Mem::Segment::createFresh(int&)
mem/Segment.cc:97: error: no matching function for call to
'Ipc::Mem::Segment::createFresh()'
../../src/ipc/mem/Segment.h:57: note: candidates are: bool
Ipc::Mem::Segment::createFresh(int&)
mem/Segment.cc:107: error: 'xerrno' was not declared in this scope
*** Error code 1

Stop in /usr/home/wash/Tools/Squid/3.5/squid-3.5.16/src/ipc.
*** Error code 1

Stop in /usr/home/wash/Tools/Squid/3.5/squid-3.5.16/src.
*** Error code 1

Stop in /usr/home/wash/Tools/Squid/3.5/squid-3.5.16/src.
*** Error code 1

Stop in /usr/home/wash/Tools/Squid/3.5/squid-3.5.16.



On 7 April 2016 at 22:15, Yuri Voinov <yvoi...@gmail.com> wrote:

>
>
> http://bugs.squid-cache.org/show_bug.cgi?id=4486
>
> 07.04.16 20:16, Amos Jeffries пишет:
> > On 7/04/2016 3:16 a.m., Odhiambo Washington wrote:
> >> I am getting the following error in cache.log:
> >>
> >> Squid Cache (Version 3.5.16): Terminated abnormally.
> >> CPU Usage: 0.082 seconds = 0.052 user + 0.030 sys
> >> Maximum Resident Size: 54992 KB
> >> Page faults with physical i/o: 0
> >> FATAL: Ipc::Mem::Segment::create failed to
> >> shm_open(/opt/squid-3.5/var/run/squid/cf__metadata.shm): (17) File
> exists
> >>
> >>
> >> However, that file doesn't exist.
> >>
> >
> > This can happen if you have a startup script that runs 'squid -z' or
> > similar just prior to starting the main proxy, and not waiting
> > sufficiently long for the -z run to finish.
> >
> > Amos
> >
>
>
>




Re: [squid-users] Error starting 3.5.16 on FreeBSD-8.4

2016-04-07 Thread Odhiambo Washington
On 7 April 2016 at 19:35, Alex Rousskov <rouss...@measurement-factory.com>
wrote:

> On 04/07/2016 08:21 AM, Odhiambo Washington wrote:
>
> > On 7 April 2016 at 17:16, Amos Jeffries wrote:
> >
> > On 7/04/2016 3:16 a.m., Odhiambo Washington wrote:
> > > I am getting the following error in cache.log:
> > >
> > > Squid Cache (Version 3.5.16): Terminated abnormally.
> > > FATAL: Ipc::Mem::Segment::create failed to
> > > shm_open(/opt/squid-3.5/var/run/squid/cf__metadata.shm): (17) File
> exists
> > >
> > > However, that file doesn't exist.
>
> > This can happen if you have a startup script that runs 'squid -z' or
> > similar just prior to starting the main proxy, and not waiting
> > sufficiently long for the -z run to finish.
>
>
> > I am gonna check this out again tonight although I doubt if that is the
> > cause.
> >
> > I run squid using daemontools, invoked as:
> >
> > exec setuidgid root /opt/squid-3.5/sbin/squid -f
> > /opt/squid-3.5/etc/squid.conf -N
> >
> > /opt/squid-3.5/var/run/squid/ is actually empty when I get this error.
>
>
> I see two possibilities:
>
> 1. The file was there at the time the error was triggered but was not
> there at the time you checked the directory. This would mean that
> something is starting a second Squid while the first Squid has not
> removed the shared memory segment file (yet). Amos mentioned one such
> common scenario (not waiting for background squid-z) but there are
> others, possibly including handling of Squid crashes. Do you see any
> other errors, assertions, or FATAL messages in your cache.log?
>
> 2. Squid code that is trying to open the shared segment is broken or,
> more likely, not compatible with your FreeBSD environment. For example,
> it tries to exclusively create a shared segment using the wrong name.
>
> If you can reproduce this, I recommend starting Squid via strace (or
> equivalent) to see the system calls that Squid is making when calling
> shm_open() and the exact call parameters. This can confirm or eliminate
> #2 as the suspect.
>
>
> HTH,
>
> Alex.
>

All I get from running strace -ff -vvv -o /tmp/squid-strace.txt
/opt/squid-3.5/sbin/squid -f /opt/squid-3.5/etc/squid.conf:
..
pread: Device busy
pread: Device busy
pread: Device busy
pread: Device busy
pread: Device busy
pread: Device busy
pread: Device busy
pread: Device busy
pread: Device busy
pread: Device busy
pread: Device busy
pread: Device busy
PIOCRUN: Input/output error
trouble opening proc file




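Alex's possibility #2 and Amos's `squid -z` race both come down to the exclusive-create semantics of POSIX shared memory: a second shm_open(O_CREAT|O_EXCL) on a name that is still registered fails with EEXIST (17), and the name stays registered until something calls shm_unlink. On FreeBSD 8 and later that namespace is kept by the kernel rather than as files, so `ls` of the run directory shows nothing even while the segment exists. The C program below is an added example, not Squid's code; the segment name is constructed and the steps only mimic what Ipc::Mem::Segment's create and unlink do.

```c
/* Added example (not Squid's code): reproduce the exclusive-create failure
 * behind "Ipc::Mem::Segment::create failed to shm_open(...): (17) File exists"
 * and show why a stale segment can exist with no file in the run directory. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed name for this demo. Squid uses cf__metadata.shm under its
 * run directory; a plain "/name" keeps this portable (Linux rejects
 * embedded slashes in POSIX shm names). */
#define EXAMPLE_SEGMENT "/squid_example_cf__metadata.shm"

/* Exclusively create a segment of the given size, as a freshly started
 * Squid does. Returns 0 on success or the errno value on failure
 * (EEXIST, numerically 17 on FreeBSD and Linux, when the name is taken). */
int create_fresh(const char *name, off_t size)
{
    int fd = shm_open(name, O_CREAT | O_EXCL | O_RDWR, 0600);
    if (fd < 0)
        return errno;
    if (ftruncate(fd, size) < 0) {
        int saved = errno;
        close(fd);
        shm_unlink(name);     /* do not leave a half-made segment behind */
        return saved;
    }
    close(fd);
    return 0;
}

/* Check whether a segment of that name is still registered, without
 * creating one. Returns 1 if present, 0 if absent, -1 on any other error. */
int segment_exists(const char *name)
{
    int fd = shm_open(name, O_RDWR, 0);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return errno == ENOENT ? 0 : -1;
}

/* Release the name, as Squid does on a clean shutdown. Returns 0 or errno. */
int remove_segment(const char *name)
{
    return shm_unlink(name) == 0 ? 0 : errno;
}

/* Walk the scenario end to end. Return codes:
 *   0  as expected: first creator wins, second gets EEXIST, the name
 *      stays registered until shm_unlink, then it is gone
 *   1  second creator did NOT get EEXIST, or the name did not linger
 *   2  name still present after shm_unlink
 *   3  POSIX shared memory unavailable here (first create failed) */
int run_scenario(void)
{
    int first, second, lingering, after_unlink;

    remove_segment(EXAMPLE_SEGMENT);              /* start from a clean slate */

    first = create_fresh(EXAMPLE_SEGMENT, 4096);  /* the "first Squid" */
    if (first != 0)
        return 3;

    second = create_fresh(EXAMPLE_SEGMENT, 4096); /* second instance / early restart */
    lingering = segment_exists(EXAMPLE_SEGMENT);  /* first one never unlinked */

    remove_segment(EXAMPLE_SEGMENT);              /* what a clean shutdown does */
    after_unlink = segment_exists(EXAMPLE_SEGMENT);

    if (second != EEXIST || lingering != 1)
        return 1;
    if (after_unlink != 0)
        return 2;
    return 0;
}

int main(void)
{
    int rc = run_scenario();
    printf("scenario result: %d%s\n", rc,
           rc == 0 ? " (second create failed with EEXIST, as in cache.log)" : "");
    return rc;
}
```

On a box showing the cache.log error, the same probe run before starting Squid tells you whether the name is still registered from a previous run or whether the second creator is racing a live one.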

[squid-users] compiling 4.0.8 on FreeBSD-10.1

2016-04-06 Thread Odhiambo Washington
/include -I../libltdl -I/usr/include
-I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Werror
-Qunused-arguments -Wno-deprecated-register -D_REENTRANT -g -O2
-march=native -std=c++11 -I/usr/local/include -MT debug.lo -MD -MP -MF
.deps/debug.Tpo -c debug.cc -o debug.o >/dev/null 2>&1
depbase=`echo eui64_aton.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`; /bin/sh
../libtool  --tag=CC--mode=compile gcc -DHAVE_CONFIG_H-I..
-I../include  -I../lib -I../src  -I../include  -I/usr/include
 -I/usr/include  -I../libltdl -I/usr/include -I/usr/local/include/libxml2
 -Werror -Qunused-arguments  -D_REENTRANT -g -O2 -I/usr/local/include -MT
eui64_aton.lo -MD -MP -MF $depbase.Tpo -c -o eui64_aton.lo eui64_aton.c &&
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  gcc -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src
-I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include
-I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -g -O2
-I/usr/local/include -MT eui64_aton.lo -MD -MP -MF .deps/eui64_aton.Tpo -c
eui64_aton.c  -fPIC -DPIC -o .libs/eui64_aton.o
gcc: error: unrecognized command line option '-Qunused-arguments'
*** Error code 1

Stop.
make[1]: stopped in /usr/home/wash/ILI/Squid/4.x/squid-4.0.8/compat
*** Error code 1

Stop.
make: stopped in /usr/home/wash/ILI/Squid/4.x/squid-4.0.8




[squid-users] Error starting 3.5.16 on FreeBSD-8.4

2016-04-06 Thread Odhiambo Washington
I am getting the following error in cache.log:

Squid Cache (Version 3.5.16): Terminated abnormally.
CPU Usage: 0.082 seconds = 0.052 user + 0.030 sys
Maximum Resident Size: 54992 KB
Page faults with physical i/o: 0
FATAL: Ipc::Mem::Segment::create failed to
shm_open(/opt/squid-3.5/var/run/squid/cf__metadata.shm): (17) File exists


However, that file doesn't exist.




Re: [squid-users] Squid-4.0.4 on FreeBSD

2016-01-13 Thread Odhiambo Washington
[root@mail /usr/home/wash/ILI/Squid/4.x/squid-4.0.4]# make
Making all in compat
depbase=`echo eui64_aton.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`; /bin/sh
../libtool  --tag=CC--mode=compile gcc -DHAVE_CONFIG_H-I..
-I../include  -I../lib -I../src  -I../include  -I/usr/include
 -I/usr/include  -I../libltdl -I/usr/include -I/usr/local/include/libxml2
 -Werror -Qunused-arguments  -D_REENTRANT  -MT eui64_aton.lo -MD -MP -MF
$depbase.Tpo -c -o eui64_aton.lo eui64_aton.c && mv -f $depbase.Tpo
$depbase.Plo
libtool: compile:  gcc -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src
-I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include
-I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -MT
eui64_aton.lo -MD -MP -MF .deps/eui64_aton.Tpo -c eui64_aton.c  -fPIC -DPIC
-o .libs/eui64_aton.o
gcc: error: unrecognized command line option '-Qunused-arguments'
*** Error code 1

Stop.
make[1]: stopped in /usr/home/wash/ILI/Squid/4.x/squid-4.0.4/compat
*** Error code 1

Stop.
make: stopped in /usr/home/wash/ILI/Squid/4.x/squid-4.0.4



On 13 January 2016 at 18:28, Kinkie <gkin...@gmail.com> wrote:

> Hi,
>    I see that there is no -I/usr/local/include option to the compiler.
>
> Add that as CPPFLAGS when calling configure
> (e.g.
> CPPFLAGS=-I/usr/local/include ./configure
> )
> this should fix the build for you.
>
>
> On Wed, Jan 13, 2016 at 4:25 PM, Odhiambo Washington <odhia...@gmail.com>
> wrote:
> > I am trying to compile on FreeBSD 10.1-RELEASE-amd64
> >
> >
> > 
> > /bin/sh ../libtool  --tag=CC   --mode=compile clang -DHAVE_CONFIG_H
>  -I..
> > -I../include -I../lib -I../src -I../include  -I/usr/include
> -I/usr/include
> > -I../libltdl -I/usr/include -I/usr/local/include/libxml2  -Werror
> > -Qunused-arguments  -D_REENTRANT  -MT md5.lo -MD -MP -MF $depbase.Tpo -c
> -o
> > md5.lo md5.c &&\
> > mv -f $depbase.Tpo $depbase.Plo
> > libtool: compile:  clang -DHAVE_CONFIG_H -I.. -I../include -I../lib
> -I../src
> > -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include
> > -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -MT
> > md5.lo -MD -MP -MF .deps/md5.Tpo -c md5.c  -fPIC -DPIC -o .libs/md5.o
> > In file included from md5.c:41:
> > ../include/md5.h:13:10: fatal error: 'nettle/md5.h' file not found
> > #include <nettle/md5.h>
> >  ^
> > 1 error generated.
> > Makefile:956: recipe for target 'md5.lo' failed
> > gmake[2]: *** [md5.lo] Error 1
> > gmake[2]: Leaving directory
> '/usr/home/wash/ILI/Squid/4.x/squid-4.0.4/lib'
> > Makefile:1001: recipe for target 'all-recursive' failed
> > gmake[1]: *** [all-recursive] Error 1
> > gmake[1]: Leaving directory
> '/usr/home/wash/ILI/Squid/4.x/squid-4.0.4/lib'
> > Makefile:579: recipe for target 'all-recursive' failed
> > gmake: *** [all-recursive] Error 1
> >
> > 
> >
> >
> >
> > But the file is there ...
> >
> >
> > wash@mail:~/ILI/Squid/4.x/squid-4.0.4$ ls -al
> > /usr/local/include/nettle/md5.h
> > -rw-r--r--  1 root  wheel  2023 Jan  7  2015
> /usr/local/include/nettle/md5.h
> >
> >
> >
>
>
>
> --
> Francesco
>





[squid-users] Squid-4.0.4 on FreeBSD

2016-01-13 Thread Odhiambo Washington
I am trying to compile on FreeBSD 10.1-RELEASE-amd64



/bin/sh ../libtool  --tag=CC   --mode=compile clang -DHAVE_CONFIG_H   -I..
-I../include -I../lib -I../src -I../include  -I/usr/include  -I/usr/include
 -I../libltdl -I/usr/include -I/usr/local/include/libxml2  -Werror
-Qunused-arguments  -D_REENTRANT  -MT md5.lo -MD -MP -MF $depbase.Tpo -c -o
md5.lo md5.c &&\
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  clang -DHAVE_CONFIG_H -I.. -I../include -I../lib
-I../src -I../include -I/usr/include -I/usr/include -I../libltdl
-I/usr/include -I/usr/local/include/libxml2 -Werror -Qunused-arguments
-D_REENTRANT -MT md5.lo -MD -MP -MF .deps/md5.Tpo -c md5.c  -fPIC -DPIC -o
.libs/md5.o
In file included from md5.c:41:
../include/md5.h:13:10: fatal error: 'nettle/md5.h' file not found
#include <nettle/md5.h>
 ^
1 error generated.
Makefile:956: recipe for target 'md5.lo' failed
gmake[2]: *** [md5.lo] Error 1
gmake[2]: Leaving directory '/usr/home/wash/ILI/Squid/4.x/squid-4.0.4/lib'
Makefile:1001: recipe for target 'all-recursive' failed
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory '/usr/home/wash/ILI/Squid/4.x/squid-4.0.4/lib'
Makefile:579: recipe for target 'all-recursive' failed
gmake: *** [all-recursive] Error 1





But the file is there ...


wash@mail:~/ILI/Squid/4.x/squid-4.0.4$ ls -al
/usr/local/include/nettle/md5.h
-rw-r--r--  1 root  wheel  2023 Jan  7  2015 /usr/local/include/nettle/md5.h




Re: [squid-users] Squid-3.5.2 and FreeBSD 10.1

2015-02-20 Thread Odhiambo Washington
On 20 February 2015 at 13:57, Amos Jeffries squ...@treenet.co.nz wrote:

 On 20/02/2015 10:09 p.m., Odhiambo Washington wrote:
  On 20 February 2015 at 04:15, Amos Jeffries squ...@treenet.co.nz
 wrote:
 
  On 20/02/2015 5:15 a.m., Odhiambo Washington wrote:
  On 19 February 2015 at 15:12, Odhiambo Washington odhia...@gmail.com
  wrote:
 
  Hi Amos,
 
  I did see that thread. However, the discussion was still continuing
  then.
 
 
  I will apply it to my server and see.
 
  Reporting back today!
 
 
 
  On 19 February 2015 at 14:07, Amos Jeffries squ...@treenet.co.nz
  wrote:
 
  On 19/02/2015 10:49 p.m., Odhiambo Washington wrote:
  I have been hoping that 3.5.2 would possibly help address my
 problems
  with
  ACLs, but alas!
 
  Ah, I thought you saw this announcement made just after your last
  message in Jan:
 
  
 
 
 http://lists.squid-cache.org/pipermail/squid-users/2015-January/001745.html
 
 
  It sounds very much like what your last few threads have been
  describing as happening. Signal handling issues will affect all the
  squid -k operations.
 
  Amos
 
 
 
  I have compiled a custom kernel after applying this patch mentioned in
  that
  thread.
 
  Er. There were two patches mentioned as being applied in the FreeBSD
  mail and bug reports.
 
 
  wash@mail:~$ uname -a
  FreeBSD mail.ili.or.ug 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #4: Thu
  Feb
  19 16:55:56 EAT 2015 r...@mail.ili.or.ug:/usr/obj/usr/src/sys
  /BEASTIE-10.x  amd64
 
 
  However, my issues still persist.
 
  root@mail:/opt # /opt/squid-3.5.2/sbin/squid -k reconfigure
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
 
 
  Would this then suggest there is a problem with my squid.conf
  http://pastebin.com/wwwcnHnF ?
 
  Or the FreeBSD problem isn't quite solved?
 
 
  Could you re-state what the problem is?
 
  Now that your pastebin has expired, all we have on record about this problem
  is the sentence: it's crashing with errors as seen from DEAD URL
 
 
 
  Generally, Squid seems to partially ignore my time-based ACLS as seen in
  the squid.conf
 

 Oh. I thought you were talking about crashes still since you keep
 posting that -k reconfigure output (it's odd, but only in that it should
 not be that visible).



  It would block one site but allow the others. I expect a standard
 blocking
  within the specified time.
 
  I have not been able to figure out why.
 
  For instance, my ACL for TIMEWASTAGESITED contains .facebook.com, .
 gmail.com
  and .youtube.com as dstdomains.
 
  I find that youtube.com is blocked while facebook.com is not blocked.
 Both
  should be blocked at this time (11:58)
 
  root@mail:/opt/squid-3.5.2/etc # tail -f
 /usr/local/squid/logs/access.log |
  grep DENIED
  1424422669.545456 192.168.2.2 TCP_DENIED/403 4345 GET
  http://youtube.com/ - HIER_NONE/- text/html
  1424422671.910  1 192.168.2.2 TCP_DENIED/403 4291 GET
  http://youtube.com/favicon.ico - HIER_NONE/- text/html
 
  root@mail:/opt/squid-3.5.2/etc # tail -f
 /usr/local/squid/logs/access.log |
  grep 192.168.2.2
  1424422669.545456 192.168.2.2 TCP_DENIED/403 4345 GET
  http://youtube.com/ - HIER_NONE/- text/html
  1424422671.910  1 192.168.2.2 TCP_DENIED/403 4291 GET
  http://youtube.com/favicon.ico - HIER_NONE/- text/html
  1424422710.537863 192.168.2.2 TCP_MISS/400 372 POST
  http://bench.utorrent.com/e?i=36 - ORIGINAL_DST/54.221.228.66 text/html
  1424422710.578903 192.168.2.2 TCP_MISS/400 372 POST
  http://bench.utorrent.com/e?i=36 - ORIGINAL_DST/54.197.243.221 text/html
  1424422755.202   1239 192.168.2.2 TCP_MISS/200 280 POST
  http://bench.utorrent.com/e?i=20 - ORIGINAL_DST/54.243.183.178 text/html
  1424422756.602846 192.168.2.2 TCP_MISS/200 1016 GET
  http://cdn.ap.bittorrent.com/control/feature/tags/ut.json -
 ORIGINAL_DST/
  54.230.128.
  193 application/json
  1424422895.279593 192.168.2.2 TCP_MISS/404 1792 GET
  http://www.gstatic.com/chrome/profile_avatars/NothingToDownload -
  ORIGINAL_DST/196.0
  .3.114 text/html
 
 
  The odd part:
 
  While facebook.com and gmail.com are accessible, nothing

Re: [squid-users] Squid-3.5.2 and FreeBSD 10.1

2015-02-20 Thread Odhiambo Washington
On 20 February 2015 at 04:15, Amos Jeffries squ...@treenet.co.nz wrote:

 On 20/02/2015 5:15 a.m., Odhiambo Washington wrote:
  On 19 February 2015 at 15:12, Odhiambo Washington odhia...@gmail.com
  wrote:
 
  Hi Amos,
 
  I did see that thread. However, the discussion was still continuing
 then.
 
 
  I will apply it to my server and see.
 
  Reporting back today!
 
 
 
  On 19 February 2015 at 14:07, Amos Jeffries squ...@treenet.co.nz
 wrote:
 
  On 19/02/2015 10:49 p.m., Odhiambo Washington wrote:
  I have been hoping that 3.5.2 would possibly help address my problems
  with
  ACLs, but alas!
 
  Ah, I thought you saw this announcement made just after your last
  message in Jan:
 
  
 
 http://lists.squid-cache.org/pipermail/squid-users/2015-January/001745.html
 
 
  It sounds very much like what your last few threads have been
  describing as happening. Signal handling issues will affect all the
  squid -k operations.
 
  Amos
 
 
 
  I have compiled a custom kernel after applying this patch mentioned in
 that
  thread.

 Er. There were two patches mentioned as being applied in the FreeBSD
 mail and bug reports.

 
  wash@mail:~$ uname -a
  FreeBSD mail.ili.or.ug 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #4: Thu
 Feb
  19 16:55:56 EAT 2015 r...@mail.ili.or.ug:/usr/obj/usr/src/sys
  /BEASTIE-10.x  amd64
 
 
  However, my issues still persist.
 
  root@mail:/opt # /opt/squid-3.5.2/sbin/squid -k reconfigure
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
  2015/02/19 19:10:53.639| Acl.cc(380) ~ACL: freeing ACL
 
 
  Would this then suggest there is a problem with my squid.conf
  http://pastebin.com/wwwcnHnF ?
 
  Or the FreeBSD problem isn't quite solved?
 

 Could you re-state what the problem is?

 Now that your pastebin has expired, all we have on record about this problem
 is the sentence: it's crashing with errors as seen from DEAD URL



Generally, Squid seems to partially ignore my time-based ACLS as seen in
the squid.conf

It would block one site but allow the others. I expect a standard blocking
within the specified time.

I have not been able to figure out why.

For instance, my ACL for TIMEWASTAGESITED contains .facebook.com, .gmail.com
and .youtube.com as dstdomains.

I find that youtube.com is blocked while facebook.com is not blocked. Both
should be blocked at this time (11:58)

root@mail:/opt/squid-3.5.2/etc # tail -f /usr/local/squid/logs/access.log |
grep DENIED
1424422669.545456 192.168.2.2 TCP_DENIED/403 4345 GET
http://youtube.com/ - HIER_NONE/- text/html
1424422671.910  1 192.168.2.2 TCP_DENIED/403 4291 GET
http://youtube.com/favicon.ico - HIER_NONE/- text/html

root@mail:/opt/squid-3.5.2/etc # tail -f /usr/local/squid/logs/access.log |
grep 192.168.2.2
1424422669.545456 192.168.2.2 TCP_DENIED/403 4345 GET
http://youtube.com/ - HIER_NONE/- text/html
1424422671.910  1 192.168.2.2 TCP_DENIED/403 4291 GET
http://youtube.com/favicon.ico - HIER_NONE/- text/html
1424422710.537863 192.168.2.2 TCP_MISS/400 372 POST
http://bench.utorrent.com/e?i=36 - ORIGINAL_DST/54.221.228.66 text/html
1424422710.578903 192.168.2.2 TCP_MISS/400 372 POST
http://bench.utorrent.com/e?i=36 - ORIGINAL_DST/54.197.243.221 text/html
1424422755.202   1239 192.168.2.2 TCP_MISS/200 280 POST
http://bench.utorrent.com/e?i=20 - ORIGINAL_DST/54.243.183.178 text/html
1424422756.602846 192.168.2.2 TCP_MISS/200 1016 GET
http://cdn.ap.bittorrent.com/control/feature/tags/ut.json - ORIGINAL_DST/
54.230.128.
193 application/json
1424422895.279593 192.168.2.2 TCP_MISS/404 1792 GET
http://www.gstatic.com/chrome/profile_avatars/NothingToDownload -
ORIGINAL_DST/196.0
.3.114 text/html


The odd part:

While facebook.com and gmail.com are accessible, nothing appears at all in
the access.log and cache.log (debug mode) about them yet this is an
intercept proxy. The sites just load. No log entries :(

I am willing to give access to both the Squid Server and the test machine
if someone can figure this out for me.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler

Re: [squid-users] Squid-3.5.2 and FreeBSD 10.1

2015-02-20 Thread Odhiambo Washington
When I configure the browser to manually use proxy, the pages fail to load
and here is what I get:

root@mail:/opt/squid-3.5.2/etc # tail -f /usr/local/squid/logs/access.log |
grep 192.168.2.2
1424434499.542   1411 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434499.542111 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434499.542361 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434499.542592 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434499.543   1025 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434499.553  1 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434499.553  1 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434499.553  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434499.555  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434499.560  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434499.658  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434501.789459 192.168.2.2 TAG_NONE/409 4309 CONNECT
mail.google.com:443 - HIER_NONE/- text/html
1424434502.053  0 192.168.2.2 TAG_NONE/409 4309 CONNECT
mail.google.com:443 - HIER_NONE/- text/html
1424434507.086  0 192.168.2.2 TAG_NONE/409 4309 CONNECT
mail.google.com:443 - HIER_NONE/- text/html
1424434537.127  0 192.168.2.2 TAG_NONE/409 4309 CONNECT
mail.google.com:443 - HIER_NONE/- text/html
1424434538.527  2 192.168.2.254 TCP_MISS/403 4246 GET
http://www.gstatic.com/generate_204 - HIER_NONE/- text/html
1424434538.527   1401 192.168.2.2 TCP_MISS/403 4339 GET
http://www.gstatic.com/generate_204 - ORIGINAL_DST/192.168.2.254 text/html
1424434541.027  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434541.166  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434541.325  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434541.465  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434541.791  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434542.091  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434542.185  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434542.297  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434542.490  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434542.680  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434542.845  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434543.036  0 192.168.2.2 TAG_NONE/409 4306 CONNECT
www.google.com:443 - HIER_NONE/- text/html
1424434543.258205 192.168.2.2 TAG_NONE/409 4300 CONNECT facebook.com:443
- HIER_NONE/- text/html
1424434543.324  0 192.168.2.2 TAG_NONE/409 4300 CONNECT facebook.com:443
- HIER_NONE/- text/html
1424434544.384  0 192.168.2.2 TAG_NONE/409 4300 CONNECT facebook.com:443
- HIER_NONE/- text/html
1424434544.596  0 192.168.2.2 TAG_NONE/409 4300 CONNECT facebook.com:443
- HIER_NONE/- text/html
1424434549.609  0 192.168.2.2 TAG_NONE/409 4300 CONNECT facebook.com:443
- HIER_NONE/- text/html



On 20 February 2015 at 15:05, Amos Jeffries squ...@treenet.co.nz wrote:

 On 21/02/2015 12:35 a.m., Odhiambo Washington wrote:
  On 20 February 2015 at 13:57, Amos Jeffries squ...@treenet.co.nz
 wrote:
 
  On 20/02/2015 10:09 p.m., Odhiambo Washington wrote:
  On 20 February 2015 at 04:15, Amos Jeffries squ...@treenet.co.nz
  wrote:
 
  On 20/02/2015 5:15 a.m., Odhiambo Washington wrote:
  On 19 February 2015 at 15:12, Odhiambo Washington 
 odhia...@gmail.com
  wrote:
 
  Hi Amos,
 
  I did see that thread. However, the discussion was still continuing
  then.
 
 
  I will apply it to my server and see.
 
  Reporting back today!
 
 
 
  On 19 February 2015 at 14:07, Amos Jeffries squ...@treenet.co.nz
  wrote:
 
  On 19/02/2015 10:49 p.m., Odhiambo Washington wrote:
  I have been hoping that 3.5.2 would possibly help address my
  problems
  with
  ACLs, but alas!
 
  Ah, I thought you saw this announcement made just after your last
  message in Jan:
 
  
 
 
 
 http://lists.squid-cache.org/pipermail/squid-users/2015-January/001745.html
 
 
  It sounds very much like what your last few threads have been
  describing as happening. Signal handling issues will affect all the
  squid -k operations.
 
  Amos
 
 
 
  I have compiled a custom kernel

Re: [squid-users] Squid-3.5.2 and FreeBSD 10.1

2015-02-20 Thread Odhiambo Washington
On 20 February 2015 at 17:29, Eliezer Croitoru elie...@ngtech.co.il wrote:

 On 19/02/2015 11:49, Odhiambo Washington wrote:

 I have been hoping that 3.5.2 would possibly help address my problems with
 ACLs, but alas!


 Sorry for hijacking the thread but the wiki freebsd buildfarm node install
 page:
 http://wiki.squid-cache.org/BuildFarm/FreeBsdInstall

 Doesn't include any information regarding FBSD 10.
 Any directions? I assume that the wiki applies to 10.1 also?


I haven't used jenkins, but in 10.x, `pkg install ...` is what is
recommended.
From that wiki, go with the instructions for 9+ as they apply to 10 and
above.




[squid-users] Squid-3.5.2 and FreeBSD 10.1

2015-02-19 Thread Odhiambo Washington
I have been hoping that 3.5.2 would possibly help address my problems with
ACLs, but alas!

root@mail:~wash/ILI/Squid/3.5/squid-3.5.2 # /opt/squid-3.5.1/sbin/squid -v
Squid Cache: Version 3.5.2
Service Name: squid
configure options:  '--prefix=/opt/squid-3.5.1' '--enable-removal-policies=lru
heap' '--disable-epoll' '--enable-auth' '--enable-auth-basic=DB NCSA PAM
PAM POP3 SSPI' '--enable-external-acl-helpers=session unix_group
file_userip' '--enable-auth-negotiate=kerberos' '--with-pthreads'
'--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools'
'--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db'
'--enable-cache-digests' '--enable-wccpv2'
'--enable-follow-x-forwarded-for' '--with-large-files'
'--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
'--enable-icap-client' '--enable-kill-parent-hack' '--enable-ssl'
'--enable-leakfinder' '--enable-ssl-crtd' '--enable-url-rewrite-helpers'
'--enable-xmalloc-statistics' '--enable-stacktraces' '--enable-zph-qos'
'--enable-eui' '--with-nat-devpf' '--enable-pf-transparent' 'CC=clang'
'CXX=clang++' --enable-ltdl-convenience


root@mail:~wash/ILI/Squid/3.5/squid-3.5.2 # /opt/squid-3.5.1/sbin/squid -k reconfigure
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL
2015/02/19 12:45:32.653| Acl.cc(380) ~ACL: freeing ACL


Is anyone running this version of FreeBSD and NOT seeing the problem I
have? Maybe it's a FreeBSD-10.1 specific bug and not Squid's.

I'd really love to get help with this, as it leads to Squid intermittently
(though more often) just ignoring my ACLs.



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.


Re: [squid-users] Squid-3.5.2 and FreeBSD 10.1

2015-02-19 Thread Odhiambo Washington
Hi Amos,

I did see that thread. However, the discussion was still continuing then.


I will apply it to my server and see.

Reporting back today!



On 19 February 2015 at 14:07, Amos Jeffries squ...@treenet.co.nz wrote:

 On 19/02/2015 10:49 p.m., Odhiambo Washington wrote:
  I have been hoping that 3.5.2 would possibly help address my problems
 with
  ACLs, but alas!

 Ah, I thought you saw this announcement made just after your last
 message in Jan:

 
 http://lists.squid-cache.org/pipermail/squid-users/2015-January/001745.html
 

 It sounds very much like what your last few threads have been
 describing as happening. Signal handling issues will affect all the
 squid -k operations.

 Amos





-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.


Re: [squid-users] Squid versions and FreeBSD-10.1 headache

2015-01-23 Thread Odhiambo Washington
On 23 January 2015 at 16:29, Amos Jeffries squ...@treenet.co.nz wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 24/01/2015 2:13 a.m., Odhiambo Washington wrote:
  On 23 January 2015 at 15:47, Yuri Voinov yvoi...@gmail.com
  wrote:
 
 
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
  Once more. You CANNOT have a web server or any other service
  listening on port 80 on the same host as a transparent Squid
  proxy. This is the one and only reason you have looping.
 
  Look. On my transparent 3.4.11 (which was earlier 2.7), IPFilter
  redirects port 80 to the proxy. My web server on the same host
  listens only on 8080, 8088 and  ports. No service except NAT
  is using port 80.
 
  And finally, I have had no looping for 4 years.
 
  Obvious, isn't it?
 
 
  Not so obvious.
 
  I have several servers with Apache listening on 80,443 which
  don't have this problem! I can give you access to one of them to
  see for yourself if you need to believe.
 
  Anyway, this still doesn't help me. After changing my apache to
  port 8080 and firing up squid-3.5.1, I get access denied for all
  requests: http://pastebin.com/1fMSE1U9
 


 Aha, here is the heart of problem:

 2015/01/23 15:59:34.455| client_side.cc(2320) parseHttpRequest: HTTP
 Client local=127.0.0.1:13128 remote=192.168.2.165:54234 FD 14 flags=33


 The local= value shows what the machine NAT system told Squid the
 original destination IP of the client connection was.

 Resulting in the to_localhost ACL denying the client access through
 the proxy.


So the simple solution would be to change what in my squid.conf -
http://pastebin.com/L16cDmRp



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.


Re: [squid-users] Squid versions and FreeBSD-10.1 headache

2015-01-23 Thread Odhiambo Washington
On 23 January 2015 at 16:40, Amos Jeffries squ...@treenet.co.nz wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
  On 23 January 2015 at 16:07, Amos Jeffries squ...@treenet.co.nz
  wrote:
 
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
  On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
 
  Once more. You CANNOT have a web server or any other
  service listening on port 80 on the same host as a transparent
  Squid proxy. This is the one and only reason you have looping.
 
 
  That is not correct. It can be done, but depends on how the
  firewall operates and what ruleset is used.
 
  One has to intercept traffic transiting the machine, but ignore
  traffic destined *to* or *from* the local machines running
  processes.
 
  Look. On my transparent 3.4.11 (which was earlier 2.7), IPFilter
  redirects port 80 to the proxy. My web server on the same host
  listens only on 8080, 8088 and  ports. No service except
  NAT is using port 80.
 
  And finally, I have had no looping for 4 years.
 
  Obvious, isn't it?
 
 
  Maybe there was, maybe there wasn't.
 
  Squid-2.7 ignored a lot of NAT related errors and even silently
  did some Very Bad Things(tm) - none of which Squid-3.2+ will
  allow to happen anymore.
 
 
  Odhiambo: I suspect it might be related to your use of rdr
  firewall rules. In OpenBSD PF at least rdr rules do not work
  properly and divert-to rules need to be used instead (divert-to
  can be used for either TPROXY or NAT Squid listening ports on
  BSD).
 
 
 
  I am thinking Squid-3.2+ is evil :-)
 
  Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v And my
  IPFilter rules are here: http://pastebin.com/JQ77X01H
 
  I need to figure out why squid is DENYing all access ..
 

 Can you update me on what the squid -v output is from the Squid build
 you are having issues with please?

 Amos


root@mail:/usr/src # /opt/squid35/sbin/squid -v
Squid Cache: Version 3.5.1-20150120-r13736
Service Name: squid
configure options:  '--prefix=/opt/squid35' '--enable-removal-policies=lru
heap' '--disable-epoll' '--enable-auth' '--enable-auth-basic=DB NCSA PAM
PAM POP3 SSPI' '--enable-external-acl-helpers=session unix_group
file_userip' '--enable-auth-negotiate=kerberos' '--with-pthreads'
'--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools'
'--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db'
'--enable-cache-digests' '--enable-wccpv2'
'--enable-follow-x-forwarded-for' '--with-large-files'
'--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
'--enable-icap-client' '--enable-kill-parent-hack' '--enable-ssl'
'--enable-leakfinder' '--enable-ssl-crtd' '--enable-url-rewrite-helpers'
'--enable-xmalloc-statistics' '--enable-stacktraces' '--enable-zph-qos'
'--enable-eui' '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'
--enable-ltdl-convenience


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.


[squid-users] Squid versions and FreeBSD-10.1 headache

2015-01-23 Thread Odhiambo Washington
:26:48| CBDATA memory leak. cbdata=0x804ab8458 CommCalls.cc:21
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8094c8058
store_client.cc:154
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8049e9498
store_client.cc:337
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x804b1d718
clientStream.cc:235
2015/01/23 13:26:48| CBDATA memory leak. cbdata=0x8048b2558 Checklist.cc:320

I am running squid like:
/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf -N

I do not see any coredumps with this scenario even when I run with -NCd1

For the time being I have opted to run squid with cache_log set to
/dev/null. Not elegant at all.

So my questions:

Is anyone else here successfully running squid (3.4.10 or 3.5.x) in
intercept mode on FreeBSD 10.x using either PF or IPFilter?

I'd really love to compare notes. Maybe that will help clear my current
brain-lock!

Technically, I have reached my /etc on this one.

My squid.conf is available at http://pastebin.com/L16cDmRp





-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.


Re: [squid-users] Squid versions and FreeBSD-10.1 headache

2015-01-23 Thread Odhiambo Washington
On 23 January 2015 at 15:13, Yuri Voinov yvoi...@gmail.com wrote:


 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Do you have any service that can listen on port 80 on your host, i.e. a web server?


Yes. There is a webserver on the same host, listening on both 80 and 443.




-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.


Re: [squid-users] Squid versions and FreeBSD-10.1 headache

2015-01-23 Thread Odhiambo Washington
On 23 January 2015 at 14:57, Yuri Voinov yvoi...@gmail.com wrote:


 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 A redirection loop can only occur when the rewriter or NAT is misconfigured.

 On early Squid versions, to avoid loops, this rule was used:

 # Rewriter cycle workaround
 url_rewrite_access deny localhost

 Somewhere in your configuration, redirector looping occurs.

 But I can't see a URL rewriter in your config. Is this a looped configuration?



Hi Yuri,

That is the squid.conf that is causing the looping with squid-3.5.1.
With squid-3.4.10 it is causing the errors I posted ..

My PF firewall rules are simple. Available at
http://41.190.203.157/~wash/pf.conf.txt. with the main rule for
interception being:

rdr on $int_if proto tcp from $int_network to any port 80 -> $int_addr port 13128



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.


Re: [squid-users] Squid versions and FreeBSD-10.1 headache

2015-01-23 Thread Odhiambo Washington
On 23 January 2015 at 15:47, Yuri Voinov yvoi...@gmail.com wrote:


 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Once more. You CANNOT have a web server or any other service
 listening on port 80 on the same host as a transparent Squid proxy. This is the
 one and only reason you have looping.

 Look. On my transparent 3.4.11 (which was earlier 2.7), IPFilter redirects port
 80 to the proxy. My web server on the same host listens only on 8080, 8088 and
  ports. No service except NAT is using port 80.

 And finally, I have had no looping for 4 years.

 Obvious, isn't it?


Not so obvious.

I have several servers with Apache listening on 80,443 which don't have
this problem!
I can give you access to one of them to see for yourself if you need to
believe.

Anyway, this still doesn't help me. After changing my apache to port 8080
and firing up squid-3.5.1, I get access denied for all requests:
http://pastebin.com/1fMSE1U9




-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.


Re: [squid-users] Squid versions and FreeBSD-10.1 headache

2015-01-23 Thread Odhiambo Washington
On 23 January 2015 at 16:07, Amos Jeffries squ...@treenet.co.nz wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
 
  Once more. You CANNOT have a web server or any other service
  listening on port 80 on the same host as a transparent Squid proxy.
  This is the one and only reason you have looping.
 

 That is not correct. It can be done, but depends on how the firewall
 operates and what ruleset is used.

 One has to intercept traffic transiting the machine, but ignore
 traffic destined *to* or *from* the local machines running processes.

  Look. On my transparent 3.4.11 (which was earlier 2.7), IPFilter
  redirects port 80 to the proxy. My web server on the same host listens
  only on 8080, 8088 and  ports. No service except NAT is using
  port 80.
 
  And finally, I have had no looping for 4 years.
 
  Obvious, isn't it?
 

 Maybe there was, maybe there wasn't.

 Squid-2.7 ignored a lot of NAT related errors and even silently did
 some Very Bad Things(tm) - none of which Squid-3.2+ will allow to
 happen anymore.


 Odhiambo:
 I suspect it might be related to your use of rdr firewall rules. In
 OpenBSD PF at least rdr rules do not work properly and divert-to rules
 need to be used instead (divert-to can be used for either TPROXY or
 NAT Squid listening ports on BSD).



I am thinking Squid-3.2+ is evil :-)

Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v
And my IPFilter rules are here: http://pastebin.com/JQ77X01H

I need to figure out why squid is DENYing all access ..


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.


Re: [squid-users] Squid versions and FreeBSD-10.1 headache

2015-01-23 Thread Odhiambo Washington
On 23 January 2015 at 16:53, Amos Jeffries squ...@treenet.co.nz wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
  On 23 January 2015 at 16:40, Amos Jeffries squ...@treenet.co.nz
  wrote:
 
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
  On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
  On 23 January 2015 at 16:07, Amos Jeffries
  squ...@treenet.co.nz wrote:
 
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
  On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
 
  Once more. You CANNOT have a web server or any other
  service listening on port 80 on the same host as a
  transparent Squid proxy. This is the one and only reason you
  have looping.
 
 
  That is not correct. It can be done, but depends on how the
  firewall operates and what ruleset is used.
 
  One has to intercept traffic transiting the machine, but
  ignore traffic destined *to* or *from* the local machines
  running processes.
 
  Look. On my transparent 3.4.11 (which was earlier 2.7),
  IPFilter redirects port 80 to the proxy. My web server on the
  same host listens only on 8080, 8088 and  ports. No
  service except NAT is using port 80.
 
  And finally, I have had no looping for 4 years.
 
  Obvious, isn't it?
 
 
  Maybe there was, maybe there wasn't.
 
  Squid-2.7 ignored a lot of NAT related errors and even
  silently did some Very Bad Things(tm) - none of which
  Squid-3.2+ will allow to happen anymore.
 
 
  Odhiambo: I suspect it might be related to your use of rdr
  firewall rules. In OpenBSD PF at least rdr rules do not work
  properly and divert-to rules need to be used instead
  (divert-to can be used for either TPROXY or NAT Squid
  listening ports on BSD).
 
 
 
  I am thinking Squid-3.2+ is evil :-)
 
  Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v And
  my IPFilter rules are here: http://pastebin.com/JQ77X01H
 
  I need to figure out why squid is DENYing all access ..
 
 
  Can you update me on what the squid -v output is from the Squid
  build you are having issues with please?
 
  Amos
 
 
  root@mail:/usr/src # /opt/squid35/sbin/squid -v Squid Cache:
  Version 3.5.1-20150120-r13736 Service Name: squid configure
  options:  '--prefix=/opt/squid35' '--enable-removal-policies=lru
  heap' '--disable-epoll' '--enable-auth' '--enable-auth-basic=DB
  NCSA PAM PAM POP3 SSPI' '--enable-external-acl-helpers=session
  unix_group file_userip' '--enable-auth-negotiate=kerberos'
  '--with-pthreads' '--enable-storeio=ufs diskd rock aufs'
  '--enable-delay-pools' '--enable-snmp' '--with-openssl=/usr'
  '--enable-forw-via-db' '--enable-cache-digests' '--enable-wccpv2'
  '--enable-follow-x-forwarded-for' '--with-large-files'
  '--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
  '--enable-icap-client' '--enable-kill-parent-hack' '--enable-ssl'
  '--enable-leakfinder' '--enable-ssl-crtd'
  '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics'
  '--enable-stacktraces' '--enable-zph-qos' '--enable-eui'
  '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'
  --enable-ltdl-convenience
 

 Okay. Can you explicitly add --disable-ipf-transparent
 --disable-ipfw-transparent and see if that helps.

 Also in squid.conf adding debugs_options ALL,1 89,9  will show just
 the NAT lookup results where things are going wrong.


So, before I recompile, we can look at the debug output:

2015/01/23 17:07:45| storeLateRelease: released 0 objects
2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN:
me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632
2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33
2015/01/23 17:07:49.179| Intercept.cc(362) Lookup: address BEGIN:
me/client= 192.168.2.254:13128, destination/me= 192.168.2.254:39850
2015/01/23 17:07:49.179| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.254:39850 FD 18 flags=33
2015/01/23 17:07:49.179| WARNING: Forwarding loop detected for:
GET
/crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCPg-PjQGwE5gQ9QUn12pYvFn6PDmZgXxNF7VvigznwvJ8WaXIAcdCCqy0GvWdiTCOtn1gMu-J79t3vAXEydkC0WAMZSmuVMGd3ZQxF_Ho
se6F8g4c8bJYmPZA/extension_1_4_6_758.crx HTTP/1.1
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Sun, 01 Apr 2007 07:00:00 GMT
Range: bytes=3436183-3841157
User-Agent: Microsoft BITS/7.5
Host: cache.pack.google.com
Via: 1.1 aardvark (squid)
X-Forwarded-For: 192.168.2.115
Cache-Control: max-age=259200
Connection: keep-alive


2015/01/23 17:07:49.260| Intercept.cc(362) Lookup: address BEGIN:
me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58634
2015/01/23 17:07:49.260| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58634 FD 14 flags=33
2015/01/23 17:07:49.260| WARNING: Forwarding loop detected for:
GET
/crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCPg

Re: [squid-users] Squid versions and FreeBSD-10.1 headache

2015-01-23 Thread Odhiambo Washington
On 23 January 2015 at 18:42, Amos Jeffries squ...@treenet.co.nz wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 24/01/2015 4:29 a.m., Odhiambo Washington wrote:
  On 23 January 2015 at 17:33, Amos Jeffries squ...@treenet.co.nz
  wrote:

 snip


  And the good news is that squid-3.5.1 is now allowing client PCs to
  browse. Thank you for that.
 

 Hooray!


THANK YOU once again:)



  I still have issues to raise (though my small brain is now so
  saturated):
 
 
  Here is what I use:
 
  ./configure --prefix=/opt/squid35 \
    --enable-removal-policies=lru heap \
    --disable-epoll \
    --enable-auth \
    --enable-auth-basic=DB NCSA PAM PAM POP3 SSPI \
    --enable-external-acl-helpers=session unix_group file_userip \
    --enable-auth-negotiate=kerberos \
    --with-pthreads \
    --enable-storeio=ufs diskd rock aufs \
    --enable-delay-pools \
    --enable-snmp \
    --with-openssl=/usr \
    --enable-forw-via-db \
    --enable-cache-digests \
    --enable-wccpv2 \
    --enable-follow-x-forwarded-for \
    --with-large-files \
    --enable-large-cache-files \
    --enable-esi \
    --enable-kqueue \
    --enable-icap-client \
    --enable-kill-parent-hack \
    --enable-ssl \
    --enable-leakfinder \
    --enable-ssl-crtd \
    --enable-url-rewrite-helpers \
    --enable-xmalloc-statistics \
    --enable-stacktraces \
    --enable-zph-qos \
    --enable-eui \
    --with-nat-devpf \
    --enable-pf-transparent \
    --enable-ipf-transparent
 
 
  It seems I have to remove --enable-ipf-transparent otherwise the
  build fails. I was thinking I could have both of
  --enable-ipf-transparent and --enable-ipf-transparent so that I can
  be able to use either PF or IPFilter - whichever I want.
 
 
  Are those two mutually exclusive?

 That's a maybe. The original design was to enable that, but doing so
 may repeat the issue you just resolved. From what I can tell those two
 firewalls should be okay together on FreeBSD at this point.

  When I have the two, the build fails with:
 
  root@mail:/usr/home/wash/squid-3.5.1-20150120-r13736 # gmake
  Making all in compat
  gmake[1]: Entering directory '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'
  depbase=`echo assert.lo | sed 's|[^/]*$|.deps/|;s|\.lo$||'`;\
  /bin/sh ../libtool --tag=CXX --mode=compile clang++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT assert.lo -MD -MP -MF $depbase.Tpo -c -o assert.lo assert.cc \
  mv -f $depbase.Tpo $depbase.Plo
  libtool: compile:  clang++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc -fPIC -DPIC -o .libs/assert.o
  In file included from assert.cc:9:
  In file included from ../include/squid.h:43:
  ../compat/compat.h:49:57: error: expected value in expression
  #if IPF_TRANSPARENT && USE_SOLARIS_IPFILTER_MINOR_T_HACK
                                                          ^

 Seems to be a bug in the autoconf detections. You can workaround it
 for now by adding this to your option list:

  CXXFLAGS=-DUSE_SOLARIS_IPFILTER_MINOR_T_HACK=0

 (or if you unluckily hit build errors mentioning minor_t re-definition
 try setting it to =1).


I could be getting it all wrong, but there is where I end:



root@mail:/usr/home/wash/ILI/Squid/3.5/squid-3.5.1-20150120-r13736 # env

cut
CC=clang
CXX=clang++
CXXFLAGS=-DUSE_SOLARIS_IPFILTER_MINOR_T_HACK=0
/cut

root@mail:/usr/home/wash/ILI/Squid/3.5/squid-3.5.1-20150120-r13736 # gmake
Making all in compat
gmake[1]: Entering directory
'/usr/home/wash/ILI/Squid/3.5/squid-3.5.1-20150120-r13736/compat'
depbase=`echo assert.lo | sed 's|[^/]*$|.deps/|;s|\.lo$||'`;\
/bin/sh ../libtool  --tag=CXX   --mode=compile clang++ -DHAVE_CONFIG_H
-I.. -I../include -I../lib -I../src -I../include  -I/usr/include
 -I/usr/include  -I../libltdl -I/usr/include -I/usr/local/include/libxml2
 -I/usr/local/include/libxml2  -Werror -Qunused-arguments  -D_REENTRANT
-DUSE_SOLARIS_IPFILTER_MINOR_T_HACK=0 -march=native -I/usr/local/include
-MT assert.lo -MD -MP -MF $depbase.Tpo -c -o assert.lo assert.cc \
mv -f $depbase.Tpo $depbase.Plo
libtool: compile:  clang++ -DHAVE_CONFIG_H -I.. -I../include -I../lib
-I../src -I../include -I/usr/include -I/usr/include -I../libltdl
-I/usr/include -I/usr/local/include/libxml2 -I/usr/local/include/libxml2
-Werror -Qunused-arguments -D_REENTRANT
-DUSE_SOLARIS_IPFILTER_MINOR_T_HACK=0 -march=native -I/usr/local/include
-MT assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc  -fPIC -DPIC -o
.libs/assert.o
In file included from assert.cc:9:
In file included from ../include/squid.h:12:
../include/autoconf.h:1431:9: error: 'USE_SOLARIS_IPFILTER_MINOR_T_HACK'
macro redefined [-Werror]
#define

Re: [squid-users] Squid versions and FreeBSD-10.1 headache

2015-01-23 Thread Odhiambo Washington
On 23 January 2015 at 17:33, Amos Jeffries squ...@treenet.co.nz wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 24/01/2015 3:11 a.m., Odhiambo Washington wrote:
  On 23 January 2015 at 16:53, Amos Jeffries squ...@treenet.co.nz
  wrote:
 
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
  On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
  On 23 January 2015 at 16:40, Amos Jeffries
  squ...@treenet.co.nz wrote:
 
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
  On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
  On 23 January 2015 at 16:07, Amos Jeffries
  squ...@treenet.co.nz wrote:
 
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
  On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
 
  Once more. You CANNOT have a web server or any
  other service listening on port 80 on the same host
  as a transparent Squid proxy. This is the one and only reason
  you have looping.
 
 
  That is not correct. It can be done, but depends on how
  the firewall operates and what ruleset is used.
 
  One has to intercept traffic transiting the machine, but
  ignore traffic destined *to* or *from* the local
  machines running processes.
 
  Look. On my transparent 3.4.11 (which was earlier 2.7),
  IPFilter redirects port 80 to the proxy. My web server on
  the same host listens only on 8080, 8088 and  ports.
  No service except NAT is using port 80.
 
  And finally, I have had no looping for 4 years.
 
  Obvious, isn't it?
 
 
  Maybe there was, maybe there wasn't.
 
  Squid-2.7 ignored a lot of NAT related errors and even
  silently did some Very Bad Things(tm) - none of which
  Squid-3.2+ will allow to happen anymore.
 
 
  Odhiambo: I suspect it might be related to your use of
  rdr firewall rules. In OpenBSD PF at least rdr rules do
  not work properly and divert-to rules need to be used
  instead (divert-to can be used for either TPROXY or NAT
  Squid listening ports on BSD).
 
 
 
  I am thinking Squid-3.2+ is evil :-)
 
  Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v
  And my IPFilter rules are here:
  http://pastebin.com/JQ77X01H
 
  I need to figure out why squid is DENYing all access ..
 
 
  Can you update me on what the squid -v output is from the
  Squid build you are having issues with please?
 
  Amos
 
 
  root@mail:/usr/src # /opt/squid35/sbin/squid -v Squid Cache:
  Version 3.5.1-20150120-r13736 Service Name: squid configure
  options:  '--prefix=/opt/squid35'
  '--enable-removal-policies=lru heap' '--disable-epoll'
  '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI'
  '--enable-external-acl-helpers=session unix_group file_userip'
  '--enable-auth-negotiate=kerberos' '--with-pthreads'
  '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools'
  '--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db'
  '--enable-cache-digests' '--enable-wccpv2'
  '--enable-follow-x-forwarded-for' '--with-large-files'
  '--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
  '--enable-icap-client' '--enable-kill-parent-hack'
  '--enable-ssl' '--enable-leakfinder' '--enable-ssl-crtd'
  '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics'
  '--enable-stacktraces' '--enable-zph-qos' '--enable-eui'
  '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'
  --enable-ltdl-convenience
 
 
  Okay. Can you explicitly add --disable-ipf-transparent
  --disable-ipfw-transparent and see if that helps.
 
  Also in squid.conf adding debugs_options ALL,1 89,9  will show
  just the NAT lookup results where things are going wrong.
 
 
  So, before I recompile, we can look at the debug output:
 
  2015/01/23 17:07:45| storeLateRelease: released 0 objects
  2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632
  2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33


 Arggg..   Add --with-nat-devpf to your build options in FreeBSD.

 http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4

 Amos



Done that and now, debug shows:

2015/01/23 18:15:47.498| Intercept.cc(362) Lookup: address BEGIN:
me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58541
2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT:
local=190.93.244.112:80 remote=192.168.2.2:58541 FD 35 flags=33
2015/01/23 18:15:47.500| Intercept.cc(362) Lookup: address BEGIN:
me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58542
2015/01/23 18:15:47.500| Intercept.cc(337) PfInterception: address NAT:
local=190.93.244.112:80 remote=192.168.2.2:58542 FD 37 flags=33
2015/01/23 18:15:47.501| Intercept.cc(362) Lookup: address BEGIN:
me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58543
2015/01/23 18:15:47.501| Intercept.cc(337) PfInterception: address NAT:
local=190.93.244.112:80 remote=192.168.2.2:58543 FD 39 flags=33
2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address BEGIN:
me/client
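The two debug excerpts in this thread show the same NAT lookup line before and after the `--with-nat-devpf` rebuild: first `local=` is Squid's own listener (192.168.2.254:13128, the original destination is lost and the next hop loops back into Squid), afterwards `local=` is the real origin server (190.93.244.112:80). The same symptom appeared earlier as `local=127.0.0.1:13128` tripping the to_localhost ACL. The following script is an added example, not code from this thread or from the Squid project; it classifies such cache.log lines so the failure is spotted from the log alone. The proxy addresses and intercept port are assumptions taken from this thread, and the sample log lines are constructed from the ones quoted above.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List

# Assumed deployment values, taken from the thread: the proxy host answers on
# 192.168.2.254 (and loopback) and its intercept listener is port 13128.
PROXY_ADDRS = {"192.168.2.254", "127.0.0.1"}
INTERCEPT_PORT = 13128

# Matches the "local=IP:port remote=IP:port FD n" fragment that Squid prints
# in both the Intercept.cc and the client_side.cc debug lines.
ADDR_RE = re.compile(
    r"local=(?P<lip>[0-9.]+):(?P<lport>\d+) "
    r"remote=(?P<rip>[0-9.]+):(?P<rport>\d+) FD (?P<fd>\d+)"
)
LOOP_MARKER = "WARNING: Forwarding loop detected"


@dataclass
class Verdict:
    fd: int
    local: str   # what the NAT lookup reported as the original destination
    remote: str  # the client side of the intercepted connection
    status: str  # ok | nat-lookup-failed | self-connection | local-destination


def classify(lip: str, lport: int, rip: str) -> str:
    """Interpret one NAT lookup result for an intercepted connection."""
    if rip in PROXY_ADDRS:
        # The "client" is the proxy host itself: one of Squid's own outbound
        # connections was redirected back into the listener (a forwarding loop).
        return "self-connection"
    if lport == INTERCEPT_PORT and lip in PROXY_ADDRS:
        # The reported destination is just our own listener socket: the NAT
        # table lookup failed, so the real destination has been lost.
        return "nat-lookup-failed"
    if ip_address(lip).is_loopback or lip in PROXY_ADDRS:
        # A real destination on the proxy host; to_localhost / local ACLs apply.
        return "local-destination"
    return "ok"


def analyze(log_text: str) -> List[Verdict]:
    """Return one Verdict per log line that carries a local=/remote= pair."""
    verdicts = []
    for line in log_text.splitlines():
        m = ADDR_RE.search(line)
        if not m:
            continue
        lip, lport, rip = m["lip"], int(m["lport"]), m["rip"]
        verdicts.append(Verdict(
            fd=int(m["fd"]),
            local=f"{lip}:{lport}",
            remote=f"{rip}:{m['rport']}",
            status=classify(lip, lport, rip),
        ))
    return verdicts


def summarize(log_text: str) -> Dict[str, int]:
    """Count verdicts plus Squid's own forwarding-loop warnings."""
    counts = {"ok": 0, "nat-lookup-failed": 0, "self-connection": 0,
              "local-destination": 0, "loop-warnings": 0}
    for v in analyze(log_text):
        counts[v.status] += 1
    counts["loop-warnings"] = sum(LOOP_MARKER in l for l in log_text.splitlines())
    return counts


# Constructed sample modelled on the lines quoted in this thread (wrapped
# back onto single lines); the last line is the client_side.cc form.
SAMPLE_LOG = """\
2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33
2015/01/23 17:07:49.179| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.254:39850 FD 18 flags=33
2015/01/23 17:07:49.179| WARNING: Forwarding loop detected for:
2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58541 FD 35 flags=33
2015/01/23 15:59:34.455| client_side.cc(2320) parseHttpRequest: HTTP Client local=127.0.0.1:13128 remote=192.168.2.165:54234 FD 14 flags=33
"""

if __name__ == "__main__":
    for v in analyze(SAMPLE_LOG):
        print(f"FD {v.fd:>3} {v.remote:>22} -> {v.local:<22} {v.status}")
    print(summarize(SAMPLE_LOG))
```

Run it over a real cache.log captured with `debug_options ALL,1 89,9`: any `nat-lookup-failed` or `self-connection` verdict means the firewall redirect is reaching Squid but the original-destination lookup is not, which is the build-option or ruleset problem discussed above rather than an ACL problem.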

Re: [squid-users] Squid versions and FreeBSD-10.1 headache

2015-01-23 Thread Odhiambo Washington
On 23 January 2015 at 18:29, Odhiambo Washington odhia...@gmail.com wrote:



 On 23 January 2015 at 17:33, Amos Jeffries squ...@treenet.co.nz wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 24/01/2015 3:11 a.m., Odhiambo Washington wrote:
  On 23 January 2015 at 16:53, Amos Jeffries squ...@treenet.co.nz
  wrote:
 
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
  On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
  On 23 January 2015 at 16:40, Amos Jeffries
  squ...@treenet.co.nz wrote:
 
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
  On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
  On 23 January 2015 at 16:07, Amos Jeffries
  squ...@treenet.co.nz wrote:
 
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA1
 
  On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
 
  Once more. You CANNOT have a web server or any
  other service listening on port 80 on the same host
  as a transparent Squid proxy. This is the one and only reason
  you have looping.
 
 
  That is not correct. It can be done, but depends on how
  the firewall operates and what ruleset is used.
 
  One has to intercept traffic transiting the machine, but
  ignore traffic destined *to* or *from* the local
  machines running processes.
 
  Look. On my transparent 3.4.11 (which was early 2.7)
  IPFilter redirects port 80 to the proxy. My web server on
  the same host listens only on 8080, 8088 and  ports.
  No service except NAT is using port 80.
 
  And finally I have had no looping for 4 years.
 
  Obvious, isn't it?
 
 
  Maybe there was, maybe there wasn't.
 
  Squid-2.7 ignored a lot of NAT related errors and even
  silently did some Very Bad Things(tm) - none of which
  Squid-3.2+ will allow to happen anymore.
 
 
  Odhiambo: I suspect it might be related to your use of
  rdr firewall rules. In OpenBSD PF at least rdr rules do
  not work properly and divert-to rules needs to be used
  instead (divert-to can be used for either TPROXY or NAT
  Squid listening ports on BSD).
 
 
 
  I am thinking Squid-3.2+ is evil :-)
 
  Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v
  And my IPFilter rules are here:
  http://pastebin.com/JQ77X01H
 
  I need to figure out why squid is DENYing all access ..
 
 
  Can you update me on what the squid -v output is from the
  Squid build you are having issues with please?
 
  Amos
 
 
  root@mail:/usr/src # /opt/squid35/sbin/squid -v
  Squid Cache: Version 3.5.1-20150120-r13736
  Service Name: squid
  configure options:  '--prefix=/opt/squid35'
  '--enable-removal-policies=lru heap' '--disable-epoll'
  '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI'
  '--enable-external-acl-helpers=session unix_group file_userip'
  '--enable-auth-negotiate=kerberos' '--with-pthreads'
  '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools'
  '--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db'
  '--enable-cache-digests' '--enable-wccpv2'
  '--enable-follow-x-forwarded-for' '--with-large-files'
  '--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
  '--enable-icap-client' '--enable-kill-parent-hack'
  '--enable-ssl' '--enable-leakfinder' '--enable-ssl-crtd'
  '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics'
  '--enable-stacktraces' '--enable-zph-qos' '--enable-eui'
  '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'
  --enable-ltdl-convenience
 
 
  Okay. Can you explicitly add --disable-ipf-transparent
  --disable-ipfw-transparent and see if that helps.
 
  Also in squid.conf adding debugs_options ALL,1 89,9  will show
  just the NAT lookup results where things are going wrong.
 
 
  So, before I recompile, we can look at the debug output:
 
  2015/01/23 17:07:45| storeLateRelease: released 0 objects
  2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN:
  me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632
  2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to:
  local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33


 Arggg..   Add --with-nat-devpf to your build options in FreeBSD.

 http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4

 Amos



 Done that and now, debug shows:

 2015/01/23 18:15:47.498| Intercept.cc(362) Lookup: address BEGIN:
 me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58541
 2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT:
 local=190.93.244.112:80 remote=192.168.2.2:58541 FD 35 flags=33
 2015/01/23 18:15:47.500| Intercept.cc(362) Lookup: address BEGIN:
 me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58542
 2015/01/23 18:15:47.500| Intercept.cc(337) PfInterception: address NAT:
 local=190.93.244.112:80 remote=192.168.2.2:58542 FD 37 flags=33
 2015/01/23 18:15:47.501| Intercept.cc(362) Lookup: address BEGIN:
 me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58543
 2015/01/23 18:15:47.501| Intercept.cc(337) PfInterception: address NAT:
 local=190.93.244.112:80 remote=192.168.2.2:58543 FD 39
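The two debug outputs above differ in one field: before the --with-nat-devpf rebuild the PfInterception line reports the proxy's own listening socket as `local=`, afterwards it reports the real origin server. The following is an added example, not code from the thread or from the Squid project, that scans `debug_options ALL,1 89,9` output for PfInterception lines and flags any NAT lookup whose `local=` address equals the proxy's own listening address, which is the precondition for the "Forwarding loop detected" warning. It assumes the proxy listens on 192.168.2.254:13128 as in this thread; the sample log lines are constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the Squid project.
# Classifies Squid section-89 NAT lookup debug lines: a lookup whose
# "local=" is the proxy's own listening socket means the firewall handed
# Squid its own connection back (a loop); anything else is a real origin.

# Constructed sample. The first line mimics the pre --with-nat-devpf
# output from the thread, the other two the output after the rebuild.
SAMPLE_LOG='2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33
2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58541 FD 35 flags=33
2015/01/23 18:15:47.500| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58542 FD 37 flags=33'

# Proxy listening address taken from the thread (assumption: adjust to yours).
PROXY_ADDR=192.168.2.254:13128

# classify_nat_lookups PROXY_ADDR < cache.log
# Prints one line per PfInterception entry: LOOP or OK, plus FD, local, remote.
# Matches both "address NAT:" and "address NAT divert-to:" variants.
classify_nat_lookups() {
    proxy="$1"
    sed -n 's/.*PfInterception: address NAT[^:]*: local=\([^ ]*\) remote=\([^ ]*\) FD \([0-9]*\).*/\1 \2 \3/p' |
    while read -r laddr raddr fd; do
        if [ "$laddr" = "$proxy" ]; then
            printf 'LOOP fd=%s local=%s remote=%s\n' "$fd" "$laddr" "$raddr"
        else
            printf 'OK   fd=%s local=%s remote=%s\n' "$fd" "$laddr" "$raddr"
        fi
    done
}

# count_loops PROXY_ADDR < cache.log
# Prints the number of looped lookups (0 when none; grep -c's exit status is ignored).
count_loops() {
    classify_nat_lookups "$1" | grep -c '^LOOP' || :
}

# Stand-alone demo on the constructed sample. On a live host run e.g.
#   classify_nat_lookups 192.168.2.254:13128 < /opt/squid35/var/logs/cache.log
printf '%s\n' "$SAMPLE_LOG" | classify_nat_lookups "$PROXY_ADDR"
```

The script is plain POSIX sh so it runs on the FreeBSD base system. A non-zero `count_loops` result on a fresh start is a quicker signal than waiting for the WARNING lines, and the FD number lets you correlate with the `Lookup: address BEGIN` line that precedes each entry.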

Re: [squid-users] Squid versions and FreeBSD-10.1 headache

2015-01-23 Thread Odhiambo Washington
On 23 January 2015 at 15:17, Yuri Voinov yvoi...@gmail.com wrote:



 Here is it.

 There is your loop reason.


root@mail:/usr/src # svn
Type 'svn help' for usage.
root@mail:/usr/src # sockstat -l | grep 80
www      httpd      55941 3  tcp6   *:80                  *:*
www      httpd      55941 4  tcp4   *:80                  *:*
www      httpd      55941 5  tcp6   *:8080                *:*
www      httpd      55941 6  tcp4   *:8080                *:*
www      httpd      69148 3  tcp6   *:80                  *:*
www      httpd      69148 4  tcp4   *:80                  *:*
www      httpd      69148 5  tcp6   *:8080                *:*
www      httpd      69148 6  tcp4   *:8080                *:*
www      httpd      69145 3  tcp6   *:80                  *:*
www      httpd      69145 4  tcp4   *:80                  *:*
www      httpd      69145 5  tcp6   *:8080                *:*
www      httpd      69145 6  tcp4   *:8080                *:*
www      httpd      69142 3  tcp6   *:80                  *:*
www      httpd      69142 4  tcp4   *:80                  *:*
www      httpd      69142 5  tcp6   *:8080                *:*
www      httpd      69142 6  tcp4   *:8080                *:*
www      httpd      11049 3  tcp6   *:80                  *:*
www      httpd      11049 4  tcp4   *:80                  *:*
www      httpd      11049 5  tcp6   *:8080                *:*
www      httpd      11049 6  tcp4   *:8080                *:*
www      httpd      11044 3  tcp6   *:80                  *:*
www      httpd      11044 4  tcp4   *:80                  *:*
www      httpd      11044 5  tcp6   *:8080                *:*
www      httpd      11044 6  tcp4   *:8080                *:*
www      httpd      993   3  tcp6   *:80                  *:*
www      httpd      993   4  tcp4   *:80                  *:*
www      httpd      993   5  tcp6   *:8080                *:*
www      httpd      993   6  tcp4   *:8080                *:*
www      httpd      991   3  tcp6   *:80                  *:*
www      httpd      991   4  tcp4   *:80                  *:*
www      httpd      991   5  tcp6   *:8080                *:*
www      httpd      991   6  tcp4   *:8080                *:*
www      httpd      990   3  tcp6   *:80                  *:*
www      httpd      990   4  tcp4   *:80                  *:*
www      httpd      990   5  tcp6   *:8080                *:*
www      httpd      990   6  tcp4   *:8080                *:*
www      httpd      989   3  tcp6   *:80                  *:*
www      httpd      989   4  tcp4   *:80                  *:*
www      httpd      989   5  tcp6   *:8080                *:*
www      httpd      989   6  tcp4   *:8080                *:*
root     httpd      912   3  tcp6   *:80                  *:*
root     httpd      912   4  tcp4   *:80                  *:*
root     httpd      912   5  tcp6   *:8080                *:*
root     httpd      912   6  tcp4   *:8080                *:*
root@mail:/usr/src # /usr/local/etc/rc.d/apache24 stop
Stopping apache24.
Waiting for PIDS: 912.
root@mail:/usr/src # sockstat -l | grep 80
root@mail:/usr/src #

Here is an attempt to address the problem based on your observation:

1. I killed the httpd so that there is nothing listening on port 80.
2. Started squid-3.5.1 and cache log was clean. However access is DENIED to
all requests so no one can browse!

Seems we're headed somewhere.
However, I have other servers running squid-2.7.9 and there is a webserver
on the same machine (gateway) and they play along nicely!

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
I can't hear you -- I'm using the scrambler.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
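Yuri's `sockstat -l | grep 80` check above, turned into a script that can be run before Squid is started rather than eyeballed: an added example, not code from the thread or from the Squid project, that lists every listener on the intercepted port other than Squid itself. The sockstat sample is constructed in the column layout shown above; the process name `squid` and the intercept port 80 are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the Squid project.
# Reports listeners on the port the firewall intercepts that are NOT the
# proxy process, i.e. the situation Yuri describes where redirected port-80
# traffic on the proxy host can land on a web server or loop back to Squid.

# Constructed sockstat -l sample in the column layout from the thread:
# USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      55941 4  tcp4   *:80                  *:*
www      httpd      55941 6  tcp4   *:8080                *:*
squid    squid      1234  12 tcp4   192.168.2.254:13128   *:*
www      httpd      69148 3  tcp6   *:80                  *:*'

# foreign_listeners PORT [ALLOWED_COMMAND] < sockstat-output
# Prints "COMMAND PID PROTO LOCAL" for every TCP listener on PORT whose
# command is not ALLOWED_COMMAND (default: squid). The port is taken as the
# text after the last ":" so IPv6 literals and "*:80" are handled alike.
foreign_listeners() {
    port="$1"
    allowed="${2:-squid}"
    awk -v port="$port" -v allowed="$allowed" '
        $5 ~ /^tcp/ {
            n = split($6, a, ":")
            if (a[n] == port && $2 != allowed)
                print $2, $3, $5, $6
        }'
}

# count_foreign_listeners PORT [ALLOWED_COMMAND] < sockstat-output
# Prints the number of offending listeners; 0 means the port is clear.
count_foreign_listeners() {
    foreign_listeners "$@" | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample. On a live FreeBSD host run:
#   sockstat -l | foreign_listeners 80
printf '%s\n' "$SAMPLE_SOCKSTAT" | foreign_listeners 80
```

A wrapper in the Squid rc script could refuse to start when `count_foreign_listeners 80` is non-zero, which turns the "stop apache24, then start squid" sequence above into a check that fails loudly instead of producing DENIED or looping requests later.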


Re: [squid-users] Squid 3.4.11 crashing on FreeBSD 10 (64-bit)

2015-01-20 Thread Odhiambo Washington
On 20 January 2015 at 15:17, Amos Jeffries squ...@treenet.co.nz wrote:


 I have just fixed a few clang detected build errors and 3.5 is now
 building cleanly here on FreeBSD 10 with the default Clang.

 Please try to build the latest 3.5 snapshot (which will be labeled
 r13735 or higher). It should build fine with either the system default
 clang compiler or your GCC 4.9 install, but not with the system
 default GCC 4.4.


I will check on that.
However, I earlier today managed to compile 3.5.0.4 using clang. The
problem I have been facing now is about 'forwarding loop detected' over and
over... checking on my PF rules hasn't yielded anything.
And I am now wondering why 3.4.11 wasn't seeing these forwarding loops..



  (gdb) bt
  #0  0x000803a30469 in swapcontext () from /lib/libthr.so.3
  #1  0x000803a30062 in sigaction () from /lib/libthr.so.3
  #2  signal handler called
  #3  0x000803d6b04a in kevent () from /lib/libc.so.7
  #4  0x0086335c in Comm::DoSelect (msec=981) at ModKqueue.cc:264


 Looks like a bug in the system threading library. Though why Squid is
 triggering it is unknown. Maybe related to the two GCC versions with
 different libc perhaps?


I only have one gcc version on my system -gcc49





Re: [squid-users] Squid 3.4.11 crashing on FreeBSD 10 (64-bit)

2015-01-20 Thread Odhiambo Washington
Yuri,

You need a sane MUA.

What you have makes life quite difficult for me reading your responses. And
I read from gmail web UI.

Just to answer you..


On 20 January 2015 at 21:28, Yuri Voinov yvoi...@gmail.com wrote:




 20.01.2015 23:11, Odhiambo Washington wrote:
 
 
  On 20 January 2015 at 16:16, Odhiambo Washington odhia...@gmail.com wrote:
 
 
 
  On 20 January 2015 at 15:17, Amos Jeffries squ...@treenet.co.nz wrote:
 
  I have just fixed a few clang detected build errors and 3.5 is now
  building cleanly here on FreeBSD 10 with the default Clang.
 
  Please try to build the latest 3.5 snapshot (which will be labeled
  r13735 or higher). It should build fine with either the system default
  clang compiler or your GCC 4.9 install, but not with the system
  default GCC 4.4.
 
 
  I will check on that.
  However, I earlier today managed to compile 3.5.0.4 using clang. The
  problem I have been facing now is about 'forwarding loop detected' over and
  over... checking on my PF rules hasn't yielded anything.
  And I am now wondering why 3.4.11 wasn't seeing these forwarding loops..
 Maybe it has another configuration? I.e., no redirectors, or the
 web server on another port, or other NAT settings?






 
 
 
 
   (gdb) bt
   #0  0x000803a30469 in swapcontext () from /lib/libthr.so.3
   #1  0x000803a30062 in sigaction () from /lib/libthr.so.3
   #2  signal handler called
   #3  0x000803d6b04a in kevent () from /lib/libc.so.7
   #4  0x0086335c in Comm::DoSelect (msec=981) at ModKqueue.cc:264
 
 
  Looks like a bug in the system threading library. Though why Squid is
  triggering it is unknown. Maybe related to the two GCC versions with
  different libc perhaps?
 
 
  I only have one gcc version on my system -gcc49
 
 
 
  root@mail:/home/wash/ILI/Squid/3.5/squid-3.5.1-20150120-r13736 # /opt/squid35/sbin/squid -v
  Squid Cache: Version 3.5.1-20150120-r13736
  Service Name: squid
  configure options:  '--prefix=/opt/squid35'
 '--enable-removal-policies=lru heap' '--disable-epoll' '--enable-auth'
 '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI'
 '--enable-external-acl-helpers=session unix_group file_userip'
 '--enable-auth-negotiate=kerberos' '--with-pthreads'
 '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools' '--enable-snmp'
 '--with-openssl=/usr' '--enable-forw-via-db' '--enable-cache-digests'
 '--enable-wccpv2' '--enable-follow-x-forwarded-for' '--with-large-files'
 '--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
 '--enable-icap-client' '--enable-kill-parent-hack' '--enable-ssl'
 '--enable-leakfinder' '--enable-ssl-crtd' '--enable-url-rewrite-helpers'
 '--enable-xmalloc-statistics' '--enable-stacktraces' '--enable-zph-qos'
 '--enable-eui' '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'
 --enable-ltdl-convenience
 
 
  1. I see these in cache.log
 
 
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| WARNING: no_suid: setuid(0): (1) Operation not permitted
  2015/01/20 20:00:18| Logfile: opening log stdio:/usr/local/squid/logs/access.log
 
 
  But then I have no joy because of 2015/01/20 20:03:55| WARNING:
  Forwarding loop detected for:..
 A forwarding loop is a squid.conf issue, not Squid itself. More often than not you are
 using one port for proxying and the web server on the proxy at the same time.
 Either NAT or squid/web server/redirector(s) program configuration.


None of those. I read the HOWTO very well. I use Squid+IPFilter on several
FreeBSD servers already. My configs are fine. I run squid on 13128 which is
different than what I run

Re: [squid-users] [squid-announce] Squid 3.5.1 is available

2015-01-19 Thread Odhiambo Washington
I removed that MSNT from my configure options but I still get the error.

To be honest, I don't know what to do next.



On 19 January 2015 at 05:22, Amos Jeffries squ...@treenet.co.nz wrote:


 On 19/01/2015 10:03 a.m., Odhiambo Washington wrote:
  When compiling, I get the following error:
 
  configure: error: Basic auth helper MSNT ... not found
 

 From the release announcement:
 
  * Basic authentication MSNT helper changes
 ...

 Further details can be found in the release notes
 

 In particular
 http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.8

 In short: the helper called MSNT is renamed and deprecated.


  I have removed MSNT from my configure parameters, but still not
  go...

 You need to wipe the build directory and re-run ./configure from a
 clean location after changing the helper parameter(s).

 Amos






[squid-users] Squid 3.4.11 crashing on FreeBSD 10 (64-bit)

2015-01-19 Thread Odhiambo Washington
I have installed squid on FreeBSD and it's crashing with errors as seen
from http://pastebin.com/yC6YZ7Bg.

My squid.conf is seen at http://pastebin.com/hJpPXJ0K

I am using the Squid in a transparent proxy mode with PF firewall.

Squid is installed from FreeBSD ports:

root@mail:/usr/local/etc/squid # squid -v
Squid Cache: Version 3.4.11
configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin'
'--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid'
'--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var'
'--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache'
'--enable-auth' '--enable-build-info' '--enable-loadable-modules'
'--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter'
'--disable-linux-tproxy' '--disable-translation' '--disable-arch-native'
'--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap'
'--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp'
'--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6'
'--enable-kqueue' '--with-large-files' '--enable-http-violations'
'--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--disable-stacktraces'
'--disable-ipf-transparent' '--disable-ipfw-transparent'
'--enable-pf-transparent' '--with-nat-devpf' '--enable-forw-via-db'
'--enable-wccp' '--enable-wccpv2'
'--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS'
'--enable-auth-digest=file'
'--enable-external-acl-helpers=file_userip time_quota unix_group SQL_session'
'--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm'
'--enable-storeio=ufs aufs diskd'
'--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon'
'--enable-log-daemon-helpers=file'
'--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file'
'--with-openssl=/usr'
'--disable-optimizations' '--enable-debug-cbdata' '--prefix=/usr/local'
'--mandir=/usr/local/man' '--infodir=/usr/local/info/'
'--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1' 'CC=clang'
'CFLAGS=-pipe -march=native  -I/usr/include -g -fstack-protector -fno-strict-aliasing'
'LDFLAGS= -pthread -Wl,-rpath,/usr/lib:/usr/local/lib -L/usr/lib -fstack-protector'
'LIBS=' 'CPPFLAGS=' 'CXX=clang++'
'CXXFLAGS=-pipe -march=native -I/usr/include -g -fstack-protector -fno-strict-aliasing -Wno-unused-private-field'
'CPP=clang-cpp' --enable-ltdl-convenience


I appreciate any pointers.



Re: [squid-users] [squid-announce] Squid 3.5.1 is available

2015-01-18 Thread Odhiambo Washington
When compiling, I get the following error:

configure: error: Basic auth helper MSNT ... not found

I have removed MSNT from my configure parameters, but still not go...

On 18 January 2015 at 13:59, Amos Jeffries squ...@treenet.co.nz wrote:


 On 18/01/2015 4:48 p.m., Dan Charlesworth wrote:
  Yeah. I definitely don't have my head around the new peek and
  splice directives and would appreciate some examples.
 
  On Sun, Jan 18, 2015 at 12:59 PM, Jason Haar wrote:
 
  On 17/01/15 21:11, Amos Jeffries wrote:
  The Squid HTTP Proxy team is very pleased to announce the
  availability of the Squid-3.5.1 release!
 
  ... * SSL peek-n-splice
  Hi there Could the documentation for peek-n-splice include an
  example showing how to use it? The current
  http://www.squid-cache.org/Doc/config/ssl_bump/ still really
  refers to the 3.4 method (eg the examples don't include any
  mention of SslBump1,SslBump2,etc) I think most people wanting to
  use it would want to know how to make squid figure out if the
  newly proposed session is talking to a HTTPS server, then to
  bump that and splice anything else. So having the usage example
  reflecting that makes sense

 Some basic examples are detailed in the section titled Examples on
 http://wiki.squid-cache.org/Features/SslPeekAndSplice

 They will not work if you cut-n-paste without understanding what needs
 to be done to make them work. But then, this is a dangerous feature to
 be using so cut-n-paste config is not a great idea.

 Amos







Re: [squid-users] Squid 3.5.0.1 beta is available

2014-10-22 Thread Odhiambo Washington
+1

Confusions galore. I was wondering what's going on.

On 22 October 2014 11:45, Eliezer Croitoru elie...@ngtech.co.il wrote:


 On 10/21/2014 08:08 AM, Amos Jeffries wrote:
  The Squid Software Foundation is very pleased to announce the
  availability of the Squid-3.5.0.1 beta release!

 I am not sure which file this release is in.
 Can you refer to a specific bzr revision?
 I have seen this file:

 http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.0.0-20141009-r13638.tar.gz

 Which I am almost sure is the relevant one, but the naming is pretty
 inconsistent.

 Also in the versions page at:
 http://www.squid-cache.org/Versions/

 I do not see any version at the beta section.

 (I want to build a new RPM...)

 Eliezer



