Re: [squid-users] Squid Peek and splice

2016-05-17 Thread Reet Vyas
I have installed Squid as my router, and below are my iptables rules:

  675 39972 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.200:3127
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3127
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3129
 2022  120K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.0.200:3129

Chain INPUT (policy ACCEPT 7028 packets, 770K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2317 packets, 146K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2317 packets, 146K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5923  688K MASQUERADE  all  --  *      eth0    192.168.0.0/24       0.0.0.0/0


On Tue, May 17, 2016 at 4:21 PM, admin <ad...@tisiz72.ru> wrote:

> I have the same config, but in my logs domain names
>
> Reet Vyas wrote on 2016-05-17 15:48:
>
> Here is my txt file. As of now it's working, but I am getting "secure
> connection failed"; I want to know if we can customize the error message,
> like "Access Denied".
>
> In the logs I am not getting the full URL; PFA logs for the same. What do
> I have to change in peek-and-splice SSL bump to get the full URL?
>

Re: [squid-users] Squid Peek and splice

2016-05-17 Thread Reet Vyas
Here is my txt file. As of now it's working, but I am getting "secure
connection failed"; I want to know if we can customize the error message,
like "Access Denied".

In the logs I am not getting the full URL; PFA logs for the same. What do I
have to change in peek-and-splice SSL bump to get the full URL?

Logs:

3481340.025      0 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.220:443 - HIER_NONE/- -
1463481340.037      0 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.220:443 - HIER_NONE/- -
1463481352.675  98653 192.168.0.11 TCP_TUNNEL/200 4567 CONNECT 74.125.68.100:443 - ORIGINAL_DST/74.125.68.100 -
1463481403.492 240049 192.168.0.188 TCP_TUNNEL/200 244 CONNECT 216.58.199.133:443 - ORIGINAL_DST/216.58.199.133 -
1463481403.519 240205 192.168.0.188 TCP_TUNNEL/200 244 CONNECT 74.125.130.189:443 - ORIGINAL_DST/74.125.130.189 -
1463481411.577 240235 192.168.0.66 TCP_TUNNEL/200 1832 CONNECT 74.125.68.239:443 - ORIGINAL_DST/74.125.68.239 -
1463481411.688 240430 192.168.0.66 TCP_TUNNEL/200 766 CONNECT 74.125.68.100:443 - ORIGINAL_DST/74.125.68.100 -
1463481411.940 240038 192.168.0.66 TCP_TUNNEL/200 502 CONNECT 216.58.199.141:443 - ORIGINAL_DST/216.58.199.141 -
1463481415.391 240029 192.168.0.66 TCP_TUNNEL/200 502 CONNECT 216.58.220.5:443 - ORIGINAL_DST/216.58.220.5 -
1463481418.469 240252 192.168.0.66 TCP_TUNNEL/200 518 CONNECT 74.125.68.132:443 - ORIGINAL_DST/74.125.68.132 -
1463481419.003 240197 192.168.0.66 TCP_TUNNEL/200 502 CONNECT 74.125.200.138:443 - ORIGINAL_DST/74.125.200.138 -
1463481421.151 240041 192.168.0.66 TCP_TUNNEL/200 143096 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481421.196  59328 192.168.0.11 TCP_TUNNEL/200 786 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481421.758 240647 192.168.0.66 TCP_TUNNEL/200 464 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481445.844 282774 192.168.0.188 TCP_TUNNEL/200 1423 CONNECT 74.125.130.189:443 - ORIGINAL_DST/74.125.130.189 -
1463481446.091 282893 192.168.0.188 TCP_TUNNEL/200 2418 CONNECT 216.58.199.133:443 - ORIGINAL_DST/216.58.199.133 -
1463481470.715  59069 192.168.0.11 TCP_TUNNEL/200 1395 CONNECT 216.58.199.206:443 - ORIGINAL_DST/216.58.199.206 -
1463481470.729  58778 192.168.0.11 TCP_TUNNEL/200 7609 CONNECT 216.58.199.206:443 - ORIGINAL_DST/216.58.199.206 -
1463481482.663  62472 192.168.0.11 TCP_TUNNEL/200 3000 CONNECT 216.58.199.165:443 - ORIGINAL_DST/216.58.199.165 -
1463481505.775 334542 192.168.0.66 TCP_TUNNEL/200 59071 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481512.946 240206 192.168.0.66 TCP_TUNNEL/200 470 CONNECT 74.125.130.101:443 - ORIGINAL_DST/74.125.130.101 -
1463481513.057 240084 192.168.0.66 TCP_TUNNEL/200 886 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481513.574 240132 192.168.0.66 TCP_TUNNEL/200 1116 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481514.156 240036 192.168.0.66 TCP_TUNNEL/200 454 CONNECT 216.58.199.129:443 - ORIGINAL_DST/216.58.199.129 -
1463481542.096   5675 192.168.0.11 TCP_TUNNEL/200 686 CONNECT 162.213.33.48:443 - ORIGINAL_DST/162.213.33.48 -
1463481546.586  59549 192.168.0.11 TCP_TUNNEL/200 493 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481569.729 398494 192.168.0.66 TCP_TUNNEL/200 2523 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481574.930 240032 192.168.0.66 TCP_TUNNEL/200 464 CONNECT 216.58.220.3:443 - ORIGINAL_DST/216.58.220.3 -
1463481578.959 240248 192.168.0.66 TCP_TUNNEL/200 1220 CONNECT 74.125.130.94:443 - ORIGINAL_DST/74.125.130.94 -
1463481614.460     70 192.168.0.66 TCP_TUNNEL/200 13976 CONNECT 216.58.199.133:443 - ORIGINAL_DST/216.58.199.133 -
1463481631.174 460024 192.168.0.66 TCP_TUNNEL/200 5641 CONNECT 74.125.200.189:443 - ORIGINAL_DST/74.125.200.189 -
1463481753.303 303648 192.168.0.11 TCP_TUNNEL/200 2801 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481759.694 240237 192.168.0.11 TCP_TUNNEL/200 829 CONNECT 216.58.199.206:443 - ORIGINAL_DST/216.58.199.206 -
1463481761.126 261752 192.168.0.11 TCP_TUNNEL/200 205262 CONNECT 216.58.199.129:443 - ORIGINAL_DST/216.58.199.129 -
1463481762.066 269470 192.168.0.11 TCP_TUNNEL/200 177618 CONNECT 216.58.199.129:443 - ORIGINAL_DST/216.58.199.129 -
1463481762.241 276758 192.168.0.11 TCP_TUNNEL/200 1451680 CONNECT 216.58.199.165:443 - ORIGINAL_DST/216.58.199.16





On Tue, May 17, 2016 at 3:33 PM, Reet Vyas <reet.vya...@gmail.com> wrote:

> Here is my txt file. As of now it's working, but I am getting "secure
> connection failed"; I want to know if we can customize the error message,
> like "Access Denied".
>
> In the logs I am not getting the full URL; PFA logs for the same. What do
> I have to change in peek-and-splice SSL bump to get the full URL?
>
> On Tue, May 17, 2016 at 3:21 PM, admin <ad...@tisiz72.ru> wrote:
>
>>
>>
>> get your blocked_https.txt
>>
>> Reet Vyas wrote on 2016-05-17 14:47:
>>
>> Hi
>>
>> Below is my 

Re: [squid-users] Squid Peek and splice

2016-05-17 Thread Reet Vyas
Hi

Below is my Squid configuration.

Squid: 3.5.13
OS: Ubuntu 14.04


http_port 3128
http_port 3127 intercept
# One directive per line: the https_port options below belong on a single line
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH

always_direct allow all
# These two lines disable origin-server certificate validation. They are
# irrelevant while every connection is spliced, but become a MITM hole for
# any connection that is bumped.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
# ssl::server_name uses dstdomain-style entries: ".example.com" covers subdomains,
# "example.com" matches that exact name only
acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked
ssl_bump splice all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 16 startup=1 idle=1
sslproxy_capath /etc/ssl/certs
ssl_unclean_shutdown on

I want to block facebook.com, so I have added the URL in the .txt file.

It's not blocking anything.

Please let me know what I have to change in this configuration.

I am getting the logs below in Squid:


1463478160.585    551 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478160.585    550 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478161.147    562 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478161.147    561 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478163.982    553 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478163.982    552 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478163.994    565 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478163.994    564 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478184.338 182900 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.137.175:443 - HIER_NONE/- -
1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT geo.query.yahoo.com:443 - ORIGINAL_DST/106.10.137.175 -
1463478194.373     61 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.163 -
1463478209.166 240232 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.239:443 - HIER_NONE/- -
1463478209.166 240231 192.168.0.66 TCP_TUNNEL/200 5603 CONNECT translate.googleapis.com:443 - ORIGINAL_DST/74.125.200.239 -
1463478209.200 240267 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 - HIER_NONE/- -
1463478209.200 240266 192.168.0.66 TCP_TUNNEL/200 4962 CONNECT clients4.google.com:443 - ORIGINAL_DST/216.58.199.142 -
1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443 - HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
1463478224.432     33 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.131 -
1463478231.727    555 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478231.727    555 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478232.311    572 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478232.311    571 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478246.369  13073 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.189:443 - HIER_NONE/- -
1463478246.369  13072 192.168.0.66 TCP_TUNNEL/200 4546 CONNECT 0.client-channel.google.com:443 - ORIGINAL_DST/74.125.200.189 -
1463478246.369  13806 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 - HIER_NONE/- -
1463478246.369  13805 192.168.0.66 TCP_TUNNEL/200 4604 CONNECT clients5.google.com:443 - ORIGINAL_DST/216.58.199.142 -
1463478265.935 119576 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.199.11:443 - HIER_NONE/- -
1463478265.935 119576 192.168.0.66 TCP_TUNNEL/200 8586 CONNECT geo.yahoo.com:443 - ORIGINAL_DST/106.10.199.11 -
1463478327.555     41 192.168.0.66 TCP_MISS/200 2323 GET http://www.gstatic.com/chrome/crlset/3006/crl-set-delta-3005-260733898557562236.crx.data - ORIGINAL_DST/216.58.220.3 text/html


On Fri, May 13, 2016 at 4:37 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 13/05/2016 5:58 p.m., Reet Vyas wrote:
> > Hi Amos/Yuri,
> >
> > Currently my Squid is configured with SSL bump; now I want to use peek
> > and splice. I read in some forum that we don't need to install a
> > certificate on the client's machine.
> >
>
> Splice does not require it. But what you want to do with Squid may
> prevent splice being used. So "it depends" ...
>
>
> > As I have already asked before on the mailing list, installing an SSL
> > certificate on Android devices is not working.
> >
> > So my question is: if I want to use peek and splice, for example I want
> > HTTPS filtering for
>
>  ... on how you define "filter".
>
> > proxy websites

[squid-users] Squid Peek and splice

2016-05-12 Thread Reet Vyas
Hi Amos/Yuri,

Currently my Squid is configured with SSL bump; now I want to use peek and
splice. I read in some forum that we don't need to install a certificate on
the client's machine.

As I have already asked before on the mailing list, installing an SSL
certificate on Android devices is not working.

So my question is: if I want to use peek and splice, for example I want HTTPS
filtering for proxy websites and I don't want SSL for bank websites and
Facebook, YouTube and Gmail, how will it work? Do I need to install an SSL
certificate on the client or not? I am a bit confused with the peek and
splice thing.

Please let me know whether it is possible to configure Squid 3.5.19 in such a
way that it will bump only proxy websites, not FB, YouTube etc.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
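The two questions in this thread (why `ssl_bump terminate blocked` in the configuration posted earlier did not stop graph.facebook.com, and whether peek-and-splice can bump only "proxy" sites while leaving banks, Facebook and YouTube untouched) both come down to how Squid walks the ssl_bump lines step by step and what the ssl::server_name ACL can see at each step. The following Python is an added example, not code from Squid or from anyone in the thread. It models that evaluation for an intercepted connection (step 1 knows only the original destination IP from NAT; step 2 knows the ClientHello SNI once Squid has peeked), uses dstdomain-style list matching, and reports what access.log can record for each outcome. It assumes blocked_https.txt held `facebook.com` without a leading dot; the selective ruleset, the ACL names, the `.webproxy.example` and `.bank.example` names and the 203.0.113.10 address are constructed. Step 3 (server certificate) is not modelled.

```python
"""Model of how Squid 3.5 walks ssl_bump rules across SslBump steps.

Added example for this thread; not code from Squid or from the original
poster. Only the acl/ssl_bump semantics are Squid's; ACL names, host names
and list contents are constructed, and the contents of blocked_https.txt
are assumed ("facebook.com" with no leading dot).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# acl name -> (type, values): type is "at_step", "server_name" or "all"
AclTable = Dict[str, Tuple[str, Optional[Set[str]]]]
# ordered ssl_bump lines as (action, acl name); the first match wins
RuleList = List[Tuple[str, str]]


@dataclass
class Conn:
    client: str
    dst_ip: str          # original destination recovered from the NAT table
    sni: Optional[str]   # ClientHello server_name; unseen until Squid peeks


def server_name_match(pattern: str, name: str) -> bool:
    """dstdomain / ssl::server_name list semantics: '.example.com' matches the
    domain and all of its subdomains, 'example.com' matches that name only."""
    p, n = pattern.lower(), name.lower().rstrip(".")
    if p.startswith("."):
        base = p.lstrip(".")
        return n == base or n.endswith("." + base)
    return n == p


def acl_matches(acls: AclTable, name: str, conn: Conn, step: int) -> bool:
    kind, values = acls[name]
    if kind == "all":
        return True
    if kind == "at_step":
        return f"SslBump{step}" in values
    if kind == "server_name":
        # Intercepted traffic at step 1 only has the fake CONNECT to the
        # original destination IP; the SNI exists from step 2 on (after a peek).
        candidate = conn.dst_ip if step == 1 else (conn.sni or conn.dst_ip)
        return any(server_name_match(v, candidate) for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def evaluate(rules: RuleList, acls: AclTable, conn: Conn, step: int) -> str:
    """First matching ssl_bump line wins, as in squid.conf."""
    for action, acl in rules:
        if acl_matches(acls, acl, conn, step):
            return action
    return "splice"  # no matching line: Squid does not bump, it tunnels


def decide(rules: RuleList, acls: AclTable, conn: Conn) -> Tuple[str, str]:
    """Return (final action, what access.log can record for this connection)."""
    action = evaluate(rules, acls, conn, 1)
    if action not in ("peek", "stare"):
        return action, "ip-only"       # ClientHello never inspected
    action = evaluate(rules, acls, conn, 2)
    if action == "bump":
        return action, "full-url"      # TLS terminated: request URLs are logged
    return action, "sni-host:port"     # spliced/terminated: CONNECT <sni>:443 only


# The thread's configuration: peek step1 / terminate blocked / splice all.
POSTED_RULES: RuleList = [("peek", "step1"), ("terminate", "blocked"), ("splice", "all")]
POSTED_ACLS: AclTable = {
    "step1": ("at_step", {"SslBump1"}),
    "blocked": ("server_name", {"facebook.com"}),   # assumed list content
    "all": ("all", None),
}

# Selective bumping: bump a list of "proxy" sites, splice everything else.
# Only clients hitting bumped sites must trust the Squid CA.
SELECTIVE_RULES: RuleList = [
    ("peek", "step1"),
    ("splice", "nobump"),
    ("bump", "proxysites"),
    ("splice", "all"),
]
SELECTIVE_ACLS: AclTable = {
    "step1": ("at_step", {"SslBump1"}),
    "nobump": ("server_name", {".facebook.com", ".youtube.com", ".google.com", ".bank.example"}),
    "proxysites": ("server_name", {".webproxy.example"}),  # constructed name
    "all": ("all", None),
}

if __name__ == "__main__":
    fb = Conn("192.168.0.66", "31.13.79.246", "graph.facebook.com")
    print("posted config, graph.facebook.com:", decide(POSTED_RULES, POSTED_ACLS, fb))
    fixed = dict(POSTED_ACLS, blocked=("server_name", {".facebook.com"}))
    print("with .facebook.com in the list:  ", decide(POSTED_RULES, fixed, fb))
    print("selective, webproxy:", decide(SELECTIVE_RULES, SELECTIVE_ACLS,
                                          Conn("192.168.0.11", "203.0.113.10", "www.webproxy.example")))
```

Run as-is, the posted ruleset splices graph.facebook.com because a list entry without a leading dot matches only that exact name, while `.facebook.com` terminates it. In the selective ruleset only connections whose SNI is in `proxysites` are bumped, and those are the only clients that need the Squid CA installed; everything spliced works without it. Spliced connections are logged as `CONNECT <sni>:443` and never carry a URL path, so the full URL asked for earlier in the thread is only available for bumped traffic.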


Re: [squid-users] SSL certifcate on android device not working

2016-05-08 Thread Reet Vyas
Thank you so much for the link; I will try it today and will post the results.

On Sat, May 7, 2016 at 8:43 AM, Amos Jeffries  wrote:

> On 7/05/2016 2:43 a.m., Yuri Voinov wrote:
> > Raf, this is not about pinning. This is about CA store in mobile devices.
> >
>
> Pinning at its core is just hard-coded entries in those stores or the app.
>
> A pinned cert can be considered like the CA equivalent of having a
> non-editable /etc/hosts file entry for DNS. Lookups happen but dont go
> past the hard-coded entry unless the app bypasses it specially.
>
> Amos
>


Re: [squid-users] SSL certifcate on android device not working

2016-05-06 Thread Reet Vyas
The same certificate is working with iPhone and I can access using SSL bump.
Why not on an Android device?

On Fri, May 6, 2016 at 7:31 PM, Rafael Akchurin <
rafael.akchu...@diladele.com> wrote:

> Not possible, see SSL certificate pinning in wikipedia, or at
> http://docs.diladele.com/faq/squid/dropbox.html
>
>
> Best regards,
> Rafael
>
> On 6 May 2016 at 14:27, Reet Vyas <reet.vya...@gmail.com> wrote the
> following:
>
> Please let me know if this possible or not?
>
> On Fri, May 6, 2016 at 6:51 PM, Yuri Voinov <yvoi...@gmail.com> wrote:
>
>> Android sucks and must die, yes :)
>>
>>
>> On 06.05.16 19:11, Alex Crow wrote:
>>
>> On 06/05/16 14:09, Reet Vyas wrote:
>>>
>>>> Hi
>>>>
>>>> I have Squid SSL bump working, but when I added squid.crt to my Android
>>>> it is not working, though it is working with iPhone because they have a
>>>> certificate installer app. I don't know the exact issue because my apps
>>>> are not working. I have installed squid.crt on mobile browsers; internet
>>>> is working, but not any app like YouTube, Instagram etc.
>>>>
>>>> Please let me know what the issue is with certificate installation on
>>>> Android devices.
>>>>
>>>>
>>> I think the problem is simply that CA cert management on Android simply
>>> sucks. That is my experience, YMMV.
>>>
>>> :-)
>>>
>>> Alex
>>>
>>> --
>>> This message is intended only for the addressee and may contain
>>> confidential information. Unless you are that person, you may not
>>> disclose its contents or use it in any way and are requested to delete
>>> the message along with any attachments and notify us immediately.
>>> This email is not intended to, nor should it be taken to, constitute
>>> advice.
>>> The information provided is correct to our knowledge & belief and must
>>> not
>>> be used as a substitute for obtaining tax, regulatory, investment, legal
>>> or
>>> any other appropriate advice.
>>>
>>> "Transact" is operated by Integrated Financial Arrangements Ltd.
>>> 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608
>>> 5300.
>>> (Registered office: as above; Registered in England and Wales under
>>> number: 3727592). Authorised and regulated by the Financial Conduct
>>> Authority (entered on the Financial Services Register; no. 190856).


Re: [squid-users] SSL certifcate on android device not working

2016-05-06 Thread Reet Vyas
Please let me know whether this is possible or not.

On Fri, May 6, 2016 at 6:51 PM, Yuri Voinov <yvoi...@gmail.com> wrote:

> Android sucks and must die, yes :)
>
>
> On 06.05.16 19:11, Alex Crow wrote:
>
> On 06/05/16 14:09, Reet Vyas wrote:
>>
>>> Hi
>>>
>>> I have Squid SSL bump working, but when I added squid.crt to my Android
>>> it is not working, though it is working with iPhone because they have a
>>> certificate installer app. I don't know the exact issue because my apps
>>> are not working. I have installed squid.crt on mobile browsers; internet
>>> is working, but not any app like YouTube, Instagram etc.
>>>
>>> Please let me know what the issue is with certificate installation on
>>> Android devices.
>>>
>>>
>> I think the problem is simply that CA cert management on Android simply
>> sucks. That is my experience, YMMV.
>>
>> :-)
>>
>> Alex
>>


[squid-users] SSL certifcate on android device not working

2016-05-06 Thread Reet Vyas
Hi

I have Squid SSL bump working, but when I added squid.crt to my Android it
is not working, though it is working with iPhone because they have a
certificate installer app. I don't know the exact issue because my apps are
not working. I have installed squid.crt on mobile browsers; internet is
working, but not any app like YouTube, Instagram etc.

Please let me know what the issue is with certificate installation on Android devices.


Re: [squid-users] Block VPN access like hola.org ,ultrasurf

2016-05-01 Thread Reet Vyas
Thanks so much for the detailed explanation; I will try the Cisco thing and
check whether it gets working.

On Sat, Apr 30, 2016 at 3:34 AM, Yuri Voinov <yvoi...@gmail.com> wrote:

>
>
> AFAIK,
>
> every proxy admin has faced excessively smart users who want to bypass the
> proxy. If you think that this is not true in your case, it means you don't
> know yet. While you suffer Prince Hamlet's ethical dilemma ("To bump or
> not to bump, that is a serious matter"), your smart-ass users will
> shamelessly use every possible tool and method to step over you and wipe
> their feet on your proxy.
>
> I am deeply sorry for you, but solving this problem by means of Squid is
> not possible. It is necessary to take into account the existence of Tor,
> VPN, URL shorteners, Google Translate (yes, it is also used for bypassing
> proxies!), SOCKS, HTTP/HTTPS anonymizers etc. This is not easy and not
> simple. This battle occurs every day.
>
> I deliberately do not mention really advanced techniques of hiding one
> type of traffic inside another, and other hacker tools. VPN is a strong,
> but not the last, tool for ignoring the proxy server as if it did not
> exist at all. And you can be sure your users will not miss them.
>
> And in the fight between shield and sword, the sword usually wins.
>
> A proxy alone in this matter is worth little or nothing. Only a trained
> administrator together with an experienced network administrator and two
> pairs of able brains can more or less hinder the life of these smart-ass
> users.
>
> This day-by-day battle is a significant part of IT security, which is not
> a product but a process.
>
> Hard luck,
>  Yuri
>
> On 29.04.16 22:07, Yuri Voinov wrote:
> >
> > The other option is using advanced DPI with a database, like the Chinese
> > government uses.
> >
> > Squid itself can't.
> >
> > On 29.04.16 16:33, Reet Vyas wrote:
> > > Hi,
> >
> >   > I have a working transparent Squid. Some users are using a proxy
> >   VPN in Mozilla as an add-on and bypassing my Squid. Please tell me
> >   how to block all hola.org <http://hola.org> VPN and UltraSurf; I have
> >   already blocked the websites, but it seems not to be working.
> >
> >   > Please let me know how to block this VPN access.
>
>
>


[squid-users] Block VPN access like hola.org ,ultrasurf

2016-04-29 Thread Reet Vyas
Hi,

I have a working transparent Squid. Some users are using a proxy VPN in
Mozilla as an add-on and bypassing my Squid. Please tell me how to block all
hola.org VPN and UltraSurf; I have already blocked the websites, but it seems
not to be working.

Please let me know how to block this VPN access.


Re: [squid-users] Assign multiple IP Address to squid

2015-12-31 Thread Reet Vyas
Hi all

Thanks for the reply. I have this Squid setup and I am using Squid as my
router, and my requirement is this: I have one local webserver and I want to
access it from home, and I want to NAT an external IP to an internal IP so
that I can access my local machine from the outside network. My ISP gave me
10 external IPs; one I am using with Squid and the other 9 are unused, so I
tried to create an alias on the external interface, gave one public IP to it
and NATed that external IP to the local IP, but I can't access the machine
(with the webserver) using the external IP; it shows access denied.

On Tue, Dec 29, 2015 at 5:35 PM, Reet Vyas <reet.vya...@gmail.com> wrote:

> Hi
>
> I have a working Squid 3.5.4 configuration with SSL bump. I am using this
> Squid machine as a router; it has an external IP and a leased line
> connection, and with the leased line I have 10 extra IP addresses. I want to
> NAT those external IPs to local IPs on the same network, like we do in our
> router, so that I can assign those IPs to my machines that have webservers.
>
> Please suggest a way to configure it.
>


[squid-users] Assign multiple IP Address to squid

2015-12-29 Thread Reet Vyas
Hi

I have a working Squid 3.5.4 configuration with SSL bump. I am using this
Squid machine as a router; it has an external IP and a leased line
connection, and with the leased line I have 10 extra IP addresses. I want to
NAT those external IPs to local IPs on the same network, like we do in our
router, so that I can assign those IPs to my machines that have webservers.

Please suggest a way to configure it.


[squid-users] squidaio_queue_request: WARNING - Queue congestion

2015-10-15 Thread Reet Vyas
Hi

I am getting this error in my Squid.

Squid version: 3.5.3

Can anyone help me out with this, because browsing is slow when I get this in
the cache.log file.


Re: [squid-users] Transparent Squid Proxy Server

2015-06-24 Thread Reet Vyas
 pkts bytes target     prot opt in     out     source               destination
76873 4457K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.200:3129
   26  1184 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.0.200:3130

Chain INPUT (policy ACCEPT 9321 packets, 543K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1426 packets, 85560 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1426 packets, 85560 bytes)
 pkts bytes target     prot opt in     out     source               destination
81432   14M MASQUERADE  all  --  *      eth0    192.168.0.0/24       0.0.0.0/0

On Fri, Jun 5, 2015 at 1:43 PM, Reet Vyas reet.vya...@gmail.com wrote:

 Hi

 Thanks for the reply. I am trying to cache YouTube using this wiki
 http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube but I
 can't cache YouTube.

 I want to cache Facebook and YouTube. Which SSL certificate installation do
 I have to do? Please suggest some links.

 On Thu, Jun 4, 2015 at 6:48 PM, Amos Jeffries squ...@treenet.co.nz
 wrote:

 On 5/06/2015 12:55 a.m., Reet Vyas wrote:
  Thank you everyone for helping me to set up Squid. Now it's working, but
  in access.log I only see TCP_MISS even if I'm using the same website. I
  mean Squid is not caching.

 You will get MISS a fair bit more with intercepted traffic than with
 normal proxied traffic. Particularly on certain major CDN who play
 tricks with DNS.

 The reasons, and some workarounds you need to be doing, are explained in
 http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

 Amos



[squid-users] Squid 3.5.3 with SSL not working

2015-06-24 Thread Reet Vyas
Hi

Below is my Squid file. I have configured Squid 3.5.3 with SSL, but I can't
filter HTTPS traffic, and I also can't see HTTPS in the access logs.


#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 116.72.152.37 192.168.0.0/24 # Sesuaikan dengan ip
client/local

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
# storeid *test*
acl urlrewrite dstdomain .fbcdn.net .akamaihd.net
acl speedtest url_regex -i speedtest\/.*\.(jpg|txt)\?.*
acl reverbnation url_regex -i reverbnation.*audio_player.*ec_stream_song.*$
acl utmgif url_regex -i utm.gif.*
acl playstoreandroid url_regex -i c.android.clients.google.com.market.GetBinary.GetBinary.*
acl idyoutube url_regex -i youtube.*(ptracking|stream_204|player_204).*(v\=|docid\=|video_id\=).*$
acl videoyoutube url_regex -i (youtube|googlevideo).*videoplayback\?
acl CONNECT method CONNECT
acl getmethod method GET
acl loop_302 http_status 302
acl step1 at_step SslBump1
acl youtube dstdomain .youtube.com
acl blocksites dstdomain /etc/squid/restricted-sites.squid
# TAG: QUERY
#
acl QUERY urlpath_regex -i (hackshield|blank.html|infinity.js|hshield.da|renew_session_token.php|recaptcha.js|dat.asp|notice.swf|patchlist.txt|hackshield|captcha|reset.css|update.ver|notice.html|updates.txt|gamenotice|images.kom|patchinfo.xml|noupdate.ui|\.Xtp|\.htc|\.txt)
acl QUERY urlpath_regex -i (patch.conf|uiimageset.xml.iop|gashaponwnd.xml.iop|loading.swf|download.swf|version.list|version.ini|launch.jnlp|server_patch.cfg.iop|core.swf|Loading.swf|resouececheck.sq|mainloading.swf|config.xml|gemmaze.swf|xml.png|size.xml|resourcesbar.swf|version.xml|version.list|delete.ini)
acl QUERY urlpath_regex -i \.(jsp|asp|aspx|cfg|iop|zip|php|xml|html)(\?|$)
cache deny QUERY
cache deny youtube

#
acl dontstore url_regex ^http:\/\/(([\d\w-]*(\.[^\.\-]*?\..*?))(\/\mosalsal\/[\d]{4}\/.*\/)(.*\.flv))\?start.*
acl dontstore url_regex redbot\.org \.php
acl dontstore url_regex -i ^http:\/\/.*gemscool\.com\/.*
acl dontstore url_regex \.(aspx|php)\?
acl dontstore url_regex goldprice\.org\/NewCharts\/gold\/images\/.*\.png
acl dontstore url_regex google\.co(m|\.[a-z]{2})\/complete\/search\?
acl dontstore url_regex redirector\.([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id|get_video_info\?|ptracking\?|player_204\?|stream_204\?).*

acl store_yt_id url_regex -i youtube.*(ptracking|stream_204|playback|player_204|watchtime|set_awesome|s\?|ads).*(video_id|docid|\v|content_v)\=([^\\s]*).*$
acl store_id_list_yt url_regex -i (youtube|googlevideo).*videoplayback.*$
acl store_id_list_yt url_regex ^https?\:\/\/([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id).*

acl store-id_list urlpath_regex -i dl\.sourceforge\.net
acl store-id_list urlpath_regex -i \.ytimg\.com
acl store-id_list urlpath_regex -i \.(akamaihd|fbcdn)\.net
acl store_id_list urlpath_regex -i [a-zA-Z]{2}[0-9]*\.4shared\.com\/download\/

acl store_id_list_url url_regex ^http:\/\/[0-9]\.bp\.blogspot\.com.*\.(jpeg|jpg|png|gif|ico)
acl store_id_list_url url_regex ^http[s]?:\/\/.*\.twimg\.com\/(.*)\.(gif|jpeg|jpg|png|js|css)
acl store_id_list_url url_regex ^http[s]?:\/\/(media|static)\.licdn\.com\/.*\.(png|jpg|gif|woff)
acl store_id_list_url url_regex ^https:\/\/fb(static|cdn)\-.*\-a.akamaihd.net\/(.*)\.(gif|jpeg|jpg|png|js|css|mp4)
acl store_id_list_url url_regex ^http:\/\/.*\.ak\.fbcdn\.net\/.*\.(gif|jpg|png|js|mp4)

# pass requests
url_rewrite_program /etc/squid/phpredir.php
url_rewrite_access allow youtube

request_header_access Range deny store_id_list_yt
range_offset_limit 10 KB store_id_list_yt


###
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
###
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocksites
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

###
# squid ssl_bump option
###
always_direct allow all
ssl_bump 

Re: [squid-users] Transparent Squid Proxy Server

2015-06-05 Thread Reet Vyas
Hi

Thanks for the reply. I am trying to cache YouTube using this wiki
http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube but I
can't cache YouTube.

I want to cache Facebook and YouTube. I have to do the SSL certificate
installation. Please suggest some links.

On Thu, Jun 4, 2015 at 6:48 PM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 5/06/2015 12:55 a.m., Reet Vyas wrote:
  Thank you everyone for helping me to setup squid , Now its working but in
  access.logs  I only see tcp_miss if m using same website. I mean squid is
  not caching

 You will get MISS a fair bit more with intercepted traffic than with
 normal proxied traffic. Particularly on certain major CDNs who play
 tricks with DNS.

 The reasons and some workarounds you need to be doing are explained in
 http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

 Amos

 ___
 squid-users mailing list
 squid-users@lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users



Re: [squid-users] Transparent Squid Proxy Server

2015-06-04 Thread Reet Vyas
Hi,

I changed the iptables, still no luck :( but I am using squid 3.3 only. I
didn't understand why you have configured the 3129, 3130 and 3128 ports?

On Wed, Jun 3, 2015 at 1:04 PM, Klavs Klavsen k...@vsen.dk wrote:

 Your client needs to use your squid server as default gateway.

 And then you need the iptables rules I wrote about to direct traffic into
 squid for certain ports.

 --
 Regards,
 Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

 Those who do not understand Unix are condemned to reinvent it, poorly.
   --Henry Spencer




Re: [squid-users] Transparent Squid Proxy Server

2015-06-04 Thread Reet Vyas
Hi

I got it half working. My chat is working and I can search Google, but I
can't browse websites.

My configuration now

acl mynet src 116.72.152.37 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
http_port 3129
http_port 3128 intercept

cache_dir ufs /usr/local/cache 1 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:  1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?)  0  0%  0
refresh_pattern (Release|Packages(.gz)*)$  0  20%  2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$  3600  90%  43200
refresh_pattern .  0  20%  4320



Iptables:

root@squid:/home/squid# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 77928 packets, 4272K bytes)
 pkts bytes target      prot opt in     out     source               destination
  290 17312 DNAT        tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.200:3128
    0     0 REDIRECT    tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 75943 packets, 4074K bytes)
 pkts bytes target      prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out     source               destination
  847 56477 MASQUERADE  all  --  *      eth0    192.168.0.0/24       0.0.0.0/0


Re: [squid-users] Transparent Squid Proxy Server

2015-06-04 Thread Reet Vyas
Thank you everyone for helping me to set up squid. Now it's working, but in
access.log I only see TCP_MISS if I'm using the same website. I mean squid is
not caching.

Logs

43 192.168.0.198 TCP_MISS/200 384461 GET http://www.horlicksquad.com/images/tc-pic.png - HIER_DIRECT/52.74.133.61 image/png
1433422076.988    309 192.168.0.198 TCP_MISS/200 38007 GET http://www.horlicksquad.com/about-us - HIER_DIRECT/52.74.133.61 text/html
1433422077.188    224 192.168.0.198 TCP_MISS/200 17622 GET http://www.horlicksquad.com/images/panel05.png - HIER_DIRECT/52.74.133.61 image/png
1433422077.226    140 192.168.0.198 TCP_MISS/200 13840 GET http://www.horlicksquad.com/images/au-bg.png - HIER_DIRECT/52.74.133.61 image/png
1433422077.261    208 192.168.0.198 TCP_MISS/200 60858 GET http://www.horlicksquad.com/images/sonny-horlicks-abtus.png - HIER_DIRECT/52.74.133.61 image/png

How do I check whether the cache is working or not? I want to cache videos, images and CSS.

On Thu, Jun 4, 2015 at 3:37 PM, Amos Jeffries squ...@treenet.co.nz wrote:

 On 4/06/2015 6:43 p.m., Reet Vyas wrote:
  Hi,
 
  I changed the iptables still no luck :( but I am using squid 3.3 only
 can I
  didn't understand why you have configured 3129 ,3130 and 3128 port?

 Because due to historic (browser war politics) reasons there are three
 different protocol message syntaxes in HTTP/1.x - depending whether the
 traffic is on port 80 (HTTP origin), 443 (HTTPS origin), or 3128 (HTTP
 proxy).


 * Normal forward/explicit proxy traffic occurs on port 3128. Squid needs
 this port regardless of whether your main traffic use is on another port
 type, because some proxy responses will have URLs generated for embedded
 content to be fetched from the proxy itself.

 * NAT intercepted port 80 traffic needs to be delivered to a different
 proxy http_port with the intercept flag. The tutorials use 3129 to
 make it clear it's not to be 3128, but it SHOULD be something random you
 make up that you can also have the firewall blocking connections
 directly to it by clients.

 * NAT intercepted port 443 traffic needs https_port directive (note the
 's') which means another port number separate from the port 80 one.


 Amos


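Amos's three-port explanation above, turned into an automated check. This is an added example, not code from the thread or from the Squid project: it parses `http_port`/`https_port` lines and `iptables-save` output, flags NAT rules that deliver intercepted port 80/443 traffic to a port without the `intercept` flag, requires a plain forward port to remain, and warns when an intercept port has no pre-NAT (mangle-table PREROUTING) DROP protecting it from direct client connections. The sample configs are constructed to mirror the two setups posted in this thread; the `MANGLE_FIX` rule and the finding codes are this example's own.

```python
"""Cross-check a squid.conf against iptables-save output for the interception
mistakes discussed in this thread (added example, not from the list)."""
import shlex

# Constructed samples modelled on the two configs posted in this thread.
# V1: a single forward-proxy port, yet NAT delivers intercepted port-80
# traffic to it (the original post's setup).
SQUID_V1 = "http_port 3128\ncache_dir ufs /usr/local/cache 1 16 256\n"
NAT_V1 = """*nat
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.200:3128
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""
# V2: separate forward and intercept ports (the later post), but nothing
# stops a LAN client from connecting straight to the intercept port.
SQUID_V2 = "http_port 3129\nhttp_port 3128 intercept\n"
# A mangle-table DROP runs before NAT, so direct connections to 3128 die
# while connections rewritten from dport 80 still get through.
MANGLE_FIX = "*mangle\n-A PREROUTING -p tcp --dport 3128 -j DROP\nCOMMIT\n"


def parse_squid_ports(conf):
    """Map port -> (directive, flags) for every http_port/https_port line."""
    ports = {}
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("http_port", "https_port"):
            port = int(parts[1].rsplit(":", 1)[-1])  # tolerate "addr:port"
            ports[port] = (parts[0], set(parts[2:]))
    return ports


def parse_iptables(save_output):
    """Yield one dict per '-A' rule in iptables-save output: its table, chain
    and every 'option value' pair, e.g. rule['dport'] == '80', rule['j'] == 'DNAT'."""
    table = None
    for raw in save_output.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A"):
            argv = shlex.split(line)
            rule = {"table": table, "chain": argv[1]}
            for opt, val in zip(argv, argv[1:]):
                if opt.startswith("-") and not val.startswith("-"):
                    rule[opt.lstrip("-")] = val
            yield rule


def audit(conf, save_output):
    """Return [(code, message), ...] for the port mismatches Amos describes."""
    ports = parse_squid_ports(conf)
    rules = list(parse_iptables(save_output))
    intercept = {p for p, (_, flags) in ports.items()
                 if flags & {"intercept", "transparent", "tproxy"}}
    findings = []
    if not set(ports) - intercept:
        findings.append(("NO_FORWARD_PORT", "no plain http_port left for explicit proxy requests"))
    for r in rules:
        if r["table"] != "nat" or r.get("j") not in ("DNAT", "REDIRECT"):
            continue
        dport = int(r.get("dport", 0))
        if dport not in (80, 443):
            continue
        target = r.get("to-destination") or r.get("to-ports", "0")
        tport = int(target.rsplit(":", 1)[-1])
        where = f"{r['chain']} dport {dport} -> {tport}"
        if tport not in ports:
            findings.append(("UNKNOWN_PORT", f"{where}: Squid does not listen there"))
        elif tport not in intercept:
            findings.append(("NO_INTERCEPT_FLAG", f"{where}: {ports[tport][0]} {tport} lacks the intercept flag"))
        elif dport == 443 and (ports[tport][0] != "https_port" or "ssl-bump" not in ports[tport][1]):
            findings.append(("HTTPS_NEEDS_SSL_BUMP", f"{where}: port 443 needs https_port ... intercept ssl-bump"))
    # Amos: the intercept port should be unreachable to clients directly.
    for p in sorted(intercept):
        if not any(r["table"] == "mangle" and r["chain"] == "PREROUTING" and r.get("j") == "DROP"
                   and r.get("dport") == str(p) for r in rules):
            findings.append(("NO_DIRECT_BLOCK", f"intercept port {p} is reachable directly by clients"))
    return findings
```

Run `audit(open("squid.conf").read(), subprocess.check_output(["iptables-save"], text=True))` on the proxy box; an empty list means the NAT targets, port flags and direct-access block all agree.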


Re: [squid-users] Transparent Squid Proxy Server

2015-06-03 Thread Reet Vyas
Hi

Thanks for the reply. As of now we don't have a router; I have directly
connected my machine to the internet and the other to the LAN, and I have
configured an Ubuntu client machine to test squid, which is on the switch
where other users are connected using the router gateway 192.168.0.1.

I read your valuable suggestions, but I am still confused with the iptables
and squid 3.3 settings, the transparent and intercept options.

root@squid:/home/squid# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff
    inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:67ff:fecf:5974/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:67ff:fecf:5975/64 scope link
       valid_lft forever preferred_lft forever

root@squid:/home/squid# ip -4 route show
default via 116.72.152.1 dev eth0
116.72.152.0/22 dev eth0  proto kernel  scope link  src 116.72.152.37
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.200

To use transparent/intercept, what do I have to set in my config file:
http_port 3128 intercept or transparent?

And for the iptables rules, I have tried these rules:

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

But it is not working.

Can you please tell me the firewall rules and let me know why my firewall
rules are not working?

On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen k...@vsen.dk wrote:

 Amos Jeffries wrote on 06/02/2015 04:34 PM:

 On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:

 I have this in my squid server for it to work:


 The key words there are ... *in my Squid server*

  indeed :)


 NOTE to Klavs:
loading the multiport kernel module seems overkill for a single-port
 match.

  it's puppet's firewall module.. haven't had enough time to fix that
 module :)


 FYI: DONT_VERIFY_PEER, always_direct allow all, and
 sslproxy_cert_error allow all have not been good ideas since 3.2.
 dont-verify actually inhibits the Mimic functions which give
 server-first bumping most of its usefulness.

  Thank you for those tips.

 --
 Regards,
 Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

 Those who do not understand Unix are condemned to reinvent it, poorly.
   --Henry Spencer




[squid-users] Transparent Squid Proxy Server

2015-06-02 Thread Reet Vyas
I am trying to configure a transparent squid proxy on Ubuntu 14.04 Server;
the squid version I am using is 3.3.

My Lan and Wan settings

eth0  Link encap:Ethernet  HWaddr 00:1e:67:cf:59:74
  inet addr:116.72.*.*  Bcast:116.72.155.255  Mask:255.255.252.0
  inet6 addr: fe80::21e:67ff:fecf:5974/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:238950 errors:0 dropped:0 overruns:0 frame:0
  TX packets:236104 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:22219047 (22.2 MB)  TX bytes:17390502 (17.3 MB)
  Interrupt:16 Memory:d0a0-d0a2

eth1  Link encap:Ethernet  HWaddr 00:1e:67:cf:59:75
  inet addr:192.168.0.200  Bcast:192.168.0.255  Mask:255.255.255.0
  inet6 addr: fe80::21e:67ff:fecf:5975/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:96965 errors:0 dropped:0 overruns:0 frame:0
  TX packets:11785 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:10764615 (10.7 MB)  TX bytes:7151763 (7.1 MB)
  Interrupt:17 Memory:d090-d092

my squid.conf file

acl mynet src 116.72.152.37 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
http_port 3128
cache_dir ufs /usr/local/cache 1 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:  1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?)  0  0%  0
refresh_pattern (Release|Packages(.gz)*)$  0  20%  2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$  3600  90%  43200
refresh_pattern .  0  20%  4320


But when I use 192.168.0.200 as the gateway in my client machine, the
internet is not working and I can't see logs in access.log.

But when I use this IP in my browser it is working and showing logs, but
with my TP-Link router gateway, i.e. 192.168.0.1.

IPTable rules:
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:192.168.0.200:3128
2    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3128

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination


Please tell me what I am missing in the iptables and squid3 configuration. I
tried both the transparent as well as the intercept option, but I think I
have an issue with iptables, or maybe a configuration issue.


Re: [squid-users] Squid cache youtube and other websites

2015-05-26 Thread Reet Vyas
Hi Yuri,

Thanks for the nice info. As I mentioned, I have only a TP-Link TL-R470T
router and a machine with the configuration:

CentOS 6
HDD 1 TB
RAM 32 GB

So is this possible with the above router, or do I have to change my router
for the same? I can do this using iptables only.


On Mon, May 25, 2015 at 4:57 PM, Yuri Voinov yvoi...@gmail.com wrote:

  Look, Ma. ;) I'm a LumberJack :))

 http://i.imgur.com/NGn6Ao4.png
 http://i.imgur.com/Uz0zXut.png

 Note, that Youtube now uses QUIC protocol (especially in Chrome), which
 cannot be processed by Squid ever.

 To cache Youtube, you must solve two tasks:
 1. Completely force clients to use HTTP/HTTPS for YT.

 http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol

 2. Configure and tune _correct_ SSL Bump.
 3. Configure and refine Store ID feature.

 All of this above is know-how partially or completely. ;)

 WBR, Yuri

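Step 3 of Yuri's list, the Store ID helper that deals with the CDN Dan describes, as an added example (not code from the list or from the Squid project): a minimal helper speaking Squid's Store-ID line protocol (Squid 3.4 or later) that maps every `videoplayback` URL for the same `id`/`itag`/`range` onto one cache key, whatever the edge host, client IP, signature or expiry in the URL. The `video-srv.squid.internal` key namespace and the choice of parameters are this example's own assumptions.

```python
"""Minimal Squid Store-ID helper that collapses YouTube/googlevideo
'videoplayback' URLs onto one cache key (added example, not from the list)."""
import re
import sys
from urllib.parse import urlsplit, parse_qs

# Store-ID helper line protocol (Squid 3.4+): request "[channel-ID] URL [extras]",
# reply "[channel-ID] OK store-id=<key>", "[channel-ID] ERR" or "BH" (broken input).
VIDEO_HOST = re.compile(r"^(.*\.)?(googlevideo\.com|youtube\.com)$", re.I)
# Hypothetical internal namespace for the keys; it never leaves the cache.
KEY_BASE = "http://video-srv.squid.internal/videoplayback"


def store_id(url):
    """Return the canonical key for a videoplayback URL, or None to leave it alone.
    The edge host, signature, expiry and client IP vary per request, so the key
    keeps only the parameters that select the bytes: id, itag and range."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not VIDEO_HOST.match(parts.hostname or ""):
        return None
    if parts.path != "/videoplayback":
        return None
    q = parse_qs(parts.query)
    if "id" not in q or "itag" not in q:
        return None  # no stable identity -> let Squid key on the raw URL
    rng = q.get("range", ["full"])[0]
    return f"{KEY_BASE}/{q['id'][0]}/{q['itag'][0]}/{rng}"


def handle_line(line):
    """Turn one helper request line into the reply Squid expects."""
    fields = line.split()
    if not fields:
        return "BH"
    channel = ""
    if fields[0].isdigit():  # concurrency enabled: first token is the channel-ID
        channel, fields = fields[0] + " ", fields[1:]
    if not fields:
        return channel + "BH"
    key = store_id(fields[0])
    return f"{channel}OK store-id={key}" if key else f"{channel}ERR"


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()  # Squid waits for each reply before sending the next
```

Wire it in with `store_id_program` and a `store_id_access` ACL such as the `store_id_list_yt` regexes from the config quoted earlier in this thread; it can only help for traffic Squid actually sees, i.e. plain HTTP or bumped HTTPS, which is Dan's point.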


[squid-users] Squid cache youtube and other websites

2015-05-25 Thread Reet Vyas
Hi

I want to use squid to cache YouTube videos. Ours is a media agency and we
are facing lots of bandwidth issues, so I came up with the solution to cache
YouTube.

I want to know a few things, as I am new to squid and networking.

I have a TP-Link router, 8 broadband connections and two leased line
connections, so I can't make squid the router. I want to set up squid in
such a way that I use only my router IP as the gateway and all requests
coming on port 80 go through squid.

Is this possible?? I am just assuming it can be done using iptables, but
only if the squid server is the router, and I don't want to use squid as the
router because of so many ISP lines.

Can you please suggest how to achieve this?

Please give some ideas to implement this.


Re: [squid-users] Squid cache youtube and other websites

2015-05-25 Thread Reet Vyas
Hi

Thanks Dan for the info. I searched Google about LUSCA and the scripts
available, but I don't think it is working now.



On Mon, May 25, 2015 at 12:21 PM, d...@getbusi.com wrote:

 Firstly, I think the biggest roadblocks you’re going to hit with caching
 YouTube are:

 1) It’s all encrypted now (thanks Google). Squid can’t cache what it can’t
 see inside an SSL tunnel.

 2) They have a pretty intense CDN which you’ll need a StoreID helper to
 deal with.

 There are people on this list that know way more about it than me though,
 so I’ll let them explain how they do it.



