Re: [squid-users] Squid Peek and splice
I have installed squid as my router and below are my iptables rules:

  675 39972 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.200:3127
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3127
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3129
 2022  120K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.0.200:3129

Chain INPUT (policy ACCEPT 7028 packets, 770K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2317 packets, 146K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2317 packets, 146K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5923  688K MASQUERADE all  --  *      eth0    192.168.0.0/24       0.0.0.0/0

On Tue, May 17, 2016 at 4:21 PM, admin <ad...@tisiz72.ru> wrote:
> I have the same config, but in my logs domain names
>
> Reet Vyas wrote 2016-05-17 15:48:
> > Here is my txt file, as of now it's working but I am getting "secure
> > connection failed"; I want to know if we can customize the error message,
> > like "Access Denied".
> >
> > In logs I am not getting the full URL, PFA logs for same. What do I have to
> > change in peek and splice ssl bump to get the full URL?
Re: [squid-users] Squid Peek and splice
Here is my txt file, as of now it's working but I am getting "secure connection failed"; I want to know if we can customize the error message, like "Access Denied".

In logs I am not getting the full URL, PFA logs for same. What do I have to change in peek and splice ssl bump to get the full URL?

Logs:

3481340.025      0 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.220:443 - HIER_NONE/- -
1463481340.037      0 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.220:443 - HIER_NONE/- -
1463481352.675  98653 192.168.0.11 TCP_TUNNEL/200 4567 CONNECT 74.125.68.100:443 - ORIGINAL_DST/74.125.68.100 -
1463481403.492 240049 192.168.0.188 TCP_TUNNEL/200 244 CONNECT 216.58.199.133:443 - ORIGINAL_DST/216.58.199.133 -
1463481403.519 240205 192.168.0.188 TCP_TUNNEL/200 244 CONNECT 74.125.130.189:443 - ORIGINAL_DST/74.125.130.189 -
1463481411.577 240235 192.168.0.66 TCP_TUNNEL/200 1832 CONNECT 74.125.68.239:443 - ORIGINAL_DST/74.125.68.239 -
1463481411.688 240430 192.168.0.66 TCP_TUNNEL/200 766 CONNECT 74.125.68.100:443 - ORIGINAL_DST/74.125.68.100 -
1463481411.940 240038 192.168.0.66 TCP_TUNNEL/200 502 CONNECT 216.58.199.141:443 - ORIGINAL_DST/216.58.199.141 -
1463481415.391 240029 192.168.0.66 TCP_TUNNEL/200 502 CONNECT 216.58.220.5:443 - ORIGINAL_DST/216.58.220.5 -
1463481418.469 240252 192.168.0.66 TCP_TUNNEL/200 518 CONNECT 74.125.68.132:443 - ORIGINAL_DST/74.125.68.132 -
1463481419.003 240197 192.168.0.66 TCP_TUNNEL/200 502 CONNECT 74.125.200.138:443 - ORIGINAL_DST/74.125.200.138 -
1463481421.151 240041 192.168.0.66 TCP_TUNNEL/200 143096 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481421.196  59328 192.168.0.11 TCP_TUNNEL/200 786 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481421.758 240647 192.168.0.66 TCP_TUNNEL/200 464 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481445.844 282774 192.168.0.188 TCP_TUNNEL/200 1423 CONNECT 74.125.130.189:443 - ORIGINAL_DST/74.125.130.189 -
1463481446.091 282893 192.168.0.188 TCP_TUNNEL/200 2418 CONNECT 216.58.199.133:443 - ORIGINAL_DST/216.58.199.133 -
1463481470.715  59069 192.168.0.11 TCP_TUNNEL/200 1395 CONNECT 216.58.199.206:443 - ORIGINAL_DST/216.58.199.206 -
1463481470.729  58778 192.168.0.11 TCP_TUNNEL/200 7609 CONNECT 216.58.199.206:443 - ORIGINAL_DST/216.58.199.206 -
1463481482.663  62472 192.168.0.11 TCP_TUNNEL/200 3000 CONNECT 216.58.199.165:443 - ORIGINAL_DST/216.58.199.165 -
1463481505.775 334542 192.168.0.66 TCP_TUNNEL/200 59071 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481512.946 240206 192.168.0.66 TCP_TUNNEL/200 470 CONNECT 74.125.130.101:443 - ORIGINAL_DST/74.125.130.101 -
1463481513.057 240084 192.168.0.66 TCP_TUNNEL/200 886 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481513.574 240132 192.168.0.66 TCP_TUNNEL/200 1116 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481514.156 240036 192.168.0.66 TCP_TUNNEL/200 454 CONNECT 216.58.199.129:443 - ORIGINAL_DST/216.58.199.129 -
1463481542.096   5675 192.168.0.11 TCP_TUNNEL/200 686 CONNECT 162.213.33.48:443 - ORIGINAL_DST/162.213.33.48 -
1463481546.586  59549 192.168.0.11 TCP_TUNNEL/200 493 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
1463481569.729 398494 192.168.0.66 TCP_TUNNEL/200 2523 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481574.930 240032 192.168.0.66 TCP_TUNNEL/200 464 CONNECT 216.58.220.3:443 - ORIGINAL_DST/216.58.220.3 -
1463481578.959 240248 192.168.0.66 TCP_TUNNEL/200 1220 CONNECT 74.125.130.94:443 - ORIGINAL_DST/74.125.130.94 -
1463481614.460     70 192.168.0.66 TCP_TUNNEL/200 13976 CONNECT 216.58.199.133:443 - ORIGINAL_DST/216.58.199.133 -
1463481631.174 460024 192.168.0.66 TCP_TUNNEL/200 5641 CONNECT 74.125.200.189:443 - ORIGINAL_DST/74.125.200.189 -
1463481753.303 303648 192.168.0.11 TCP_TUNNEL/200 2801 CONNECT 216.58.199.142:443 - ORIGINAL_DST/216.58.199.142 -
1463481759.694 240237 192.168.0.11 TCP_TUNNEL/200 829 CONNECT 216.58.199.206:443 - ORIGINAL_DST/216.58.199.206 -
1463481761.126 261752 192.168.0.11 TCP_TUNNEL/200 205262 CONNECT 216.58.199.129:443 - ORIGINAL_DST/216.58.199.129 -
1463481762.066 269470 192.168.0.11 TCP_TUNNEL/200 177618 CONNECT 216.58.199.129:443 - ORIGINAL_DST/216.58.199.129 -
1463481762.241 276758 192.168.0.11 TCP_TUNNEL/200 1451680 CONNECT 216.58.199.165:443 - ORIGINAL_DST/216.58.199.16

On Tue, May 17, 2016 at 3:33 PM, Reet Vyas <reet.vya...@gmail.com> wrote:
> Here is my txt file, as of now it's working but I am getting "secure
> connection failed"; I want to know if we can customize the error message,
> like "Access Denied".
>
> In logs I am not getting the full URL, PFA logs for same. What do I have to
> change in peek and splice ssl bump to get the full URL?
>
> On Tue, May 17, 2016 at 3:21 PM, admin <ad...@tisiz72.ru> wrote:
> >
> > get your blocked_https.txt
> >
> > Reet Vyas wrote 2016-05-17 14:47:
> > > Hi
> > >
> > > Below is my
Re: [squid-users] Squid Peek and splice
Hi

Below is my squid configuration.

Squid: 3.5.13
OS: Ubuntu 14.04

http_port 3128
http_port 3127 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH

always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump terminate blocked
ssl_bump splice all

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 16 startup=1 idle=1
sslproxy_capath /etc/ssl/certs
sslproxy_cert_error allow all
ssl_unclean_shutdown on

I want to block facebook.com so I have added the URL in the .txt file. It's not blocking anything. Please let me know what I have to change in this configuration.

I am getting the below logs in squid:

1463478160.585    551 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478160.585    550 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478161.147    562 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478161.147    561 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478163.982    553 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478163.982    552 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478163.994    565 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478163.994    564 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478184.338 182900 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.137.175:443 - HIER_NONE/- -
1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT geo.query.yahoo.com:443 - ORIGINAL_DST/106.10.137.175 -
1463478194.373     61 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.163 -
1463478209.166 240232 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.239:443 - HIER_NONE/- -
1463478209.166 240231 192.168.0.66 TCP_TUNNEL/200 5603 CONNECT translate.googleapis.com:443 - ORIGINAL_DST/74.125.200.239 -
1463478209.200 240267 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 - HIER_NONE/- -
1463478209.200 240266 192.168.0.66 TCP_TUNNEL/200 4962 CONNECT clients4.google.com:443 - ORIGINAL_DST/216.58.199.142 -
1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443 - HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
1463478224.432     33 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.131 -
1463478231.727    555 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478231.727    555 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478232.311    572 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478232.311    571 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478246.369  13073 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.189:443 - HIER_NONE/- -
1463478246.369  13072 192.168.0.66 TCP_TUNNEL/200 4546 CONNECT 0.client-channel.google.com:443 - ORIGINAL_DST/74.125.200.189 -
1463478246.369  13806 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 - HIER_NONE/- -
1463478246.369  13805 192.168.0.66 TCP_TUNNEL/200 4604 CONNECT clients5.google.com:443 - ORIGINAL_DST/216.58.199.142 -
1463478265.935 119576 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.199.11:443 - HIER_NONE/- -
1463478265.935 119576 192.168.0.66 TCP_TUNNEL/200 8586 CONNECT geo.yahoo.com:443 - ORIGINAL_DST/106.10.199.11 -
1463478327.555     41 192.168.0.66 TCP_MISS/200 2323 GET http://www.gstatic.com/chrome/crlset/3006/crl-set-delta-3005-260733898557562236.crx.data - ORIGINAL_DST/216.58.220.3 text/html

On Fri, May 13, 2016 at 4:37 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 13/05/2016 5:58 p.m., Reet Vyas wrote:
> > Hi Amos/Yuri,
> >
> > Currently my squid is configured with ssl bump, now I want to use peek and
> > splice. I read in some forum that we don't need to install a certificate on
> > the client's machine.
>
> Splice does not require it. But what you want to do with Squid may
> prevent splice being used. So "it depends" ...
>
> > As I have already asked before on the mailing list, installing the SSL
> > certificate on Android devices is not working.
> >
> > So my question is, if I want to use peek and splice, for example I want https
> > filtering for
>
> ... on how you define "filter".
>
> > proxy websites
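An added check, not code from this thread or from Squid, that ties together the two questions above: the ssl::server_name blocklist that "is not blocking anything" in this message (the log shows graph.facebook.com being spliced, TCP_TUNNEL with ORIGINAL_DST) and the later message whose logs contain only IP addresses. A spliced connection is a TCP tunnel that Squid never decrypts, so there is no full URL to log; the most that peeking can recover is the TLS server name (SNI), and a CONNECT line whose target is a bare IP literal is one where no name was available for a name-based ACL to match. The script parses native-format access.log lines (copied from the messages above and embedded as sample input), parses a blocked_https.txt, and reports which logged names the ACL would match. Assumptions, labelled in the code: ssl::server_name matches like dstdomain (".facebook.com" covers the domain and every subdomain, "facebook.com" only the exact name); the two blocklist contents are constructed, since the thread never shows the real file; all function and variable names are the example's own.

```python
"""Audit a Squid 3.5 peek-and-splice setup from its own access.log.

Added example, not code from the squid-users thread or from Squid.
Assumptions: ssl::server_name matches like dstdomain (leading dot = domain
plus subdomains, no dot = exact name); a CONNECT target logged as a bare
IP literal means Squid saw no SNI for that connection.
"""
import ipaddress
import re

# Squid native access.log: time elapsed client tag/status size method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Sample input: lines copied from the two messages above, one per case.
SAMPLE_LOG = """\
1463478184.338 182900 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.137.175:443 - HIER_NONE/- -
1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT geo.query.yahoo.com:443 - ORIGINAL_DST/106.10.137.175 -
1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443 - HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
1463478160.585 550 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463481352.675 98653 192.168.0.11 TCP_TUNNEL/200 4567 CONNECT 74.125.68.100:443 - ORIGINAL_DST/74.125.68.100 -
1463478194.373 61 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.163 -
"""

# Constructed blocklist contents (the thread never shows the real file):
# a URL plus a bare name, versus the leading-dot form that covers subdomains.
BLOCKLIST_AS_POSTED = "https://www.facebook.com\nfacebook.com\n"
BLOCKLIST_FIXED = "# ssl::server_name entries, dstdomain style\n.facebook.com\n"


def parse_log(text):
    """Yield one dict per parsable native-format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def load_blocklist(text):
    """Parse blocked_https.txt into (entries, warnings).

    An entry with a scheme or a path can never equal a TLS server name, so it
    is dropped and reported instead of silently matching nothing."""
    entries, warnings = [], []
    for raw in text.splitlines():
        item = raw.split("#", 1)[0].strip().lower()
        if not item:
            continue
        if "://" in item or "/" in item:
            warnings.append(f"{item!r} looks like a URL, not a server name; it will never match")
            continue
        entries.append(item)
    return entries, warnings


def is_ip_literal(host):
    """True when the logged CONNECT target is an address, i.e. no SNI was seen."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def name_matches(pattern, host):
    """dstdomain-style match (assumption: ssl::server_name behaves the same)."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def connect_host(url):
    """'graph.facebook.com:443' -> 'graph.facebook.com'."""
    host, _, _port = url.rpartition(":")
    return host or url


def audit(log_text, blocklist_text):
    """Classify CONNECT entries and say which names the blocklist would catch."""
    entries, warnings = load_blocklist(blocklist_text)
    report = {"spliced": 0, "named": set(), "ip_only": set(),
              "would_block": set(), "warnings": warnings}
    for rec in parse_log(log_text):
        if rec["method"] != "CONNECT":
            continue
        host = connect_host(rec["url"])
        if rec["tag"] == "TCP_TUNNEL":
            report["spliced"] += 1          # tunnelled: no URL exists to log
        if is_ip_literal(host):
            report["ip_only"].add(host)     # no SNI: name ACLs cannot see it
            continue
        report["named"].add(host)
        if any(name_matches(p, host) for p in entries):
            report["would_block"].add(host)
    return report


if __name__ == "__main__":
    for label, blocklist in (("as posted", BLOCKLIST_AS_POSTED), ("fixed", BLOCKLIST_FIXED)):
        print(label, audit(SAMPLE_LOG, blocklist))
```

Run against the sample lines, the bare `facebook.com` entry matches nothing and the URL entry is reported as unusable, while `.facebook.com` matches `graph.facebook.com`; the three IP-literal targets are reported separately because no blocklist entry, however written, can match a connection for which Squid never saw a server name.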
[squid-users] Squid Peek and splice
Hi Amos/Yuri,

Currently my squid is configured with ssl bump, now I want to use peek and splice. I read in some forum that we don't need to install a certificate on the client's machine. As I have already asked before on the mailing list, installing the SSL certificate on Android devices is not working.

So my question is: if I want to use peek and splice, for example I want https filtering for proxy websites and I don't want SSL for bank websites and Facebook, YouTube and Gmail, how will it work? Do I need to install the SSL certificate on the client or not? I am a bit confused with the peek and splice thing. Please let me know if it is possible to configure squid 3.5.19 in such a way that it will bump only proxy websites, not FB, YouTube etc.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] SSL certifcate on android device not working
Thank you so much for the link, will try today and will post results.

On Sat, May 7, 2016 at 8:43 AM, Amos Jeffries wrote:
> On 7/05/2016 2:43 a.m., Yuri Voinov wrote:
> > Raf, this is not about pinning. This is about the CA store in mobile devices.
>
> Pinning at its core is just hard-coded entries in those stores or the app.
>
> A pinned cert can be considered like the CA equivalent of having a
> non-editable /etc/hosts file entry for DNS. Lookups happen but don't go
> past the hard-coded entry unless the app bypasses it specially.
>
> Amos
Re: [squid-users] SSL certifcate on android device not working
The same certificate is working with iPhone and I can access using ssl bump. Why not on an Android device?

On Fri, May 6, 2016 at 7:31 PM, Rafael Akchurin <rafael.akchu...@diladele.com> wrote:
> Not possible, see SSL certificate pinning in Wikipedia, or at
> http://docs.diladele.com/faq/squid/dropbox.html
>
> Best regards,
> Rafael
>
> On 6 May 2016 at 14:27, Reet Vyas <reet.vya...@gmail.com> wrote:
> > Please let me know if this is possible or not?
> >
> > On Fri, May 6, 2016 at 6:51 PM, Yuri Voinov <yvoi...@gmail.com> wrote:
> > > Android sucks and must die, yes :)
> > >
> > > 06.05.16 19:11, Alex Crow wrote:
> > > > On 06/05/16 14:09, Reet Vyas wrote:
> > > > > Hi
> > > > >
> > > > > I have squid ssl bump working, but when I added squid.crt to my Android
> > > > > it is not working, while it is working with iPhone because they have a
> > > > > certificate installer app. I don't know the exact issue because my apps
> > > > > are not working. I have installed squid.crt on mobile browsers; internet
> > > > > is working but not any app like YouTube, Instagram etc.
> > > > >
> > > > > Please let me know what the issue is with certificate installation on
> > > > > Android devices.
> > > >
> > > > I think the problem is simply that CA cert management on Android simply
> > > > sucks. That is my experience, YMMV.
> > > >
> > > > :-)
> > > >
> > > > Alex
> > > >
> > > > --
> > > > This message is intended only for the addressee and may contain
> > > > confidential information. Unless you are that person, you may not
> > > > disclose its contents or use it in any way and are requested to delete
> > > > the message along with any attachments and notify us immediately.
> > > > This email is not intended to, nor should it be taken to, constitute
> > > > advice. The information provided is correct to our knowledge & belief
> > > > and must not be used as a substitute for obtaining tax, regulatory,
> > > > investment, legal or any other appropriate advice.
> > > >
> > > > "Transact" is operated by Integrated Financial Arrangements Ltd.
> > > > 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
> > > > (Registered office: as above; Registered in England and Wales under
> > > > number: 3727592). Authorised and regulated by the Financial Conduct
> > > > Authority (entered on the Financial Services Register; no. 190856).
Re: [squid-users] SSL certifcate on android device not working
Please let me know if this is possible or not?

On Fri, May 6, 2016 at 6:51 PM, Yuri Voinov <yvoi...@gmail.com> wrote:
> Android sucks and must die, yes :)
>
> 06.05.16 19:11, Alex Crow wrote:
> > On 06/05/16 14:09, Reet Vyas wrote:
> > > Hi
> > >
> > > I have squid ssl bump working, but when I added squid.crt to my Android
> > > it is not working, while it is working with iPhone because they have a
> > > certificate installer app. I don't know the exact issue because my apps
> > > are not working. I have installed squid.crt on mobile browsers; internet
> > > is working but not any app like YouTube, Instagram etc.
> > >
> > > Please let me know what the issue is with certificate installation on
> > > Android devices.
> >
> > I think the problem is simply that CA cert management on Android simply
> > sucks. That is my experience, YMMV.
> >
> > :-)
> >
> > Alex
[squid-users] SSL certifcate on android device not working
Hi

I have squid ssl bump working, but when I added squid.crt to my Android it is not working, while it is working with iPhone because they have a certificate installer app. I don't know the exact issue because my apps are not working. I have installed squid.crt on mobile browsers; internet is working but not any app like YouTube, Instagram etc.

Please let me know what the issue is with certificate installation on Android devices.
Re: [squid-users] Block VPN access like hola.org ,ultrasurf
Thanks so much for the detailed explanation, will try the Cisco thing and will check if it gets working.

On Sat, Apr 30, 2016 at 3:34 AM, Yuri Voinov <yvoi...@gmail.com> wrote:
> AFAIK,
>
> every proxy admin has faced excessively smart users who want to bypass the
> proxy. If you think that this is not true in your case, it means you do not
> know it yet. While you suffer prince Hamlet's ethical dilemma, "To bump or
> not to bump, that is a serious matter", your smart-ass users will
> shamelessly use every possible tool and method to step over you and wipe
> their feet on your proxy.
>
> I am deeply sorry for you, but solving this problem by means of Squid
> is not possible. It is necessary to take into account the existence of Tor,
> VPN, URL shorteners, Google Translate (yes, it is also used for bypassing
> proxies!), SOCKS, http/https anonymizers etc. This is not easy and not
> simple. This battle occurs every day.
>
> I deliberately do not mention really advanced techniques of hiding one
> type of traffic inside another, and other hacker tools. VPN is a
> strong, but not the last, tool to ignore the proxy server, as if it did not
> exist at all. And you can be sure your users will not miss them.
>
> And in the fight between shield and sword, the sword usually wins.
>
> A proxy alone in this matter is worth little or nothing. Only a trained
> administrator together with an experienced network administrator, and two
> pairs of brains, can more or less hinder the life of these smart-ass users.
>
> This day-by-day battle is a significant part of IT security, which is not a
> product, but a process.
>
> Hard luck,
> Yuri
>
> 29.04.16 22:07, Yuri Voinov wrote:
> > The other option is using advanced DPI with a database. Like the Chinese
> > government uses.
> >
> > Squid itself can't.
> >
> > 29.04.16 16:33, Reet Vyas wrote:
> > > Hi,
> > >
> > > I have a working transparent squid. Some users are using a proxy VPN
> > > in Mozilla as an addon and bypassing my squid. Please tell me how to
> > > block all hola.org VPN and UltraSurf; I have already blocked the
> > > websites, but it seems not to be working.
> > >
> > > Please let me know how to block these VPN accesses.
[squid-users] Block VPN access like hola.org ,ultrasurf
Hi,

I have a working transparent squid. Some users are using a proxy VPN in Mozilla as an addon and bypassing my squid. Please tell me how to block all hola.org VPN and UltraSurf; I have already blocked the websites, but it seems not to be working.

Please let me know how to block these VPN accesses.
Re: [squid-users] Assign multiple IP Address to squid
Hi all

Thanks for the reply. I have this squid setup and I am using squid as my router. My requirement is: I have one local webserver and I want to access it from home, so I want to NAT an external IP to an internal IP so that I can access my local machine from outside the network. My ISP gave 10 external IPs; one I am using with squid and the remaining 9 are unused, so I tried to create an alias on the external interface, gave one public IP to it and NATed that external IP to the local IP, but I can't access the machine (with the webserver) using the external IP; it shows access denied.

On Tue, Dec 29, 2015 at 5:35 PM, Reet Vyas <reet.vya...@gmail.com> wrote:
> Hi
>
> I have a working squid 3.5.4 configuration with ssl bump. I am using this
> squid machine as a router, with an external IP on it and a leased line
> connection, but with the leased line I have 10 extra IP addresses and I want
> to NAT those external IPs to local IPs on the same network, like we do in our
> router, so that I can assign those IPs to my machines having webservers.
>
> Please suggest me a way to configure it.
[squid-users] Assign multiple IP Address to squid
Hi

I have a working squid 3.5.4 configuration with ssl bump. I am using this squid machine as a router, with an external IP on it and a leased line connection, but with the leased line I have 10 extra IP addresses and I want to NAT those external IPs to local IPs on the same network, like we do in our router, so that I can assign those IPs to my machines having webservers.

Please suggest me a way to configure it.
[squid-users] squidaio_queue_request: WARNING - Queue congestion
Hi

I am getting this error in my squid, Squid Version: 3.5.3. Can anyone help me out with this, because browsing is slow when I get this in the cache.log file.
Re: [squid-users] Transparent Squid Proxy Server
                                                 source               destination
76873 4457K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.200:3129
   26  1184 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.0.200:3130

Chain INPUT (policy ACCEPT 9321 packets, 543K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1426 packets, 85560 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1426 packets, 85560 bytes)
 pkts bytes target     prot opt in     out     source               destination
81432   14M MASQUERADE all  --  *      eth0    192.168.0.0/24       0.0.0.0/0

On Fri, Jun 5, 2015 at 1:43 PM, Reet Vyas <reet.vya...@gmail.com> wrote:
> Hi
>
> Thanks for the reply. I am trying to cache YouTube using this wiki
> http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube but I
> can't cache YouTube. I want to cache Facebook and YouTube. What SSL
> certificate installation do I have to do? Please suggest some links.
>
> On Thu, Jun 4, 2015 at 6:48 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> > On 5/06/2015 12:55 a.m., Reet Vyas wrote:
> > > Thank you everyone for helping me to set up squid. Now it's working, but
> > > in access.log I only see TCP_MISS if I'm using the same website. I mean
> > > squid is not caching.
> >
> > You will get MISS a fair bit more with intercepted traffic than with
> > normal proxied traffic. Particularly on certain major CDN who play
> > tricks with DNS.
> >
> > The reasons and some workarounds you need to be doing are explained in
> > http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
> >
> > Amos
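An added check, not code from the thread, for the NAT rules shown here and in the newer listing at the top of the page ("Squid Peek and splice"). It parses `iptables -t nat -L -v -n` output (a sample constructed from the rules above) and reports every REDIRECT or DNAT into a Squid intercept port that does not match on the LAN interface. Interface roles are taken from the `ip addr show` output further down the thread (eth0 carries the public 116.72.x address, eth1 is 192.168.0.200/24); the intercept port numbers are the ones in the listings. The point of the check: PREROUTING rules are evaluated in order and REDIRECT/DNAT are terminating targets, so a rule matching on eth0 diverts port 80/443 connections arriving from the Internet into Squid's intercept port before any later rule (for example a DNAT to an internal web server) can see them, while the intercept port is meant to receive only connections diverted from the LAN. All names are the example's own; it inspects only the nat table, so whether the intercept ports are directly reachable through the filter table is a separate check.

```python
"""Flag NAT rules that feed a Squid intercept port from the wrong interface.

Added example, not from the squid-users thread. Assumption: intercept
ports should receive only connections diverted from the LAN interface.
"""
import re

# Constructed from the listings in the thread (eth0 = WAN, eth1 = LAN).
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
 pkts bytes target     prot opt in     out     source               destination
  675 39972 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.200:3127
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3127
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3129
 2022  120K DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.0.200:3129

Chain POSTROUTING (policy ACCEPT 2317 packets, 146K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5923  688K MASQUERADE all  --  *      eth0    192.168.0.0/24       0.0.0.0/0
"""

DPORT_RE = re.compile(r"\bdpt:(\d+)")
TO_PORT_RE = re.compile(r"\bto:[\d.]+:(\d+)|\bredir ports (\d+)")


def parse_nat_listing(text):
    """Return one dict per rule from `iptables -t nat -L -v -n` output."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        parts = line.split()
        if len(parts) < 9 or parts[0] == "pkts":   # blank or column-header line
            continue
        extra = " ".join(parts[9:])                 # match/target options
        dport = DPORT_RE.search(extra)
        to = TO_PORT_RE.search(extra)
        rules.append({
            "chain": chain, "target": parts[2], "proto": parts[3],
            "in": parts[5], "out": parts[6], "src": parts[7], "dst": parts[8],
            "dport": int(dport.group(1)) if dport else None,
            "to_port": int(to.group(1) or to.group(2)) if to else None,
        })
    return rules


def suggested_rule(rule, lan_if):
    """The same diversion, restricted to the LAN interface (REDIRECT form)."""
    return (f"iptables -t nat -A PREROUTING -i {lan_if} -p {rule['proto']} "
            f"--dport {rule['dport']} -j REDIRECT --to-ports {rule['to_port']}")


def audit_intercept_rules(rules, lan_if, intercept_ports):
    """Report PREROUTING rules that hand connections to an intercept port
    from any interface other than the LAN one."""
    findings = []
    for r in rules:
        if r["chain"] != "PREROUTING" or r["to_port"] not in intercept_ports:
            continue
        if r["in"] != lan_if:
            findings.append({
                "rule": r,
                "problem": (f"{r['target']} dpt:{r['dport']} -> :{r['to_port']} matches "
                            f"in={r['in']} (expected {lan_if}); connections arriving on "
                            f"that interface are fed to the intercept port"),
                "fix": suggested_rule(r, lan_if),
            })
    return findings


if __name__ == "__main__":
    for f in audit_intercept_rules(parse_nat_listing(SAMPLE_NAT_LISTING), "eth1", {3127, 3129}):
        print(f["problem"])
        print("  fix:", f["fix"])
```

On the sample listing the two eth1 DNAT rules pass and the two eth0 REDIRECT rules are reported, each with the equivalent rule pinned to the LAN interface; in the older listing above, the eth0 REDIRECT rule had already matched 26 packets.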
[squid-users] Squid 3.5.3 with SSL not working
Hi

Below is my squid file. I have configured squid 3.5.3 with SSL, but I can't filter https traffic and also I can't see https in the access log.

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 116.72.152.37 192.168.0.0/24   # adjust to the client/local IP

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

# storeid *test*
acl urlrewrite dstdomain .fbcdn.net .akamaihd.net
acl speedtest url_regex -i speedtest\/.*\.(jpg|txt)\?.*
acl reverbnation url_regex -i reverbnation.*audio_player.*ec_stream_song.*$
acl utmgif url_regex -i utm.gif.*
acl playstoreandroid url_regex -i c.android.clients.google.com.market.GetBinary.GetBinary.*
acl idyoutube url_regex -i youtube.*(ptracking|stream_204|player_204).*(v\=|docid\=|video_id\=).*$
acl videoyoutube url_regex -i (youtube|googlevideo).*videoplayback\?

acl CONNECT method CONNECT
acl getmethod method GET
acl loop_302 http_status 302
acl step1 at_step SslBump1
acl youtube dstdomain .youtube.com
# a file of domains must be given in double quotes, otherwise the path is read as a literal domain name
acl blocksites dstdomain "/etc/squid/restricted-sites.squid"

# TAG: QUERY
# -
acl QUERY urlpath_regex -i (hackshield|blank.html|infinity.js|hshield.da|renew_session_token.php|recaptcha.js|dat.asp|notice.swf|patchlist.txt|hackshield|captcha|reset.css|update.ver|notice.html|updates.txt|gamenotice|images.kom|patchinfo.xml|noupdate.ui|\.Xtp|\.htc|\.txt)
acl QUERY urlpath_regex -i (patch.conf|uiimageset.xml.iop|gashaponwnd.xml.iop|loading.swf|download.swf|version.list|version.ini|launch.jnlp|server_patch.cfg.iop|core.swf|Loading.swf|resouececheck.sq|mainloading.swf|config.xml|gemmaze.swf|xml.png|size.xml|resourcesbar.swf|version.xml|version.list|delete.ini)
acl QUERY urlpath_regex -i \.(jsp|asp|aspx|cfg|iop|zip|php|xml|html)(\?|$)
cache deny QUERY
cache deny youtube

# acl dontstore url_regex ^http:\/\/(([\d\w-]*(\.[^\.\-]*?\..*?))(\/\mosalsal\/[\d]{4}\/.*\/)(.*\.flv))\?start.*
acl dontstore url_regex redbot\.org \.php
acl dontstore url_regex -i ^http:\/\/.*gemscool\.com\/.*
acl dontstore url_regex \.(aspx|php)\?
acl dontstore url_regex goldprice\.org\/NewCharts\/gold\/images\/.*\.png
acl dontstore url_regex google\.co(m|\.[a-z]{2})\/complete\/search\?
acl dontstore url_regex redirector\.([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id|get_video_info\?|ptracking\?|player_204\?|stream_204\?).*
acl store_yt_id url_regex -i youtube.*(ptracking|stream_204|playback|player_204|watchtime|set_awesome|s\?|ads).*(video_id|docid|\v|content_v)\=([^\\s]*).*$
acl store_id_list_yt url_regex -i (youtube|googlevideo).*videoplayback.*$
acl store_id_list_yt url_regex ^https?\:\/\/([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id).*
acl store-id_list urlpath_regex -i dl\.sourceforge\.net
acl store-id_list urlpath_regex -i \.ytimg\.com
acl store-id_list urlpath_regex -i \.(akamaihd|fbcdn)\.net
acl store_id_list urlpath_regex -i [a-zA-Z]{2}[0-9]*\.4shared\.com\/download\/
acl store_id_list_url url_regex ^http:\/\/[0-9]\.bp\.blogspot\.com.*\.(jpeg|jpg|png|gif|ico)
acl store_id_list_url url_regex ^http[s]?:\/\/.*\.twimg\.com\/(.*)\.(gif|jpeg|jpg|png|js|css)
acl store_id_list_url url_regex ^http[s]?:\/\/(media|static)\.licdn\.com\/.*\.(png|jpg|gif|woff)
acl store_id_list_url url_regex ^https:\/\/fb(static|cdn)\-.*\-a.akamaihd.net\/(.*)\.(gif|jpeg|jpg|png|js|css|mp4)
acl store_id_list_url url_regex ^http:\/\/.*\.ak\.fbcdn\.net\/.*\.(gif|jpg|png|js|mp4)

# pass requests
url_rewrite_program /etc/squid/phpredir.php
url_rewrite_access allow youtube
request_header_access Range deny store_id_list_yt
range_offset_limit 10 KB store_id_list_yt

###
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
###
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocksites
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

###
# squid ssl_bump option
###
always_direct allow all
ssl_bump
Re: [squid-users] Transparent Squid Proxy Server
Hi, thanks for the reply. I am trying to cache YouTube using this wiki http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube but I can't cache YouTube. I want to cache Facebook and YouTube. SSL certificate installation is something I have to do. Please suggest some links.

On Thu, Jun 4, 2015 at 6:48 PM, Amos Jeffries squ...@treenet.co.nz wrote:

On 5/06/2015 12:55 a.m., Reet Vyas wrote:
Thank you everyone for helping me to set up squid. Now it's working, but in access.log I only see TCP_MISS even if I'm using the same website. I mean squid is not caching.

You will get MISS a fair bit more with intercepted traffic than with normal proxied traffic. Particularly on certain major CDN who play tricks with DNS. The reasons and some workarounds you need to be doing are explained in http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
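A quick way to answer the "how do I check whether the cache is working" question in this exchange, as an added example that is not from the thread or from the Squid project: a POSIX shell/awk filter over access.log in Squid's native format (time, elapsed, client, result/status, bytes, method, URL, user, hierarchy/peer, type). It counts the HIT and MISS result codes and, because of the Host-header forgery check Amos points to, also reports how many MISSes were routed to ORIGINAL_DST. For intercepted plain-HTTP requests that hierarchy code is the tell-tale that Squid could not verify the Host header, fetched from the original destination IP and did not cache the reply; for CONNECT tunnels it is normal and is counted separately. The lines produced by sample_log are constructed for the example, not taken from the thread.

```shell
#!/bin/sh
# Added example: summarise a Squid native-format access.log read from stdin.
# Result codes follow Squid's TCP_* vocabulary; hierarchy codes are the
# HIER_DIRECT / HIER_NONE / ORIGINAL_DST values seen in the thread's logs.
cache_summary() {
    awk '
    {
        split($4, rc, "/"); code = rc[1]      # e.g. TCP_MISS from TCP_MISS/200
        split($9, hp, "/"); hier = hp[1]      # e.g. HIER_DIRECT from HIER_DIRECT/1.2.3.4
        total++
        if (code ~ /^TCP_(HIT|MEM_HIT|IMS_HIT|REFRESH_HIT|REFRESH_UNMODIFIED|NEGATIVE_HIT)$/) {
            hit++
        } else if (code ~ /^TCP_(MISS|REFRESH_MISS|CLIENT_REFRESH_MISS|SWAPFAIL_MISS)$/) {
            miss++
            # An HTTP MISS sent to ORIGINAL_DST means the Host header did not
            # verify against DNS, so the reply was fetched but not cached.
            if (hier == "ORIGINAL_DST") odst++
        } else if (code == "TCP_TUNNEL") {
            tunnel++                          # CONNECT tunnels are never cached
        } else {
            other++
        }
    }
    END {
        ratio = (hit + miss) > 0 ? int(100 * hit / (hit + miss)) : 0
        printf "total=%d hit=%d miss=%d tunnel=%d other=%d miss_to_original_dst=%d hit_ratio=%d%%\n",
               total, hit, miss, tunnel, other, odst, ratio
    }'
}

# Constructed sample log (not from the thread), using documentation addresses.
sample_log() {
    cat <<'EOF'
1433422076.988 309 192.168.0.198 TCP_MISS/200 38007 GET http://example.test/about-us - HIER_DIRECT/203.0.113.10 text/html
1433422077.188 224 192.168.0.198 TCP_MISS/200 17622 GET http://example.test/images/panel05.png - HIER_DIRECT/203.0.113.10 image/png
1433422090.001 2 192.168.0.198 TCP_HIT/200 17622 GET http://example.test/images/panel05.png - HIER_NONE/- image/png
1433422091.500 1 192.168.0.11 TCP_MEM_HIT/200 38007 GET http://example.test/about-us - HIER_NONE/- text/html
1433422095.120 410 192.168.0.66 TCP_MISS/200 9120 GET http://cdn.example.test/a.js - ORIGINAL_DST/198.51.100.7 application/javascript
1433422100.300 240041 192.168.0.66 TCP_TUNNEL/200 143096 CONNECT 216.58.199.131:443 - ORIGINAL_DST/216.58.199.131 -
EOF
}

# Run the constructed sample when invoked as: sh cache_summary.sh --demo
case "${1:-}" in
    --demo) sample_log | cache_summary ;;
esac
```

Against a real proxy run it as `cache_summary < /var/log/squid3/access.log` (path as in the thread's Ubuntu package layout; adjust to your install). A hit ratio stuck at zero with every MISS going HIER_DIRECT points at cacheability (tiny cache_dir, refresh_pattern, no-store replies); a high miss_to_original_dst count points at the Host-verification problem the HostHeaderForgery page describes.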
Re: [squid-users] Transparent Squid Proxy Server
Hi, I changed the iptables, still no luck :( but I am using squid 3.3 only. I didn't understand why you have configured the 3129, 3130 and 3128 ports?

On Wed, Jun 3, 2015 at 1:04 PM, Klavs Klavsen k...@vsen.dk wrote:

Your client needs to use your squid server as default gateway. And then you need the iptables rules I wrote about to direct traffic into squid for certain ports.

Reet Vyas wrote on 06/03/2015 08:50 AM:
Hi, thanks for the reply. As of now we don't have a router; I have directly connected my machine to the internet and the other to the LAN, and I have configured a client machine (Ubuntu) to test squid, which is on the switch where other users are connected using the router gateway 192.168.0.1. I read your valuable suggestions, but I am still confused with the iptables and squid 3.3 settings, transparent and intercept options.

root@squid:/home/squid# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff
    inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:67ff:fecf:5974/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:67ff:fecf:5975/64 scope link
       valid_lft forever preferred_lft forever

root@squid:/home/squid# ip -4 route show
default via 116.72.152.1 dev eth0
116.72.152.0/22 dev eth0 proto kernel scope link src 116.72.152.37
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.200

To use transparent/intercept, what do I have to set in my config file: http_port 3128 intercept or transparent, and which iptables rules? I have tried these rules http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect but it is not working. Can you please tell me the firewall rules and let me know why my firewall rules are not working.

On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen k...@vsen.dk wrote:

Amos Jeffries wrote on 06/02/2015 04:34 PM:
On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:
I have this in my squid server for it to work:

The key words there are ... *in my Squid server*

indeed :)

NOTE to Klavs: loading the multiport kernel module seems overkill for a single-port match.

it's puppet's firewall module.. haven't had enough time to fix that module :)

FYI: DONT_VERIFY_PEER, always_direct allow all, and sslproxy_cert_error allow all have not been good ideas since 3.2. dont-verify actually inhibits the Mimic functions which give server-first bumping most of its usefulness.

Thank you for those tips.

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

Those who do not understand Unix are condemned to reinvent it, poorly.
--Henry Spencer

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Transparent Squid Proxy Server
Hi, I got it half working. My chat is working and I can search Google, but I can't browse websites.

My configuration now:

acl mynet src 116.72.152.37 192.168.0.0/16  # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
http_port 3129
http_port 3128 intercept
cache_dir ufs /usr/local/cache 1 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$   3600    90%     43200
refresh_pattern .               0       20%     4320

Iptables:

root@squid:/home/squid# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 77928 packets, 4272K bytes)
 pkts bytes target     prot opt in     out     source               destination
  290 17312 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.200:3128
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 75943 packets, 4074K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  847 56477 MASQUERADE all  --  *      eth0    192.168.0.0/24       0.0.0.0/0

On Thu, Jun 4, 2015 at 12:13 PM, Reet Vyas reet.vya...@gmail.com wrote:

Hi, I changed the iptables, still no luck :( but I am using squid 3.3 only. I didn't understand why you have configured the 3129, 3130 and 3128 ports?

On Wed, Jun 3, 2015 at 1:04 PM, Klavs Klavsen k...@vsen.dk wrote:

Your client needs to use your squid server as default gateway. And then you need the iptables rules I wrote about to direct traffic into squid for certain ports.

Reet Vyas wrote on 06/03/2015 08:50 AM:
Hi, thanks for the reply. As of now we don't have a router; I have directly connected my machine to the internet and the other to the LAN, and I have configured a client machine (Ubuntu) to test squid, which is on the switch where other users are connected using the router gateway 192.168.0.1. I read your valuable suggestions, but I am still confused with the iptables and squid 3.3 settings, transparent and intercept options.

root@squid:/home/squid# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff
    inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:67ff:fecf:5974/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:67ff:fecf:5975/64 scope link
       valid_lft forever preferred_lft forever

root@squid:/home/squid# ip -4 route show
default via 116.72.152.1 dev eth0
116.72.152.0/22 dev eth0 proto kernel scope link src 116.72.152.37
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.200

To use transparent/intercept, what do I have to set in my config file: http_port 3128 intercept or transparent, and which iptables rules? I have tried these rules http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect but it is not working. Can you please tell me the firewall rules and let me know why my firewall rules are not working.

On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen k...@vsen.dk wrote:

Amos Jeffries wrote on 06/02/2015 04:34 PM:
On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:
I have this in my
Re: [squid-users] Transparent Squid Proxy Server
Thank you everyone for helping me to set up squid. Now it's working, but in access.log I only see TCP_MISS even if I'm using the same website. I mean squid is not caching.

Logs:

43 192.168.0.198 TCP_MISS/200 384461 GET http://www.horlicksquad.com/images/tc-pic.png - HIER_DIRECT/52.74.133.61 image/png
1433422076.988 309 192.168.0.198 TCP_MISS/200 38007 GET http://www.horlicksquad.com/about-us - HIER_DIRECT/52.74.133.61 text/html
1433422077.188 224 192.168.0.198 TCP_MISS/200 17622 GET http://www.horlicksquad.com/images/panel05.png - HIER_DIRECT/52.74.133.61 image/png
1433422077.226 140 192.168.0.198 TCP_MISS/200 13840 GET http://www.horlicksquad.com/images/au-bg.png - HIER_DIRECT/52.74.133.61 image/png
1433422077.261 208 192.168.0.198 TCP_MISS/200 60858 GET http://www.horlicksquad.com/images/sonny-horlicks-abtus.png - HIER_DIRECT/52.74.133.61 image/png

How do I check whether the cache is working or not? I want to cache videos, images and CSS.

On Thu, Jun 4, 2015 at 3:37 PM, Amos Jeffries squ...@treenet.co.nz wrote:

On 4/06/2015 6:43 p.m., Reet Vyas wrote:
Hi, I changed the iptables, still no luck :( but I am using squid 3.3 only. I didn't understand why you have configured the 3129, 3130 and 3128 ports?

Because due to historic (browser war politics) reasons there are three different protocol message syntaxes in HTTP/1.x, depending on whether the traffic is on port 80 (HTTP origin), 443 (HTTPS origin), or 3128 (HTTP proxy).

* Normal forward/explicit proxy traffic occurs on port 3128. Squid needs this port regardless of whether your main traffic use is on another port type, because some proxy responses will have URLs generated for embedded content to be fetched from the proxy itself.

* NAT intercepted port 80 traffic needs to be delivered to a different proxy http_port with the intercept flag. The tutorials use 3129 to make it clear it's not to be 3128, but it SHOULD be something random you make up that you can also have the firewall blocking connections directly to it by clients.

* NAT intercepted port 443 traffic needs the https_port directive (note the 's'), which means another port number separate from the port 80 one.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
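The three-port layout Amos describes, turned into something you can paste, as an added example that is neither from the thread nor from the Squid project. It assumes the two-NIC gateway shown in Reet's ip addr output (eth1 = LAN 192.168.0.0/24, eth0 = WAN), intercept ports 3129 (HTTP) and 3130 (HTTPS), and a certificate file /etc/squid/bump.pem; all of those are assumptions you can override through the environment variables at the top. Two points the thread's own rules miss are built in: clients are prevented from connecting straight to the intercept ports (a direct connection still carries the intercept port as its destination when the mangle table sees it, whereas a redirected packet still carries 80 or 443 there, so the DROP catches only the former), and outbound UDP/443 is rejected so that QUIC-capable browsers fall back to TCP and actually pass through the proxy. Without APPLY=1 the script only prints what it would do.

```shell
#!/bin/sh
# Added example: Squid port layout and matching iptables rules for a
# two-NIC gateway. Values below are assumptions, not from the thread.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
HTTP_INTERCEPT_PORT="${HTTP_INTERCEPT_PORT:-3129}"
HTTPS_INTERCEPT_PORT="${HTTPS_INTERCEPT_PORT:-3130}"
BUMP_CERT="${BUMP_CERT:-/etc/squid/bump.pem}"

# The three listeners squid.conf needs. Print and paste into squid.conf.
squid_port_lines() {
    cat <<EOF
# explicit (forward) proxy; Squid also needs it for URLs it generates in its own replies
http_port 3128
# NAT-intercepted port 80: a separate port, never 3128
http_port $HTTP_INTERCEPT_PORT intercept
# NAT-intercepted port 443 needs https_port; ssl-bump only if you really want to decrypt
https_port $HTTPS_INTERCEPT_PORT intercept ssl-bump cert=$BUMP_CERT generate-host-certificates=on
# Do NOT add 'sslproxy_flags DONT_VERIFY_PEER' or 'sslproxy_cert_error allow all':
# with upstream verification off the proxy accepts forged server certificates
# and cannot mimic the real one (see Amos's note earlier in the thread).
EOF
}

# NAT: divert LAN-originated 80/443 to the intercept ports, masquerade the rest.
# Only packets arriving on $LAN_IF are matched, so Squid's own outbound fetches
# (locally generated, leaving via $WAN_IF) never loop back into the proxy.
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $HTTP_INTERCEPT_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 443 -j REDIRECT --to-ports $HTTPS_INTERCEPT_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Filter: block direct client connections to the intercept ports (mangle
# PREROUTING runs before nat PREROUTING, so it sees the original dport) and
# reject UDP/443 so QUIC clients fall back to TCP and go through the proxy.
filter_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport $HTTP_INTERCEPT_PORT -j DROP
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport $HTTPS_INTERCEPT_PORT -j DROP
iptables -A FORWARD -i $LAN_IF -p udp --dport 443 -j REJECT
EOF
}

all_rules() { nat_rules; filter_rules; }

# Dry run by default; APPLY=1 executes the rules (root) and enables forwarding,
# without which a client using this box as its gateway gets no internet at all.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        sysctl -w net.ipv4.ip_forward=1
        all_rules | sh -e
    else
        all_rules
    fi
}

case "${1:-}" in
    ports) squid_port_lines ;;
    rules) apply_rules ;;
esac
```

Usage: `sh intercept.sh ports` prints the squid.conf lines, `sh intercept.sh rules` prints the iptables commands, and `APPLY=1 sh intercept.sh rules` applies them. The REJECT of UDP/443 is the same idea as the "Block QUIC protocol" wiki page Yuri links further down; without it Chrome reaches YouTube over QUIC and the TCP intercept never sees that traffic.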
Re: [squid-users] Transparent Squid Proxy Server
Hi, thanks for the reply. As of now we don't have a router; I have directly connected my machine to the internet and the other to the LAN, and I have configured a client machine (Ubuntu) to test squid, which is on the switch where other users are connected using the router gateway 192.168.0.1. I read your valuable suggestions, but I am still confused with the iptables and squid 3.3 settings, transparent and intercept options.

root@squid:/home/squid# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff
    inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:67ff:fecf:5974/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:67ff:fecf:5975/64 scope link
       valid_lft forever preferred_lft forever

root@squid:/home/squid# ip -4 route show
default via 116.72.152.1 dev eth0
116.72.152.0/22 dev eth0 proto kernel scope link src 116.72.152.37
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.200

To use transparent/intercept, what do I have to set in my config file: http_port 3128 intercept or transparent, and which iptables rules? I have tried these rules http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect but it is not working. Can you please tell me the firewall rules and let me know why my firewall rules are not working.

On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen k...@vsen.dk wrote:

Amos Jeffries wrote on 06/02/2015 04:34 PM:
On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:
I have this in my squid server for it to work:

The key words there are ... *in my Squid server*

indeed :)

NOTE to Klavs: loading the multiport kernel module seems overkill for a single-port match.

it's puppet's firewall module.. haven't had enough time to fix that module :)

FYI: DONT_VERIFY_PEER, always_direct allow all, and sslproxy_cert_error allow all have not been good ideas since 3.2. dont-verify actually inhibits the Mimic functions which give server-first bumping most of its usefulness.

Thank you for those tips.

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

Those who do not understand Unix are condemned to reinvent it, poorly.
--Henry Spencer

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
[squid-users] Transparent Squid Proxy Server
I am trying to configure a transparent squid proxy on Ubuntu 14.04 Server; the squid version I am using is 3.3.

My LAN and WAN settings:

eth0      Link encap:Ethernet  HWaddr 00:1e:67:cf:59:74
          inet addr:116.72.*.*  Bcast:116.72.155.255  Mask:255.255.252.0
          inet6 addr: fe80::21e:67ff:fecf:5974/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:238950 errors:0 dropped:0 overruns:0 frame:0
          TX packets:236104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22219047 (22.2 MB)  TX bytes:17390502 (17.3 MB)
          Interrupt:16 Memory:d0a0-d0a2

eth1      Link encap:Ethernet  HWaddr 00:1e:67:cf:59:75
          inet addr:192.168.0.200  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:67ff:fecf:5975/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:96965 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11785 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10764615 (10.7 MB)  TX bytes:7151763 (7.1 MB)
          Interrupt:17 Memory:d090-d092

My squid.conf file:

acl mynet src 116.72.152.37 192.168.0.0/16  # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
http_port 3128
cache_dir ufs /usr/local/cache 1 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$   3600    90%     43200
refresh_pattern .               0       20%     4320

But when I use 192.168.0.200 as the gateway on my client machine, the internet is not working and I can't see logs in access.log. When I put this IP into my browser (as a proxy) it works and shows logs, but then with my TP-Link router gateway, i.e. 192.168.0.1.

Iptables rules:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:192.168.0.200:3128
2    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3128

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Please tell me what I am missing in the iptables and squid3 configuration. I tried both the transparent and the intercept option, but I think I have an issue with iptables, or maybe a configuration issue.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid cache youtube and other websites
Hi Yuri, thanks for the nice info. As I mentioned, I have only a TP-Link TL-R470T router and a machine with CentOS 6, 1 TB HDD, 32 GB RAM. So is this possible with the above router, or do I have to change my router for this? I can do this using iptables only.

On Mon, May 25, 2015 at 4:57 PM, Yuri Voinov yvoi...@gmail.com wrote:

Look, Ma. ;) I'm a LumberJack :))

http://i.imgur.com/NGn6Ao4.png
http://i.imgur.com/Uz0zXut.png

Note that YouTube now uses the QUIC protocol (especially in Chrome), which cannot be processed by Squid ever. To cache YouTube, you must solve two tasks:

1. Completely force clients to use HTTP/HTTPS for YT. http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol
2. Configure and tune _correct_ SSL Bump.
3. Configure and refine the Store ID feature.

All of the above is know-how, partially or completely. ;)

WBR, Yuri

25.05.15 12:51, d...@getbusi.com wrote:

Firstly, I think the biggest roadblocks you're going to hit with caching YouTube are:

1) It's all encrypted now (thanks Google). Squid can't cache what it can't see inside an SSL tunnel.
2) They have a pretty intense CDN which you'll need a StoreID helper to deal with.

There are people on this list that know way more about it than me though, so I'll let them explain how they do it.

On Mon, May 25, 2015 at 4:48 PM, Reet Vyas reet.vya...@gmail.com wrote:

Hi, I want to use squid to cache YouTube videos. Ours is a media agency and we are facing lots of bandwidth issues, so I came up with the solution to cache YouTube. I want to know a few things, as I am new to squid and networking. I have a TP-Link router and 8 broadband connections and two leased line connections, so I can't make squid the router. I want to set up squid in such a way that I use my router IP as the gateway and want all requests coming on port 80 to go through squid. Is this possible? I am just assuming it can be done using iptables if the squid server is the router, but I don't want to use squid as the router because of so many ISP lines.

Can you please suggest how to achieve this? Please give some ideas to implement this.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
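Yuri's third task, the Store ID feature, in concrete form, as an added example that is not from the thread or from the Squid project. Store ID lets a helper map many URLs that deliver the same bytes (different CDN hostnames, rotating signatures, per-client tokens) onto one stable cache key; it arrived with store_id_program in Squid 3.4, so it does not apply to the 3.3 build used earlier in these threads. The URL shape assumed here (a videoplayback path with id=, itag= and range= query parameters on a googlevideo.com or youtube.com host) matches the thread's own store_id_list_yt regexes but is an assumption about the CDN of that time, and the squidinternal key domain is an arbitrary choice. The security-relevant caveat is in the comments: a key that collapses more than it should makes the cache hand one object to a request for a different one, so only parameters that genuinely identify the content go into it.

```shell
#!/bin/sh
# Added example: a Store-ID helper in POSIX sh. Squid (3.4+) writes one line
# per lookup on stdin, "[channel-id] URL [extras]", and expects
# "[channel-id] OK store-id=<key>" or "[channel-id] ERR" in return.

# param QUERY NAME: value of NAME in an a=b&c=d query string, or empty.
param() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# store_id_key URL: derive the cache key, or fail (exit 1) for URLs we do
# not recognise. Only id/itag/range identify the bytes; the CDN hostname
# and the signature/expiry/ip parameters vary per client and are dropped.
# Collapsing anything else (e.g. dropping itag or range) would serve one
# user's object for a different request, so be deliberately narrow here.
store_id_key() {
    url="$1"
    case "$url" in
        *.googlevideo.com/videoplayback\?*|*.youtube.com/videoplayback\?*) ;;
        *) return 1 ;;
    esac
    query="${url#*\?}"
    id="$(param "$query" id)"
    itag="$(param "$query" itag)"
    range="$(param "$query" range)"
    [ -n "$id" ] || return 1
    # The key domain is an assumption; any name that is not a real host works.
    printf 'http://video-srv.youtube.com.squidinternal/videoplayback?id=%s&itag=%s&range=%s\n' \
        "$id" "$itag" "$range"
}

# store_id_helper: the stdin/stdout loop Squid drives. A leading numeric
# token is the concurrency channel id and is echoed back unchanged.
store_id_helper() {
    while read -r chan url rest; do
        case "$chan" in
            *[!0-9]*|'') url="$chan"; chan="" ;;
            *) chan="$chan " ;;
        esac
        if key="$(store_id_key "$url")"; then
            printf '%sOK store-id=%s\n' "$chan" "$key"
        else
            printf '%sERR\n' "$chan"
        fi
    done
}

# Run as a helper only when asked, so sourcing the file for tests is harmless.
case "${1:-}" in
    --helper) store_id_helper ;;
esac
```

In squid.conf (3.4 or later) this would be wired up with `store_id_program /etc/squid/store_id.sh --helper` and `store_id_access allow store_id_list_yt` followed by `store_id_access deny all`, so that only the URLs the thread's ACL already singles out reach the helper. Try it by hand with `printf '0 https://r3---sn-abc.googlevideo.com/videoplayback?id=abc123&itag=22&range=0-1000&signature=zzz\n' | sh store_id.sh --helper`.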
[squid-users] Squid cache youtube and other websites
Hi, I want to use squid to cache YouTube videos. Ours is a media agency and we are facing lots of bandwidth issues, so I came up with the solution to cache YouTube. I want to know a few things, as I am new to squid and networking. I have a TP-Link router and 8 broadband connections and two leased line connections, so I can't make squid the router. I want to set up squid in such a way that I use my router IP as the gateway and want all requests coming on port 80 to go through squid. Is this possible? I am just assuming it can be done using iptables if the squid server is the router, but I don't want to use squid as the router because of so many ISP lines.

Can you please suggest how to achieve this? Please give some ideas to implement this.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid cache youtube and other websites
Hi, thanks Dan for the info. I searched Google about LUSCA and the scripts available, but I don't think it is working now.

On Mon, May 25, 2015 at 12:21 PM, d...@getbusi.com wrote:

Firstly, I think the biggest roadblocks you're going to hit with caching YouTube are:

1) It's all encrypted now (thanks Google). Squid can't cache what it can't see inside an SSL tunnel.
2) They have a pretty intense CDN which you'll need a StoreID helper to deal with.

There are people on this list that know way more about it than me though, so I'll let them explain how they do it.

On Mon, May 25, 2015 at 4:48 PM, Reet Vyas reet.vya...@gmail.com wrote:

Hi, I want to use squid to cache YouTube videos. Ours is a media agency and we are facing lots of bandwidth issues, so I came up with the solution to cache YouTube. I want to know a few things, as I am new to squid and networking. I have a TP-Link router and 8 broadband connections and two leased line connections, so I can't make squid the router. I want to set up squid in such a way that I use my router IP as the gateway and want all requests coming on port 80 to go through squid. Is this possible? I am just assuming it can be done using iptables if the squid server is the router, but I don't want to use squid as the router because of so many ISP lines.

Can you please suggest how to achieve this? Please give some ideas to implement this.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users