Re: [squid-users] How to configure squid to not cache

2020-10-12 Thread Ronan Lucio
I'm sorry. My bad.
Just found it

On Tue, Oct 13, 2020 at 8:20 AM Ronan Lucio  wrote:
>
> Hi,
> I'd like to configure squid for proxy only, not caching any content.
>
> Looking at the squid docs, they say to use "cache deny all", but I
> didn't find this option for Squid-4:
> http://www.squid-cache.org/Versions/v4/cfgman/
>
> I didn't set any cache_dir directive, but I'm still wondering about cache_mem.
>
> Any help would be appreciated,
> Ronan
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] How to configure squid to not cache

2020-10-12 Thread Ronan Lucio
Hi,
I'd like to configure squid for proxy only, not caching any content.

Looking at the squid docs, they say to use "cache deny all", but I
didn't find this option for Squid-4:
http://www.squid-cache.org/Versions/v4/cfgman/

I didn't set any cache_dir directive, but I'm still wondering about cache_mem.

Any help would be appreciated,
Ronan


Re: [squid-users] SSL on different ports

2020-10-07 Thread Ronan Lucio
Hi Amos,

> You are referring to the SSL_ports ACL ?

Yes.
Got your point.

Thanks for the clarification
Ronan


On Wed, Oct 7, 2020 at 4:55 PM Amos Jeffries  wrote:
>
> On 7/10/20 2:16 pm, Ronan Lucio wrote:
> > Hi,
> >
> > By default, Squid accepts SSL connections only to port 443.
>
> You are referring to the SSL_ports ACL ?
>
> That does not mean accepting SSL connections. Only that the port is
> known to be used primarily for SSL. So that opening opaque CONNECT
> tunnels there have lower security risk.
>
>
> > Are there any security concerns when I need to accept HTTPS connections
> > on other ports?
> >
>
> Anything at all can go through a CONNECT tunnel and all your egress
> firewall and other security will be able to tell is that the traffic
> came from Squid.
>
> If you are certain the traffic is actually HTTPS and not something else
> it should be okay. But do check for that first.
>
> Amos


[squid-users] SSL on different ports

2020-10-06 Thread Ronan Lucio
Hi,

By default, Squid accepts SSL connections only to port 443.
Are there any security concerns when I need to accept HTTPS connections
on other ports?

Thank you,
Ronan


Re: [squid-users] Server monitoring

2020-06-10 Thread Ronan Lucio
Hi Antony,

I mean "is it running"?

Yes, I have a couple of ways to monitor servers and services.
Specifically for this one, I plan to use GCP Stackdriver.

The agent will gather system data for CPU, disk, memory, and some services.
Besides that, I'd like to have a monitor to say "is squid running?",
regardless of whether CPU, disk, and memory are fine.

Thanks,
Ronan

On Thu, Jun 11, 2020 at 7:17 AM Antony Stone
 wrote:
>
> On Wednesday 10 June 2020 at 21:08:35, Ronan Lucio wrote:
>
> > Hi guys,
> >
> > How do you suggest to monitor service availability?
> > I know that some people monitor a few URLs through the proxy,
> > but I'd like to know if there is any way to remotely monitor the squid service.
>
> Do you mean "is it running?"
>
> Or do you mean "how busy is it?"
>
> Or do you mean "is it working and supplying the content it's expected /
> supposed to ?"
>
> Or... maybe something else?
>
> So, what it is you want to monitor?
>
>
> Next question: do you already have some monitoring system such as Icinga,
> Zabbix, Nagios, etc., which you use for other systems and services, or is
> Squid the first thing you're thinking of keeping a watchful eye on?
>
>
> Given that information, we might have some ideas, or else pointers to where
> else it's worth asking the question.
>
>
> Regards,
>
>
> Antony.
>
> --
> "In fact I wanted to be John Cleese and it took me some time to realise that
> the job was already taken."
>
>  - Douglas Adams
>
>Please reply to the list;
>  please *don't* CC me.
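As an added example (not from the thread), a remote "is squid running?" probe of the kind discussed above: it dials the proxy port, sends one absolute-form GET as a proxy client would, and grades the answer. The proxy host, port and probe URL are constructed placeholders.

```python
import socket

# Constructed values for illustration: point them at your own proxy.
PROXY_HOST = "proxy.example.com"
PROXY_PORT = 3128
PROBE_URL = "http://example.com/"   # any URL; only Squid's answer matters


def build_probe_request(url):
    """Absolute-form GET, exactly what a proxy client sends to Squid."""
    host = url.split("/")[2]
    return (f"GET {url} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode()


def classify_response(raw):
    """Turn the bytes Squid sent back into (verdict, status, answered_by_squid).

    Any well-formed status line proves the daemon is up and parsing HTTP,
    even a 403/407 (policy said no, but Squid answered). Only a 2xx/3xx
    proves it is also fetching content. Squid is recognised by the Via,
    Server or X-Squid-Error headers it adds to its replies and error pages.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return ("not-http", None, False)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    by_squid = ("x-squid-error" in headers
                or "squid" in headers.get("via", "").lower()
                or "squid" in headers.get("server", "").lower())
    code = int(parts[1])
    verdict = "serving" if 200 <= code < 400 else "running"
    return (verdict, code, by_squid)


def probe(host=PROXY_HOST, port=PROXY_PORT, url=PROBE_URL, timeout=5.0):
    """Remote 'is Squid running?' check: returns classify_response()'s tuple,
    or ("down", None, False) when nothing is listening / the TCP dial fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_probe_request(url))
            raw = b""
            while b"\r\n\r\n" not in raw and len(raw) < 65536:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:
        return ("down", None, False)
    return classify_response(raw)
```

Run probe() from the monitoring host; "down" versus "running" versus "serving" maps onto Antony's three questions without needing an agent on the proxy itself.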


[squid-users] Server monitoring

2020-06-10 Thread Ronan Lucio
Hi guys,

How do you suggest to monitor service availability?
I know that some people monitor a few URLs through the proxy,
but I'd like to know if there is any way to remotely monitor the squid
service.

Thanks,
Ronan


Re: [squid-users] HTTPS_PORT AND SSL CERT

2020-05-26 Thread Ronan Lucio
If your server listens on a public IP, you can use a valid certificate.

On Tue, May 26, 2020 at 7:24 PM Julien TEHERY
 wrote:
>
> Hi there,
>
> I'm actually facing a problem with Squid 4.6-1 (Debian 10).
> I'm using squid with the https_port directive, using an SSL certificate (a true
> one, not self-signed)
>
> Here is the simple setup:
>
> https_port X.X.X.X:8443 tls-cert=/etc/squid/mywildcard.com.pem
>
> The fact is that this setup works for all Firefox versions using a proxy.pac file
> for HTTPS connections to the squid server.
> But for Chrome this is quite different. Indeed Chrome uses the system's proxy
> settings and I noticed that sometimes it would work and sometimes it would
> fail.
> To make it work all the time I had to add my intermediate certificate
> (thawte) in the local store, so that means the intermediate certificate has not
> been delivered by the squid server as it should.
>
> The pem file in the above setup already contains this (pem file made by
> concatenating private key, cert, intermediate and root CA). I also tried the
> following syntax:
>
> https_port X.X.X.X:8443 cert=/etc/squid/mywildcard..com.cer 
> key=/etc/squid/mywildcard.com.key 
> cafile=/etc/squid/mywildcard..com-intermediaire.txt
>
> but each time I try to check with the openssl client whether my intermediate is
> delivered, it is not.
> I use "openssl s_client -showcerts -connect myproxy.com:8443"
>
> If I do the same thing on an Apache server with the same certificate files I
> can see both the certificate and the intermediate. Why isn't squid able to show it,
> did I miss something?
>
>
> Thanks for your help


Re: [squid-users] Squid 4.4 https_port and ssl-bump : Fatal bungled line

2020-05-26 Thread Ronan Lucio
Hi Ben,

I made it work just using https_port (without ssl-bump).

I think it's a good way to secure squid authentication.
You can also use some tool (like certbot) to generate and
automatically renew certificates, so you can work with a short
expiration period.

Hope that helps,
Ronan

On Tue, May 26, 2020 at 12:10 AM ben benml  wrote:
>
> Hello,
>
> Thank you for your prompt and precise answer.
>
> Well, I'll permit myself another question, sorry. If you have an opinion about
> securing the authentication without https_port:
> With a FreeIPA central users directory, what could be the best way to
> secure/protect the authentication process, the login/password?
> Or more generally, what could be the best options to secure the login/password
> with only the http_port, so no directly encrypted traffic?
>
> I was assuming an https connection could secure the authentication process...
> but if ssl-dump is really wanted, then I need other options to secure the
> login/password.
>
> Did you see my point / what I'm trying to talk about ?
>
> Thank you in advance.
>
> Regards,
>
>
> Le lun. 25 mai 2020 à 12:26, Amos Jeffries  a écrit :
>>
>> On 25/05/20 9:59 pm, ben benml wrote:
>> > Hello,
>> >
>> > I'm contacting you for some help.
>> > I need to deploy a secure proxy based on Squid.
>> >
>> > I try to use https_port combined with sslbump. I get an error message
>> > about a bungled line.
>> >
>> > The reasons I want to do this :
>> > - secure connection between the client browser and the proxy server, so
>> > using https_port to do it. encrypted  traffic in TLS between the client
>> > and the server.
>>
>> Fine. Simply using https_port does that.
>>
>> > - secure login connection. So I need to use https_port to do this.
>>
>> Fine. Simply using https_port does that.
>>
>> > - Do ssl inspection of the traffic going through the proxy
>>
>> Squid does not yet support SSL-Bump decrypt of traffic already being
>> decrypted for the secure proxy.
>>
>>
>> Please see
>>  if
>> you want details.
>>
>> Amos


Re: [squid-users] Sending CONNECT method requests over HTTPS

2020-05-20 Thread Ronan Lucio
Hi Alex,

Good news. It's working fine now.
I have it running on https_port and can successfully make requests
using https://proxy.

Just adding some comments:
>> I can't trust the source network, it's on the cloud and sure it has
>> other applications in the same public network. I also plan to send
>> these requests through NAT from a static IP, so I can accept requests
>> only from a specific IP.
>
> That is fine, but, FWIW, the above does not justify the need for the
> allowed_target check AFAICT. It only justifies the need for authentication

For sure. I like to add additional security layers.

Thank you very much for your time and special attention.

Cheers,
Ronan

On Thu, May 21, 2020 at 7:54 AM Alex Rousskov
 wrote:
>
> On 5/20/20 1:38 PM, Ronan Lucio wrote:
> >>> My scenario is:
> >>> I have a serverless API that needs to connect to a couple of specific
> >>> targets from a static IP.
> >>> As this serverless API doesn't have a static IP, I thought to do this
> >>> through a proxy server.
> >>> That's why I need to enforce security on the authentication layer.
>
>
> >> And, I presume, you do not trust the API to only request what it should.
> >> If you trust the API, then you do not need the allowed_target check.
> >>
> >> Also, if possible, consider using certificate-based authentication
> >> rather than HTTP authentication to authenticate your clients to Squid.
> >> Certificate-based authentication happens earlier, before Squid has to
> >> deal with all the dangers of HTTP negotiations.
>
>
> > I can't trust the source network, it's on the cloud and sure it has
> > other applications in the same public network. I also plan to send
> > these requests through NAT from a static IP, so I can accept requests
> > only from a specific IP.
>
> That is fine, but, FWIW, the above does not justify the need for the
> allowed_target check AFAICT. It only justifies the need for authentication.
>
>
> > The idea of using Certificate-based authentication is really good.
> > Is it possible to do this between client-squid or do you mean
> > client-to-other-end?
>
> Certificate-based authentication works between any two TLS agents that
> support it. Squid supports it on the https_port.
>
> If the client and the origin server (what you called the "other" end)
> also support it, then the client can authenticate itself to both Squid
> and the origin server. Please note that in this case, there will be two
> (partially concurrent) TLS connections and two (sequential)
> authentications going on -- Squid cannot "forward" certificate-based
> authentication (and, without bumping, cannot modify the client-origin
> TLS connection, including the TLS client Hello message that contains the
> client certificate).
>
>
> HTH,
>
> Alex.


Re: [squid-users] Sending CONNECT method requests over HTTPS

2020-05-20 Thread Ronan Lucio
Hi Alex,

> > My scenario is:
> > I have a serverless API that needs to connect to a couple of specific
> > targets from a static IP.
> > As this serverless API doesn't have a static IP, I thought to do this
> > through a proxy server.
> > That's why I need to enforce security on the authentication layer.
>
> And, I presume, you do not trust the API to only request what it should.
> If you trust the API, then you do not need the allowed_target check.
>
> Also, if possible, consider using certificate-based authentication
> rather than HTTP authentication to authenticate your clients to Squid.
> Certificate-based authentication happens earlier, before Squid has to
> deal with all the dangers of HTTP negotiations.

That's a good point.
First, I can trust the requester API, but I can't trust the source
network, it's on the cloud and sure it has other applications in the
same public network.
I also plan to send these requests through NAT from a static IP, so I
can accept requests only from a specific IP.

The idea of using Certificate-based authentication is really good.
Is it possible to do this between client-squid or do you mean
client-to-other-end?

Thanks
Ronan


Re: [squid-users] Sending CONNECT method requests over HTTPS

2020-05-20 Thread Ronan Lucio
OK guys, I think you got my point.
@Alex, thank you for the well-detailed answer.

My main need is to encrypt/protect username and password (or
Proxy-Authentication header) sent on the first CONNECT to the proxy
server, in a way this username and password can't be sniffed.

The other need is creating a rule allowing only some dstdomains.

So I understand that I can achieve that by:
1. Enabling "https_port" directive (on a specific port)
2. Using an ACL rule like
acl allowed_target dstdomain api.mydomain.com
http_access allow auth_users allowed_target

Is that right?

My scenario is:
I have a serverless API that needs to connect to a couple of specific
targets from a static IP.
As this serverless API doesn't have a static IP, I thought to do this
through a proxy server.
That's why I need to enforce security on the authentication layer.

Thanks
Ronan

On Thu, May 21, 2020 at 1:43 AM Alex Rousskov
 wrote:
>
> On 5/20/20 6:07 AM, Matus UHLAR - fantomas wrote:
> > On 20.05.20 05:07, Ronan Lucio wrote:
> >> I read a similar thread a couple of weeks ago, but my scenario has
> >> some differences.
> >> Anyway, my need is sending CONNECT method requests over HTTPS as well.
>
> > already possible.
>
> I assume that, here and below, "over HTTPS" means "to an HTTPS proxy".
>
> Yes, any HTTP request, including CONNECT can be sent to an HTTPS proxy.
>
>
> >> 1) To send CONNECT method requests over HTTPS I'm supposed to use
> >> https_port.
>
> > no. It's very common to use HTTP proxy over HTTP, and the CONNECT request
> > creates communication between client and server
>
> The question is difficult to interpret correctly. Here are arguably
> better questions (with answers):
>
> Q: If I want to use an HTTPS proxy, what Squid port should I configure?
> A: You must use an https_port directive.
>
> Q: Does https_port support CONNECT requests?
> A: Yes. Squid https_port supports all HTTP requests supported by
>http_port, including CONNECT.
>
> Q: How does Squid, in an HTTPS proxy mode, handle a CONNECT request?
> A: Squid handles it as it would handle a CONNECT request
>received over an http_port (by default) -- by establishing a TCP
>tunnel to the origin server and shoveling bytes back and forth.
>The client-Squid portion of that tunnel would be protected by
>TLS in this case, of course -- that is always true for an HTTPS
>proxy. SslBump features are not supported in HTTPS mode (yet).
>
>
> >> May I use it in the same way as http_port (without intercept, proxy,
> >> or accelerate)?
>
> > yes.
>
> Q: Can https_port be used without an explicit mode (i.e., without
>an intercept, tproxy, accel, or ssl-bump parameter)?
> A: Yes. The https_port directive supports the default (i.e. forward
>proxy) mode.
>
> Q: What happens when https_port is used without an explicit mode?
> A: Traffic on such https_port is treated as if Squid was an HTTPS proxy.
>
>
> >> 2) If I need to apply ACL rules to restrict some destinations, I'm
> >> supposed to use bump_ssl.
> >
> > without bumping, you can only see the destination host:port and possible
> > hostname sent in the SNI request and contents of the SSL certificate.
>
> Again, it is difficult to interpret this question correctly. Here are a
> few versions with correct answers:
>
> Q: Can I use ssl_bump with an HTTPS proxy?
> A: No, that is not supported yet.
>
> Q: What ACLs can I use in an HTTPS proxy mode?
> A: All ACLs that do not require inspecting packets inside
>TLS connections from client to origin. Please note that
>a single client-origin TLS connection involves two
>TCP connections. That inspection is what SslBump does (among
>other things). This answer is (too) complex. Unfortunately,
>there is currently no documentation that, for every ACL,
>details precisely what information sources are required for
>that ACL to work. Some ACLs use multiple information sources,
>depending on Squid configuration and/or transaction state,
>complicating the matters further.
>
> Q: Is TLS origin SNI available to Squid ACLs in HTTPS proxy mode?
> A: No, not today. SslBump features are not yet supported in that mode.
>
> Q: Are URL paths of HTTP requests inside CONNECT tunnels
>available to Squid ACLS in HTTPS proxy mode?
> A: No, not today. SslBump features are not yet supported in that mode.
>
>
> HTH,
>
> Alex.
>
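As an added example (not from the thread, and not Squid project code), the client side of the setup Ronan describes: a TLS session to the https_port, the authenticated CONNECT for api.mydomain.com sent inside it, and the proxy's verdict parsed before anything else is sent. PROXY_HOST, PROXY_PORT and PROXY_CA are constructed placeholders.

```python
import base64
import socket
import ssl

# Constructed values for illustration only: point them at your own proxy.
PROXY_HOST = "proxy.example.com"    # host running the https_port listener
PROXY_PORT = 3129                   # the https_port number
PROXY_CA = "/path/to/proxy-ca.pem"  # CA bundle that validates the proxy's cert


def build_connect_request(target_host, target_port, username, password):
    """Raw CONNECT request asking the proxy for a tunnel to the target.
    Proxy-Authorization: Basic is base64, not encryption: whoever can read
    these bytes has the password. Only the TLS session to an https_port
    keeps them off the wire in clear text."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        f"Proxy-Authorization: Basic {creds}\r\n"
        "\r\n"
    ).encode()


def parse_connect_response(raw):
    """Return (status_code, reason) from the proxy's reply to CONNECT."""
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")


def read_response_head(sock):
    """Read until the blank line that ends the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering")
        buf += chunk
    return buf


def open_tunnel(target_host, target_port, username, password):
    """TLS to the proxy, then CONNECT inside that session; returns the tunnel.
    The proxy's certificate is verified against PROXY_CA so a spoofed proxy
    cannot harvest the credentials. 407 = proxy wants (other) credentials,
    403 = http_access denied this target (e.g. not in allowed_target)."""
    ctx = ssl.create_default_context(cafile=PROXY_CA)
    raw = socket.create_connection((PROXY_HOST, PROXY_PORT), timeout=10)
    tunnel = ctx.wrap_socket(raw, server_hostname=PROXY_HOST)
    tunnel.sendall(build_connect_request(target_host, target_port, username, password))
    code, reason = parse_connect_response(read_response_head(tunnel))
    if code != 200:
        tunnel.close()
        raise PermissionError(f"proxy refused CONNECT: {code} {reason}")
    # The origin's TLS handshake now runs through `tunnel` as a second, nested
    # layer (Alex's two TLS connections). Do not hand `tunnel` to another
    # wrap_socket(): that detaches the fd and bypasses the outer layer; use
    # ssl.MemoryBIO + SSLContext.wrap_bio() and pump bytes through `tunnel`.
    return tunnel
```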


[squid-users] Sending CONNECT method requests over HTTPS

2020-05-19 Thread Ronan Lucio
Hi all,

I read a similar thread a couple of weeks ago, but my scenario has
some differences.
Anyway, my need is sending CONNECT method requests over HTTPS as well.

I read the docs and just would like to confirm with you that I got it right:

1)
To send CONNECT method requests over HTTPS I'm supposed to use https_port.
May I use it in the same way as http_port (without intercept, proxy,
or accelerate)?

2)
If I need to apply ACL rules to restrict some destinations, I'm
supposed to use bump_ssl.

Is it right?

Thank you,
Ronan