Re: [squid-users] How to configure a "proxy home" page ?

2018-03-26 Thread Yuri
Since the client should be involved, our business is to redirect him to
the instructions page where he will make a decision - whether to put a
proxy certificate or not. And on this page, in turn, is a script that
makes this task easier. But does not install the certificate
automatically - in this we came to a common opinion.

Or, we can simply send a link to this page to the user by e-mail - "Dear
user, we found that you are trying to access a secure site. To proceed,
please click on the link, otherwise access will not be granted in
accordance with our security policy "


26.03.2018 21:41, Matus UHLAR - fantomas wrote:
> On 25.03.18 23:47, Eliezer Croitoru wrote:
>> I do not know your level of JS or other thing but... a splash page is
>> merely a transition step.
>> Since you can check using JS if the certificate is installed
>
> And how do you push the JS into the client?
>
> when client tries to fetch https://www.google.com/ and you don't have
> cert
> for www.google.com, answering with any other certificate by unknown
> authority will produce error before the JS is loaded.
>

-- 
"C++ seems like a language suitable for firing other people's legs."

*
* C++20 : Bug to the future *
*




signature.asc
Description: OpenPGP digital signature
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] How to configure a "proxy home" page ?

2018-03-26 Thread Yuri
Waaa, Matus,

the idea is trivial.

Catch SSL UNKNOWN ISSUER error on squid's acl and redirect by 302 to
proxy page with instructions. Which requires user's involving.

How many times can one repeat the obvious...


26.03.2018 21:41, Matus UHLAR - fantomas wrote:
> On 25.03.18 23:47, Eliezer Croitoru wrote:
>> I do not know your level of JS or other thing but... a splash page is
>> merely a transition step.
>> Since you can check using JS if the certificate is installed
>
> And how do you push the JS into the client?
>
> when client tries to fetch https://www.google.com/ and you don't have
> cert
> for www.google.com, answering with any other certificate by unknown
> authority will produce error before the JS is loaded.
>



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-26 Thread Yuri


26.03.2018 02:47, Eliezer Croitoru wrote:
> Hey Nicolas and Yuri
>
> I do not know your level of JS or other thing but... a splash page is merely 
> a transition step.
> Since you can check using JS if the certificate is installed you can design 
> it in such a way that it will be almost transparent for the user.
> If the JS finds that you can access the test subject site\page then you can 
> just pass the user using java script into the "LOGIN" page and let it move on 
> from it.
> The other case is if the user doesn't have the ROOT CA certificate installed 
> on the browser or device.
> The splash page is better than any other solution and it's very elegant.
> What is required for mobile phones is a set of instructions or a tech support 
> phone...
>
> The example page I have introduced at:
> https://cert.rimon.net.il/
>
> was merely an example that demonstrated the potential of the detection 
> function.
> In production we have another system based on the source code I introduced 
> before that "clears" a client\user from having the certificate installed on 
> his main device\machine\browser.
>
> Do you need an example for such a splash page?
No. The splash page is not the biggest problem.

As I've told, the problem is quite different.

Also, personally for me - I would like to see just automated CA install
sources and Makefile :)
>
> Eliezer
>
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
> -Original Message-
> From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of 
> Nicolas Kovacs
> Sent: Sunday, March 25, 2018 14:46
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] How to configure a "proxy home" page ?
>
> On 25/03/2018 at 13:08, Yuri wrote:
>> The problem is not install proxy CA. The problem is identify client
>> has no proxy CA and redirect, and do it only one time.
> That is exactly the problem. And I have yet to find a solution for that.
>
> Current method is instruct everyone - with a printed paper in the office
> - to connect to proxy.company-name.lan and then get further instructions
> from the page. This works, but an automatic splash page would be more
> elegant.
>
> Niki
>



Re: [squid-users] delay-pool based on authentication

2018-03-26 Thread Yuri
Probably, yes.

I'm not so good with delay pools, but I guess you are moving in the right direction.

First, it requires making a clean separation of users.

I think, Amos can consult you better. ;-)


26.03.2018 19:46, vv...@gmx.net wrote:
> Dear Yuri,
>
> thank you for your quick reply.
> I spent the weekend trying and testing some options.
>
> My problem is, I cannot separate authenticated users from
> unauthenticated ones.
>
> Here in detail:
> if I try to do something like this
>  cut 
> acl users proxy_auth "/etc/squid/users"
> http_access allow users
>
> delay_pools 2
>
> delay_class 1 1
> delay_parameters 1 -1/-1 # no limit
>
> delay_access 1 allow users
> delay_access 1 deny all
>
> delay_class 2 3
> delay_parameters 2 -1/-1 -1/-1 196608/786432    # no limit, no limit,
> 1.5 Mbit/s per user 6.0 Mbit/s once
>
> delay_access 2 allow all
>  cut 
>
> then every user is asked for authentication. If they cancel that, they
> cannot access anything.
>
> if I try to start with the restricted delay pool
>  cut 
> delay_pools 2
>
> delay_class 1 1
> delay_parameters 1 -1/-1 # no limit
>
> delay_access 1 allow users
> delay_access 1 deny all
>
> delay_class 2 3
> delay_parameters 2 -1/-1 -1/-1 196608/786432    # no limit, no limit,
> 1.5 Mbit/s per user 6.0 Mbit/s once
>
> delay_access 2 allow all
>
> acl users proxy_auth "/etc/squid/users"
> http_access allow users
>  cut 
> then every user is restricted and no query for authentication occurs.
>
> How can I separate not authenticated users from authenticated?
> I cannot use IPs because all IPs are in the same range.
>
> Thank you in advance!
> Regards,
> Vitaly
>
>
> On Sat, 24 Mar 2018 16:20:24 +0100, Yuri <yvoi...@gmail.com> wrote:
>
>> https://wiki.squid-cache.org/Features/DelayPools
>>
>>
>> 24.03.2018 21:15, vv...@gmx.net wrote:
>>> Dear Community,
>>>
>>> I have the following question:
>>> Is it possible with squid to select delay pool depending on whether
>>> the user is authenticated or not?
>>>
>>> Background:
>>> I want to set up a slow delay pool by default. (for unauthenticated
>>> users)
>>> For registered users I want to assign another delay pool with no
>>> restriction (full speed).
>>>
>>> Any suggestion is welcome.
>>>
>>> Thank you very much!
>>>
>>> Regards,
>>> Vitaly



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-26 Thread Yuri
Disagree.

My point about TLS is quite different.

SSH, by design, assumes end-to-end encryption and does not assume any
third party to be trusted, like TLS does. SSH immediately notifies you
when the server key has unexpectedly changed. Any MiTM in an SSH tunnel
immediately breaks the connection. Of course, you can steal the client's
private key, you can break the private key password. But you can't easily
become a fake server or intermediate hop and silently decrypt tunneled SSH
traffic. You can't do this by design.

The basics of TLS (in the HTTPS implementation) assume a trusted third party,
which authenticates both sides of the conversation (i.e. Bob and Alice).
I.e., in case this third party becomes untrusted for any reason (as
practice has shown, it is very likely), it can silently decrypt Bob and
Alice's conversation without any notification - you still see the green lock.
Here we cannot talk about SSL Bump itself. Just imagine - not
only you can do it with squid, but anyone who can get an intermediate CA
signed by a trusted root CA.

Yes, users are involved in both cases. However, the difference is still there.
SSH is always end-to-end by design (we're not talking about things like
Kerberos here), TLS is not.


26.03.2018 13:47, Sticher, Jascha wrote:
> Hi everyone,
>
> I know this is quite off-topic, but I wanted to clarify a bit.
>
> SSH and TLS both provide the same thing, namely a tunnel between a client and 
> a server. While both use asymmetric crypto for authentication and symmetric 
> crypto for data transfer and therefore the same algorithms (that's why 
> openssh requires openssl/gnutls - as crypto library), they are independent 
> protocols. SSH uses its own key format, which does not know such a thing as a 
> CA – each server generates its own server key pair (or at least it 
> should).[1,2]
>
> As to SSH-MiTM, this is indeed possible, in two cases:
> a) The server key is unknown to the client and not verified correctly (by the 
> user!). Then a fake server can decrypt SSH and intercept everything.
> b) The client validates server certificates incorrectly or is told to ignore 
> changes in the server key (eg. “-o StrictHostKeyChecking=no” with openssh)
>
> There are some SSH-MITM solutions available on the internet.[3]
>
> To conclude, if crypto is involved _every_ part of the conversation needs to 
> do it _right_. Including the user.
>
>
> Kind regards,
>
> Jascha
>
>
> [1] 
> https://security.stackexchange.com/questions/1599/what-is-the-difference-between-ssl-vs-ssh-which-is-more-secure
> [2] https://wiki.hetzner.de/index.php/Ed25519 - hetzner shipped the same 
> elliptic-curve host key on each host for a time
> [3] e.g. https://github.com/mitmproxy/mitmproxy
>
>
>
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Yuri
> Sent: Monday, 26 March 2018 03:13
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] How to configure a "proxy home" page ?
>
>
>
> 26.03.2018 07:08, Amos Jeffries wrote:
> On 26/03/18 13:44, Yuri wrote:
>
>
> 26.03.2018 06:41, Yuri wrote:
>
> 26.03.2018 06:30, Amos Jeffries wrote:
> On 26/03/18 12:34, Yuri wrote:
> 26.03.2018 05:23, Amos Jeffries wrote:
> On 26/03/18 12:07, Yuri wrote:
> 26.03.2018 05:05, Amos Jeffries wrote:
> On 26/03/18 11:05, Yuri wrote:
>
>
> On 26/03/18 12:34, Yuri wrote:>
> 26.03.2018 05:23, Amos Jeffries wrote:
> This is what I mean by "TLS used properly" - proper is when it always
> circles back to user deciding who they trust. No matter how indirectly,
> the user installs a (root) CA causing trust or allowed someone else to
> do so.
> Generally speaking, yes.
>
> I just mean that in some other protocols you have no possibility to
> make a MiTM in any way, whether installing something or not. This
> prevents any improper or malicious use of the protocol.
>
> TLS *has* this possibility. SSH does *not*. You can't MiTM or compromise
> SSH by installing any keys/certs on the client. Correct? Is this by design?
> No. SSH is just TCP/telnet over TLS. So if the SSH software were to
> trust the cert/key Squid delivers one could use SSL-Bump on that SSH
> traffic.
> You sure?
>
> https://stackoverflow.com/questions/723152/difference-between-ssh-and-ssl-especially-in-terms-of-sftp-vs-ftp-over-ssl
>
> Quote: "SSH has its own transport protocol independent from SSL, so that
> means SSH DOES NOT use SSL under the hood."
>
> Because I'm not. Different sources tell the opposite.
> I'm sure SSH is using openssl under the hood. But I'm not sure it uses the same
> tunneling implementation as TLS-over-HTTP. And no method to MiTM SSH is
> known yet, AFAIK.
>
> I'm not 100% sure, but it uses the same message framing as TLS and
> performs the same handshake seq

Re: [squid-users] How to configure a "proxy home" page ?

2018-03-26 Thread Yuri


26.03.2018 15:33, Matus UHLAR - fantomas wrote:
>>>>>> On 25/03/2018 at 13:08, Yuri wrote:
>>>>>>> The problem is not install proxy CA. The problem is identify client
>>>>>>> has no proxy CA and redirect, and do it only one time.
>>>>>
>>>>> On 25.03.18 13:46, Nicolas Kovacs wrote:
>>>>>> That is exactly the problem. And I have yet to find a solution for
>>>>>> that.
>>>>>>
>>>>>> Current method is instruct everyone - with a printed paper in the
>>>>>> office
>>>>>> - to connect to proxy.company-name.lan and then get further
>>>>>> instructions
>>>>>> from the page. This works, but an automatic splash page would be
>>>>>> more
>>>>>> elegant.
>>>
>>>> 25.03.2018 18:42, Matus UHLAR - fantomas wrote:
>>>>> impossible and unsafe. The CA must be installed before such splash
>>>>> page shows
>>>
>>> On 25.03.18 18:44, Yuri wrote:
>>>> Possible. "Safe/Unsafe" should not be discussion when SSL Bump
>>>> implemented already.
>
>> 25.03.2018 20:32, Matus UHLAR - fantomas wrote:
>>> it's possible to install a splash page, but not install a trusted authority
>>> certificate.  Using such an authority on a proxy is the MITM attack and
>>> the whole of
>>> SSL has been designed to prevent this.
>
> On 25.03.18 21:41, Yuri wrote:
>> Heh. If SSL designed - why SSL Bump itself possible? ;):-P
>
> it's not, you must break through it to allow ssl-bump by installing your
> CA certificate.  You haven't explained how to do that automatically
> although
> you claim it's possible.
>
> Please provide evidence.
Waaa. No. My misunderstanding. Of course, not automatically.
>
>>> without certificate, the browser complains which is a security measure
>>> against this.
>
>> Sure. It should.
>
> and it does. unless you tweak it not to, which must be configured
> manually
> (please provide evidence if not).
Exactly. I'm talking only about it. My misunderstanding.
>
>>>>> up and in such case the splash page is irrelevant.
>>>>>
>>>>> If you have windows domain, you can force security policy through it.
>>>
>>>> In an enterprise environment with AD, yes. But hardly in service
>>>> providers'
>>>> scenarios.
>>>
>>> service providers should not do this without users' permission.
>>> at least not in countries where the privacy is guaranteed by law.
>
>> Thank you, Captain Obvious. :-) Enterprises also should get user
>> agreement before doing that. Especially in BYOD scenarios.
>>
>> All these things are well known here. The question was about technical
>> implementation, and not about the well-known truisms in the field of
>> security and privacy (in most cases ephemeral).
>
> maybe you know that, but many of the people asking for ssl bump how-tos do not
> know that.
I disagree a bit.

This has been repeated so many times here and in Wiki that it's hard to
imagine that someone does not already know this.



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri


26.03.2018 07:08, Amos Jeffries wrote:
> On 26/03/18 13:44, Yuri wrote:
>>
>> 26.03.2018 06:41, Yuri wrote:
>>> 26.03.2018 06:30, Amos Jeffries wrote:
>>>> On 26/03/18 12:34, Yuri wrote:
>>>>> 26.03.2018 05:23, Amos Jeffries wrote:
>>>>>> On 26/03/18 12:07, Yuri wrote:
>>>>>>> 26.03.2018 05:05, Amos Jeffries wrote:
>>>>>>>> On 26/03/18 11:05, Yuri wrote:
>>>> On 26/03/18 12:34, Yuri wrote:>
>>>>> 26.03.2018 05:23, Amos Jeffries wrote:
>>>>>> This is what I mean by "TLS used properly" - proper is when it always
>>>>>> circles back to user deciding who they trust. No matter how indirectly,
>>>>>> the user installs a (root) CA causing trust or allowed someone else to
>>>>>> do so.
>>>>> Generally speaking, yes.
>>>>>
>>>>> I just mean that in some other protocols you have no possibility to
>>>>> make a MiTM in any way, whether installing something or not. This
>>>>> prevents any improper or malicious use of the protocol.
>>>>>
>>>>> TLS *has* this possibility. SSH does *not*. You can't MiTM or compromise
>>>>> SSH by installing any keys/certs on the client. Correct? Is this by design?
>>>> No. SSH is just TCP/telnet over TLS. So if the SSH software were to
>>>> trust the cert/key Squid delivers one could use SSL-Bump on that SSH
>>>> traffic.
>>> You sure?
>>>
>>> https://stackoverflow.com/questions/723152/difference-between-ssh-and-ssl-especially-in-terms-of-sftp-vs-ftp-over-ssl
>>>
>>> Quote: "SSH has its own transport protocol independent from SSL, so that
>>> means SSH DOES NOT use SSL under the hood."
>>>
>>> Because I'm not. Different sources tell the opposite.
>> I'm sure SSH is using openssl under the hood. But I'm not sure it uses the same
>> tunneling implementation as TLS-over-HTTP. And no method to MiTM SSH is
>> known yet, AFAIK.
> I'm not 100% sure, but it uses the same message framing as TLS and
> performs the same handshake sequence and security verifications.
This is not the same as the transport, yes? Because the transport is the primary
target for bumping.
>
> That said *SSL* _is_ different from TLS so the quote is technically
> correct either way.
It seems to me that the difference is not one of principle. Both SSL and TLS
use the same architecture, in which, in principle, it is possible to
have a MiTM certificate which one of the parties trusts.
>
> Amos



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri


26.03.2018 06:41, Yuri wrote:
>
> 26.03.2018 06:30, Amos Jeffries wrote:
>> On 26/03/18 12:34, Yuri wrote:
>>> 26.03.2018 05:23, Amos Jeffries wrote:
>>>> On 26/03/18 12:07, Yuri wrote:
>>>>> 26.03.2018 05:05, Amos Jeffries wrote:
>>>>>> On 26/03/18 11:05, Yuri wrote:
>>>>>>> And yes, HTTPS is insecure by design and all our actions do not make it
>>>>>>> less insecure :-D
>>>>>> We are not talking about HTTPS. Only about TLS. Because the TLS decrypt
>>>>>> is what is "failing" at the time any of these details we are discussing
>>>>>> are relevant.
>>>>>>
>>>>>> The "page" mentioned is HTML created by the _client_ as its way to show
>>>>>> the user things. Still no HTTP(S) involvement. Squid has zero
>>>>>> involvement with that so cannot make it do anything active (like install
>>>>>> CA certs).
>>>>> Exactly. Users do. And we almost have all the required tools to implement a
>>>>> user-driven helper ;)
>>>> Yet again you are circled back to involving the user. Remember the
>>>> original point was trying to do things *without any user* knowing or
>>>> being involved.
>>> I could not make such a stupid idea. It does not work out that way. The
>>> user is always asked whether to trust the CA certificate being installed.
>> "
>> On 17/03/18 01:43, Yuri wrote:
>>> I guess better way to do this is create special ACL to catch exactly
>>> certificate error and then redirect by 302 using deny_info to proxy page
>>> with explanation and certificate.
>> "
>>
>> The mistake here was thinking the error was something Squid could see or
>> detect. It is not.
>>
>>
>>> The only way known to me to make this silent is using AD group policy.
>>>
>>> AFAIK, we're discussing usual way with catch error and redirect to page.
>>> No more. Captive Portal, Splash, ACL etc.
>>>
>> In order to deliver that splash page or redirect requires the client to
>> trust the proxy CA and decrypt the proxy HTTPS response.
>>
>> BUT, the problem Nicolas had in the first place was the client not
>> trusting the proxy CA and displaying a page of its own:
>>
>> "
>> On 16/03/18 23:37, Nicolas Kovacs wrote:
>>> User who don't have the certificate installed
>>> normally get a big fat HTTPS error as soon as they connect
>> "
>>
>> The idea proposed to replace the client-created page was to send a
>> custom one from the proxy. Which is a circle.
> My bad. Missed it. Such an obvious thing for me.
>>
>>
>>
>> On 26/03/18 12:34, Yuri wrote:>
>>> 26.03.2018 05:23, Amos Jeffries wrote:
>>>> This is what I mean by "TLS used properly" - proper is when it always
>>>> circles back to user deciding who they trust. No matter how indirectly,
>>>> the user installs a (root) CA causing trust or allowed someone else to
>>>> do so.
>>> Generally speaking, yes.
>>>
>>> I just mean that in some other protocols you have no possibility to
>>> make a MiTM in any way, whether installing something or not. This
>>> prevents any improper or malicious use of the protocol.
>>>
>>> TLS *has* this possibility. SSH does *not*. You can't MiTM or compromise
>>> SSH by installing any keys/certs on the client. Correct? Is this by design?
>> No. SSH is just TCP/telnet over TLS. So if the SSH software were to
>> trust the cert/key Squid delivers one could use SSL-Bump on that SSH
>> traffic.
> You sure?
>
> https://stackoverflow.com/questions/723152/difference-between-ssh-and-ssl-especially-in-terms-of-sftp-vs-ftp-over-ssl
>
> Quote: "SSH has its own transport protocol independent from SSL, so that
> means SSH DOES NOT use SSL under the hood."
>
> Because I'm not. Different sources tell the opposite.
I'm sure SSH is using openssl under the hood. But I'm not sure it uses the same
tunneling implementation as TLS-over-HTTP. And no method to MiTM SSH is
known yet, AFAIK.
>> The on_unsupported_protocol feature is for exactly this non-HTTP traffic
>> to be bumped (and rejected) or spliced by Squid.
>>
>> NP: The only thing protecting SSH against SSL-Bump is that servers there
>> are *supposed* to check client certs as well as the server certs being
>> checked by clients. The bi-directional checking breaks bumping.
>>
>> Amos



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri


26.03.2018 06:30, Amos Jeffries wrote:
> On 26/03/18 12:34, Yuri wrote:
>> 26.03.2018 05:23, Amos Jeffries wrote:
>>> On 26/03/18 12:07, Yuri wrote:
>>>> 26.03.2018 05:05, Amos Jeffries wrote:
>>>>> On 26/03/18 11:05, Yuri wrote:
>>>>>> And yes, HTTPS is insecure by design and all our actions do not make it
>>>>>> less insecure :-D
>>>>> We are not talking about HTTPS. Only about TLS. Because the TLS decrypt
>>>>> is what is "failing" at the time any of these details we are discussing
>>>>> are relevant.
>>>>>
>>>>> The "page" mentioned is HTML created by the _client_ as its way to show
>>>>> the user things. Still no HTTP(S) involvement. Squid has zero
>>>>> involvement with that so cannot make it do anything active (like install
>>>>> CA certs).
>>>> Exactly. Users do. And we almost have all the required tools to implement a
>>>> user-driven helper ;)
>>> Yet again you are circled back to involving the user. Remember the
>>> original point was trying to do things *without any user* knowing or
>>> being involved.
>> I could not make such a stupid idea. It does not work out that way. The
>> user is always asked whether to trust the CA certificate being installed.
> "
> On 17/03/18 01:43, Yuri wrote:
>> I guess better way to do this is create special ACL to catch exactly
>> certificate error and then redirect by 302 using deny_info to proxy page
>> with explanation and certificate.
> "
>
> The mistake here was thinking the error was something Squid could see or
> detect. It is not.
>
>
>> The only way known to me to make this silent is using AD group policy.
>>
>> AFAIK, we're discussing usual way with catch error and redirect to page.
>> No more. Captive Portal, Splash, ACL etc.
>>
> In order to deliver that splash page or redirect requires the client to
> trust the proxy CA and decrypt the proxy HTTPS response.
>
> BUT, the problem Nicolas had in the first place was the client not
> trusting the proxy CA and displaying a page of its own:
>
> "
> On 16/03/18 23:37, Nicolas Kovacs wrote:
>> User who don't have the certificate installed
>> normally get a big fat HTTPS error as soon as they connect
> "
>
> The idea proposed to replace the client-created page was to send a
> custom one from the proxy. Which is a circle.
My bad. Missed it. Such an obvious thing for me.
>
>
>
>
> On 26/03/18 12:34, Yuri wrote:>
>> 26.03.2018 05:23, Amos Jeffries wrote:
>>> This is what I mean by "TLS used properly" - proper is when it always
>>> circles back to user deciding who they trust. No matter how indirectly,
>>> the user installs a (root) CA causing trust or allowed someone else to
>>> do so.
>> Generally speaking, yes.
>>
>> I just mean that in some other protocols you have no possibility to
>> make a MiTM in any way, whether installing something or not. This
>> prevents any improper or malicious use of the protocol.
>>
>> TLS *has* this possibility. SSH does *not*. You can't MiTM or compromise
>> SSH by installing any keys/certs on the client. Correct? Is this by design?
> No. SSH is just TCP/telnet over TLS. So if the SSH software were to
> trust the cert/key Squid delivers one could use SSL-Bump on that SSH
> traffic.
You sure?

https://stackoverflow.com/questions/723152/difference-between-ssh-and-ssl-especially-in-terms-of-sftp-vs-ftp-over-ssl

Quote: "SSH has its own transport protocol independent from SSL, so that
means SSH DOES NOT use SSL under the hood."

Because I'm not. Different sources tell the opposite.
>
> The on_unsupported_protocol feature is for exactly this non-HTTP traffic
> to be bumped (and rejected) or spliced by Squid.
>
> NP: The only thing protecting SSH against SSL-Bump is that servers there
> are *supposed* to check client certs as well as the server certs being
> checked by clients. The bi-directional checking breaks bumping.
>
> Amos



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri


26.03.2018 05:23, Amos Jeffries wrote:
> On 26/03/18 12:07, Yuri wrote:
>> 26.03.2018 05:05, Amos Jeffries wrote:
>>> On 26/03/18 11:05, Yuri wrote:
>>>> And yes, HTTPS is insecure by design and all our actions do not make it
>>>> less insecure :-D
>>> We are not talking about HTTPS. Only about TLS. Because the TLS decrypt
>>> is what is "failing" at the time any of these details we are discussing
>>> are relevant.
>>>
>>> The "page" mentioned is HTML created by the _client_ as its way to show
>>> the user things. Still no HTTP(S) involvement. Squid has zero
>>> involvement with that so cannot make it do anything active (like install
>>> CA certs).
>> Exactly. Users do. And we almost have all the required tools to implement a
>> user-driven helper ;)
> Yet again you are circled back to involving the user. Remember the
> original point was trying to do things *without any user* knowing or
> being involved.
I could not make such a stupid idea. It does not work out that way. The
user is always asked whether to trust the CA certificate being installed.

The only way known to me to make this silent is using AD group policy.

AFAIK, we're discussing the usual way: catch the error and redirect to a page.
No more. Captive Portal, Splash, ACL etc.

>
>
> This is what I mean by "TLS used properly" - proper is when it always
> circles back to user deciding who they trust. No matter how indirectly,
> the user installs a (root) CA causing trust or allowed someone else to
> do so.
Generally speaking, yes.

I just mean that in some other protocols you have no possibility to
make a MiTM in any way, whether installing something or not. This
prevents any improper or malicious use of the protocol.

TLS *has* this possibility. SSH does *not*. You can't MiTM or compromise
SSH by installing any keys/certs on the client. Correct? Is this by design?

> Amos



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
Waa. You're right. I hurried.

Hmm.

Seems we can't distinguish an unknown server CA from an unknown proxy CA.

Sadly.

26.03.2018 05:14, Amos Jeffries wrote:
> On 26/03/18 11:15, Yuri wrote:
>> I mean, for example:
>>
>> SSL_ERROR_CLIENT_DOES_NOT_KNOW_THIS_CA
>>
> Consider carefully what the words "CLIENT_DOES_NOT_KNOW_THIS_CA" mean in
> normal English.
>
>
> Amos



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri


26.03.2018 05:05, Amos Jeffries wrote:
> On 26/03/18 11:05, Yuri wrote:
>> And yes, HTTPS is insecure by design and all our actions do not make it
>> less insecure :-D
> We are not talking about HTTPS. Only about TLS. Because the TLS decrypt
> is what is "failing" at the time any of these details we are discussing
> are relevant.
>
> The "page" mentioned is HTML created by the _client_ as its way to show
> the user things. Still no HTTP(S) involvement. Squid has zero
> involvement with that so cannot make it do anything active (like install
> CA certs).
Exactly. Users do. And we almost have all the required tools to implement a
user-driven helper ;)
>
> Amos



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
I mean, for example:

SSL_ERROR_CLIENT_DOES_NOT_KNOW_THIS_CA

during TLS negotiation between client and proxy.

To be separated from the rare cases when a real-world CA exists, but is not yet
included in the well-known CA bundle.

Something like this. Right now we can't differentiate the UNKNOWN_ISSUER error
- whether it is an external or an internal issue.



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
By the way, Amos, I have an idea spinning around. Is it possible to
specify the SSL error of the unknown certificate issuer for the correct
processing of the situation when the client does not have the proxy
certificate installed? This would greatly facilitate the task that we
are discussing.

In this case we could just use deny_info to redirect the client to the proxy
page. ;-)



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
And yes, HTTPS is insecure by design and all our actions do not make it
any less insecure :-D





Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri


26.03.2018 03:55, Amos Jeffries wrote:
> On 26/03/18 10:16, Yuri wrote:
>> W, Amos, why you say "unverifiable"? 
> Because that is the situation. The client software cannot silently
> verify the certificate nor automatically install the not-trusted CA to
> cause that *previous* verification attempt to succeed.
Sure. Users always should:

a) Have root/administrative privileges to install any CA in the trusted
store on the client
b) The device always asks users "Hey, somebody is trying to install a CA with
fingerprint blah-blah-blah, do you trust them? Install? (Yes/No)"

We're not talking about forcibly and silently pushing the proxy CA to the client, right?
>
>> You can show CA to users,
> Er, you are now going in circles.
>
> The initial problem was that it is not possible to verify the cert
> automatically *without* showing the user things. Requiring the user to
> see something to get around that problem ...
Yes. We just want to determine - is the proxy CA installed? And if not,
redirect the user to a page to make a decision - install/not install. Get
internet/remain local ;)
On this page we can inform the user about all the required things: our CPS,
our privacy policy, warnings, legal issues, CA fingerprint, CA issuer
etc. ;)

Does this seem better? All the same as the adult CAs do :)

We all understand we can't silently push any CA to the client ;) This
is illegal, technically impossible, insecure... ;)
>
> Amos



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri


26.03.2018 03:02, Amos Jeffries wrote:
> On 26/03/18 09:49, Yuri wrote:
>> Amos,
>>
>> squid is irrelevant here. "Used properly" and "Implemented properly",
>> and, especially, "Designed properly" - which means "Secure by design",
>> like SSH or The Onion Router.
>>
>> HTTPS is *NOT*.
>>
> You are missing the point. Sometimes TLS *is* implemented properly.
>
> Squid is very relevant here because it is the agent producing the
> un-verifiable certificate. The certificate is un-verifiable exactly
> because Squids own CA is being used and the client does not trust that CA.
W, Amos, why do you say "unverifiable"? You can show the CA to users,
they can see your PKI with their own eyes, check the fingerprint, read your CPS ;)
Users, in this case, trust not the NSA or any abstract CA issuer, but you
personally. The client can trust or not trust you. But in the case of a far, far
away what-do-you-call-'em CA the client trusts them by default. Why?

Can you do the same checks against, for example, Comodo or DigiCert? I
think not. You are forced to trust them in absentia. "We swear by my mother,
everything is safe with us!"

Do you remember the Trustico story?

So, what is more secure? Me here or the what-do-you-call-'em CA there?

The point is not technical. It is rather a matter of faith.

The Onion Router uses only self-signed certificates in its infrastructure. Should
we not trust them because their CAs are not signed by a global "trusted" CA? Does
it make TOR less secure?

The same case here. Security/insecurity is not a matter of technique.
It is a question of people. A car can carry, and it can kill.

However, there are secure-by-design things. And there are
insecure-by-design things.

End-to-end encryption in IM is secure by design. HTTPS is not.
End-to-end you can't easily break. HTTPS - just install a third-party CA
on your PC! HTTPS permits it.

Squid here is just a tool. Which can be used for MiTM. Or not. It's
independent of you. You just manufacture the car for me. I'll decide
how it will be used.

So, users will decide whether they trust me or not. Me, not an
abstract remote CA.
>
> Amos



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri


26.03.2018 02:45, Amos Jeffries wrote:
> On 26/03/18 04:41, Yuri wrote:
>> Heh. If SSL was designed that way - why is SSL Bump itself possible? ;):-P
> As all our SSL-Bump documentation should be saying:
>
>when TLS is used properly SSL-Bump *does not work*.
>
> A client checking the cert validity and producing _its own_ error page
> about missing/unknown/untrusted CA is one of those cases. Since the
> client is producing the "page" itself there is no possibility of Squid
> replacing that with something else.
Amos,

Squid is irrelevant here. "Used properly" and "Implemented properly",
and, especially, "Designed properly" - which means "Secure by design",
like SSH or The Onion Router.

HTTPS is *NOT*.

Security should not depend on client/user behaviour. For
example, end-to-end security in IM. It is completely independent of the user.

If HTTPS permits MiTM in theory and practice by any means - it is
insecure by design. Period.

>
> Amos



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
Therefore, please, PLEASE, never mention SSL Bump and security/privacy
in one letter. O:-)

These are mutually exclusive concepts.

Just like HTTPS and security.




Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
In principle, I do not consider as secure any technology that allows
MiTM (even in theory) - regardless of the purpose.

Since this is so - HTTPS is nothing more than security theater with a
green lock for calming users.

This does not mean that I do not care about the security and privacy of
users. But I provide it somewhat differently, by carefully protecting the
proxy itself, its infrastructure and its cache.





Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri


25.03.2018 20:32, Matus UHLAR - fantomas wrote:
> On 25.03.18 18:44, Yuri wrote:
>> Possible. "Safe/Unsafe" should not be a discussion when SSL Bump is
>> implemented already.
>
> it's possible to install splash page, but not install trusted authority
> certificate.  Using such authority on a proxy is the MITM attack and
> whole
> SSL has been designed to prevent this.
Heh. If SSL was designed that way - why is SSL Bump itself possible? ;):-P
>
> without certificate, the browser complains which is a security measure
> against this.
Sure. It should.
>
>> In an enterprise environment with AD, yes. But hardly in service providers'
>> scenarios.
>
> service providers should not do this without users' permission.
> at least not in countries where the privacy is guaranteed by law.
Thank you, Captain Obvious. :-) Enterprises also should get user
agreement before doing that. Especially in BYOD scenarios.

All these things are well known here. The question was about the technical
implementation, and not about the well-known truisms in the field of
security and privacy (in most cases ephemeral).



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri


25.03.2018 18:42, Matus UHLAR - fantomas wrote:
> On 25.03.18 13:46, Nicolas Kovacs wrote:
>> That is exactly the problem. And I have yet to find a solution for that.
>>
>> Current method is instruct everyone - with a printed paper in the office
>> - to connect to proxy.company-name.lan and then get further instructions
>> from the page. This works, but an automatic splash page would be more
>> elegant.
>
> impossible and unsafe. The CA must be installed before such splash
> page shows
Possible. "Safe/Unsafe" should not be a discussion when SSL Bump is
implemented already.
> up and in such case the splash page is irelevant.
>
> If you have windows domain, you can force security policy through it.
In an enterprise environment with AD, yes. But hardly in service providers'
scenarios.




Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri


25.03.2018 17:46, Nicolas Kovacs wrote:
> On 25/03/2018 at 13:08, Yuri wrote:
>> The problem is not installing the proxy CA. The problem is identifying that
>> a client has no proxy CA and redirecting, and doing it only one time.
> That is exactly the problem. And I have yet to find a solution for that.
>
> Current method is instruct everyone - with a printed paper in the office
> - to connect to proxy.company-name.lan and then get further instructions
> from the page. This works, but an automatic splash page would be more
> elegant.
Splash

https://wiki.squid-cache.org/ConfigExamples/Portal/Splash

will occur too often and requires an external helper.

I mean something more elegant, using something like content adaptation
to store, for example in an SQLite db, users already covered (by any
attribute) and not check them again in the future.

Or, as I've said, using SSL error + acl functionality.

However, mobile clients are still an issue in all cases, as we all know.

>
> Niki
>



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-25 Thread Yuri
Hey Eliezer,

PC browsers don't require automated installers for the CA. There it is all
simply done by JS directly from the page.

Can you do an automated installer for mobile clients? iPhones, Android? For
both mobile browsers and apps as well?

The problem is not installing the proxy CA. The problem is identifying that a
client has no proxy CA and redirecting, and doing it only one time.

Splash is a perfect idea, but it will execute too often.

So, it requires a more elegant solution.

25.03.2018 15:29, Eliezer Croitoru wrote:
> Hey Nicolas,
>
> You can use a "splash page" concept which will contain a test page that will 
> try to verify if the client has the root ca certificate installed.
> I have created and published an example at:
> https://github.com/elico/ca-cert-test-page
>
> And a real usage at:
> https://cert.rimon.net.il/
>
> If the client first tries to access an http site it will work, but if the
> client tries an https site it will not work; but once the client gets past
> the error page he will be able to get instructions on how and what to install.
>
> Will it work for your environment?
>
> Eliezer
>
> 
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
> -Original Message-
> From: squid-users  On Behalf Of 
> Nicolas Kovacs
> Sent: Friday, March 16, 2018 12:37
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] How to configure a "proxy home" page ?
>
> Hi,
>
> I have Squid + SquidGuard + SquidAnalyzer running on my LAN server as a
> transparent cache + filtering proxy, and it's working real nicely.
>
> When a client in my company wants to connect to the wifi, all he or she
> has to do is this:
>
> 1. Connect to http://nestor.microlinux.lan
>
> 2. Download the nestor.microlinux.lan.der certificate
>
> 3. Install the certificate in the web browser (Firefox does it
> automatically)
>
> 4. Surf the web
>
> Now I wonder if there is a way to configure this page as a "proxy home
> page" of some sorts. Users who don't have the certificate installed
> normally get a big fat HTTPS error as soon as they connect to a secure
> site. So what I'd like to do is redirect "new" traffic to
> http://nestor.microlinux.lan, which also explains what is happening.
>
> I don't really know how to go about that, or if it is even possible.
> Maybe some basic form of authentication ?
>
> Any suggestion ?
>
> Cheers,
>
> Niki


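Yuri's idea of remembering which clients have already been covered, applied to Nicolas's request that only "new" clients be redirected to the instructions page, as an added example that is not code from the thread or from Squid: a small external ACL helper (Squid's line-per-request stdin/stdout helper protocol) backed by SQLite and keyed on the client address. The squid.conf wiring in the docstring, the database path, the helper path and the 30-day expiry are assumptions; as Eliezer and Matus point out, only plain-HTTP requests can be redirected this way, since a client without the proxy CA fails its first HTTPS handshake in the browser before Squid can answer.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: answers OK for clients that have already
been through the proxy home page and ERR for everyone else, so that
deny_info sends only "new" clients to the instructions page.

Added example for the squid-users thread, not code from Squid or from
the thread.  Assumed squid.conf wiring (helper path, ttl values and
home page name are placeholders; the usual "http_access allow localnet"
/ "http_access deny all" rules follow):

  external_acl_type covered ttl=60 negative_ttl=5 %SRC /usr/local/bin/covered_helper.py
  acl covered external covered
  acl homepage dstdomain proxy.company-name.lan
  http_access allow homepage
  deny_info 302:http://proxy.company-name.lan/ covered
  http_access deny !covered

Only plain-HTTP requests from a client lacking the proxy CA ever reach
this rule: its first HTTPS handshake fails in the browser first.
"""
import sqlite3
import sys
import time

DB_PATH = "/var/lib/squid/covered.db"  # assumed location, writable by the squid user
MAX_AGE = 30 * 24 * 3600               # assumed policy: show the page again after 30 days,
                                       # since a client IP (DHCP, NAT) is a weak identity


def open_db(path=DB_PATH):
    """Open the SQLite database, creating the table on first use."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS covered ("
        "client TEXT PRIMARY KEY, seen_at INTEGER NOT NULL)"
    )
    conn.commit()
    return conn


def mark_covered(conn, client, now=None):
    """Record that `client` finished the home page.  Meant to be called
    by the instructions page (e.g. its form handler), not by Squid."""
    now = int(time.time()) if now is None else now
    conn.execute(
        "INSERT OR REPLACE INTO covered (client, seen_at) VALUES (?, ?)",
        (client, now),
    )
    conn.commit()


def is_covered(conn, client, now=None, max_age=MAX_AGE):
    """True if `client` was marked covered within the last `max_age` seconds."""
    now = int(time.time()) if now is None else now
    row = conn.execute(
        "SELECT seen_at FROM covered WHERE client = ?", (client,)
    ).fetchone()
    return row is not None and now - row[0] <= max_age


def handle_line(conn, line, now=None):
    """Answer one request line of the external ACL protocol.  With the
    %SRC format the line is just the client address; anything malformed
    gets ERR, so an odd request lands on the home page rather than being
    silently allowed through."""
    client = line.strip()
    if not client or " " in client:
        return "ERR"
    return "OK" if is_covered(conn, client, now) else "ERR"


def main():
    """Helper main loop: one answer line per request line, flushed at once."""
    conn = open_db()
    for line in sys.stdin:
        sys.stdout.write(handle_line(conn, line) + "\n")
        sys.stdout.flush()  # Squid blocks until it sees the answer line


if __name__ == "__main__":
    main()
```

Until the instructions page calls mark_covered for an address, every plain-HTTP request from it is bounced to the page, which is why the short negative_ttl above matters: it bounds how long a freshly covered client keeps getting redirected.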

Re: [squid-users] Squid for windows Very slow downloads of large files through squid with normal uploads

2018-03-23 Thread Yuri


23.03.2018 21:25, Keith Hartley wrote:
> I had not thought to test that. I will do that today.
>
> In regards to Yuri's comments on firewall vs squid - I don’t agree that a 
> firewall would be a direct replacement in this case.
>
> The 30-40 URIs I need to access resolve to a potential pool of several 
> million IP addresses, and the pool of IP addresses gets updated multiple 
> times per year. Writing rules at the network level would not be practical to 
> implement even one time, let alone maintain over time. A more expensive 
> firewall that is able to implement ACLs by hostname would be needed, and 
> options for virtual firewalls hosted in Azure are limited. It would also 
> require either implementing many static routes, or a transit network with a 
> virtual router, and this environment will be supported by an organization 
> that does not have a network engineer on staff.
It depends. If you're providing Internet access for servers for updates - in
most cases updates have limited distribution points (of course, we're not
considering CDN now). Some cases can be easily solved by the server's built-in
firewall.

If we're talking about infrastructure, the best solution for updates is an
internal updates server (like WSUS), which only has access to the Internet
with all security restrictions. You know this better than me ;) Anyway, a
centralized patch/updates server behind the border firewall is the best
solution.

But this is, of course, an abstract discussion.
>
> I understand that there is very little functionality I need to leverage, but 
> I like Squid, as it is a name that most people in IT will recognize and be 
> able to google.
We like it too, but Squid itself is big and relatively complex
software, requires much experience to use and is not always easy to
support. It has a lot of functions and can have very complex
configurations. This is why I can't recommend using it in all cases
that require proxying/caching without serious reasons.
>
> I may still review privoxy however. If it is simple enough that supporting it 
> would be something easy to just figure out with minimal research, it may 
> still be a good option. I like simple, but high supportability is mandatory
Yes. Privoxy is very simple compared to Squid. It is a non-caching proxy,
which has all the functionality you require. It works with hostnames.

Don't worry - you will not require much support for it. It just works. ;)
>
>
> Keith Hartley
> Network Engineer II
> khart...@geocent.com
> www.geocent.com
>
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Matus UHLAR - fantomas
> Sent: Friday, March 23, 2018 3:56 AM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid for windows Very slow downloads of large 
> files through squid with normal uploads
>
> On 22.03.18 23:08, Keith Hartley wrote:
>> However on large files I am only getting 115 Kbps sustained download speeds.
> does this happen even when you try using squid on the machine squid is
> installed?
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not wish to receive any advertising mail at this address.
> I drive way too fast to worry about cholesterol.


Re: [squid-users] Squid for windows Very slow downloads of large files through squid with normal uploads

2018-03-22 Thread Yuri
And, if you still insist that you need a proxy, consider Privoxy.

A lightweight, primitive HTTP proxy with basic access control; it has a
Windows implementation and works as a service.

It will be good enough.

https://www.privoxy.org/

23.03.2018 05:27, Yuri wrote:
>
> Your task is simple - you need a simple control of access to the
> Internet, for servers, without any caching. Squid here is excessive,
> moreover, in your configuration it gives an excessive overhead.
>
> You don't require advanced request processing, SSL bumping, content
> adaptation, AV real-time checking, advanced caching, content
> compression - am I right?
>
> So, firewall is enough.
>
>
> 23.03.2018 05:11, Yuri wrote:
>>
>>
>>
>> 23.03.2018 05:08, Keith Hartley wrote:
>>>
>>> I don’t need it to cache anything – the goal of it is not
>>> performance optimization, it is to provide restricted access to the
>>> internet. I have 1200 Mbps of network i/o available to the squid
>>> servers and can confirm I am able to reliably achieve at least 800
>>> Mbps when I download something directly on the squid server.
>>> Additionally, it would be extremely rare that the same file ever
>>> would get downloaded more than once, if it ever actually happens.
>>>
>>>  
>>>
>>> By policy none of the servers may have direct internet access. This
>>> is to protect the data contained in the environment. Only one 4 bit
>>> subnet has internet access, where the squids are located, and 8 of
>>> the 45 servers need restricted internet access.
>>>
>> Now yours protects nothing. You don't have any advanced ACLs in your
>> config.
>>>
>>>  
>>>
>>> This config is complete at least in a base configuration. If I have
>>> time in the project I am going to add URI restrictions. The 8
>>> servers will only need to get to about 30-40 static URIs in total
>>> and want to block the others, but first I need to get the throughput up.
>>>
>>>  
>>>
>>> I have 800 Mbps minimum available bandwidth to the squid servers
>>> that I can confirm is available in download tests from the squids. I
>>> have 1200 Mbps (these are Azure virtual machines) of bandwidth
>>> available in both directions between the servers that use the squids
>>> and the squids.
>>>
>>>  
>>>
>>> However on large files I am only getting 115 Kbps sustained download
>>> speeds.
>>>
>>>  
>>>
>>> Now if squid needs to be able to buffer the downloads to cache in
>>> order to perform well – I could enable caching if that is the case,
>>> but would prefer to not cache anything. I very seriously doubt that
>>> I will ever download the same file two times in this environment as
>>> the only thing being downloaded is software updates that are
>>> centrally distributed from WSUS, and antivirus definitions that are
>>> released about 6-10 times per day. Most of the traffic is also
>>> https, with very little http.
>>>
>>>  
>>>
>>> Is it the case that I may see better performance if I configure it
>>> to cache the files first before sending it to clients?
>>>
>> Nothing above cannot be solved by a trivial border firewall.
>>
>> Just imagine - now you have a useless server which doesn't buffer network IO.
>>
>> Ideally just drop it. And set up a border firewall. This solves all of
>> your problems.
>>
>> Squid (especially Windows Squid) is not the appropriate tool here.
>>>
>>> * *
>>>
>>> *Keith Hartley*
>>>
>>> /Network Engineer II/
>>>
>>> khart...@geocent.com <mailto:khart...@geocent.com>
>>>
>>> www.geocent.com <http://www.geocent.com>
>>>
>>>  
>>>
>>> *From:*squid-users
>>> [mailto:squid-users-boun...@lists.squid-cache.org] *On Behalf Of *Yuri
>>> *Sent:* Thursday, March 22, 2018 5:39 PM
>>> *To:* squid-users@lists.squid-cache.org
>>> *Subject:* Re: [squid-users] Squid for windows Very slow downloads
>>> of large files through squid with normal uploads
>>>
>>>  
>>>
>>>  
>>>
>>>  
>>>
>>> 22.03.2018 23:10, Keith Hartley wrote:
>>>
>>> I am using squid 3.5 for windows as a transparent proxy to
>>> provide internet access to 7 servers in a secure environment
>>> that otherwise does not have internet access. I have two squids
>>> run

Re: [squid-users] Squid for windows Very slow downloads of large files through squid with normal uploads

2018-03-22 Thread Yuri
Your task is simple - you need a simple control of access to the
Internet, for servers, without any caching. Squid here is excessive;
moreover, in your configuration it gives an excessive overhead.

You don't require advanced request processing, SSL bumping, content
adaptation, AV real-time checking, advanced caching, content compression
- am I right?

So, a firewall is enough.


23.03.2018 05:11, Yuri wrote:
>
>
>
> 23.03.2018 05:08, Keith Hartley wrote:
>>
>> I don’t need it to cache anything – the goal of it is not performance
>> optimization, it is to provide restricted access to the internet. I
>> have 1200 Mbps of network i/o available to the squid servers and can
>> confirm I am able to reliably achieve at least 800 Mbps when I
>> download something directly on the squid server. Additionally, it
>> would be extremely rare that the same file ever would get downloaded
>> more than once, if it ever actually happens.
>>
>>  
>>
>> By policy none of the servers may have direct internet access. This
>> is to protect the data contained in the environment. Only one 4 bit
>> subnet has internet access, where the squids are located, and 8 of
>> the 45 servers need restricted internet access.
>>
> Now yours protects nothing. You don't have any advanced ACLs in your
> config.
>>
>>  
>>
>> This config is complete at least in a base configuration. If I have
>> time in the project I am going to add URI restrictions. The 8 servers
>> will only need to get to about 30-40 static URIs in total and want to
>> block the others, but first I need to get the throughput up.
>>
>>  
>>
>> I have 800 Mbps minimum available bandwidth to the squid servers that
>> I can confirm is available in download tests from the squids. I have
>> 1200 Mbps (these are Azure virtual machines) of bandwidth available
>> in both directions between the servers that use the squids and the
>> squids.
>>
>>  
>>
>> However on large files I am only getting 115 Kbps sustained download
>> speeds.
>>
>>  
>>
>> Now if squid needs to be able to buffer the downloads to cache in
>> order to perform well – I could enable caching if that is the case,
>> but would prefer to not cache anything. I very seriously doubt that I
>> will ever download the same file two times in this environment as the
>> only thing being downloaded is software updates that are centrally
>> distributed from WSUS, and antivirus definitions that are released
>> about 6-10 times per day. Most of the traffic is also https, with
>> very little http.
>>
>>  
>>
>> Is it the case that I may see better performance if I configure it to
>> cache the files first before sending it to clients?
>>
> Nothing above cannot be solved by a trivial border firewall.
>
> Just imagine - now you have a useless server which doesn't buffer network IO.
>
> Ideally just drop it. And set up a border firewall. This solves all of
> your problems.
>
> Squid (especially Windows Squid) is not the appropriate tool here.
>>
>> * *
>>
>> *Keith Hartley*
>>
>> /Network Engineer II/
>>
>> khart...@geocent.com <mailto:khart...@geocent.com>
>>
>> www.geocent.com <http://www.geocent.com>
>>
>>  
>>
>> *From:*squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
>> *On Behalf Of *Yuri
>> *Sent:* Thursday, March 22, 2018 5:39 PM
>> *To:* squid-users@lists.squid-cache.org
>> *Subject:* Re: [squid-users] Squid for windows Very slow downloads of
>> large files through squid with normal uploads
>>
>>  
>>
>>  
>>
>>  
>>
>> 22.03.2018 23:10, Keith Hartley wrote:
>>
>> I am using squid 3.5 for windows as a transparent proxy to
>> provide internet access to 7 servers in a secure environment that
>> otherwise does not have internet access. I have two squids
>> running behind a load balancer, each one is running server 2016
>> core with 2 Xeon processors that is either haswell generation
>> with 1:1 physical processor to virtual processor mapping or a
>> hyper-threading Broadwell generation processor that is 1:1
>> logical processor to virtual processor mapping, depending on how
>> they are provisioned when they get started.
>>
>>  
>>
>> Doing a bandwidth test directly in the VM I am able to get
>> internet throughput of 800-1200 Mbps.
>>
>>  
>>
>> Doing a file copy to and from the VM I am able to get 1200 Mbps
>> lan throughput.

Re: [squid-users] Squid for windows Very slow downloads of large files through squid with normal uploads

2018-03-22 Thread Yuri


23.03.2018 05:08, Keith Hartley wrote:
>
> I don’t need it to cache anything – the goal of it is not performance
> optimization, it is to provide restricted access to the internet. I
> have 1200 Mbps of network i/o available to the squid servers and can
> confirm I am able to reliably achieve at least 800 Mbps when I
> download something directly on the squid server. Additionally, it
> would be extremely rare that the same file ever would get downloaded
> more than once, if it ever actually happens.
>
>  
>
> By policy none of the servers may have direct internet access. This is
> to protect the data contained in the environment. Only one 4 bit
> subnet has internet access, where the squids are located, and 8 of the
> 45 servers need restricted internet access.
>
Now yours protects nothing. You don't have any advanced ACLs in your config.
>
>  
>
> This config is complete at least in a base configuration. If I have
> time in the project I am going to add URI restrictions. The 8 servers
> will only need to get to about 30-40 static URIs in total and want to
> block the others, but first I need to get the throughput up.
>
>  
>
> I have 800 Mbps minimum available bandwidth to the squid servers that
> I can confirm is available in download tests from the squids. I have
> 1200 Mbps (these are Azure virtual machines) of bandwidth available in
> both directions between the servers that use the squids and the squids.
>
>  
>
> However on large files I am only getting 115 Kbps sustained download
> speeds.
>
>  
>
> Now if squid needs to be able to buffer the downloads to cache in
> order to perform well – I could enable caching if that is the case,
> but would prefer to not cache anything. I very seriously doubt that I
> will ever download the same file two times in this environment as the
> only thing being downloaded is software updates that are centrally
> distributed from WSUS, and antivirus definitions that are released
> about 6-10 times per day. Most of the traffic is also https, with very
> little http.
>
>  
>
> Is it the case that I may see better performance if I configure it to
> cache the files first before sending it to clients?
>
Nothing above cannot be solved by a trivial border firewall.

Just imagine - now you have a useless server which doesn't buffer network IO.

Ideally just drop it. And set up a border firewall. This solves all of your
problems.

Squid (especially Windows Squid) is not the appropriate tool here.
>
> * *
>
> *Keith Hartley*
>
> /Network Engineer II/
>
> khart...@geocent.com <mailto:khart...@geocent.com>
>
> www.geocent.com <http://www.geocent.com>
>
>  
>
> *From:*squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
> *On Behalf Of *Yuri
> *Sent:* Thursday, March 22, 2018 5:39 PM
> *To:* squid-users@lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid for windows Very slow downloads of
> large files through squid with normal uploads
>
>  
>
>  
>
>  
>
> 22.03.2018 23:10, Keith Hartley wrote:
>
> I am using squid 3.5 for windows as a transparent proxy to provide
> internet access to 7 servers in a secure environment that
> otherwise does not have internet access. I have two squids running
> behind a load balancer, each one is running server 2016 core with
> 2 Xeon processors that is either haswell generation with 1:1
> physical processor to virtual processor mapping or a
> hyper-threading Broadwell generation processor that is 1:1 logical
> processor to virtual processor mapping, depending on how they are
> provisioned when they get started.
>
>  
>
> Doing a bandwidth test directly in the VM I am able to get
> internet throughput of 800-1200 Mbps.
>
>  
>
> Doing a file copy to and from the VM I am able to get 1200 Mbps
> lan throughput.
>
>  
>
> In proxied uploads I have observed speeds as high as 120 Mbps,
> which is more than enough for what I need and the bottleneck is
> likely in the backup software rather than squid. Uploads
> performance I am not worried about where they are at now – even if
> I only got 20-30 Mbps it would be adequate for what I need it for.
>
>  
>
> Downloads however are very slow. Small files do not seem to be
> impacted. Using the test a thinkbroadband.com/download, files up
> to 20 Mb will download at a reasonable 20-30 Mbps, but when I get
> to 50, it slows down to about 17 Mbps, and when I download AD
> Connect from Microsoft, which is about 80 Mb, I can see it start
> at about 30 Mbps, but eventually goes down to about 115 kbps and
> levels off. When I put an IP on 

Re: [squid-users] Squid for windows Very slow downloads of large files through squid with normal uploads

2018-03-22 Thread Yuri
And also:

your configuration is not a transparent proxy.

a) Squid 3.5 for windows is not built as a transparent proxy (i.e. with
NAT support).

b) You do not have the keyword *intercept* in your configuration.

This is a simple forwarding proxy.


23.03.2018 04:38, Yuri wrote:
>
>
>
> 22.03.2018 23:10, Keith Hartley wrote:
>>
>> I am using squid 3.5 for windows as a transparent proxy to provide
>> internet access to 7 servers in a secure environment that otherwise
>> does not have internet access. I have two squids running behind a
>> load balancer, each one is running server 2016 core with 2 Xeon
>> processors that is either haswell generation with 1:1 physical
>> processor to virtual processor mapping or a hyper-threading Broadwell
>> generation processor that is 1:1 logical processor to virtual
>> processor mapping, depending on how they are provisioned when they
>> get started.
>>
>>  
>>
>> Doing a bandwidth test directly in the VM I am able to get internet
>> throughput of 800-1200 Mbps.
>>
>>  
>>
>> Doing a file copy to and from the VM I am able to get 1200 Mbps lan
>> throughput.
>>
>>  
>>
>> In proxied uploads I have observed speeds as high as 120 Mbps, which
>> is more than enough for what I need and the bottleneck is likely in
>> the backup software rather than squid. Uploads performance I am not
>> worried about where they are at now – even if I only got 20-30 Mbps
>> it would be adequate for what I need it for.
>>
>>  
>>
>> Downloads however are very slow. Small files do not seem to be
>> impacted. Using the test a thinkbroadband.com/download, files up to
>> 20 Mb will download at a reasonable 20-30 Mbps, but when I get to 50,
>> it slows down to about 17 Mbps, and when I download AD Connect from
>> Microsoft, which is about 80 Mb, I can see it start at about 30 Mbps,
>> but eventually goes down to about 115 kbps and levels off. When I put
>> an IP on the server I am using for testing that proxies through
>> squid, I am able to download the file at several hundred mbps.  When
>> I download the same file on the squid server – I can’t tell exactly
>> what throughput I was getting, but the 80 Mb file downloaded within 5
>> seconds.
>>
>>  
>>
>> In both squid servers, other than when the servers were booting,
>> processor activity has not exceeded 9% in the last 7 days but usually
>> sits below 2%. Memory usage has not exceeded 2 Gb, leaving 2 Gb free.
>>
>>  
>>
>> I am using OpenDNS for a DNS source, and have tried changing DNS to
>> level3 but it made no performance difference.
>>
>>  
>>
>> I think that this may be squid trying to cache something, but had
>> tried to turn all caching off.
>>
>>  
>>
>> My cache.log doesn’t really have anything interesting in it that I
>> can see. It’s the same ~30 or so log entries each time the service
>> starts, and that is about it. Here it is:
>>
>>  
>>
>> 2018/03/22 09:47:27 kid1| Set Current Directory to /var/cache/squid
>>
>> 2018/03/22 09:47:27 kid1| Starting Squid Cache version 3.5.27 for
>> x86_64-unknown-cygwin...
>>
>> 2018/03/22 09:47:27 kid1| Service Name: squid
>>
>> 2018/03/22 09:47:27 kid1| Process ID 1164
>>
>> 2018/03/22 09:47:27 kid1| Process Roles: worker
>>
>> 2018/03/22 09:47:27 kid1| With 3200 file descriptors available
>>
>> 2018/03/22 09:47:27 kid1| Initializing IP Cache...
>>
>> 2018/03/22 09:47:27 kid1| parseEtcHosts: /etc/hosts: (2) No such file
>> or directory
>>
>> 2018/03/22 09:47:27 kid1| DNS Socket created at [::], FD 5
>>
>> 2018/03/22 09:47:27 kid1| DNS Socket created at 0.0.0.0, FD 6
>>
>> 2018/03/22 09:47:27 kid1| Adding nameserver 208.67.222.222 from
>> squid.conf
>>
>> 2018/03/22 09:47:27 kid1| Adding nameserver 208.67.220.220 from
>> squid.conf
>>
>> 2018/03/22 09:47:27 kid1| Logfile: opening log
>> daemon:/var/log/squid/access.log
>>
>> 2018/03/22 09:47:27 kid1| Logfile Daemon: opening log
>> /var/log/squid/access.log
>>
>> 2018/03/22 09:47:27 kid1| WARNING: no_suid: setuid(0): (22) Invalid
>> argument
>>
>> 2018/03/22 09:47:27 kid1| Store logging disabled
>>
>> 2018/03/22 09:47:27 kid1| Swap maxSize 0 + 262144 KB, estimated 20164
>> objects
>>
>> 2018/03/22 09:47:27 kid1| Target number of buckets: 1008
>>
>> 2018/03/22 09:47:27 kid1| Using 8192 Store buckets
>>
>> 2018/03/22 09:47:27 kid1| Max Mem  size: 262144 KB
>>
>&

Re: [squid-users] SSLBump, system requirements ?

2018-03-21 Thread Yuri
Use OS performance tools. You need to identify the bottleneck. Pay attention
to wait events.


21.03.2018 20:05, FredB wrote:
> I agree, to be honest I started with low values updated again and again, I
> should have posted my previous tests rather than the latest :)
>  
>


Re: [squid-users] SSLBump, system requirements ?

2018-03-21 Thread Yuri
Aha, this is better.

So, next step should be detailed performance statistics to identify
bottleneck.

As I've said - check wait events first.


21.03.2018 19:23, FredB wrote:
> Sorry, it was just a wrong cut/paste, cache_size=50MB, the previous result
> is still the same.
> About children I tried with 256, unfortunately squid is still stuck at 100%
>
> Regards
>
> Fred
>


Re: [squid-users] SSLBump, system requirements ?

2018-03-21 Thread Yuri
Finally.

Premature optimization is the root of all evil.

Never start new setups from your assumptions only. Set good enough
starting values and monitor. Increase only if required.

And, please, don't think all performance problems can be solved with giant RAM.

It does not matter how big your RAM is. It's important how you use it.

Scaling is also done differently.


21.03.2018 19:08, Yuri wrote:
>
>
>
> 21.03.2018 14:55, FredB wrote:
>>>> Perhaps I should retry SMP but unfortunately in the past I had many
>>>> issues with, and some features I'm using still SMP-unaware
>>> Squid's SMP itself does not solve SSL Bump issues. It's about
>>> different
>>> things, and, IMHO, irrelevant to your load profile.
>> I'm thinking about that, because the single squid core is 100% CPU
>> I tried with 900MB and 50MB without more success, I also added
>> sslflags-NO_DEFAULT_CA
>>
>> How many simultaneous users do you have? and bandwidth?
>>
>> I'm using this right now, the number of processes used is much better now but
>> still an issue with CPU
>>
>> acl nobump dstdomain "/home/squid/domains"
>>
>> http_port 8080 ssl-bump cert=/etc/squid/ca_orion/cert 
>> generate-host-certificates=on sslflags=NO_DEFAULT_CA 
>> dynamic_cert_mem_cache_size=500MB
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 500MB
>> sslcrtd_children 1000 startup=100 idle=5
> Still a misconfiguration. Pay attention. You set
> dynamic_cert_mem_cache_size=500MB
> Again - why so much?
>
> Do not think that a lot of RAM will not make anything worse.
>
> For some unknown reason, you set dynamic_cert_mem_cache_size equal to
> the -M on-disk fs limit. It is enough to set dynamic_cert_mem_cache_size
> to 1/10-1/20 of the overall SSL db on-disk size.
>
> And still too high an upper children limit. Just imagine how much RAM
> will be eaten by 1000 processes. Each with its own heap.
>
> It seems to me, in your case a good initial approximation will be
>
> sslcrtd_children 256 startup=100 idle=200
>
> No more. Other changes should be made only based on performance stats and
> diagnostics.
>
>> sslproxy_capath /etc/ssl/certs/
>> sslproxy_foreign_intermediate_certs /etc/squid/ssl_certs/imtermediate.ca.pem
>>
>> acl step1 at_step SslBump1
>> ssl_bump peek step1 all
>> ssl_bump splice nobump
>> ssl_bump bump all
>>
>> Maybe there is a problem with memory, but as you can see here CPU is the 
>> point 
>>
>> top - 09:50:04 up 16:16,  1 user,  load average: 1,72, 1,78, 1,39
>> Tasks: 393 total,   3 running, 390 sleeping,   0 stopped,   0 zombie
>> %Cpu(s):  8,4 us,  1,2 sy,  0,0 ni, 89,6 id,  0,3 wa,  0,0 hi,  0,5 si,  0,0 
>> st
>> KiB Mem:  66086692 total, 28654240 used, 37432452 free,  2974568 buffers
>> KiB Swap:  1952764 total,0 used,  1952764 free. 17653336 cached Mem
>>
>>   PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
>>  9803 squid     20   0 3913044 3,452g  13464 R  99,9  5,5   7:47.47 squid
>> 10051 e2guard+  20   0  0,122t 284392   5124 S  25,6  0,4   1:33.10 e2guardian
>>  9804 squid     20   0   21956   5628   4420 S   7,3  0,0   0:48.93 ssl_crtd
>>  9805 squid     20   0   21952   5672   4372 S   6,3  0,0   0:31.25 ssl_crtd
>>  9806 squid     20   0   21952   5476   4252 S   2,7  0,0   0:19.10 ssl_crtd
>>  9807 squid     20   0   21952   5616   4408 S   2,3  0,0   0:13.88 ssl_crtd
>> 

Re: [squid-users] SSLBump, system requirements ?

2018-03-21 Thread Yuri


21.03.2018 14:55, FredB wrote:
>>> Perhaps I should retry SMP but unfortunately in the past I had many
>>> issues with, and some features I'm using still SMP-unaware
>> Squid's SMP itself does not solve SSL Bump issues. It's about
>> different
>> things, and, IMHO, irrelevant to your load profile.
>
> I'm thinking about that, because the single squid core is 100% CPU
> I tried with 900MB and 50MB without more success, I also added 
> sslflags-NO_DEFAULT_CA
>
> How many simultaneous users do you have? and bandwidth?
>
> I'm using this right now, the number of processes used is much better now but
> still an issue with CPU
>
> acl nobump dstdomain "/home/squid/domains"
>
> http_port 8080 ssl-bump cert=/etc/squid/ca_orion/cert 
> generate-host-certificates=on sslflags=NO_DEFAULT_CA 
> dynamic_cert_mem_cache_size=500MB
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 500MB
> sslcrtd_children 1000 startup=100 idle=5
Still a misconfiguration. Pay attention. You set

dynamic_cert_mem_cache_size=500MB

Again - why so much?

Do not think that a lot of RAM will not make anything worse.

For some unknown reason, you set dynamic_cert_mem_cache_size equal to the -M
on-disk fs limit. It is enough to set dynamic_cert_mem_cache_size to
1/10-1/20 of the overall SSL db on-disk size.

And still too high an upper children limit. Just imagine how much RAM will
be eaten by 1000 processes, each with its own heap.

It seems to me that in your case a good initial approximation will be

sslcrtd_children 256 startup=100 idle=200


No more. Make other changes only based on performance stats and
diagnostics.

> sslproxy_capath /etc/ssl/certs/
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_certs/imtermediate.ca.pem
>
> acl step1 at_step SslBump1
> ssl_bump peek step1 all
> ssl_bump splice nobump
> ssl_bump bump all
>
> Maybe there is a problem with memory, but as you can see here CPU is the point
>
> top - 09:50:04 up 16:16,  1 user,  load average: 1,72, 1,78, 1,39
> Tasks: 393 total,   3 running, 390 sleeping,   0 stopped,   0 zombie
> %Cpu(s):  8,4 us,  1,2 sy,  0,0 ni, 89,6 id,  0,3 wa,  0,0 hi,  0,5 si,  0,0 st
> KiB Mem:  66086692 total, 28654240 used, 37432452 free,  2974568 buffers
> KiB Swap:  1952764 total,        0 used,  1952764 free. 17653336 cached Mem
>
>   PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
>  9803 squid     20   0 3913044 3,452g  13464 R  99,9  5,5   7:47.47 squid
> 10051 e2guard+  20   0  0,122t 284392   5124 S  25,6  0,4   1:33.10 e2guardian
>  9804 squid     20   0   21956   5628   4420 S   7,3  0,0   0:48.93 ssl_crtd
>  9805 squid     20   0   21952   5672   4372 S   6,3  0,0   0:31.25 ssl_crtd
>  9806 squid     20   0   21952   5476   4252 S   2,7  0,0   0:19.10 ssl_crtd
>  9807 squid     20   0   21952   5616   4408 S   2,3  0,0   0:13.88 ssl_crtd
>  9808 squid     20   0   21952   5540   4332 S   2,3  0,0   0:10.59 ssl_crtd
>  9810 squid     20   0   21956   5536   4332 S   2,0  0,0   0:05.61 ssl_crtd
>  9809 squid     20   0   21952   5584   4372 S   1,7  0,0   0:07.40 ssl_crtd
>  9996 squid     20   0   25612   2924   2696 S   1,3  0,0   0:05.47 diskd
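As an added example (not code from this thread or from the Squid project), the following Python script turns the two rules of thumb stated in the reply above into a small squid.conf check: the in-memory certificate cache (dynamic_cert_mem_cache_size) should be 1/10 to 1/20 of the helper's on-disk database limit (-M), and a very high sslcrtd_children ceiling means one heap per helper process. The sample config texts, the 256-process ceiling and the 1/10 fraction are constructed assumptions for illustration; the paths reuse the ones posted in the thread.

```python
"""Sanity checks for the ssl_crtd / SSL-Bump helper settings discussed above.

Added example, not part of the squid-users thread or of Squid itself.
Rules of thumb implemented (from the thread):
  * dynamic_cert_mem_cache_size should be a fraction (1/10 to 1/20) of the
    on-disk certificate database limit given to the helper with -M;
  * a very high sslcrtd_children upper limit means a heap per helper process.
The thresholds below (256 children, 1/10) are assumptions for illustration.
"""
import re

UNITS = {"KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}

# Constructed sample, modelled on the first config posted in the thread.
BAD_CONF = """\
http_port 3128 ssl-bump cert=/etc/squid/ca_orion/cert generate-host-certificates=on dynamic_cert_mem_cache_size=500MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 100MB
sslcrtd_children 2000 startup=100 idle=20
"""

# Constructed sample, modelled on the "relatively big server" config in the thread.
GOOD_CONF = """\
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt
# Cert database on ramdisk
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 1GB
sslcrtd_children 32 startup=10 idle=5
"""


def parse_size(text):
    """'500MB', '1GB' or a bare byte count -> bytes (Squid accepts all three)."""
    m = re.fullmatch(r"(\d+)\s*([KMG]B)?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(m.group(1)) * UNITS.get((m.group(2) or "").upper(), 1)


def parse_squid_conf(conf):
    """Pull the three settings the checks need out of a squid.conf text."""
    settings = {"mem_cache": None, "disk_db": None, "children": None}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.search(r"dynamic_cert_mem_cache_size=(\S+)", line)
        if m:  # option lives on the http_port/https_port line
            settings["mem_cache"] = parse_size(m.group(1))
        if line.startswith("sslcrtd_program"):
            m = re.search(r"-M\s+(\S+)", line)  # helper's on-disk db limit
            if m:
                settings["disk_db"] = parse_size(m.group(1))
        if line.startswith("sslcrtd_children"):
            settings["children"] = int(line.split()[1])  # upper limit
    return settings


def check_crtd_settings(conf, max_children=256, mem_fraction=0.1):
    """Return a list of finding codes; an empty list means nothing to flag."""
    s = parse_squid_conf(conf)
    findings = []
    if s["mem_cache"] is not None and s["disk_db"] is not None:
        if s["mem_cache"] > s["disk_db"]:
            # memory cache larger than the whole on-disk db: inverted sizing
            findings.append("mem_cache_exceeds_disk_db")
        elif s["mem_cache"] > s["disk_db"] * mem_fraction:
            findings.append("mem_cache_above_fraction")
    if s["children"] is not None and s["children"] > max_children:
        findings.append("too_many_children")
    return findings


if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(name, check_crtd_settings(conf) or "ok")
```

Running the script flags the first config twice (memory cache larger than the on-disk database, and a 2000-process ceiling) and passes the second; lowering `mem_fraction` to 0.05 applies the stricter 1/20 rule.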

Re: [squid-users] SSLBump, system requirements ?

2018-03-20 Thread Yuri
Forgot about:

My server is relatively modest (more resources are just not needed :))

Just 8 cores (Xeon 2.3 GHz), 16 Gb RAM, SAS HDDs 10k RPM (~300 Gb in
RAID-10)  :)

Overall CPU usage is ~3% (with SSL Bump). And half of RAM is free :)


20.03.2018 23:14, Yuri wrote:
>
> 20.03.2018 23:10, Yuri wrote:
>> 20.03.2018 23:03, FredB wrote:
>>> Hi Yuri,
>>>
>>> 200 mbits, more or less 1000/2000 simultaneous users 
>>>
>>> I increase children value, because the limit is reached very quickly 
>> Because SSL processing is too slow. Investigate why. Simply increasing
>> the number of children is exhausting your RAM.
>>>> and only 100 MB on disk?
>>> 100 MB by process, no ? I think I should reduce this value and rather 
>>> increase the max of children
>> No. This is the overall fs limit for the store.
> Look on my relatively big server (Squid 5.0) config snippet:
>
> https_port 3127 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt
> key=/usr/local/squid/etc/rootCA2.key
> tls-cafile=/usr/local/squid/etc/rootCA12.crt
> options=SINGLE_DH_USE:SINGLE_ECDH_USE
> tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem
> cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
> http_port 3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt
> key=/usr/local/squid/etc/rootCA2.key
> tls-cafile=/usr/local/squid/etc/rootCA12.crt
> options=SINGLE_DH_USE:SINGLE_ECDH_USE
> tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem
> cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
> tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
> tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt
> cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
>
> # Cert database on ramdisk
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /ramdisk1/ssl_db -M 1GB
> sslcrtd_children 32 startup=10 idle=5
>
> Pay attention - I've put the SSL db on a RAM disk. :)
>>> Maybe such load is just impossible because I reached a limit with a single 
>>> core 
>> Hardly. SSL helper children should be spread across cores by the OS scheduler.
>>> Perhaps I should retry SMP but unfortunately in the past I had many issues 
>>> with, and some features I'm using still SMP-unaware 
>> Squid's SMP itself does not solve SSL Bump issues. It's about different
>> things, and, IMHO, irrelevant to your load profile.
>>> ___
>>> squid-users mailing list
>>> squid-users@lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users

-- 
"C++ seems like a language suitable for firing other people's legs."

*
* C++20 : Bug to the future *
*



signature.asc
Description: OpenPGP digital signature
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] SSLBump, system requirements ?

2018-03-20 Thread Yuri


20.03.2018 23:10, Yuri wrote:
>
> 20.03.2018 23:03, FredB wrote:
>> Hi Yuri,
>>
>> 200 mbits, more or less 1000/2000 simultaneous users 
>>
>> I increase children value, because the limit is reached very quickly 
> Because SSL processing is too slow. Investigate why. Simply increasing
> the number of children is exhausting your RAM.
>>> and only 100 MB on disk?
>> 100 MB by process, no ? I think I should reduce this value and rather 
>> increase the max of children
> No. This is the overall fs limit for the store.
Look on my relatively big server (Squid 5.0) config snippet:

https_port 3127 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt
key=/usr/local/squid/etc/rootCA2.key
tls-cafile=/usr/local/squid/etc/rootCA12.crt
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt
key=/usr/local/squid/etc/rootCA2.key
tls-cafile=/usr/local/squid/etc/rootCA12.crt
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS

# Cert database on ramdisk
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/ramdisk1/ssl_db -M 1GB
sslcrtd_children 32 startup=10 idle=5

Pay attention - I've put the SSL db on a RAM disk. :)
>> Maybe such load is just impossible because I reached a limit with a single 
>> core 
> Hardly. SSL helper children should be spread across cores by the OS scheduler.
>> Perhaps I should retry SMP but unfortunately in the past I had many issues 
>> with, and some features I'm using still SMP-unaware 
> Squid's SMP itself does not solve SSL Bump issues. It's about different
> things, and, IMHO, irrelevant to your load profile.



Re: [squid-users] SSLBump, system requirements ?

2018-03-20 Thread Yuri


20.03.2018 23:03, FredB wrote:
> Hi Yuri,
>
> 200 mbits, more or less 1000/2000 simultaneous users 
>
> I increase children value, because the limit is reached very quickly 
Because SSL processing is too slow. Investigate why. Simply increasing
the number of children is exhausting your RAM.
>
>> and only 100 MB on disk?
> 100 MB by process, no ? I think I should reduce this value and rather 
> increase the max of children
No. This is the overall fs limit for the store.
>
> Maybe such load is just impossible because I reached a limit with a single 
> core 
Hardly. SSL helper children should be spread across cores by the OS scheduler.
> Perhaps I should retry SMP but unfortunately in the past I had many issues 
> with, and some features I'm using still SMP-unaware 
Squid's SMP itself does not solve SSL Bump issues. It's about different
things, and, IMHO, irrelevant to your load profile.



Re: [squid-users] SSLBump, system requirements ?

2018-03-20 Thread Yuri


20.03.2018 21:30, FredB wrote:
> Hi all,
>
> I'm testing SSLBump and Squid eats up all my CPU, maybe I made something 
> wrong or maybe some updates are required ? Any advice would be greatly 
> appreciated.
>
> Debian 8.10 64 bits, Squid 3.5.27 + 64 Go ram + SSD + 15 Cores Xeon(R) CPU 
> E5-2637 v2 @ 3.50GHz
Big box. How many users and how much traffic?
>  
> FI, I don't see anything about limit reached in kern.log (File descriptor or 
> network)
>
> acl nobump dstdomain "/home/squid/domains" -> Some very used websites 
> (google, fb, etc) otherwise the system dies after less 1 minute 
> http_port 3128 ssl-bump cert=/etc/squid/ca_orion/cert 
> generate-host-certificates=on dynamic_cert_mem_cache_size=500MB
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 100MB
Unbalanced config.

dynamic_cert_mem_cache_size=500MB

and only 100 MB on disk?

sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 100MB


> sslcrtd_children 2000 startup=100 idle=20 
Why so many children? Again - for what workload?
> sslproxy_capath /etc/ssl/certs/
> sslproxy_foreign_intermediate_certs /etc/squid/ssl_certs/imtermediate.ca.pem
> acl step1 at_step SslBump1
> ssl_bump peek step1 all
> ssl_bump splice nobump
> ssl_bump bump all
>
> The sslcrtd_children increases quickly and permanently
>
> root@proxyorion5:/tmp# ps -edf | grep ssl | wc -l
> 1321
> root@proxyorion5:/tmp# ps -edf | grep ssl | wc -l
> 1341
> root@proxyorion5:/tmp# ps -edf | grep ssl | wc -l
> 1341
> root@proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
> 1380
> root@proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
> 1381
> root@proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
> 1382
> root@proxyorion5:/tmp# ps -edf | grep ssl_crt | wc -l
> 1395
>
> Of course after a while 2000 is reached and the system becomes completely 
> mad, but I already tried 200, 500, 1000, etc 
>
> Right after squid start CPU and load average values are very, very, high
>
> top - 16:06:17 up 13 days,  2:46,  3 users,  load average: 102,02, 56,67, 30,75
> Tasks: 1964 total,   3 running, 1961 sleeping,   0 stopped,   0 zombie
> %Cpu(s): 15,3 us,  3,7 sy,  0,0 ni, 80,2 id,  0,4 wa,  0,0 hi,  0,4 si,  0,0 st
> KiB Mem:  66086692 total, 52378248 used, 13708444 free,  2899764 buffers
> KiB Swap:  1952764 total,        0 used,  1952764 free. 32798948 cached Mem
>
>   PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
> 23711 squid     20   0 3438832 2,976g  13784 R 100,0  4,7   6:01.02 squid
> 23724 squid     20   0   24868   8552   4340 S   3,6  0,0   0:02.46 ssl_crtd
> 23712 squid     20   0   25132   8896   4428 R   3,0  0,0   0:02.62 ssl_crtd
> 23714 squid     20   0   24868   8556   4344 S   2,3  0,0   0:02.43 ssl_crtd
> 23716 squid     20   0   24868   8636   4428 S   2,3  0,0   0:02.26 ssl_crtd
> 23720 squid     20   0   24868   8612   4400 S   2,3  0,0   0:02.58 ssl_crtd
> 23771 squid     20   0   24868   8580   4368 S   2,0  0,0   0:01.86 ssl_crtd
> 23780 squid     20   0   24872   8484   4268 S   2,0  0,0   0:01.86 ssl_crtd
> 23787 squid     20   0   24868   8612   4404 S   2,0  0,0   0:01.92 ssl_crtd
Which means there is some bottleneck. Obviously.
>  
>
> The same system without SSLBump and e2guardian (web filtering) added (I tried without more or less 10% CPU )
>
> Tasks: 304 total,   2 running, 302 sleeping,   0 stopped,   0 zombie
> %Cpu(s):  2,0 us,  1,1 sy,  0,0 ni, 95,9 id,  0,1 wa,  0,0 hi,  0,9 si,  0,0 st
> KiB Mem:  66086700 total, 65627952 used,   458748 free,  2652264 buffers
> KiB Swap:  1952764 total,    20884 used,  1931880 free. 32639208 cached Mem
>
>   PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
> 20389 e2guard+  20   0  0,122t 1,133g   6144 S  28,6  1,8 191:06.50 e2guardian
> 20283 squid     20   0 21,761g 0,021t   8128 R  24,2 34,0 145:00.09 squid
>   101 root      20   0       0      0      0 S   1,3  0,0  19:05.09 kswapd1
>   100 root      20   0       0      0      0 S   1,0  0,0  22:41.82 kswapd0
>     8 root      20   0       0      0      0 S   0,7  0,0  68:49.48 rcu_sched
>    24 root      20   0       0      0      0 S   0,3  0,0   8:37.14 ksoftirqd/3
>    65 root      20   0       0      0      0 S   0,3  0,0   8:05.02 ksoftirqd/11
>   929 root      20   0   71928   6984   4716 S   0,3  0,0

Re: [squid-users] http get request with body

2018-03-18 Thread Yuri
What else comes to mind. Hmmm..

Maybe a timeout during a long body downloading/uploading session.

Anyway, I require additional info to give advice.


19.03.2018 05:36, Yuri wrote:
>
> Hm, George.
>
> In which direction does your request pass through Squid?
>
> Because by default:
>
> #  TAG: request_body_max_size    (bytes)
> #    This specifies the maximum size for an HTTP request body.
> #    In other words, the maximum size of a PUT/POST request.
> #    A user who attempts to send a request with a body larger
> #    than this limit receives an "Invalid Request" error message.
> #    If you set this parameter to a zero (the default), there will
> #    be no limit imposed.
> #
> #    See also client_request_buffer_max_size for an alternative
> #    limitation on client uploads which can be configured.
> #Default:
> # No limit.
>
> and reply also:
>
> #  TAG: reply_body_max_size    size [acl acl...]
> #    This option specifies the maximum size of a reply body. It can be
> #    used to prevent users from downloading very large files, such as
> #    MP3's and movies. When the reply headers are received, the
> #    reply_body_max_size lines are processed, and the first line where
> #    all (if any) listed ACLs are true is used as the maximum body size
> #    for this reply.
> #
> #    This size is checked twice. First when we get the reply headers,
> #    we check the content-length value.  If the content length value
> exists
> #    and is larger than the allowed size, the request is denied and the
> #    user receives an error message that says "the request or reply
> #    is too large." If there is no content-length, and the reply
> #    size exceeds this limit, the client's connection is just closed
> #    and they will receive a partial reply.
> #
> #    WARNING: downstream caches probably can not detect a partial reply
> #    if there is no content-length header, so they will cache
> #    partial responses and give them out as hits.  You should NOT
> #    use this option if you have downstream caches.
> #
> #    WARNING: A maximum size smaller than the size of squid's error
> messages
> #    will cause an infinite loop and crash squid. Ensure that the smallest
> #    non-zero value you use is greater that the maximum header size plus
> #    the size of your largest error page.
> #
> #    If you set this parameter none (the default), there will be
> #    no limit imposed.
> #
> #    Configuration Format is:
> #        reply_body_max_size SIZE UNITS [acl ...]
> #    ie.
> #        reply_body_max_size 10 MB
> #
> #Default:
> # No limit is applied.
>
> No limit.
>
> Maybe Squid's debug can shed light on the issue better?
>
> 19.03.2018 05:17, George S wrote:
>> Hello folks. Need some help on this. I am not sure if it has been
>> posted already a 100 times, so apologies for once more.
>>
>> Having said that. I am in the process of deploying of a rest api
>> layer which exposes among other things a path that entails a get
>> request but with a heavy json body. Seems like the request breaks
>> when going through squid. 
>>
>> Is there a limitation on this front on squid as far as supporting
>> this feature or is there possibly a configuration or component to
>> make it possible?
>>
>> -G
>>
>>
>



Re: [squid-users] http get request with body

2018-03-18 Thread Yuri
Hm, George.

In which direction does your request pass through Squid?

Because by default:

#  TAG: request_body_max_size    (bytes)
#    This specifies the maximum size for an HTTP request body.
#    In other words, the maximum size of a PUT/POST request.
#    A user who attempts to send a request with a body larger
#    than this limit receives an "Invalid Request" error message.
#    If you set this parameter to a zero (the default), there will
#    be no limit imposed.
#
#    See also client_request_buffer_max_size for an alternative
#    limitation on client uploads which can be configured.
#Default:
# No limit.

and reply also:

#  TAG: reply_body_max_size    size [acl acl...]
#    This option specifies the maximum size of a reply body. It can be
#    used to prevent users from downloading very large files, such as
#    MP3's and movies. When the reply headers are received, the
#    reply_body_max_size lines are processed, and the first line where
#    all (if any) listed ACLs are true is used as the maximum body size
#    for this reply.
#
#    This size is checked twice. First when we get the reply headers,
#    we check the content-length value.  If the content length value exists
#    and is larger than the allowed size, the request is denied and the
#    user receives an error message that says "the request or reply
#    is too large." If there is no content-length, and the reply
#    size exceeds this limit, the client's connection is just closed
#    and they will receive a partial reply.
#
#    WARNING: downstream caches probably can not detect a partial reply
#    if there is no content-length header, so they will cache
#    partial responses and give them out as hits.  You should NOT
#    use this option if you have downstream caches.
#
#    WARNING: A maximum size smaller than the size of squid's error messages
#    will cause an infinite loop and crash squid. Ensure that the smallest
#    non-zero value you use is greater that the maximum header size plus
#    the size of your largest error page.
#
#    If you set this parameter none (the default), there will be
#    no limit imposed.
#
#    Configuration Format is:
#        reply_body_max_size SIZE UNITS [acl ...]
#    ie.
#        reply_body_max_size 10 MB
#
#Default:
# No limit is applied.

No limit.

Maybe Squid's debug can shed light on the issue better?

19.03.2018 05:17, George S wrote:
> Hello folks. Need some help on this. I am not sure if it has been
> posted already a 100 times, so apologies for once more.
>
> Having said that. I am in the process of deploying of a rest api layer
> which exposes among other things a path that entails a get request but
> with a heavy json body. Seems like the request breaks when going
> through squid. 
>
> Is there a limitation on this front on squid as far as supporting this
> feature or is there possibly a configuration or component to make it
> possible?
>
> -G
>
>



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-16 Thread Yuri
ast acl types.
#
#    Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
#    Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
#    corresponding adaptation algorithm to generate the certificate and
#    ignores all subsequent sslproxy_cert_adapt options in that algorithm's
#    group (i.e., the first match wins within each algorithm group). If no
#    acl(s) match, the default mimicking action takes place.
#
#    WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and
ssl:certDomainMismatch can
#    be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
#    CONNECT request that carries a domain name. In all other cases (CONNECT
#    to an IP address or an intercepted SSL connection), Squid cannot detect
#    the domain mismatch at certificate generation time when
#    bump-server-first is used.
#Default:
# none




16.03.2018 19:09, Nicolas Kovacs wrote:
> On 16/03/2018 at 13:43, Yuri wrote:
>> I guess a better way to do this is to create a special ACL to catch exactly the
>> certificate error and then redirect by 302 using deny_info to a proxy
>> page with explanation and certificate.
> This sounds like the way to go.
>
> I just removed the root certificate from one of the clients and then
> tried to open a few HTTPS sites. Invariably, I get the follwoing error
> code :
>
> SEC_ERROR_UNKNOWN_ISSUER
Keep in mind: this is a significantly wide SSL error. It can also occur
on some sites with self-signed certs, or in case the site's root CA is
not in your proxy certificate bundle.
>
> So how would I tell Squid in its own syntax to go to
> http://nestor.microlinux.lan when it encounters such an error ? Is this
> a trivial task, or more complicated to put in practice ?
M. It seems not too complicated; however, AFAIK, nobody has done
this yet.
>
> BTW, this would be the last piece in my puzzle, and my installation
> would be perfect if I got this to work.
>
> Cheers,
>
> Niki
>



Re: [squid-users] How to configure a "proxy home" page ?

2018-03-16 Thread Yuri
I guess a better way to do this is to create a special ACL to catch exactly the
certificate error and then redirect by 302 using deny_info to a proxy page
with explanation and certificate.

Sadly, however, I have no full solution for this logic (we simply
install the proxy certificate manually), but the idea exists ;)


16.03.2018 16:37, Nicolas Kovacs wrote:
> Hi,
>
> I have Squid + SquidGuard + SquidAnalyzer running on my LAN server as a
> transparent cache + filtering proxy, and it's working real nicely.
>
> When a client in my company wants to connect to the wifi, all he or she
> has to do is this:
>
> 1. Connect to http://nestor.microlinux.lan
>
> 2. Download the nestor.microlinux.lan.der certificate
>
> 3. Install the certificate in the web browser (Firefox does it
> automatically)
>
> 4. Surf the web
>
> Now I wonder if there is a way to configure this page as a "proxy home
> page" of some sorts. User who don't have the certificate installed
> normally get a big fat HTTPS error as soon as they connect to a secure
> site. So what I'd like to do is redirect "new" traffic to
> http://nestor.microlinux.lan, which also explains what is happening.
>
> I don't really know how to go about that, or if it is even possible.
> Maybe some basic form of authentication ?
>
> Any suggestion ?
>
> Cheers,
>
> Niki



Re: [squid-users] SSL intercept in explicit mode

2018-03-14 Thread Yuri
I guess you're using the wrong approach.

You are trying to find a ready-to-use solution for a /custom/ configuration.

At most, you can find some bricks for this. And anyway you should
build your custom solution yourself.

Bricks are here: https://wiki.squid-cache.org :-)

14.03.2018 20:28, Danilo V wrote:
> Thanks for the explanation.
> Do you have any guide?
>
> On Wed, 14 Mar 2018 at 10:26, Matus UHLAR - fantomas
> > wrote:
>
> On 13.03.18 14:44, Danilo V wrote:
> >I mean SSL bump in explicit mode.
> >So intercept is a essencial requirement for running SSL bump?
>
> No, you asked for "explicit mode with ssl intercept" which I
> pointed out is
> illogical.
>
>
> >On Tue, 13 Mar 2018 at 11:10, Matus UHLAR - fantomas <
> >uh...@fantomas.sk > wrote:
> >> On 13.03.18 13:44, Danilo V wrote:
> >> >Is it possible/feasible to configure squid in explicit mode
> with ssl
> >> >intercept?
> >>
> >> maybe you mean SSL bump in explicit mode?
>
> It is possible to bump explicit proxy.
>
> >> >Due to architecture of my network it is not possible to implement
> >> >transparent proxy.
> >>
> >> excuse me?
> >> by "transparent" people mean what we usually call "intercept".
>
> >> >What would be the behavior of applications that dont support
> proxy - i.e.
> >> >dont forward requests to proxy?
> >>
> >> they mest be intercepted.
>
> "must" be intercepted. Since you said that it's not possible
> transparent (I
> believe you have meant intercepting) proxy, it's apparently not
> possible to
> handle applications that do not support proxy.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk
>  ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not want to receive any advertising mail at this address.
> 2B|!2B, that's a question!
>
>
>



Re: [squid-users] Squid + SquidGuard : static block page not working

2018-03-14 Thread Yuri


14.03.2018 19:55, Nicolas Kovacs wrote:
> On 14/03/2018 at 14:46, Marcus Kool wrote:
>> ufdbGuard is the tool that you need.
>> It is an old fork of ufdbGuard with many new features, very good
>> performance and it has regular maintenance.
>> If you have a question, you can ask the support desk at
>> www.urlfilterdb.com.
>> You will get an answer from me or a colleague.
> Thanks for the heads-up.
>
> On the school server running SquidGuard, I'm using the blacklist
> collection of the University of Toulouse, which has several millions (!)
> of URLS/domains in about a hundred different categories.
>
> Will I be able to use these blacklists with ufdbGuard ?
Niki,

you can use any blacklist you want with ufdbguard. ufdbguard has its own
commercial database, but can easily be combined with any plain-text free
database of your choice. For example, with Shallalist. Or your own custom one.

>
> Niki
>



Re: [squid-users] Squid + SquidGuard : static block page not working

2018-03-14 Thread Yuri

14.03.2018 19:06, Amos Jeffries wrote:
> On 15/03/18 01:43, Nicolas Kovacs wrote:
>> On 14/03/2018 at 13:39, Nicolas Kovacs wrote:
>>> Yes, I do. Because this is part of a step-by-step course about
>>> SquidGuard, which worked perfectly under Slackware Linux. And my
>>> filtering rules are becoming increasingly complex.
>> FYI, this is the course. It's a HOWTO in simple text format.
>>
>> I'm currently trying to adapt this to CentOS 7.
> Then the first thing you and your readers need to be clear on is that
> SquidGuard was end-of-life'd many years ago. It is long overdue for
> removal or replacement. This has impact such as the one you saw on HTTPS
> traffic support which was only added to Squid-3 after SG stopped being
> maintained.
>
> The best thing to be doing these days is upgrading simple configs like
> the one you presented earlier to using modern Squid features directly in
> squid.conf - as I recommended earlier.
>
> For very complex configurations (or emergency upgrades) the ufdbguard
> tool can be used as a drop-in replacement for squidGuard while the
> config migration is evaluated. It handles the HTTPS situation better
> than SG does, but for simple configs any helper is still very much
> overkill and a performance drag.
I can confirm - ufdbguard is an up-to-date and very customizable
replacement for SquidGuard. Using ufdbguard for the last three years has given
perfect results and brought functionality which is absent in SquidGuard.

ufdbguard has good support for https (including SSL Bump), is incredibly
fast (it is thread-aware) and has a small memory footprint.
>
> HTH
> Amos



Re: [squid-users] SSL intercept in explicit mode

2018-03-13 Thread Yuri
As practical experience shows, it is counterproductive to swear. :)
Especially when you need to solve the problem;)

It's just that sometimes a bad character wins :)

14.03.2018 03:30, Alex Rousskov wrote:
> Yuri,
>
> The quality of many of your recent mailing list posts was
> exceptionally high: to-the-point, with a healthy level of technical
> detail, cool triage, actionable advice, and no distractions (up to the
> footer:-). Your new approach resulted in a much more enjoyable
> experience for me personally and, I bet, for many other list readers.
> Thank you and please keep it up!
>
> Alex.
>



Re: [squid-users] SSL intercept in explicit mode

2018-03-13 Thread Yuri
Finally,

just take a look:

This is an SSL Bump-aware setup. No memory leaks, it seems, yes? Normal
memory distribution.

Let's look at overall OS memory:

No leaks.


Re: [squid-users] SSL intercept in explicit mode

2018-03-13 Thread Yuri
AFAIK,

the SSL bump subsystem uses OpenSSL memory routines. So, first of all,
leaks (if any) are most probably OpenSSL-related, not in squid itself.

Now let's look at your config snippets.

13.03.2018 23:00, Aaron Turner wrote:
> "Usually misconfiguration leads to memory overhead."
>
> This may be true, but if you look in the list archives a few months
> ago I basically chased my tail in circles and nobody could tell me
> what I was doing wrong and so many of the docs are so old that they're
> worse than useless, they seem to suggest the wrong thing.
>
> It was literally leaking GB's worth of RAM.  I even disabled all
> caching and process sizes were growing into the GB's.  Turn off
> ssl-bump and the leak went away.
>
> This is what I was using:
>
> http_port 10.0.0.1:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=400MB cert=/etc/squid/ssl_cert/myCA.pem
> sslflags=NO_DEFAULT_CA
> http_port localhost:3128
> ssl_bump bump all
bump all is useless without peek/splice.

Let's look at my config snippets:

https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt key=/usr/local/squid/etc/rootCA2.key tls-cafile=/usr/local/squid/etc/rootCA12.crt options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/squid/etc/rootCA2.crt key=/usr/local/squid/etc/rootCA2.key tls-cafile=/usr/local/squid/etc/rootCA12.crt options=SINGLE_DH_USE:SINGLE_ECDH_USE tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS tls-no-npn sslflags=NO_DEFAULT_CA:VERIFY_CRL_ALL
tls_outgoing_options cafile=/usr/local/squid/etc/ca-bundle.crt cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
# Cert database on ramdisk
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 1GB
sslcrtd_children 32 startup=10 idle=5

# SSL bump rules
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/acl.url.nobump"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

>
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
> sslcrtd_children 32 startup=2 idle=2
These are the defaults. Pay attention: -M limits the ssl_db directory to
4 MB in size. That's too small for production servers. My ramdisk for the
ssl db is 1+ GB in size:

/dev/ramdisk/ramdisk1   961M   14M  890M   2% /ramdisk1/ssl_db

> sslproxy_session_cache_size 100 MB
This size is unbalanced compared to the previous setting. Why so big?

#  TAG: sslproxy_session_cache_size
#    Sets the cache size to use for ssl session
#Default:
# sslproxy_session_cache_size 2 MB

> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
*NEVER use these options. They are unsafe.

SSL Bump is dangerous enough by itself. Don't make it even more unsafe
on top of that.*
>
> This was on a machine (EC2 VM) with 14GB of RAM.
Pay attention to several places:

1. OS memory allocator.
2. OpenSSL version.
3. OS configuration (IPC, shared memory, swap - everything memory related).
4. Squid's memory/pools configuration.

Don't forget: often memory fragmentation looks like a leak, but no leak
actually occurs.

Also, don't forget - squid's memory consumption is not only cache_mem,
but also on-disk cache metadata (swap.state), pools settings, working
memory areas, process memory. And also such things as content adaptation
(did you know the widely used eCAP gzip adapter is leaky itself?).

But this is just an example.

In any case, dig into the OpenSSL/OS side. Squid's memory is ok in most cases.

I know, it appears SSL Bump is leaky. But this is not correct.
>
> --
> Aaron Turner
> https://synfin.net/ Twitter: @synfinatic
> My father once told me that respect for the truth comes close to being
> the basis for all morality.  "Something cannot emerge from nothing,"
> he said.  This is profound thinking if you understand how unstable
> "the truth" can be.  -- Frank Herbert, Dune

Re: [squid-users] SSL intercept in explicit mode

2018-03-13 Thread Yuri
I've used it on all versions starting from 3.4.

Now I'm using Squid 5.0.0.

I'm afraid my config is completely useless, because it contains tons of
optimizations/tweaks/tricks and is designed for a customized Squid 5.0.0,
with a different memory allocator for a custom infrastructure.

You can't just take my config, implement it and hope it will give the same
results for you.

At least, it uses a non-system CA bundle, platform-specific configuration
parameter combinations, etc.

I can say that SSL Bump is not directly related to memory leaks. Squid
itself contains almost no memory leaks now. Usually misconfiguration
leads to memory overhead.

As a recommendation, I can give some advice.

1. Use a server with enough RAM. 4 GB is usually enough just for the default
squid configuration. Usually whole-system RAM usage should never be
bigger than 1/2 of overall physical RAM. (I.e. at least 1/3 of RAM
should always be free during normal running. This prevents OS allocator
pressure on your proxy and also increases proxy performance.) In the
case of a medium proxy server 16 GB of RAM seems big enough, but never try
to fill it up completely.

2. Don't set a giant cache_mem. Remember how your platform allocates the whole
RAM - kernel, anon pages, fs caches, etc. - and use reasonable squid
memory-related settings.

3. Use sslflags=NO_DEFAULT_CA with your SSL Bump ports.

4. Never forget - SSL Bump increases your cache memory pressure due to
increased caching. So you still require enough memory in your
system.


13.03.2018 22:25, Aaron Turner wrote:
> What version are you using Yuri?  Can you share your config?
> Every time I use ssl bump, I have massive memory leaks.  It's been
> effectively unusable for me.

Re: [squid-users] SSL intercept in explicit mode

2018-03-13 Thread Yuri
Moreover,

SSL Bump combines with interception/explicit proxy in one setup.

And works perfectly.


13.03.2018 21:14, Marcus Kool wrote:
> "SSL bump" is the name of a complex Squid feature.
> With ssl_bump ACLs one can decide which domains can be 'spliced' (go
> through the proxy untouched) or can be 'bumped' (decrypted).
>
> Interception is not a requirement for SSL bump.
>
> Marcus
>
> On 13/03/18 11:44, Danilo V wrote:
>> I mean SSL bump in explicit mode.
>> So intercept is an essential requirement for running SSL bump?
>>
>> On Tue, 13 Mar 2018 at 11:10, Matus UHLAR - fantomas wrote:
>>
>>> On 13.03.18 13:44, Danilo V wrote:
>>>> Is it possible/feasible to configure squid in explicit mode with ssl
>>>> intercept?
>>>
>>> explicit is not intercept, intercept is not explicit.
>>>
>>> explicit is where browser is configured (manually or automatically via WPAD)
>>> to use the proxy.
>>>
>>> intercept is where network device forcibly redirects http/https connections
>>> to the proxy.
>>>
>>> maybe you mean SSL bump in explicit mode?
>>>
>>>> Due to architecture of my network it is not possible to implement
>>>> transparent proxy.
>>>
>>> excuse me?
>>> by "transparent" people mean what we usually call "intercept".
>>>
>>>> What would be the behavior of applications that don't support proxy - i.e.
>>>> don't forward requests to proxy?
>>>
>>> they must be intercepted.
>>>
>>> --
>>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>>> Warning: I wish NOT to receive e-mail advertising to this address.
>>> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>>> Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...



Re: [squid-users] TCP_MISS_ABORTED/000|

2018-03-12 Thread Yuri
You can also play around with squid's config parameters to fit your LAN
specifications.

13.03.2018 01:20, Juan Manuel P wrote:
> I found a solution to the TCP_MISS_ABORTED/000 problem: we have a
> tplink balance router between the squid proxy server and the ISP; just
> eliminating the tplink balance router makes the problem disappear. Later I
> will investigate the balance router to find a final solution, and
> tell you.
>
> regards

Re: [squid-users] Trouble accessing outlook.com

2018-03-12 Thread Yuri
I've just tried to reproduce your issue on my Squid 5.0.0.

1. First, the browser goes to http://outlook.com

2. The server redirects it to https://outlook.com, and then redirects to
https://outlook.live.com/owa/

3. I have outlook.com and outlook.live.com in my splice ACL (I'm using
SSL bump, yes).

4. Before outlook.live.com, the browser goes via

1520865842.280   6994 192.168.201.10 TCP_MISS/200 364906 GET https://r1.res.office365.com/owalanding/v1.16/images/landing-macbook.png - HIER_DIRECT/23.45.97.45 image/png

5. After this, https://outlook.live.com/owa/ opens correctly.

So, when I splice both domains at step 2, they are tunnels and, finally,
I get through to the outlook web interface.





Re: [squid-users] Trouble accessing outlook.com

2018-03-12 Thread Yuri
But your client does.


12.03.2018 20:19, Danilo V wrote:
> 1520862206.757      0 10.32.12.250 TCP_MISS/503 0 CONNECT www.outlook.com:443 - HIER_NONE/- -



Re: [squid-users] Trouble accessing outlook.com

2018-03-12 Thread Yuri
3.4.8 is too ancient to work correctly with SSL.

At least upgrade to 3.5.27 first.


12.03.2018 20:03, Danilo V wrote:
> Hello, I'm having trouble accessing *http://outlook.com* through Squid.
> The browser returns: Unable to connect (ERR_TUNNEL_CONNECTION_FAILED).
> This problem is intermittent, it means that at some times it's all right.
> Everything else is normal. Requests without proxy are always OK.
> I also tested using a clean installation of squid 3.4.8
>
> - Access.log:
> 1520862206.753    492 10.32.12.250 TCP_MISS/301 506 GET
> http://outlook.com/ - HIER_DIRECT/40.97.161.50  -
> 1520862206.757      0 10.32.12.250 TCP_MISS/503 0 CONNECT
> www.outlook.com:443  - HIER_NONE/- -
>
> - Cache.log
> 2018/03/12 10:43:43.505 kid1| Ip.cc(560) match: aclIpMatchIp:
> '10.32.12.250:56352 ' found
> 2018/03/12 10:43:43.505 kid1| Acl.cc(177) matches: checked: all = 1
> 2018/03/12 10:43:43.505 kid1| Acl.cc(177) matches: checked:
> http_access#1 = 1
> 2018/03/12 10:43:43.505 kid1| Acl.cc(177) matches: checked:
> http_access = 1
> 2018/03/12 10:43:43.505 kid1| Checklist.cc(55) markFinished:
> 0x7f0f1350ada8 answer ALLOWED for match
> 2018/03/12 10:43:43.505 kid1| Checklist.cc(155) checkCallback:
> ACLChecklist::checkCallback: 0x7f0f1350ada8 answer=ALLOWED
> 2018/03/12 10:43:43.505 kid1| Checklist.cc(62) preCheck:
> 0x7ffd6dda7e10 checking fast ACLs
> 2018/03/12 10:43:43.505 kid1| Acl.cc(177) matches: checked:
> (access_log daemon:/var/log/squid3/access.log line) = 1
> 2018/03/12 10:43:43.505 kid1| Acl.cc(177) matches: checked: access_log
> daemon:/var/log/squid3/access.log = 1
> 2018/03/12 10:43:43.505 kid1| Checklist.cc(55) markFinished:
> 0x7ffd6dda7e10 answer ALLOWED for match
> 2018/03/12 10:43:45.836 kid1| Checklist.cc(62) preCheck:
> 0x7ffd6dda7e10 checking fast ACLs
> 2018/03/12 10:43:45.836 kid1| Acl.cc(177) matches: checked:
> (access_log daemon:/var/log/squid3/access.log line) = 1
> 2018/03/12 10:43:45.836 kid1| Acl.cc(177) matches: checked: access_log
> daemon:/var/log/squid3/access.log = 1
> 2018/03/12 10:43:45.836 kid1| Checklist.cc(55) markFinished:
> 0x7ffd6dda7e10 answer ALLOWED for match
>
> Any suggestions?
>
>



Re: [squid-users] Distribute root certificate to clients

2018-03-12 Thread Yuri
I guess there is no easy solution for this job.

The more difficult task is also mobile clients.

In my case, I use just a simple JS trick found on serverfault once upon
a time.

It is point-and-click based, but does not work for each and every browser.
Just for Chrome-based/Firefox and MS Edge (with some difficulties).

Also, don't forget about such a thing as the JRE. Sometimes it also
requires installing the cache root CA.

And such a thing as Thunderbird - it does not share its certificate store
with FF.

12.03.2018 15:40, Nicolas Kovacs wrote:
> Hi,
>
> I have a few prospective clients who want/need to log and monitor all
> their web traffic and asked me to find a viable solution for this.
>
> After a couple of weeks of fiddling, I decided to opt for the
> Squid+SquidAnalyzer setup, which works quite well. I have a sandbox
> installation here in my office that already works quite satisfyingly.
>
> While working out the solution (thanks again to you guys, you know who
> you are), I took some extensive notes on my technical blog:
>
>   * https://blog.microlinux.fr/squid-centos/
>
>   * https://blog.microlinux.fr/squid-https-centos/
>
>   * https://blog.microlinux.fr/squidanalyzer-centos/
>
>   * https://blog.microlinux.fr/squid-exceptions/
>
> I have yet one problem to tackle, and I already have a solution in mind.
> Though I thought I'd rather ask here first, since this is a bit new to
> me, and you guys have much more experience.
>
> Most of my clients are small businesses with up to a few dozen client
> PCs, and also wireless access.
>
> The problem I'm currently facing is: how to provide an easy installation
> of Squid's root certificate? During my tests, I wrote some short
> instructions for my Linux clients with Firefox, Chrome and Konqueror:
>
> https://blog.microlinux.fr/squid-https-centos/#navigateurs
>
> Here's what I intend to do. Configure a local web page
> http://proxy.company.lan where clients can download the certificate file
> proxy.company.lan.der. This page also contains quick & dirty
> instructions on how to install the certificate on the most popular
> browsers/platforms (Chrome, Firefox, Safari, Internet Explorer).
>
> Each company will also have a printed document, explaining how to access
> the Internet. Something like this:
>
>   1. Open http://proxy.company.lan in your browser.
>
>   2. Download the proxy.company.lan.der certificate file.
>
>   3. Follow instructions to import this file into your browser.
>
>   4. Browse the web normally.
>
> Before doing that, I thought I'd inquire how you guys go about that. As
> a long-time Slackware user I've always been a fan of the KISS principle
> (Keep It Simple Stupid), so I try to have a no-nonsense approach.
>
> Any suggestions?
>
> Cheers from the sunny South of France,
>
> Niki
>



Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Yuri
You're welcome ;)

This config works several years on my servers :)


12.03.2018 02:17, Nicolas Kovacs wrote:
> On 11/03/2018 at 19:44, Yuri wrote:
>> It's trivial to implement. Here is my config snippet:
>>
>> # SSL bump rules
>> acl DiscoverSNIHost at_step SslBump1
>> acl NoSSLIntercept ssl::server_name_regex
>> "/usr/local/squid/etc/acl.url.nobump"
>> ssl_bump peek DiscoverSNIHost
>> ssl_bump splice NoSSLIntercept
>> ssl_bump bump all
>>
>> acl.url.nobump fragment:
>>
>> # Adobe updates (web installation)
>> # This requires to splice due to SSL-pinned web-downloader
>> (get|platformdl|fpdownload|ardownload[0-9])\.adobe\.com
> I gave this configuration a spin on my local proxy, and it works great,
> without special firewall rules.
>
> Thanks very much! You made my day!
>
> Niki
>



Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Yuri

Also,
feel free to read our config examples here:

https://wiki.squid-cache.org/ConfigExamples


12.03.2018 00:39, Nicolas Kovacs wrote:
> On 11/03/2018 at 16:48, Alex Crow wrote:
>> It would be a lot easier to just create exceptions on the squid device
>> for sites where bumping doesn't work which cause them to be tunnelled or
>> spliced rather than bumped. You can then at least use dstdomain or
>> ssl:servername rules. dstdomain will let you tunnel or splice, whereas
>> ssl servername you will only be able to splice as an SSL connection must
>> already have been started AFAIK. Your firewall will probably need
>> restarting every time one of the IP addresses behind those hostnames
>> changes. Squid will at least do a lookup every request for dstdomain
>> (you need a good DNS server nearby or on the squid box).
> What would this configuration look like? Do you have a working example?
>
> Niki
>



Re: [squid-users] Allow some domains to bypass Squid

2018-03-11 Thread Yuri
Alex would like to say that splice, once implemented, is easier to
maintain than iptables/firewall rules.

It's trivial to implement. Here is my config snippet:

# SSL bump rules
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/acl.url.nobump"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

acl.url.nobump fragment:

# Adobe updates (web installation)
# This requires splicing due to the SSL-pinned web downloader
(get|platformdl|fpdownload|ardownload[0-9])\.adobe\.com


As Alex said, the splice list requires maintenance all the time.

The common rules are:

- Each SSL pinning site must be spliced.

- Each OCSP stapling site must be spliced.

- Each site that cannot be bumped should be spliced.

Feel free to RTFM first:

https://wiki.squid-cache.org/Features/SslPeekAndSplice


12.03.2018 00:39, Nicolas Kovacs wrote:
> On 11/03/2018 at 16:48, Alex Crow wrote:
>> It would be a lot easier to just create exceptions on the squid device
>> for sites where bumping doesn't work which cause them to be tunnelled or
>> spliced rather than bumped. You can then at least use dstdomain or
>> ssl:servername rules. dstdomain will let you tunnel or splice, whereas
>> ssl servername you will only be able to splice as an SSL connection must
>> already have been started AFAIK. Your firewall will probably need
>> restarting every time one of the IP addresses behind those hostnames
>> changes. Squid will at least do a lookup every request for dstdomain
>> (you need a good DNS server nearby or on the squid box).
> What would this configuration look like? Do you have a working example?
>
> Niki
>

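As an added example (not code from this thread or from the Squid project), the following Python script audits a splice list like the acl.url.nobump file quoted above and in the 13 March config: it shows which server names each ssl::server_name_regex entry would splice, which names fall through to `ssl_bump bump all`, and which entries lack anchors and therefore also match longer names. It assumes one regex per line, `#` comments, first-match evaluation and an unanchored, case-sensitive search, with Python's re module standing in for Squid's POSIX regex engine; the non-Adobe entries and all server names are constructed placeholders.

```python
"""Audit a Squid splice list (ssl::server_name_regex file) against sample SNIs.

Added example, not code from the squid-users thread or from Squid itself.
It models the three ssl_bump rules quoted in the thread: peek at step 1,
splice when the SNI matches an entry of the NoSSLIntercept regex file,
otherwise bump.

Assumptions (not verified against Squid's source): one extended regex per
line, '#' lines and blank lines are ignored, entries are tried in order
and the first match wins, matching is an unanchored, case-sensitive search
over the server name, and Python's re module approximates POSIX regexes.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of an acl.url.nobump file. The Adobe entry is the one
# quoted in the thread; the other two are constructed placeholders.
SAMPLE_NOBUMP = r"""
# Adobe updates (web installation)
# This requires to splice due to SSL-pinned web-downloader
(get|platformdl|fpdownload|ardownload[0-9])\.adobe\.com
# constructed placeholder entries for this demo
^ocsp\.example-ca\.invalid$
banking\.example\.invalid
"""

Entry = Tuple[int, re.Pattern]


def load_regex_list(text: str) -> List[Entry]:
    """Parse the ACL file into (line number, compiled regex) pairs.

    A regex that does not compile raises ValueError naming the line, so a
    broken list is noticed before it is handed to a production proxy.
    """
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entries.append((lineno, re.compile(line)))
        except re.error as exc:
            raise ValueError(f"line {lineno}: bad regex {line!r}: {exc}") from exc
    return entries


def decide(sni: str, entries: List[Entry]) -> Tuple[str, int]:
    """Return ("splice", matching line) or ("bump", 0) for one server name."""
    for lineno, pattern in entries:
        if pattern.search(sni):
            return "splice", lineno
    return "bump", 0


def unanchored_entries(entries: List[Entry]) -> List[int]:
    """Line numbers of entries with neither a ^ nor a $ anchor.

    An unanchored search also matches longer names that merely contain the
    pattern, so such entries splice more than the admin may intend.
    """
    return [
        lineno
        for lineno, pattern in entries
        if not (pattern.pattern.startswith("^") or pattern.pattern.endswith("$"))
    ]


def audit(text: str, snis: List[str]) -> Tuple[Dict[str, Tuple[str, int]], List[int]]:
    """Decide every SNI and report list entries that matched no sample name."""
    entries = load_regex_list(text)
    results = {sni: decide(sni, entries) for sni in snis}
    hit = {lineno for _, lineno in results.values()}
    unused = [lineno for lineno, _ in entries if lineno not in hit]
    return results, unused


if __name__ == "__main__":
    # Constructed server names: two that should be spliced, one that should
    # be bumped, and one that shows the unanchored-regex over-match.
    sample = [
        "get.adobe.com",
        "ocsp.example-ca.invalid",
        "www.adobe.com",
        "get.adobe.com.cdn.example.invalid",
    ]
    results, unused = audit(SAMPLE_NOBUMP, sample)
    for sni, (action, lineno) in results.items():
        where = f" (list line {lineno})" if lineno else ""
        print(f"{sni:40} {action}{where}")
    print("entries matched by no sample name:", unused)
    print("unanchored entries:", unanchored_entries(load_regex_list(SAMPLE_NOBUMP)))
```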


Re: [squid-users] TCP_MISS_ABORTED/000|

2018-02-28 Thread Yuri
Windows often spits on the RFC so as not to disturb users. Squid does not.

Anyway, as you can see, from my side, with well-configured
infrastructure and well-configured squid, there is also no problem.

So, maybe, somebody's hands are like legs ;-)


01.03.2018 02:59, Juan Manuel P writes:
> We are migrating from an old proxy server kerio-win-route on windows to
> a squid proxy server.
> The old proxy server has no problems.
>
> regards.
>
>
>
> 2018-02-28 17:56 GMT-03:00 Yuri <yvoi...@gmail.com>:
>
> Seems so. Maybe even the ISP. Misconfigured MPLS can lead to these errors.
>
>
> 01.03.2018 02:55, Juan Manuel P writes:
>> Hello Yuri, today in access.log I get a lot of
>> TCP_MISS_ABORTED/000 on many different sites:
>>
>> 28/Feb/2018:13:50:00 -0300 || - || 10.15.43.31 ||
>> TCP_MISS_ABORTED/000|| GET ||
>> http://loprincipal.com.ar/wp-content/plugins/wp-facebook-live-video/inc/style.css?
>> || -
>> 28/Feb/2018:13:50:00 -0300 || - || 10.15.43.31 ||
>> TCP_MISS_ABORTED/000|| GET ||
>> http://loprincipal.com.ar/wp-content/plugins/wp-facebook-live-video/inc/script.js?
>> || -
>> 28/Feb/2018:13:53:37 -0300 || - || 10.15.43.31 ||
>> TCP_MISS_ABORTED/000|| POST ||
>> http://m.addthis.com/live/red_lojson/100eng.json? || -
>> 28/Feb/2018:13:54:09 -0300 || - || 10.15.43.31 ||
>> TCP_MISS_ABORTED/000|| POST ||
>> http://m.addthis.com/live/red_lojson/100eng.json? || -
>> 28/Feb/2018:14:04:19 -0300 || - || 10.14.43.147 ||
>> TCP_MISS_ABORTED/000|| POST ||
>> http://m.addthis.com/live/red_lojson/100eng.json? || -
>> 28/Feb/2018:14:04:19 -0300 || - || 10.14.43.147 ||
>> TCP_MISS_ABORTED/000|| POST ||
>> http://m.addthis.com/live/red_lojson/100eng.json? || -
>> 28/Feb/2018:14:07:56 -0300 || - || 10.14.43.88 ||
>> TCP_MISS_ABORTED/000|| GET ||
>> http://ocsp2.globalsign.com/gsextendvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRYCCQuHbjl0T2z%2Bv2quSEm8NK1fgQU2kB3Q2Uc%2BP6n4%2FRkgj5NQxMiMQICDGPo4Vlu6pcIoIq7tA%3D%3D
>> || -
>> 28/Feb/2018:14:08:11 -0300 || - || 10.14.43.88 ||
>> TCP_MISS_ABORTED/000|| GET ||
>> http://crl.globalsign.com/gs/gsextendvalsha2g2.crl || -
>> 28/Feb/2018:14:11:56 -0300 || - || 10.15.43.30 ||
>> TCP_MISS_ABORTED/000|| GET || http://ipv6.msftncsi.com/ncsi.txt || -
>> 28/Feb/2018:14:30:13 -0300 || - || 10.14.43.101 ||
>> TCP_MISS_ABORTED/000|| GET ||
>> http://www.bancopatagonia.com/comunes/imas/facebook.jpg || -
>> 28/Feb/2018:14:30:13 -0300 || - || 10.14.43.101 ||
>> TCP_MISS_ABORTED/000|| GET ||
>> http://www.bancopatagonia.com/comunes/imas/youtube.jpg || -
>> 28/Feb/2018:14:30:13 -0300 || - || 10.14.43.101 ||
>> TCP_MISS_ABORTED/000|| GET ||
>> http://www.bancopatagonia.com/personas/imas/dest_espectaculos.jpg || -
>> 28/Feb/2018:14:30:13 -0300 || - || 10.14.43.101 ||
>> TCP_MISS_ABORTED/000|| GET ||
>> http://www.bancopatagonia.com/comunes/imas/img_youtube.gif || -
>> 28/Feb/2018:14:30:13 -0300 || - || 10.14.43.101 ||
>> TCP_MISS_ABORTED/000|| GET ||
>> http://www.bancopatagonia.com/comunes/imas/facebook-pie.jpg || -
>> 28/Feb/2018:15:13:48 -0300 || - || 10.14.43.162 ||
>> TCP_MISS_ABORTED/000|| POST || http://ocsp.usertrust.com/ || -
>> 28/Feb/2018:15:34:18 -0300 || - || 10.14.43.77 ||

Re: [squid-users] TCP_MISS_ABORTED/000|

2018-02-28 Thread Yuri
Seems so. Maybe even the ISP. Misconfigured MPLS can lead to these errors.


01.03.2018 02:55, Juan Manuel P writes:
> Hello Yuri, today in access.log I get a lot of TCP_MISS_ABORTED/000 on
> many different sites:
>
> 28/Feb/2018:13:50:00 -0300 || - || 10.15.43.31 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://loprincipal.com.ar/wp-content/plugins/wp-facebook-live-video/inc/style.css?
> || -
> 28/Feb/2018:13:50:00 -0300 || - || 10.15.43.31 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://loprincipal.com.ar/wp-content/plugins/wp-facebook-live-video/inc/script.js?
> || -
> 28/Feb/2018:13:53:37 -0300 || - || 10.15.43.31 ||
> TCP_MISS_ABORTED/000|| POST ||
> http://m.addthis.com/live/red_lojson/100eng.json? || -
> 28/Feb/2018:13:54:09 -0300 || - || 10.15.43.31 ||
> TCP_MISS_ABORTED/000|| POST ||
> http://m.addthis.com/live/red_lojson/100eng.json? || -
> 28/Feb/2018:14:04:19 -0300 || - || 10.14.43.147 ||
> TCP_MISS_ABORTED/000|| POST ||
> http://m.addthis.com/live/red_lojson/100eng.json? || -
> 28/Feb/2018:14:04:19 -0300 || - || 10.14.43.147 ||
> TCP_MISS_ABORTED/000|| POST ||
> http://m.addthis.com/live/red_lojson/100eng.json? || -
> 28/Feb/2018:14:07:56 -0300 || - || 10.14.43.88 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://ocsp2.globalsign.com/gsextendvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRYCCQuHbjl0T2z%2Bv2quSEm8NK1fgQU2kB3Q2Uc%2BP6n4%2FRkgj5NQxMiMQICDGPo4Vlu6pcIoIq7tA%3D%3D
> || -
> 28/Feb/2018:14:08:11 -0300 || - || 10.14.43.88 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://crl.globalsign.com/gs/gsextendvalsha2g2.crl || -
> 28/Feb/2018:14:11:56 -0300 || - || 10.15.43.30 ||
> TCP_MISS_ABORTED/000|| GET || http://ipv6.msftncsi.com/ncsi.txt || -
> 28/Feb/2018:14:30:13 -0300 || - || 10.14.43.101 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://www.bancopatagonia.com/comunes/imas/facebook.jpg || -
> 28/Feb/2018:14:30:13 -0300 || - || 10.14.43.101 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://www.bancopatagonia.com/comunes/imas/youtube.jpg || -
> 28/Feb/2018:14:30:13 -0300 || - || 10.14.43.101 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://www.bancopatagonia.com/personas/imas/dest_espectaculos.jpg || -
> 28/Feb/2018:14:30:13 -0300 || - || 10.14.43.101 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://www.bancopatagonia.com/comunes/imas/img_youtube.gif || -
> 28/Feb/2018:14:30:13 -0300 || - || 10.14.43.101 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://www.bancopatagonia.com/comunes/imas/facebook-pie.jpg || -
> 28/Feb/2018:15:13:48 -0300 || - || 10.14.43.162 ||
> TCP_MISS_ABORTED/000|| POST || http://ocsp.usertrust.com/ || -
> 28/Feb/2018:15:34:18 -0300 || - || 10.14.43.77 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://search.it.online.fr/covers/wp-content/Milo_Manara,_in_Giuseppe_Bergman,_2005_(Manet).jpg
> || -
> 28/Feb/2018:15:51:21 -0300 || - || 10.14.43.162 ||
> TCP_MISS_ABORTED/000|| GET || http://csi.gstatic.com/csi? || -
> 28/Feb/2018:15:51:22 -0300 || - || 10.14.43.162 ||
> TCP_MISS_ABORTED/404|| GET ||
> http://www.snehashish.com/wp-content/themes/computers/images/slide-left.png
> || text/html
> 28/Feb/2018:15:52:42 -0300 || - || 10.14.43.159 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://www.bancopatagonia.com.ar/personas/imas/dest_espectaculos.jpg || -
> 28/Feb/2018:15:52:42 -0300 || - || 10.14.43.159 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://www.bancopatagonia.com.ar/comunes/imas/facebook.jpg || -
> 28/Feb/2018:15:52:42 -0300 || - || 10.14.43.159 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://www.bancopatagonia.com.ar/comunes/imas/img_youtube.gif || -
> 28/Feb/2018:15:52:42 -0300 || - || 10.14.43.159 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://www.bancopatagonia.com.ar/comunes/imas/facebook-pie.jpg || -
> 28/Feb/2018:15:52:42 -0300 || - || 10.14.43.159 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://www.bancopatagonia.com.ar/comunes/imas/youtube.jpg || -
> 28/Feb/2018:16:18:53 -0300 || - || 192.168.43.57 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://loprincipal.com.ar/wp-content/plugins/wp-facebook-live-video/inc/script.js?
> || -
> 28/Feb/2018:16:18:53 -0300 || - || 192.168.43.57 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://loprincipal.com.ar/wp-content/plugins/wp-facebook-live-video/inc/style.css?
> || -
>
> I think the problem is not in squid, maybe DNS or something similar.
>
> regards.
>
>
> 2018-02-28 17:46 GMT-03:00 Yuri <yvoi...@gmail.com>:
>
> Let's look at your server:
>
>  # wget -S http://rionegro.gov.ar/download/images/00033636.jpg
> --2018-03-01 02:37:38--  http://rionegro.gov.ar/download/images/00033636.jpg
>
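As an added example (not code from the thread or from Squid), a small triage script for the '||'-separated access.log format quoted above: it counts *_ABORTED transactions per destination host and per client and lists the hosts where every abort ended with status 000, which is where the DNS/ISP checks discussed here would start. The log lines are constructed in that format from hosts named in the thread.

```python
"""Triage TCP_MISS_ABORTED entries in a Squid access.log.

Added example, not from the thread. It parses the '||'-separated custom
logformat visible in the quoted lines (time, user, client IP,
result/status, method, URL, content type), counts aborted transactions per
destination host and per client, and separates status 000 (Squid logged no
HTTP status at all) from aborts that already carried a status. The log
lines below are constructed in that format.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

SAMPLE_LOG = """\
28/Feb/2018:13:50:00 -0300 || - || 10.15.43.31 || TCP_MISS_ABORTED/000|| GET || http://loprincipal.com.ar/wp-content/plugins/wp-facebook-live-video/inc/style.css? || -
28/Feb/2018:13:53:37 -0300 || - || 10.15.43.31 || TCP_MISS_ABORTED/000|| POST || http://m.addthis.com/live/red_lojson/100eng.json? || -
28/Feb/2018:14:08:11 -0300 || - || 10.14.43.88 || TCP_MISS_ABORTED/000|| GET || http://crl.globalsign.com/gs/gsextendvalsha2g2.crl || -
28/Feb/2018:14:30:13 -0300 || - || 10.14.43.101 || TCP_MISS_ABORTED/000|| GET || http://www.bancopatagonia.com/comunes/imas/facebook.jpg || -
28/Feb/2018:15:51:22 -0300 || - || 10.14.43.162 || TCP_MISS_ABORTED/404|| GET || http://www.snehashish.com/wp-content/themes/computers/images/slide-left.png || text/html
28/Feb/2018:15:52:42 -0300 || - || 10.14.43.159 || TCP_MISS/200|| GET || http://www.rionegro.gov.ar/download/images/00033494.jpg || image/jpeg
this line is not in the expected format and must be skipped
"""


@dataclass
class Entry:
    time: str
    user: str
    client: str
    result: str   # Squid result code, e.g. TCP_MISS_ABORTED
    status: int   # HTTP status; 0 means none was ever logged
    method: str
    url: str
    ctype: str

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_line(line: str) -> Optional[Entry]:
    """Split one '||'-delimited line; returns None for anything malformed so
    a corrupt line cannot poison the counts."""
    parts = [p.strip() for p in line.split("||")]
    if len(parts) != 7:
        return None
    result, _, code = parts[3].partition("/")
    if not result or not code.isdigit():
        return None
    return Entry(parts[0], parts[1], parts[2], result, int(code),
                 parts[4], parts[5], parts[6])


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def aborted_summary(entries: List[Entry]) -> Dict[str, Counter]:
    """Counts of *_ABORTED transactions, split by host, by client, and by
    whether Squid had an HTTP status to log before the abort."""
    aborted = [e for e in entries if e.result.endswith("_ABORTED")]
    return {
        "by_host": Counter(e.host for e in aborted),
        "by_client": Counter(e.client for e in aborted),
        "no_reply": Counter(e.host for e in aborted if e.status == 0),
        "with_status": Counter(e.host for e in aborted if e.status != 0),
    }


def hosts_never_answered(entries: List[Entry]) -> List[str]:
    """Hosts whose every aborted transaction ended with status 000. These
    are the candidates for the upstream/DNS/ISP checks suggested in the
    thread, as opposed to clients walking away from a slow but live origin."""
    s = aborted_summary(entries)
    return sorted(h for h, n in s["by_host"].items() if s["no_reply"][h] == n)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    summary = aborted_summary(entries)
    print("aborted per client:", dict(summary["by_client"]))
    print("aborted per host:  ", dict(summary["by_host"]))
    print("never answered:    ", hosts_never_answered(entries))
```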

Re: [squid-users] help with the error TCP_MISS_ABORTED/000

2018-02-26 Thread Yuri
1519672183.376  3 192.168.201.10 TCP_MEM_HIT/200 99641 GET http://www.rionegro.gov.ar/download/images/00033494.jpg - HIER_NONE/- image/jpeg

Request size = 99,641

No problem on 3.5.27 and 5.0.0.

Try to upgrade proxy first.


27.02.2018 00:57, Juan Manuel P writes:
> I am using Squid Cache: Version 3.5.12, but some pages give me the
> next error:
>
> 1/Feb/2018:18:14:40 -0300 || - || 10.12.43.20 ||
> TCP_MISS_ABORTED/000|| GET ||
> http://www.rionegro.gov.ar/download/images/00033494.jpg
>  || -
>
> And load so slowly.
>
> I investigated and the problem may originate in this parameter -->
> dns_v4_first on, so I configured it and restarted the server. But the
> error still appears.
>
> Can someone help me please ?
>
> Regards.
>
>


Re: [squid-users] Kerberos negotiate slow avg service time

2018-02-23 Thread Yuri
Users complain?


23.02.2018 23:29, erdosain9 writes:
> Hi to all.
> I don't know why I have these bad values. My network is working fine. How can I
> fix this? I think it is a high value.
>
> HTTP/1.1 200 OK
> Server: squid/3.5.27
> Mime-Version: 1.0
> Date: Fri, 23 Feb 2018 17:16:25 GMT
> Content-Type: text/plain;charset=utf-8
> Expires: Fri, 23 Feb 2018 17:16:25 GMT
> Last-Modified: Fri, 23 Feb 2018 17:16:25 GMT
> X-Cache: MISS from proxy.mydomain.lan
> X-Cache-Lookup: MISS from proxy.mydomain.lan:3128
> Via: 1.1 proxy.mydomain.lan (squid/3.5.27)
> Connection: close
>
> Negotiate Authenticator Statistics:
> program: /lib64/squid/negotiate_kerberos_auth
> number active: 50 of 50 (0 shutting down)
> requests sent: 4106
> replies received: 4105
> queue length: 0
> avg service time: 82 msec
>
>   ID  #FD    PID  # Requests  # Replies  Flags   Time  Offset  Request
>   21   18  57259        1183       1182  B R    0.293       0  (none)
>   22   22  57260         652        652         0.164       0  (none)
>   23   42  57261         440        440         0.163       0  (none)
>   24   46  57262         307        307         0.962       0  (none)
>   25   48  57263         223        223         0.642       0  (none)
>   26   50  57264         180        180         0.642       0  (none)
>   27   55  57265         138        138         1.048       0  (none)
>   28   59  57266         115        115         1.158       0  (none)
>   29   65  57267          90         90         1.193       0  (none)
>   30   56  57268          77         77         1.193       0  (none)
>   31   74  57269          69         69         1.193       0  (none)
>   32   76  57270          64         64         1.039       0  (none)
>   33   78  57271          56         56         1.015       0  (none)
>   34   80  57272          54         54         0.993       0  (none)
>   35   82  57273          46         46         0.956       0  (none)
>   36   84  57274          39         39         0.763       0  (none)
>   37   79  57275          37         37         0.763       0  (none)
>   38   83  57276          31         31         0.690       0  (none)
>   39   94  57277          28         28         0.635       0  (none)
>   40   96  57278          26         26         0.624       0  (none)
>   41   98  57279          25         25         0.577       0  (none)
>   42  100  57280          23         23         0.504       0  (none)
>   43  102  57281          20         20         1.262       0  (none)
>   44   99  57282          20         20         1.259       0  (none)
>   45  122  57283          17         17         1.252       0  (none)
>   46  124  57284          16         16         0.836       0  (none)
>   47  126  57285          14         14         0.796       0  (none)
>   48  128  57286          14         14         0.543       0  (none)
>   49  119  57287          13         13         0.520       0  (none)
>   50  125  57288          11         11         0.942       0  (none)
>   52  222  57292           8          8         0.900       0  (none)
>   53  224  57293           7          7         0.921       0  (none)
>   54  227  57294           6          6         0.740       0  (none)
>   55  230  57295           5          5         1.912       0  (none)
>   56  231  57296           4          4         1.979       0  (none)
>   57  233  57297           5          5         1.857       0  (none)
>   58  236  57298           5          5         1.665       0  (none)
>   59  237  57299           5          5         1.652       0  (none)
>   60  239  57300           4          4         1.659       0  (none)
>   61  241  57301           5          5         1.614       0  (none)
>   62  243  57304           5          5         1.499       0  (none)
>   63  245  57305           5          5

Re: [squid-users] squid-5 lost my cached dir

2018-02-20 Thread Yuri
Yes, after re-indexing, every next restart cleans up swap.state again
and again.


21.02.2018 05:57, Yuri writes:
> It immediately loses swap.state contents after any restart and starts
> up with an empty swap.state.
>
> After removal of swap.state with squid stopped, it correctly
> re-indexes cache contents and then runs normally.
>
>
> 21.02.2018 05:50, Yuri writes:
>> # -
>> # Store parameters
>> # -
>> minimum_object_size 10 bytes
>> maximum_object_size 4 GB
>>
>> cache_dir aufs /data/cache/d1 48000 64 512
>> cache_dir aufs /data/cache/d2 48000 64 512
>> cache_dir aufs /data/cache/d3 48000 64 512
>> cache_dir aufs /data/cache/d4 48000 64 512
>>
>> # -
>> # Memory parameters
>> # -
>> cache_mem 512 MB
>>
>> memory_pools off
>> #memory_pools_limit 1024 MB
>>
>> maximum_object_size_in_memory 1 MB
>>
>>
>> 21.02.2018 05:48, Alex Rousskov writes:
>>> On 02/20/2018 04:38 PM, joseph wrote:
>>>> alex tested on 2 environments, debian 9 and solaris
>>>> same shame  just keep for 30 minutes running caching and do squid restart and
>>>> check your swap.state  you will notice it's empty almost on 2 environments
>>>> totally different ok
>>>> i removed that patch and all fine swap.state stays perfect and all fine
>>>> so i guess one of the 2 scenarios  it's detecting swap file on start never
>>>> exists or detecting wrong size that's all
>>> Thank you for providing these additional snippets of information. We
>>> will, of course, try to reproduce the problem with the info you have
>>> already provided. If you would like to increase our chances of
>>> reproducing this problem, please see my original response (quoted below).
>>>
>>> Alex.
>>>
>>>
>>>> On 02/20/2018 04:28 PM, Alex Rousskov wrote:
>>>>> ... Please share your Squid
>>>>> configuration (at least the SMP-, cache_mem-, and cache_dir-related
>>>>> directives). You may want to file a bug report to track this fix better.


Re: [squid-users] squid-5 lost my cached dir

2018-02-20 Thread Yuri
It immediately loses swap.state contents after any restart and starts
up with an empty swap.state.

After removal of swap.state with squid stopped, it correctly
re-indexes cache contents and then runs normally.


21.02.2018 05:50, Yuri writes:
> # -
> # Store parameters
> # -
> minimum_object_size 10 bytes
> maximum_object_size 4 GB
>
> cache_dir aufs /data/cache/d1 48000 64 512
> cache_dir aufs /data/cache/d2 48000 64 512
> cache_dir aufs /data/cache/d3 48000 64 512
> cache_dir aufs /data/cache/d4 48000 64 512
>
> # -
> # Memory parameters
> # -
> cache_mem 512 MB
>
> memory_pools off
> #memory_pools_limit 1024 MB
>
> maximum_object_size_in_memory 1 MB
>
>
> 21.02.2018 05:48, Alex Rousskov writes:
>> On 02/20/2018 04:38 PM, joseph wrote:
>>> alex tested on 2 environments, debian 9 and solaris
>>> same shame  just keep for 30 minutes running caching and do squid restart and
>>> check your swap.state  you will notice it's empty almost on 2 environments
>>> totally different ok
>>> i removed that patch and all fine swap.state stays perfect and all fine
>>> so i guess one of the 2 scenarios  it's detecting swap file on start never
>>> exists or detecting wrong size that's all
>> Thank you for providing these additional snippets of information. We
>> will, of course, try to reproduce the problem with the info you have
>> already provided. If you would like to increase our chances of
>> reproducing this problem, please see my original response (quoted below).
>>
>> Alex.
>>
>>
>>> On 02/20/2018 04:28 PM, Alex Rousskov wrote:
>>>> ... Please share your Squid
>>>> configuration (at least the SMP-, cache_mem-, and cache_dir-related
>>>> directives). You may want to file a bug report to track this fix better.


Re: [squid-users] squid-5 lost my cached dir

2018-02-20 Thread Yuri
# -
# Store parameters
# -
minimum_object_size 10 bytes
maximum_object_size 4 GB

cache_dir aufs /data/cache/d1 48000 64 512
cache_dir aufs /data/cache/d2 48000 64 512
cache_dir aufs /data/cache/d3 48000 64 512
cache_dir aufs /data/cache/d4 48000 64 512

# -
# Memory parameters
# -
cache_mem 512 MB

memory_pools off
#memory_pools_limit 1024 MB

maximum_object_size_in_memory 1 MB


21.02.2018 05:48, Alex Rousskov writes:
> On 02/20/2018 04:38 PM, joseph wrote:
>> alex tested on 2 environments, debian 9 and solaris
>> same shame  just keep for 30 minutes running caching and do squid restart and
>> check your swap.state  you will notice it's empty almost on 2 environments
>> totally different ok
>> i removed that patch and all fine swap.state stays perfect and all fine
>> so i guess one of the 2 scenarios  it's detecting swap file on start never
>> exists or detecting wrong size that's all
> Thank you for providing these additional snippets of information. We
> will, of course, try to reproduce the problem with the info you have
> already provided. If you would like to increase our chances of
> reproducing this problem, please see my original response (quoted below).
>
> Alex.
>
>
>> On 02/20/2018 04:28 PM, Alex Rousskov wrote:
>>> ... Please share your Squid
>>> configuration (at least the SMP-, cache_mem-, and cache_dir-related
>>> directives). You may want to file a bug report to track this fix better.


Re: [squid-users] squid-5 lost my cached dir

2018-02-20 Thread Yuri
We never use SMP. Just a regular SMP-unaware configuration.


21.02.2018 05:28, Alex Rousskov writes:
> On 02/20/2018 04:22 PM, joseph wrote:
>> using squid-5.0.0-20180218-r3b65960 release kills my cache dir somehow
>> swap.state is empty  and the size of the cached dir has 30 gig
>> if i run for a couple of HR  and the swap.state grows like a couple of meg  then
>> restart squid 
>> it becomes empty swap.state  but the cached items in storage stay 
>> i removed patch by patch the  killer was
>> http://www.squid-cache.org/Versions/v5/changesets/squid-5-4310f8b00dd574542dcec4208112bb89ef403528.patch
>> so please fix it
> Since our tests for that change were successful, we may need to know
> more about your environment to fix this problem. Please share your Squid
> configuration (at least the SMP-, cache_mem-, and cache_dir-related
> directives). You may want to file a bug report to track this fix better.
>
>
> Thank you,
>
> Alex.


Re: [squid-users] ldap_sasl_interactive_bind_s error: Can't contact LDAP server

2018-02-20 Thread Yuri


20.02.2018 22:15, erdosain9 writes:
> sorry, Yuri, yes it is working. 
> i can connect via ldap and also turned on debug to investigate, and there is no
> error now...
> but from time to time, this error is happening... so... it is strange.
No. Check your network first in this case (generally speaking, it is better to
start troubleshooting from this).
The L1/L2/L3 layers, I mean.
>
> On the other hand I'm getting these values with just one machine using the
> squid :
>
> Negotiate Authenticator Statistics:
> program: /lib64/squid/negotiate_kerberos_auth
> number active: 32 of 50 (0 shutting down)
> requests sent: 66
> replies received: 66
> queue length: 0
> avg service time: 208 msec
>
>   ID  #FD   PID  # Requests  # Replies  Flags   Time  Offset  Request
>   21   44  2193          24         24         0.022       0  (none)
>   22   61  2194           5          5         0.322       0  (none)
>   23   64  2195           5          5         0.387       0  (none)
>   24   70  2196           3          3         0.397       0  (none)
>   25  150  2201           2          2         0.323       0  (none)
>   26  151  2202           1          1         0.158       0  (none)
>   27  153  2203           1          1         0.192       0  (none)
>   28  155  2204           1          1         0.152       0  (none)
>   29  157  2205           1          1         0.380       0  (none)
>   30  159  2206           1          1         0.394       0  (none)
>   31  161  2207           1          1         0.465       0  (none)
>   32  163  2208           1          1         0.439       0  (none)
>   33  165  2209           1          1         0.437       0  (none)
>   34  167  2210           1          1         0.591       0  (none)
>   35  169  2211           1          1         0.226       0  (none)
>   36  171  2212           1          1         0.564       0  (none)
>   37  173  2213           1          1         0.221       0  (none)
>   38  175  2214           1          1         0.115       0  (none)
>   39  177  2215           1          1         0.161       0  (none)
>   40  179  2216           1          1         0.335       0  (none)
>   41  181  2217           1          1         0.382       0  (none)
>   42  154  2218           1          1         0.547       0  (none)
>   43  158  2219           1          1         0.605       0  (none)
>   44  162  2220           1          1         0.493       0  (none)
>   45  166  2221           1          1         0.465       0  (none)
>   46  170                 1          1         0.586       0  (none)
>   47  174  2223           1          1         0.270       0  (none)
>   48  178  2224           1          1         0.249       0  (none)
>   49  182  2225           1          1         0.504       0  (none)
>   50  184  2226           1          1         0.479       0  (none)
>   51  186  2227           1          1         0.284       0  (none)
>   52  188  2228           1          1         0.560       0  (none)
>
> a little high, don't you think?? avg service time: 208 msec
> In the working squid sometimes the values go to 2500 msec (with 70
> users)
Usually squid's direct-action helpers (I mean not client-server ones, like
ufdbguard) depend directly on the LAN/WAN. This means, if your network
adds delay, this will be mirrored in the helper stats as increased service
time. As I've said, check your network.
>
> Thanks
>
>
>
>


Re: [squid-users] ldap_sasl_interactive_bind_s error: Can't contact LDAP server

2018-02-20 Thread Yuri
Of course, you, as sysadmin, should know the basics of troubleshooting,
shouldn't you?

If the port is open, try to connect to it from the proxy box via an ldap client.
If that succeeds,
the next step is to turn on squid's debug and investigate the detailed logs.

20.02.2018 20:00, erdosain9 writes:
> Hi.
> The port is open.
>
> Is there a way to have a little more log??
> Thanks
>
>
>


Re: [squid-users] ldap_sasl_interactive_bind_s error: Can't contact LDAP server

2018-02-20 Thread Yuri
Check LDAP port availability on the LDAP server. On the firewall it should be open.

If your LDAP server is a Windows server, AFAIK, it has a closed firewall by
default. I.e. all incoming connections are blocked.


20.02.2018 19:35, erdosain9 writes:
> Hi. I'm having this problem. I'm running squid on a Centos 7 container (lxc on
> proxmox).
>
> This is cache.log
>
> support_sasl.cc(276): pid=555 :2018/02/20 10:13:34| kerberos_ldap_group:
> ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
> support_ldap.cc(957): pid=555 :2018/02/20 10:13:34| kerberos_ldap_group:
> ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact
> LDAP server
>
>
> Can somebody give me a hand???
>
> I don't know what can be bad. This is the config:
>
>  cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MYDOMAIN.LAN
> dns_lookup_kdc = no
> dns_lookup_realm = no
> ticket_lifetime = 24h
> default_keytab_name = /etc/squid/PROXY.keytab
>
> ; for Windows 2003
> ;default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ;default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ;permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
> des-cbc-md5
>
>
> [realms]
> MYDOMAIN.LAN = {
> kdc = adw-1.mydomain.lan
> kdc = w-data2.mydomain.lan
> admin_server = adw-1.mydomain.lan
> default_domain = mydomain.lan
> }
>
> [domain_realm]
> .mydomain.lan = MYDOMAIN.LAN
> mydomain.lan = MYDOMAIN.LAN  
>
>
> SQUID.CONF
> ###Kerberos Auth with ActiveDirectory###
> auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s
> HTTP/proxy.mydomain@mydomain.lan
> auth_param negotiate children 50 startup=0 idle=1
> auth_param basic credentialsttl 2 hours
> auth_param negotiate keep_alive on
>
> external_acl_type i-restringidos %LOGIN
> /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-restringi...@mydomain.lan
> external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl
> -g i-f...@mydomain.lan
> external_acl_type i-limitado %LOGIN
> /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limit...@mydomain.lan
>
>
>
> /ETC/HOSTS
>
> [root@proxy ~]# cat /etc/hosts
> 127.0.0.1   localhost LXC_NAME
> ::1 localhost.localnet localhost
> # --- END PVE ---
> #
> 192.168.1.222 adw-1.mydomain.lan
> 192.168.1.107 w-data2.mydomain.lan
> # --- BEGIN PVE ---
> 192.168.6.215 proxy.mydomain.lan proxy
> # --- END PVE ---
>
>
> /ETC/RESOLV.CONF
> [root@proxy ~]# cat /etc/resolv.conf 
> # --- BEGIN PVE ---
> search mydomain.lan
> nameserver 192.168.1.107
> nameserver 192.168.1.222
> # --- END PVE ---
> domain mydomain.lan
>
>
> Thanks
>
>
>
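As an added example (not code from the thread or from Squid), a pre-check that follows the advice above before enabling Squid debug: it reads the kdc= hosts of the default realm from the posted krb5.conf and tests whether TCP connections to the Kerberos and LDAP ports succeed from the proxy box. It assumes the default ports 88 and 389 (an LDAPS-only controller would need 636 instead); the krb5.conf text is a constructed copy of the one posted.

```python
"""Reachability pre-check for the KDC/LDAP hosts behind
ext_kerberos_ldap_group_acl.

Added example, not from the thread. Before turning on Squid debug for an
intermittent "Can't contact LDAP server", confirm from the proxy box that
each kdc= host of the default realm in krb5.conf accepts TCP connections
on the Kerberos and LDAP ports. Ports 88 and 389 are the IANA defaults and
an assumption about the site; the krb5.conf text is constructed from the
one posted in the thread.
"""
import socket
from typing import Dict, List, Tuple

KRB5_CONF = """\
[libdefaults]
default_realm = MYDOMAIN.LAN
dns_lookup_kdc = no
dns_lookup_realm = no

[realms]
MYDOMAIN.LAN = {
kdc = adw-1.mydomain.lan
kdc = w-data2.mydomain.lan
admin_server = adw-1.mydomain.lan
default_domain = mydomain.lan
}

[domain_realm]
.mydomain.lan = MYDOMAIN.LAN
"""


def parse_krb5(text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (default_realm, {realm: [kdc hosts]}) from krb5.conf text.
    Handles only what is needed here: [libdefaults] default_realm and the
    kdc= lines inside each REALM = { ... } block of [realms]; '#' and ';'
    comment lines are skipped."""
    default_realm = ""
    realms: Dict[str, List[str]] = {}
    section = current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].lower(), ""
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms":
            if value == "{":
                current = key
                realms.setdefault(current, [])
            elif line == "}":
                current = ""
            elif current and key == "kdc":
                realms[current].append(value.split(":", 1)[0])  # drop :port
    return default_realm, realms


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.
    Name-resolution failure, refusal and timeout all count as unreachable;
    the helper's error message does not distinguish them either."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_default_realm(text: str = KRB5_CONF,
                        ports: Tuple[int, ...] = (88, 389),
                        timeout: float = 3.0) -> Dict[Tuple[str, int], bool]:
    """Probe every kdc of the default realm on each port."""
    realm, realms = parse_krb5(text)
    return {(host, port): tcp_reachable(host, port, timeout)
            for host in realms.get(realm, []) for port in ports}


if __name__ == "__main__":
    for (host, port), ok in probe_default_realm().items():
        print(f"{host}:{port:<4} {'open' if ok else 'UNREACHABLE'}")
```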


Re: [squid-users] Where squid deamon is stored?

2018-02-18 Thread Yuri
man find, no? :-)


18.02.2018 23:38, Peng Yu writes:
> I don't find squid3 in /etc/init.d. Does anybody know where the daemon
> script is stored?
>



Re: [squid-users] Can cache_peer be localhost?

2018-02-17 Thread Yuri


18.02.2018 01:13, Matus UHLAR - fantomas writes:
> On 18.02.18 00:05, Yuri wrote:
>> Maybe it is assumed to be forwarding to parent proxy(-es)?
>
> according to original post, it's a different port configured on the same
> squid instance.
Ewww. It seems like looping.
>
>> 17.02.2018 23:22, Matus UHLAR - fantomas writes:
>>>>>  client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat
>>>>> forever.
>>>
>>> On 17.02.18 10:45, Peng Yu wrote:
>>>> Is there a way to configure squid so that anything goes to 3128 will
>>>> directly go outside of the machine instead of going back to 3128
>>>> again, yet still let 3129 be forwarded to the local 3128 in the
>>>> round-robin fashion?
>>>
>>> what is the point to send the request to itself?
>



Re: [squid-users] Can cache_peer be localhost?

2018-02-17 Thread Yuri
Maybe it is assumed to be forwarding to parent proxy(-es)?


17.02.2018 23:22, Matus UHLAR - fantomas writes:
>>>  client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat
>>> forever.
>
> On 17.02.18 10:45, Peng Yu wrote:
>> Is there a way to configure squid so that anything goes to 3128 will
>> directly go outside of the machine instead of going back to 3128
>> again, yet still let 3129 be forwarded to the local 3128 in the
>> round-robin fashion?
>
> what is the point to send the request to itself?
>



Re: [squid-users] Forward proxy: TLS connections to server

2018-02-17 Thread Yuri
IM, which uses an HTTP-like session bootstrap, requires special
investigation and custom configuration when it goes via a forwarding proxy.


17.02.2018 22:58, ninadmnaik writes:
> Thanks for the quick reply Yuri. 
>
> "Note that these are not 'https' requests. Just plain socket connections."
> Maybe this statement wasn't entirely correct. We are using the
> 'connect' method to talk to squid proxy. And squid proxy is able to connect
> to the remote xmpp server. It's just that the xmpp server supports TLS
If we're talking about CONNECT method session initiation, it requires
(in general) specifying additional ports on Squid which are
permitted to use the CONNECT method.

For example, in your case, port 1449.

Generally speaking, squid's defaults do not assume IM clients, since
squid itself is not a proxy for any and all protocols. So it requires
additional configuration for passing IM via the proxy.
> connections only and thus further communication is not possible. 
>
> From the access logs:
> 1518880487.658   1449 127.0.0.1 TCP_TUNNEL/200 46 CONNECT
> fcm-xmpp.googleapis.com:5235 - HIER_DIRECT/2607:f8b0:4001:c0b::bc -
>
> "Try to read https://wiki.squid-cache.org first."
> Yeah, we've been doing that and will investigate further. 
Indeed :)
>
>
>

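For the CONNECT case discussed in the post above, here is an added squid.conf fragment (an example written for this page, not from the thread or from the Squid project). It opens the XMPP destination port 5235 shown in the quoted access.log line for CONNECT while keeping the default port policy in place. The acl names xmpp_dst, xmpp_port and localnet and the 192.168.0.0/16 range are assumptions for this example.

```conf
# Added example: let an IM client tunnel to fcm-xmpp.googleapis.com:5235 through
# a forward proxy without relaxing the rest of the port policy.
# localnet, xmpp_dst, xmpp_port and the address range are assumed values.

acl localnet src 192.168.0.0/16      # the IM clients' network (assumed)

acl SSL_ports port 443
acl SSL_ports port 5235              # added: the XMPP client's TLS session port

acl Safe_ports port 80               # http
acl Safe_ports port 443              # https
acl Safe_ports port 5235             # added: must also pass the Safe_ports check
acl CONNECT method CONNECT

# Confine the extra port to the one destination that needs it
acl xmpp_dst  dstdomain fcm-xmpp.googleapis.com
acl xmpp_port port 5235

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny CONNECT xmpp_port !xmpp_dst   # 5235 only to the XMPP server
http_access allow localnet
http_access deny all
```

Squid evaluates http_access rules top to bottom and stops at the first match, so the port has to be in both Safe_ports and SSL_ports before the two default deny rules are reached. The tunnel itself stays opaque to Squid (TCP_TUNNEL in the log), so the only control points are who may CONNECT, to which host, and on which port; the third deny rule keeps the non-standard port from becoming a general-purpose tunnel.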

Re: [squid-users] Forward proxy: TLS connections to server

2018-02-17 Thread Yuri


17.02.2018 21:44, ninadmnaik writes:
> Hello, 
> We need to communicate with a xmpp server over TLS connections. Now, we know
> that our app can open a TLS connection to Squid. But can Squid initiate a
> TLS connection to the xmpp server? 
Only if it goes over an HTTP/HTTPS port. With some difficulties, and it often
requires special configuration.
>
> Our App (TLS socket connection)---> Squid (Can this be TLS
> connection?)> XMPP server
>
> If it's possible, how to go about setting up squid for this? 
>
> Would 'ssl-bump' feature be the way to go? 
Maybe yes, maybe no. Depends on the previous. And not ssl-bump. Let's
say peek-and-splice, and most probably splice rather than bump.
> http://www.squid-cache.org/Versions/v3/3.5/cfgman/https_port.html
>
> Note that these are not 'https' requests. Just plain socket connections. 
Squid is not a sockets proxy. It's an HTTP/HTTPS/FTP proxy only.
>
> Please point us in the right direction. 
Try to read https://wiki.squid-cache.org first.
> Thanks. 
>
>
>



Re: [squid-users] All 32/32 ssl_crtd processes are busy / All 35/35 negotiateauthenticator processes are busy

2018-02-16 Thread Yuri
#  TAG: sslcrtd_children
#    The maximum number of processes spawn to service ssl server.
#    The maximum this may be safely set to is 32.
#   
#    The startup= and idle= options allow some measure of skew in your
#    tuning.
#   
#        startup=N
#   
#    Sets the minimum number of processes to spawn when Squid
#    starts or reconfigures. When set to zero the first request will
#    cause spawning of the first child process to handle it.
#   
#    Starting too few children temporary slows Squid under load while it
#    tries to spawn enough additional processes to cope with traffic.
#   
#        idle=N
#   
#    Sets a minimum of how many processes Squid is to try and keep available
#    at all times. When traffic begins to rise above what the existing
#    processes can handle this many more will be spawned up to the maximum
#    configured. A minimum setting of 1 is required.
#
#        queue-size=N
#
#    Sets the maximum number of queued requests.
#    If the queued requests exceed queue size for more than 3 minutes
#    squid aborts its operation.
#    The default value is set to 2*numberofchildren.
#   
#    You must have at least one ssl_crtd process.
#Default:
# sslcrtd_children 32 startup=5 idle=1

Feel free to read squid.conf.documented.


16.02.2018 19:03, erdosain9 writes:
> Hi.
> I'm having this warning in cache.log
>
>
> 2018/02/14 15:56:55 kid1| WARNING: All 32/32 ssl_crtd processes are busy.
> 2018/02/14 15:56:55 kid1| WARNING: 32 pending requests queued
> 2018/02/14 15:56:55 kid1| WARNING: Consider increasing the number of
> ssl_crtd processes in your config file.
>
> 2018/02/14 16:07:06 kid1| WARNING: All 35/35 negotiateauthenticator
> processes are busy.
> 2018/02/14 16:07:06 kid1| WARNING: 35 pending requests queued
> 2018/02/14 16:07:06 kid1| WARNING: Consider increasing the number of
> negotiateauthenticator processes in your config file.
>
> I know how to increase the negotiate authenticator... but, how can I
> increase the ssl_crtd processes???
>
> Thanks to all.
>
> This is my config
>
> acl sin_autenticacion src "/etc/squid/listas/sin_autenticacion.lst"
>
>
> ###Kerberos Auth with ActiveDirectory###
> auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s
> HTTP/squid.mydomain@mydomain.lan
> auth_param negotiate children 35 startup=0 idle=1
> auth_param basic credentialsttl 2 hours
> auth_param negotiate keep_alive on
>
>
> external_acl_type i-restringidos %LOGIN
> /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-restringi...@mydomain.lan
> external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl
> -g i-f...@mydomain.lan
> external_acl_type i-limitado %LOGIN
> /usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limit...@mydomain.lan
>
> acl i-restringidos external i-restringidos
> acl i-full external i-full
> acl i-limitado external i-limitado
>
> acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
> http_access deny ads
>
> acl youtube url_regex -i \.flv$
> acl youtube url_regex -i \.mp4$
> acl youtube url_regex -i watch?
> acl youtube url_regex -i youtube
> acl facebook url_regex -i facebook
> acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
> acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\? 
> acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
> acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?
>
> acl restringidos dstdomain "/etc/squid/listas/restringidos.lst"
> acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"
>
> acl SSL_ports port 443
> acl SSL_ports port 4443
> acl SSL_ports port 8443
> acl SSL_ports port 8080
> acl SSL_ports port 2
> acl SSL_ports port 1
> acl SSL_ports port 2083
>
> acl Safe_ports port 631 # httpCUPS
> acl Safe_ports port 85
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 25  #
> acl Safe_ports port 587 #
> acl Safe_ports port 143 #
> acl Safe_ports port 993 #
> acl Safe_ports port 995 #
> acl Safe_ports port 465 #
> acl Safe_ports port 443 # https
> acl Safe_ports port 4443# https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 8443# httpsalt
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8080# edesur y otros
> acl Safe_ports port 2199# radio
> acl CONNECT method CONNECT
>
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be 

Re: [squid-users] Squid SSL db on ramdisk

2018-02-12 Thread Yuri
If there is nothing to say on the topic - it's better to keep quiet.

I'm not talking with you. And when I need your opinion - I'll call you.


12.02.2018 14:15, Vacheslav writes:
> Works like a charm is a stubborn phrase, never experienced that when being 
> charmed one problem is gone and replaced with numerous others, like sick 
> relatives?
>
> -Original Message-
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Yuri
> Sent: Saturday, February 10, 2018 10:57 PM
> To: Alex Rousskov <rouss...@measurement-factory.com>; 
> squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid SSL db on ramdisk
>
> Yes, confirmed.
>
> When I replaced int m; and int d; with long m; and long d; it works like 
> a charm.
>
>
> 11.02.2018 01:08, Yuri writes:
>> The int m; declaration inside static bool parseBytesOptionValue(size_t * 
>> bptr, char const * value)?
>>
>> If I set it to long, as well as int d, it seems ok.
>>
>>
>> 11.02.2018 01:04, Alex Rousskov writes:
>>> On 02/10/2018 12:02 PM, Yuri wrote:
>>>> 11.02.2018 00:59, Alex Rousskov writes:
>>>>> On 02/10/2018 10:03 AM, Yuri wrote:
>>>>>
>>>>>> What is the correct syntax for the -M option?
>>>>> The correct syntax is, roughly,
>>>>>
>>>>>   -M [bytes|KB|MB|GB]
>>>> Exactly, with a space between the integer and the units?
>>> Without anything between integer and units. For example: 2GB
>>>
>>> Alex.



Re: [squid-users] How to set up a reverse proxy using squid for a simplified scenario?

2018-02-10 Thread Yuri
Ah. My bad. Correctly: Defence in depth:

https://en.wikipedia.org/wiki/Defense_in_depth_(computing)


11.02.2018 02:29, Yuri writes:
> No. This reason is obviously not strong enough. As well as the requirement
> to configure firewalls also on the servers, wherever they are placed. Security in
> depth - did you hear this term?
>
>
> 11.02.2018 02:26, Peng Yu writes:
>>> What is your reason for wanting "no restrictions"?
>> The proxied servers are behind a firewall already, which protect them
>> from any unwanted access. Is this reason strong enough to have no
>> restrictions set?
>>



Re: [squid-users] How to set up a reverse proxy using squid for a simplified scenario?

2018-02-10 Thread Yuri
No. This reason is obviously not strong enough. As well as the requirement
to configure firewalls also on the servers, wherever they are placed. Security in
depth - did you hear this term?


11.02.2018 02:26, Peng Yu writes:
>> What is your reason for wanting "no restrictions"?
> The proxied servers are behind a firewall already, which protect them
> from any unwanted access. Is this reason strong enough to have no
> restrictions set?
>



Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
Yes, confirmed.

When I replaced int m; and int d; with long m; and long d; it works like
a charm.


11.02.2018 01:08, Yuri writes:
> The int m; declaration inside static bool parseBytesOptionValue(size_t *
> bptr, char const * value)?
>
> If I set it to long, as well as int d, it seems ok.
>
>
> 11.02.2018 01:04, Alex Rousskov writes:
>> On 02/10/2018 12:02 PM, Yuri wrote:
>>> 11.02.2018 00:59, Alex Rousskov writes:
>>>> On 02/10/2018 10:03 AM, Yuri wrote:
>>>>
>>>>> What is the correct syntax for the -M option?
>>>> The correct syntax is, roughly,
>>>>
>>>>   -M [bytes|KB|MB|GB]
>>> Exactly, with a space between the integer and the units?
>> Without anything between integer and units. For example: 2GB
>>
>> Alex.



Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
The int m; declaration inside static bool parseBytesOptionValue(size_t *
bptr, char const * value)?

If I set it to long, as well as int d, it seems ok.


11.02.2018 01:04, Alex Rousskov writes:
> On 02/10/2018 12:02 PM, Yuri wrote:
>>
>> 11.02.2018 00:59, Alex Rousskov writes:
>>> On 02/10/2018 10:03 AM, Yuri wrote:
>>>
>>>> What is the correct syntax for the -M option?
>>> The correct syntax is, roughly,
>>>
>>>   -M [bytes|KB|MB|GB]
>> Exactly, with a space between the integer and the units?
> Without anything between integer and units. For example: 2GB
>
> Alex.



Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri


11.02.2018 00:59, Alex Rousskov writes:
> On 02/10/2018 10:03 AM, Yuri wrote:
>
>> What is the correct syntax for the -M option?
> The correct syntax is, roughly,
>
>   -M [bytes|KB|MB|GB]
Exactly, with a space between the integer and the units?
>
> with "bytes" as the default unit.
>
> However, you found a bug in the parsing code: The helper mishandles
> values exceeding 2147483647 bytes (on most platforms) due to a signed
> integer overflow in helper's parseBytesOptionValue().
>
> Furthermore, I have not tested it, but I suspect there is at least one
> bug in the mainline parseBytesOptionValue() code as well. Both functions
> should be rewritten (even if the second one "works"), and the correct
> format should be documented (including size limits).
>
>
>> How do I correctly specify -M with a 2 Gb size?
> You cannot specify that size until the above-mentioned bug is fixed.
>
> Alex.


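The exchange above pins the "-M 2GB" failure on a signed integer overflow in the helper's parseBytesOptionValue(): an int accumulator cannot hold 2 * 1024^3 = 2147483648, one past the 2147483647 limit Alex names, and Yuri's workaround was to widen int m and int d to long. Widening only helps where long is 64 bits (LP64 platforms); on a 32-bit long it fails the same way. The following is an added example, written for this page and not Squid's own code, of a parser for the same "<integer>[bytes|KB|MB|GB]" syntax that checks for overflow explicitly rather than relying on the width of the accumulator. It also treats a space before the unit as malformed, matching Alex's "without anything between integer and units". The names parseBytesOptionValue, exceedsInt32Max, parsesTo and rejects are mine.

```cpp
#include <cctype>
#include <cerrno>
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <strings.h>   // strcasecmp (POSIX)

// Hypothetical overflow-safe parser for "<integer>[bytes|KB|MB|GB]", written for
// this example; it is not Squid's parseBytesOptionValue. The unit must follow the
// digits directly ("2GB") and "bytes" is the default unit. Returns false for
// malformed input or when the byte count would not fit size_t, instead of
// letting the multiplication wrap as a 32-bit int accumulator would.
bool parseBytesOptionValue(size_t *bytes, const char *value)
{
    if (bytes == nullptr || value == nullptr)
        return false;

    // Only an unsigned decimal number is acceptable. strtoull() would quietly
    // negate "-1" and wrap it to a huge value without reporting an error.
    if (!isdigit(static_cast<unsigned char>(value[0])))
        return false;

    errno = 0;
    char *end = nullptr;
    const unsigned long long m = strtoull(value, &end, 10);
    if (errno == ERANGE)
        return false;                       // the digits alone exceed 64 bits

    unsigned long long d = 0;
    if (*end == '\0' || strcasecmp(end, "bytes") == 0)
        d = 1ULL;
    else if (strcasecmp(end, "KB") == 0)
        d = 1ULL << 10;
    else if (strcasecmp(end, "MB") == 0)
        d = 1ULL << 20;
    else if (strcasecmp(end, "GB") == 0)
        d = 1ULL << 30;
    else
        return false;                       // unknown unit, or a space before it

    // Check m * d <= ULLONG_MAX before multiplying; d <= ULLONG_MAX / m is the
    // equivalent test that cannot itself overflow.
    if (m != 0 && d > ULLONG_MAX / m)
        return false;
    const unsigned long long product = m * d;
    if (product > static_cast<unsigned long long>(SIZE_MAX))
        return false;                       // matters on hosts with a 32-bit size_t

    *bytes = static_cast<size_t>(product);
    return true;
}

// True when a byte count exceeds INT32_MAX (2147483647), the limit named in the
// thread for the int-based helper; "2GB" is exactly one byte past it.
bool exceedsInt32Max(unsigned long long product)
{
    return product > 2147483647ULL;
}

// Small helpers that turn the parser's outcome into a single checkable value.
bool parsesTo(const char *value, unsigned long long expected)
{
    size_t bytes = 0;
    return parseBytesOptionValue(&bytes, value) && bytes == expected;
}

bool rejects(const char *value)
{
    size_t bytes = 0;
    return !parseBytesOptionValue(&bytes, value);
}

int main()
{
    // Constructed inputs, including the ones tried in the thread's terminal session.
    const char *samples[] = {"5MB", "1024MB", "2GB", "2 GB", "2", "7bytes", "-1MB", "GB"};
    for (const char *s : samples) {
        size_t bytes = 0;
        if (parseBytesOptionValue(&bytes, s))
            printf("%-7s -> %llu bytes%s\n", s, static_cast<unsigned long long>(bytes),
                   exceedsInt32Max(bytes) ? " (exceeds INT32_MAX)" : "");
        else
            printf("%-7s -> rejected\n", s);
    }
    return 0;
}
```

One detail of the terminal session is worth keeping in mind when reading it: at a shell prompt, `-M 2 GB` is split into two words, so the value the helper receives for -M is just `2`; the `GB` never reaches the parser as part of the value. That is why the spaced forms start up (and have to be interrupted with ^C) while the unspaced `2GB` is the one that exercises the overflow.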

Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri
One more question.

What is the correct syntax for the -M option? I'm just in doubt. The helper eats -M
5MB, but not -M 1024MB; however, it eats -M 1 GB.

root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 2GB
/usr/local/squid/libexec/security_file_certgen: Error when parsing -M
options value
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 2 GB
^C
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 2GB
/usr/local/squid/libexec/security_file_certgen: Error when parsing -M
options value
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 5MB
^C
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 5GB
/usr/local/squid/libexec/security_file_certgen: Error when parsing -M
options value
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 5 MB
^C
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 1024MB
/usr/local/squid/libexec/security_file_certgen: Error when parsing -M
options value
root @ lemanruss /patch/tmp #
/usr/local/squid/libexec/security_file_certgen -s /ramdisk1/ssl_db -M 1024 MB
^C

How do I correctly specify -M with a 2 Gb size?


10.02.2018 22:39, Yuri writes:
>
> 10.02.2018 22:36, Alex Rousskov writes:
>> On 02/10/2018 09:23 AM, Yuri wrote:
>>
>>> I can set -M according to the size of the FS used to store the SSL DB, correct?
>> Yes, -M limits the sum of sizes of all (serialized) certificates stored
>> in the helper database. The helper tries to account for the filesystem
>> block size, but I doubt its calculations are very precise.
> Tks for clarifying :)
> Got it. Will correct my configs :-)
>>
>>> dynamic_cert_mem_cache_size is http(s)_port option?
>> Yes, it is. If the needed dynamically-generated certificate is found in
>> the dynamic certificate memory cache, then Squid does not ask the helper
>> to generate that certificate. This in-Squid RAM cache stores raw (not
>> serialized) certificates. As you know, Squid does not compute the size
>> of raw (not serialized) certificates correctly, resulting in bug #4005
>> issues: https://bugs.squid-cache.org/show_bug.cgi?id=4005
> Aha, and in this case helper speed is critical, and using helper storage
> on a ramdisk will be very useful
>> Alex.



Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri


10.02.2018 22:36, Alex Rousskov writes:
> On 02/10/2018 09:23 AM, Yuri wrote:
>
>> I can set -M according to the size of the FS used to store the SSL DB, correct?
> Yes, -M limits the sum of sizes of all (serialized) certificates stored
> in the helper database. The helper tries to account for the filesystem
> block size, but I doubt its calculations are very precise.
Tks for clarifying :)
Got it. Will correct my configs :-)
>
>
>> dynamic_cert_mem_cache_size is http(s)_port option?
> Yes, it is. If the needed dynamically-generated certificate is found in
> the dynamic certificate memory cache, then Squid does not ask the helper
> to generate that certificate. This in-Squid RAM cache stores raw (not
> serialized) certificates. As you know, Squid does not compute the size
> of raw (not serialized) certificates correctly, resulting in bug #4005
> issues: https://bugs.squid-cache.org/show_bug.cgi?id=4005
Aha, and in this case helper speed is critical, and using helper storage
on a ramdisk will be very useful.
>
> Alex.



Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri


10.02.2018 22:18, Alex Rousskov writes:
> On 02/10/2018 06:43 AM, Yuri wrote:
>
>> security_file_certgen uses a memory cache to buffer slow
>> disk IO for the certificates DB.
> It does not.
Ahhaaa, I just misunderstood the options.
>
>
>> If we put the cert DB onto a ramdisk (in fact,
>> in RAM), then we can easily reduce the helper's -M value.
> security_file_certgen -M is the helper database size, not the
> buffer/cache size.
Ah. Got it. I.e., I can set -M according to the size of the FS used to store the SSL
DB, correct?
>
> The buffer/cache you might be thinking about is inside Squid, not inside
> the helper. See dynamic_cert_mem_cache_size. dynamic_cert_mem_cache_size
> is not related to -M.
Tks, Alex. But wait,

dynamic_cert_mem_cache_size

is an http(s)_port option?

>
>
> HTH,
>
> Alex.



Re: [squid-users] How to hide client info?

2018-02-10 Thread Yuri
How is Cache-Control related to hiding client info?

10.02.2018 21:49, Peng Yu writes:
> If I don't use the proxy, I will have the following.
>
> The proxied result has '"Cache-Control": "max-age=259200"'. To disable
> it, should I use ignore-cc? Could you show me how to configure squid
> to not send '"Cache-Control": "max-age=259200"'? Thanks.
>
> $ wget -qO- http://httpbin.org/get
> {
>   "args": {},
>   "headers": {
> "Accept": "*/*",
> "Accept-Encoding": "identity",
> "Connection": "close",
> "Host": "httpbin.org",
> "User-Agent": "Wget/1.16.3 (darwin13.4.0)"
>   },
>   "origin": "",
>   "url": "http://httpbin.org/get"
> }
>
>
> On Sat, Feb 10, 2018 at 9:23 AM, Yuri <yvoi...@gmail.com> wrote:
>> Opening squid.conf.documented:
>>
>> #  TAG: forwarded_for    on|off|transparent|truncate|delete
>> #    If set to "on", Squid will append your client's IP address
>> #    in the HTTP requests it forwards. By default it looks like:
>> #
>> #        X-Forwarded-For: 192.1.2.3
>> #
>> #    If set to "off", it will appear as
>> #
>> #        X-Forwarded-For: unknown
>> #
>> #    If set to "transparent", Squid will not alter the
>> #    X-Forwarded-For header in any way.
>> #
>> #    If set to "delete", Squid will delete the entire
>> #    X-Forwarded-For header.
>> #
>> #    If set to "truncate", Squid will remove all existing
>> #    X-Forwarded-For entries, and place the client IP as the sole entry.
>> #Default:
>> # forwarded_for on
>>
>>
>> 10.02.2018 21:04, Peng Yu writes:
>>> Hi,
>>>
>>> I use squid to set a proxy. But the following output shows my local ip
>>> address besides the squid proxy ip. Is there a way to let httpbin.org
>>> only be aware of the squid_proxy but not my local ip?
>>>
>>> $ http_proxy=squid_proxy:3128 wget -qO- http://httpbin.org/get
>>> {
>>>   "args": {},
>>>   "headers": {
>>> "Accept": "*/*",
>>> "Accept-Encoding": "identity",
>>> "Cache-Control": "max-age=259200",
>>> "Connection": "close",
>>> "Host": "httpbin.org",
>>> "User-Agent": "Wget/1.16.3 (darwin13.4.0)"
>>>   },
>>>   "origin": ", ",
>>>   "url": "http://httpbin.org/get"
>>> }
>>>
>>>
>
>



Re: [squid-users] How to hide client info?

2018-02-10 Thread Yuri
Opening squid.conf.documented:

#  TAG: forwarded_for    on|off|transparent|truncate|delete
#    If set to "on", Squid will append your client's IP address
#    in the HTTP requests it forwards. By default it looks like:
#
#        X-Forwarded-For: 192.1.2.3
#
#    If set to "off", it will appear as
#
#        X-Forwarded-For: unknown
#
#    If set to "transparent", Squid will not alter the
#    X-Forwarded-For header in any way.
#
#    If set to "delete", Squid will delete the entire
#    X-Forwarded-For header.
#
#    If set to "truncate", Squid will remove all existing
#    X-Forwarded-For entries, and place the client IP as the sole entry.
#Default:
# forwarded_for on


10.02.2018 21:04, Peng Yu writes:
> Hi,
>
> I use squid to set a proxy. But the following output shows my local ip
> address besides the squid proxy ip. Is there a way to let httpbin.org
> only be aware of the squid_proxy but not my local ip?
>
> $ http_proxy=squid_proxy:3128 wget -qO- http://httpbin.org/get
> {
>   "args": {},
>   "headers": {
> "Accept": "*/*",
> "Accept-Encoding": "identity",
> "Cache-Control": "max-age=259200",
> "Connection": "close",
> "Host": "httpbin.org",
> "User-Agent": "Wget/1.16.3 (darwin13.4.0)"
>   },
>   "origin": ", ",
>   "url": "http://httpbin.org/get"
> }
>
>



Re: [squid-users] Squid SSL db on ramdisk

2018-02-10 Thread Yuri


10.02.2018 13:30, Amos Jeffries writes:
> On 10/02/18 12:55, Yuri wrote:
>> Amos,
>>
>> what do you think: if I put the SSL db (usually placed in
>> /var/lib/ssl_db) on a ramdisk, does this give some gain for bump performance?
>>
> I expect so, but do not use bumping myself so cannot say for certain.
Ok, will do tests.
>
>> How reasonable is it to do that?
>>
>> Also, I think that by doing that I can reduce the in-memory cache size for
>> the security_file_certgen helper.
>>
>> What do you think?
> I don't think it will have any effect on that. The size of the DB
> content is not related to *where* it is stored.
No-no. I mean, security_file_certgen uses a memory cache to buffer slow
disk IO for the certificates DB. If we put the cert DB onto a ramdisk (in fact,
in RAM), then we can easily reduce the helper's -M value. Correct?
>
>
> Amos



[squid-users] Squid SSL db on ramdisk

2018-02-09 Thread Yuri
Amos,

what do you think: if I put the SSL db (usually placed in
/var/lib/ssl_db) on a ramdisk, does this give some gain for bump performance?

How reasonable is it to do that?

Also, I think that by doing that I can reduce the in-memory cache size for
the security_file_certgen helper.

What do you think?



Re: [squid-users] Facebook Messenger (Not Internet Connection->Connecting)

2018-02-09 Thread Yuri
Hard to say. It requires deeper troubleshooting. Maybe configuration. Maybe
network. Maybe ISP.


10.02.2018 01:58, Hery Martin writes:
> Hello Yuri
>
> Right now I compiled 3.5.27, and still have the same issue, so maybe
> it's something related to my environment??? But... what can it be?
>
>



Re: [squid-users] Facebook Messenger (Not Internet Connection->Connecting)

2018-02-09 Thread Yuri
Works like a charm on 3.5.27.


09.02.2018 23:54, Hery Martin writes:
> Hello guys!
>
> I'm having this weird issue since 2 months ago. Don't know why when
> somebody tries to use Facebook Messenger (https://www.messenger.com)
> after login, you can see all your contacts and messages, but
> immediately a red bar is shown with "Not Internet Connection" text. It's
> important to say that it only happens using https://www.messenger.com; if
> you use https://www.facebook.com/messages/ all works as expected.
>
> I hope that any of you can test it in your environments??? 
>
> Anyway, my squid version is 3.5.12. I manage an Enterprise Network, so
> just to be sure, I tested with a clean Squid installation on our
> virtualization cluster, and the results were the same.
>
> I also tested it without Squid, to know if it was caused by my ISP
> provider, but browsing locally on the server where Squid is
> virtualized but with no proxy, things work as expected.
>
> Tracing the request in the browser console, I found that
> URLs https://6-edge-chat.messenger.com/p?partition or any other
> number (1-, 2-, 3-, 4-) at the beginning are throwing
> ERR_CONNECTION_CLOSED immediately, and looking into the squid access log
> shows TCP_TUNNEL/200 0 CONNECT 6-edge-chat.messenger.com:443
>  - HIER_DIRECT/157.240.14.15
>  - and nothing more!
>
> This is melting my brain. So please test it before to know if you have
> the same problem
>
> Cheers!
>
>



Re: [squid-users] Macros

2018-02-08 Thread Yuri
Indeed :)

You can cover this by writing good documentation and sharing it ;) This is
OpenSource ;) Nothing exists, except what you create yourself ;)


09.02.2018 01:34, Alfredo Daniel Rezinovsky writes:
>
> I tried searching in the code and still couldn't find it. But
> Challenge accepted.
>
>
> On 08/02/18 16:28, Yuri wrote:
>> This is OpenSource :) There is no documentation :) (As they say - read
>> the code to get documentation ;))
>>
>>
>> 09.02.2018 01:26, Alfredo Daniel Rezinovsky writes:
>>> I know there is a macro ${service_name}
>>>
>>> I'd like to know if there are others, or if there's a way to parse
>>> environment variables in squid.conf.
>>>
>>> I didn't find this in the online documentation
>>>
>>
>>
>
>
>



Re: [squid-users] Macros

2018-02-08 Thread Yuri
This is OpenSource :) There is no documentation :) (As they say - read
the code to get documentation ;))


09.02.2018 01:26, Alfredo Daniel Rezinovsky writes:
> I know there is a macro ${service_name}
>
> I'd like to know if there are others, or if there's a way to parse
> environment variables in squid.conf.
>
> I didn't find this in the online documentation
>



Re: [squid-users] Certificate Authority with SSLBump

2018-02-08 Thread Yuri
1. Use the Mozilla CA bundle instead of the system one (if one exists) for Squid.

2. Update the Mozilla CA bundle by a script run from cron on a regular basis.

3. Have your own manually maintained custom add_certs.pem list, which is combined
with the bundle from step 2 during updates.

That's all, folks.


08.02.2018 23:33, FredB writes:
> Hi All,
>
> In practice, how do you maintain the CA files? I'm testing SSLBump with Debian 
> Jessie; the package ca-certificates provides many certificates but fewer than 
> the latest Firefox Browser.
> How do you manage to keep all that in check? When a CA is missing, do you add the 
> pem in your system config or exclude the website from SSLBump?  
>
> EG: From my test https://wiki.squid-cache.org seems unknown (71) Protocol 
> error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's 
> Encrypt/CN=Let's Encrypt Authority X3
>
> Thanks
>
> Regards
> Fred



Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
Where does ipfw run? In a virtual machine, or on the hypervisor?


08.02.2018 05:44, setuid writes:
> On 2/7/18 6:36 PM, Yuri wrote:
>> Did you use an ipfw NAT configuration on the same box as Squid?
> Yes, my ipfw configuration is:
>
> $cmd 00700 deny ip from any to any dst-port 3128 via em0
> $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
> $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25
> src-ip 192.168.1.1
> $cmd add 6 permit ip from any to any



Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
Squid is relatively difficult to run in transparent mode on virtual
platforms due to NAT limitations on virtual platforms (this is not
Squid's issue, this is an issue of virtual platforms).

I'm using Squid only in transparent mode (only in transparent mode) for
several years on Solaris (bare metal) without any issues in HTTP/HTTPS
interception. With IPFilter. With 1-2-6-8 interfaces with different LAN
topologies. Starting from Squid 2.7, then 3.4, 3.5, 4.x and now 5.x. All
without serious problems.

But on bare metal.

08.02.2018 05:25, setuid writes:
> On 2/7/18 5:37 PM, Rafael Akchurin wrote:
>> How is your network configured? Your rules indicate you have 2 nics but you 
>> later say you have one..
> Originally, I started with 1 NIC (it's a VM), and added 2 more, because
> I read that pf/ipfw can't rewrite ingress packets on the same interface
> it used for egress, but I haven't tried creating a bridge and routes to
> attempt to make that work yet.
>
> The Ubuntu machine has 2 NICs; primary NIC is WAN facing (internet
> routable IP bound to eth0) and the secondary NIC sits on the "backup"
> network (LAN-side) on 192.168.2.x.
>
> Let's break it down:
>
> [WAN router]
>   |-- LAN: 192.168.1.1 (wired LAN)
>   `-- WWAN: 10.0.1.1 (wireless clients)
>
> BSD VM: 192.168.1.25
>
> Ubuntu VM:
>   |-- INET: 32.215.x.x
>   `-- LAN: 192.168.2.x
>
> The WAN router is what sends traffic sent over it on :80, over to .1.25
> (BSD) to cache.
>
> Previously, I had it pointed to Squid 2.6 sitting on my NAS
> (192.168.1.20) and that would work perfectly as a transparent proxy.
>
> When I pointed the WAN router to .25 instead of .20, and upgraded the
> version of Squid by using BSD's version from ports on .25, this process
> all fell apart.
>
> So... is having 3 NICs (1 NIC + 2 bridged together as bridge0) *now* a
> requirement to get transparent proxying working with anything using
> Squid 3.x or later?
>
> Can this be done with a single NIC sitting on an Internet-facing LAN
> segment?
>
> If so, how?



Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
If you configured squid with

'--enable-ipfw-transparent'

you should follow the manual for ipfw configuration.

Did you use an ipfw NAT configuration on the same box as squid?

08.02.2018 05:14, setuid wrote:
> On 2/7/18 4:31 PM, Yuri wrote:
>> I haven't seen your configuration options for squid. Not squid.conf. Just
>> ./configure options.
> Here's what I'm building with (from 'make config' in ports tree)
>
> '--bindir=/usr/local/sbin'
> '--build=amd64-portbld-freebsd11.1'
> '--datadir=/usr/local/etc/squid'
> '--disable-arch-native'
> '--disable-ecap'
> '--disable-epoll'
> '--disable-esi'
> '--disable-ipf-transparent'
> '--disable-ipv6'
> '--disable-linux-netfilter'
> '--disable-linux-tproxy'
> '--disable-pf-transparent'
> '--disable-silent-rules'
> '--disable-snmp'
> '--disable-ssl'
> '--disable-ssl-crtd'
> '--disable-stacktraces'
> '--disable-translation'
> '--enable-auth'
> '--enable-auth-basic=DB
> '--enable-auth-digest=file'
> '--enable-auth-negotiate=none'
> '--enable-auth-ntlm=fake
> '--enable-build-info'
> '--enable-cache-digests'
> '--enable-delay-pools'
> '--enable-disk-io=DiskThreads
> '--enable-eui'
> '--enable-external-acl-helpers=file_userip
> '--enable-follow-x-forwarded-for'
> '--enable-forw-via-db'
> '--enable-htcp'
> '--enable-http-violations'
> '--enable-icap-client'
> '--enable-icmp'
> '--enable-ident-lookups'
> '--enable-ipfw-transparent'
> '--enable-kqueue'
> '--enable-loadable-modules'
> '--enable-log-daemon-helpers=file'
> '--enable-removal-policies=lru
> '--enable-security-cert-validators=fake'
> '--enable-storeid-rewrite-helpers=file'
> '--enable-storeio=aufs
> '--enable-url-rewrite-helpers=fake'
> '--enable-wccp'
> '--enable-wccpv2'
> '--enable-zph-qos'
> '--infodir=/usr/local/info/'
> '--libexecdir=/usr/local/libexec/squid'
> '--localstatedir=/var'
> '--mandir=/usr/local/man'
> '--prefix=/usr/local'
> '--sbindir=/usr/local/sbin'
> '--sysconfdir=/usr/local/etc/squid'
> '--with-default-user=squid'
> '--with-large-files'
> '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid/squid.pid'
> '--with-swapdir=/var/squid/cache'
> '--without-gnutls'
> '--without-gss'
> '--without-heimdal-krb5'
> '--without-mit-krb5'
> '--without-nat-devpf'
> '--without-nettle'

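As an added illustration of the same-box ipfw setup this reply points to (example code written for this page, not from the thread or from the Squid project): a POSIX shell script that checks the output of `squid -v` for `--enable-ipfw-transparent`, checks that squid.conf really marks the target port as `intercept`, and generates, for review before applying, the ipfw rules that forward LAN clients' port-80 traffic into Squid's intercept port on the same host. Interface name, LAN range, Squid user and port are assumed values. One detail worth checking against the router script quoted further down: it DNATs to port 3128, while the squid.conf shown there marks 3129 as the intercept port; intercepted traffic must arrive on the port marked `intercept`.

```shell
#!/bin/sh
# Added example (not code from the thread or from Squid): same-host ipfw
# interception for a Squid built with --enable-ipfw-transparent.
# Assumed (hypothetical) values; override them in the environment.
LAN_IF="${LAN_IF:-em1}"                     # interface facing the clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # client network
SQUID_USER="${SQUID_USER:-squid}"           # user Squid runs as
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"    # the "http_port NNNN intercept" port

# Check 1: was this binary built with ipfw interception support?
# Usage: has_ipfw_transparent "$(squid -v)"
has_ipfw_transparent() {
    printf '%s\n' "$1" | grep -q -- '--enable-ipfw-transparent'
}

# Check 2: does squid.conf mark the port as intercept (not a plain proxy port)?
# Usage: intercept_port_configured "$(cat /usr/local/etc/squid/squid.conf)" 3129
intercept_port_configured() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*http_port[[:space:]]+([^[:space:]]+:)?$2[[:space:]]+.*intercept"
}

# Emit the ruleset (comments included) without touching the firewall.
gen_ipfw_rules() {
    cat <<EOF
# Squid's own outbound fetches are allowed first so that no later fwd rule
# can catch them and create a loop.
add 100 allow tcp from any to any 80 out uid ${SQUID_USER}
# Port 80 on the proxy host itself is not intercepted.
add 110 allow tcp from any to me 80 in recv ${LAN_IF}
# Clients' port-80 traffic is handed to the local intercept port; fwd keeps
# the original destination on the socket, which Squid reads back itself.
add 120 fwd 127.0.0.1,${INTERCEPT_PORT} tcp from ${LAN_NET} to any 80 in recv ${LAN_IF}
EOF
}

# Apply the ruleset line by line, skipping comments. Requires root and an
# ipfw kernel with forward support; review gen_ipfw_rules output first.
apply_ipfw_rules() {
    gen_ipfw_rules | grep -v '^#' | while read -r rule; do
        # $rule is deliberately unquoted so ipfw receives the words separately
        ipfw -q $rule
    done
}

case "${1:-}" in
    --apply) apply_ipfw_rules ;;
    *)       gen_ipfw_rules ;;
esac
```

Run it without arguments to print the rules, with `--apply` to load them. The two check functions take text rather than running commands themselves so they can be used against a saved `squid -v` dump or a config copied from another host.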


Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
One stupid idiotic question.

Did you build your squid with transparent NAT support?

This is a mandatory prerequisite for transparent squid.

I haven't seen your configuration options for squid. Not squid.conf. Just
./configure options.


08.02.2018 03:11, setuid wrote:
> I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5,
> 4.0 on Ubuntu Xenial, Debian Jessie, FreeBSD 11.1 using iptables, pf,
> ipf, ipfilter) does not work at all, when configured as a transparent
> proxy. Full stop.
>
> I went through hundreds of posts on dozens of forums, blogs and other
> resources, tried dozens and dozens of configurations suggested by those
> posts, tried all 3 firewall options on BSD, tried two versions of Ubuntu
> and the various versions of Squid from the apt repos, as well as those
> in BSD's ports.
>
> All of them, 100%, fail in _exactly_ the same way, no matter what my
> configuration was set to. That result, is that _every single http
> request I make_ when Squid is configured as a transparent proxy, results
> in the following response being logged:
>
> ==
>   07/Feb/2018:15:10:59 -0500.213  0 192.168.1.1 TAG_NONE/400 3583 GET
> / - HIER_NONE/- text/html ("-" "-")
> ==
>
> When I point a client directly at the proxy, using a browser, curl or
> anything else, I see:
>
> ==
>   07/Feb/2018:15:12:56 -0500.875 82 192.168.1.1 TCP_MISS/302 333 HEAD
> http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0")
> ==
>
> These were the same exact request against the same exact Squid instance.
> If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is
> _identical_ for every single http request I make, regardless of origin.
>
> My Squid configuration is 100% default, identical to the generic config,
> with the exception of the following lines:
>
> ==
> http_port 3128
> http_port 3129 intercept
> tcp_outgoing_address 192.168.1.25
> debug_options ALL,9
> ==
>
> I've tried all of the obvious links, blogs and resources I could Google
> up, and 100% of them fail to function as described. Most people I've
> seen on the forums who attempt to get this working, throw their hands up
> in defeat and end up configuring the proxy directly on every client that
> needs it.
>
> My current environment looks like this:
>
> [ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ]
>
> That router has a firewall script on it that says:
>
> ==
> #!/bin/sh
> PROXY_IP=192.168.2.25
> PROXY_PORT=3128
> LAN_IP=$(nvram get lan_ipaddr)
> LAN_NET=$LAN_IP/$(nvram get lan_netmask)
>
> # LAN-to-LAN traffic on port 80 is left alone
> iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp \
>   --dport 80 -j ACCEPT
> # all other port-80 traffic, except from the proxy itself, is sent to Squid
> iptables -t nat -A PREROUTING -i br0 ! -s $PROXY_IP -p tcp --dport 80 \
>   -j DNAT --to $PROXY_IP:$PROXY_PORT
>
> # rewrite the source so the proxy's replies come back via the router
> iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp \
>   -j SNAT --to $LAN_IP
> iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp \
>   --dport $PROXY_PORT -j ACCEPT
> ==
>
> This takes every packet that hits the router on :80, and sends it to my
> Squid server on .25, which mangles it and sends it back to 192.168.1.1
> (router), and onward back to client who requested it.
>
> When I was using 2.6 (without large_file support), I was using this same
> exact configuration, but http_port was set to 'accel', and I didn't need
> _any_ NAT/routing rules on the squid side at all. It all "Just Worked(tm)".
>
> Now I need to jump through hoops to do pf incantations of rdr/direct-to
> (but direct-to and direct-reply aren't supported on FreeBSD's pf, only
> OpenBSD's pf supports that syntax), and iptables PREROUTING and
> POSTROUTING mojo (also fails).
>
> Here's a list of some of the resources I've tried, with 100% failure in
> every case. There are dozens more that I've lost in my browser history now.
>
> * https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw
> *
> https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF
> * https://www.benzedrine.ch/transquid.html
> *
> https://www.unix-experience.fr/2013/create-a-powerfull-proxy-cache-with-squid-and-openbsd-2/
> *
> https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
> *
> https://adilmehmoodbutt.wordpress.com/2014/02/19/how-to-install-squid3-transparent-proxy-server/
> * https://veesp.com/en/blog/how-to-setup-squid-on-ubuntu
> * https://ubuntuforums.org/showthread.php?t=2210987
> *
> http://ubuntuserverguide.com/2012/06/how-to-setup-squid3-as-transparent-proxy-on-ubuntu-server-12-04.html
> *
> http://roberts.bplaced.net/index.php/linux-guides/centos-6-guides/proxy-server/squid-transparent-proxy-http-https
>
> I also tried asking in #squid on Freenode (dead channel), and #FreeBSD
> (helpful folks there, but they too, failed to get this working).
>
> So I'm at an impasse. Is this just 100% 

Re: [squid-users] Default host_verify_strict behavior appears to have changed as of 3.5.25

2018-02-07 Thread Yuri
This is irrelevant to host_verify_strict. This is the effect of server-side CDN
IP changes. Squid treats it as a security alert.

08.02.2018 00:03, steveno wrote:
> I was using squid 3.5.20 and encountered an issue running out of File
> Descriptors on CentOS 7; the scenario was that sockets would be abandoned in
> a "CLOSE_WAIT" state forever until the server ran out of FDs.
> Searching I found the following BUG. 
> https://bugs.squid-cache.org/show_bug.cgi?id=4508
> This is listed as being fixed in 3.5.25, so I installed that version, once
> installed the FD problem seemed to be resolved, but now there is another
> issue: "Default Value: host_verify_strict off" seems to be lost, in my access
> logs I get a number of entries:
> 2018-02-07 17:10:42  0 10.x.x.x TAG_NONE/409 3941 CONNECT
> sqs.us-west-2.amazonaws.com:443 sqs.us-west-2.amazonaws.com HIER_NONE/-
> text/html
>
> Cache logs I get:
> 2018/02/07 17:57:45 kid1| SECURITY ALERT: on URL:
> sqs.us-west-2.amazonaws.com:443
>
> And the clients making those requests tend to see dropped connections with a
> "SSL: UNKNOWN_PROTOCOL" error.
>
> I tried setting the value "host_verify_strict off" but it did not appear to
> have any effect.
>
> It looks like this fix for the File Descriptors has broken something else.
>
> Thanks.
>
> Steven Oakley.
>
>
>
> --
> Sent from: 
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

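A triage helper for the log lines quoted in this thread, added here as an example (not from the thread or from Squid). The TAG_NONE/409 entry is Squid's host-verification refusal: the IP the client was intercepted on its way to no longer appears among the addresses the Host/SNI name resolves to, which is exactly what happens when a CDN rotates addresses. Because that 409 is an HTTP error page sent on a connection where the client expected a TLS handshake, the client side reports it as "SSL: UNKNOWN_PROTOCOL". The script lists, per destination host, how many requests failed this check in a default-format access.log, and adds a check that compares an intercepted destination IP against the name's current resolution (that one needs DNS, so it is not exercised offline). The log lines in the block are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): find which destinations
# are failing Squid's host verification. Sample access.log lines in Squid's
# default native format, constructed for this example.
SAMPLE_ACCESS_LOG='1517990000.123      0 10.1.2.3 TAG_NONE/409 3941 CONNECT sqs.us-west-2.amazonaws.com:443 - HIER_NONE/- text/html
1517990001.456     82 10.1.2.3 TCP_MISS/200 12345 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1517990002.789      0 10.1.2.4 TAG_NONE/409 3941 CONNECT sqs.us-west-2.amazonaws.com:443 - HIER_NONE/- text/html
1517990003.012      0 10.1.2.5 TAG_NONE/409 3900 GET http://cdn.example.net/a.js - HIER_NONE/- text/html'

# Print "count host", most frequent first, for every destination that got a 409.
# $1 = access.log text (native format: time elapsed client code/status bytes method URL ...)
hostverify_report() {
    printf '%s\n' "$1" | awk '
        $4 ~ /\/409$/ {
            host = $7
            sub(/^https?:\/\//, "", host)   # strip scheme from plain-HTTP URLs
            sub(/[:\/].*$/, "", host)       # strip :port or /path
            n[host]++
        }
        END { for (h in n) print n[h], h }' | sort -rn
}

# Compare an intercepted destination IP with what the name resolves to right
# now (needs DNS). Exit 0 if the IP is among the current answers, 1 otherwise.
# Usage: dest_ip_matches_name sqs.us-west-2.amazonaws.com 52.94.225.1
dest_ip_matches_name() {
    getent hosts "$1" | awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }'
}

hostverify_report "$SAMPLE_ACCESS_LOG"
```

A host that shows up repeatedly here, and whose intercepted IP fails `dest_ip_matches_name` a few seconds later, is a CDN-rotation case rather than a client sending a forged Host header; that is the distinction Squid's check cannot make on its own.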


Re: [squid-users] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread Yuri
Mobile devices, depending on the "OS", often use different CAs: from the system
store, from the browser's store (I mean FF), and some apps will __never
use the user's CA__.

This is (IMHO useless) security theatre by mobile device manufacturers.


06.02.2018 19:30, Roberto Carna wrote:
> People, I've setup a transparent Squid proxy for WiFi clients. I'm
> using SSL interception so I had to generate a CA private certificate
> (generated from pfSense certificate manager tab).
>
> But when I add this CA private certificate to several Android and
> iPhone devices, some of the Android devices don't work correctly:
> Facebook and Instagram don't load the profiles and Mercadolibre doesn't
> open the menu. In the other Android and iPhone devices, everything
> works OK.
>
> Can this problem be related to the CA certificate (maybe I have to use
> a given digest algorithm and key length) or is this an Android
> intrinsic problem depending on the OS version???
>
> Thanks a lot.
>
> ROBERT

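An added example (not from the thread, pfSense or Squid) of the check Roberto asks about: inspect the interception CA and flag the properties that make a CA unacceptable to current TLS stacks regardless of platform, namely a SHA-1 signature, an RSA key shorter than 2048 bits, no CA:TRUE basic constraint and no keyCertSign key usage. The function takes the text output of `openssl x509 -noout -text`, so it can also be fed a stored dump; the two certificate excerpts in the block are constructed. Passing this check does not help with the failure mode Yuri describes: apps that pin their own certificates, or (on Android 7 and later, for apps targeting that API level) simply do not trust user-installed CAs unless their network security configuration opts in, break no matter how the CA was generated.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an interception CA.
# Input is the text form of the certificate:
#   check_ca_text "$(openssl x509 -in ca.pem -noout -text)"
# Prints one FAIL line per finding; returns 0 only when nothing was found.
check_ca_text() {
    text="$1"
    rc=0
    if printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha1With'; then
        echo "FAIL: signed with SHA-1; regenerate the CA with -sha256"; rc=1
    fi
    # Key size check applies to RSA only (an EC P-256 key is fine at 256 bits)
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)"
        if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
            echo "FAIL: RSA key is ${bits} bits; use at least 2048"; rc=1
        fi
    fi
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "FAIL: basicConstraints CA:TRUE missing; clients will not treat it as a CA"; rc=1
    fi
    if ! printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
        echo "FAIL: keyUsage lacks keyCertSign"; rc=1
    fi
    return $rc
}

# Constructed excerpts of "openssl x509 -text" output, for demonstration only.
GOOD_CA_TEXT='Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign'

WEAK_CA_TEXT='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

# With a certificate file as the first argument, check that file instead.
if [ -n "${1:-}" ]; then
    check_ca_text "$(openssl x509 -in "$1" -noout -text)"
else
    echo "constructed weak CA:"; check_ca_text "$WEAK_CA_TEXT"
    echo "constructed good CA:"; check_ca_text "$GOOD_CA_TEXT" && echo "OK"
fi
```

The weak excerpt, which looks like an old pfSense or openssl default, produces four findings; the good one produces none. A CA that fails any of these will be rejected by the platform's own trust store and is not an app-specific problem.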


Re: [squid-users] TCP out of memory

2018-01-27 Thread Yuri

He's just disabled an icap-based service without disabling icap itself. So
- yes - this is as expected.

Vieri, bypass=1 is a different thing. This permits squid to bypass
adaptation in case the icap service is overloaded. And it is irrelevant to the
thing you did.

27.01.2018 23:41, Alex Rousskov wrote:
> On 01/27/2018 10:33 AM, Vieri wrote:
>
>> I noticed that if I set bypass=1 in squid.conf (regarding ICAP), and
>> if I stop the local clamd service (not the c-icap service), then the
>> clients see Squid's ERR_ICAP_FAILURE page. Is this expected?
>
> Difficult to say for sure without knowing what went wrong between Squid
> and c-icap: Not all ICAP errors can be bypassed. Consider sharing a
> (link to) compressed ALL,9 cache.log collected while reproducing the
> problem using a single HTTP transaction through an otherwise idle Squid.
>
> Alex.


Re: [squid-users] a host can not access web browsing

2018-01-26 Thread Yuri
(somebody has too much unlimited personal time :-))


27.01.2018 03:06, Antony Stone wrote:
> On Friday 26 January 2018 at 21:54:48, Bladimir Almeida wrote:
>
>> Hi, I'm a network administrator of my company,
> I wonder how you react to emails from your users which contain so little 
> specific information as I see below.
>
>> I've been dealing with a computer that can access all the services for days,
>> except that I can not surf the Internet.
> Was it previously able to surf the Internet?
>
> If yes, when did this change?
>
> Did anything else happen on your network at the same time as this change?
>
>> The message
> Please show us the full text of the message.
>
>> the browser
> Which browser are you using?
>
>> sends me is that the server
> Which server?
>
>> is rejecting the connections,
> Is any reason given?  Any more detail at all?
>
>> however the other domain pc
> This is a Windows domain?  Not just a simple "bunch of PCs on a network doing 
> their own thing"?  Do you need to authenticate to the domain (on *any* PC, I 
> don't just mean on the one giving the problems) in order to be able to access 
> websites?
>
>> access without any problem to the web, and reinstalled the pc 2 times
> Was the PC with the problem reinstalled or reconfigured shortly before it 
> stopped being able to access websites?
>
> I'm wondering what makes you think a reinstall might resolve the problem - you 
> might be right, but is there any information which leads you to believe this?
>
>> and nothing, the only thing that this pc I have to install windows xp,
>> because it works with a tool that requires that OS
> Do you have any other Windows XP machines on your network?
>
> If so, are any of those able to access websites?
>
>> Greetings, please help me.
> Please tell us where Squid fits into your question.
>
>
> Antony.
>


