Re: [squid-users] About to upgrade from 3 to 4

2018-06-10 Thread James Lay
On Sun, 2018-06-10 at 19:55 +1200, Amos Jeffries wrote:
> On 10/06/18 02:23, James Lay wrote:
> > On Sat, 2018-06-09 at 07:17 -0600, James Lay wrote:
> > > On Sun, 2018-06-10 at 01:13 +1200, Amos Jeffries wrote:
> > > > On 10/06/18 01:02, James Lay wrote:
> > > > So in my config file I have:
> > > > sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
> > > > However I do not see this after compiling and installing. Has this
> > > > gone away in 4? Thank you.
> > > > James
> > > > 
> > > > It's now called security_file_certgen.
> > > > Amos
> > > 
> > > Thanks Amos...I'll read this before asking anymore questions ☺
> > 
> > So ok...after making the changes to the config to account for new
> > security_file_certgen and tls_outgoing_options (thanks Amos!) I am
> > greeted with (hostname changed from real):
> > FATAL: mimeLoadIcon: cannot parse internal URL:
> > http://:0/squid-internal-static/icons/silk/image.png
> 
> There should be an error about no forward-proxy port as well. Squid
> requires at least one port able to receive requests for those URLs from
> clients. Port 3128 is normally that port, but you have repurposed it for
> interception, which disqualifies it.
> The hostname in these URLs is taken from that port's IP address
> reverse-DNS name, or the proxy's public/visible hostname. Whichever
> meets the requirement of being resolvable in DNS.
> 
> > Here's my config line:
> > ./configure --prefix=/opt/squid --with-openssl=/opt/libressl
> > --sysconfdir=/opt/squid/etc --enable-ssl --enable-ssl-crtd
> > --enable-linux-netfilter --enable-follow-x-forwarded-for
> > --with-large-files --enable-xternal-acl-helpers=none
> 
> Missing 'e' on --enable-external-acl-helpers.
> 
> ...
> 
> > sslproxy_cert_error allow all
> > tls_outgoing_options capath=/etc/ssl/certs flags=DONT_VERIFY_PEER
> 
> Please avoid DONT_VERIFY_PEER and "allow all" for cert errors. They are
> useless for both production AND debugging since all they do is hide
> security issues from *you*.
> It is best to watch for security issues and fix them. Not just
> ignore everything.
> 
> Amos

Thanks Amos...your insight always helps.  You were right on point...I
did have the no forward proxy error.  After adding an additional
http_port squid came right up...thanks again.

James
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] About to upgrade from 3 to 4

2018-06-10 Thread Amos Jeffries
On 10/06/18 02:23, James Lay wrote:
> On Sat, 2018-06-09 at 07:17 -0600, James Lay wrote:
>> On Sun, 2018-06-10 at 01:13 +1200, Amos Jeffries wrote:
>>> On 10/06/18 01:02, James Lay wrote:
>>>
>>> So in my config file I have:
>>>
>>> sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
>>>
>>> However I do not see this after compiling and installing. Has this gone
>>> away in 4? Thank you.
>>>
>>> James
>>>
>>>
>>> It's now called security_file_certgen.
>>>
>>> 
>>>
>>> Amos
>>>
>>
>> Thanks Amos...I'll read this before asking anymore questions ☺
>>
>>
> 
> So ok...after making the changes to the config to account for new
> security_file_certgen and tls_outgoing_options (thanks Amos!) I am
> greeted with (hostname changed from real):
> 
> FATAL: mimeLoadIcon: cannot parse internal URL:
> http://:0/squid-internal-static/icons/silk/image.png
> 

There should be an error about no forward-proxy port as well. Squid
requires at least one port able to receive requests for those URLs from
clients. Port 3128 is normally that port, but you have repurposed it for
interception, which disqualifies it.

The hostname in these URLs is taken from that port's IP address
reverse-DNS name, or the proxy's public/visible hostname. Whichever
meets the requirement of being resolvable in DNS.


> Here's my config line:
> 
> ./configure --prefix=/opt/squid --with-openssl=/opt/libressl
> --sysconfdir=/opt/squid/etc --enable-ssl --enable-ssl-crtd
> --enable-linux-netfilter --enable-follow-x-forwarded-for
> --with-large-files --enable-xternal-acl-helpers=none

Missing 'e' on --enable-external-acl-helpers.

...
> 
> sslproxy_cert_error allow all
> tls_outgoing_options capath=/etc/ssl/certs flags=DONT_VERIFY_PEER

Please avoid DONT_VERIFY_PEER and "allow all" for cert errors. They are
useless for both production AND debugging since all they do is hide
security issues from *you*.

It is best to watch for security issues and fix them. Not just ignore
everything.

Amos


Re: [squid-users] About to upgrade from 3 to 4

2018-06-09 Thread James Lay
On Sat, 2018-06-09 at 07:17 -0600, James Lay wrote:
> On Sun, 2018-06-10 at 01:13 +1200, Amos Jeffries wrote:
> > On 10/06/18 01:02, James Lay wrote:
> > 
> > So in my config file I have:
> > sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
> > However I do not see this after compiling and installing. Has this
> > gone away in 4? Thank you.
> > James
> > 
> > It's now called security_file_certgen.
> > Amos
> 
> Thanks Amos...I'll read this before asking anymore questions ☺
> 
> James

So ok...after making the changes to the config to account for
new security_file_certgen and tls_outgoing_options (thanks Amos!) I am
greeted with (hostname changed from real):

FATAL: mimeLoadIcon: cannot parse internal URL:
http://:0/squid-internal-static/icons/silk/image.png

Here's my config line:

./configure --prefix=/opt/squid --with-openssl=/opt/libressl
--sysconfdir=/opt/squid/etc --enable-ssl --enable-ssl-crtd
--enable-linux-netfilter --enable-follow-x-forwarded-for
--with-large-files --enable-xternal-acl-helpers=none

full config (I realize this might not be the most secure on the planet,
for now this is a dev box and I'm just testing functionality):

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/squid/etc/http_url.txt"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all
acl broken_ips dst "/opt/squid/etc/broken_ips.txt"
ssl_bump splice broken_ips
acl broken_https_sites ssl::server_name_regex "/opt/squid/etc/broken_url.txt"
ssl_bump splice broken_https_sites
ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/squid/etc/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all
sslproxy_cert_error allow all
tls_outgoing_options capath=/etc/ssl/certs flags=DONT_VERIFY_PEER
sslcrtd_program /opt/squid/libexec/security_file_certgen -s /opt/squid/var/ -M 4MB
sslcrtd_children 5
http_port gateway:3128 intercept
https_port gateway:3129 intercept ssl-bump cert=/opt/squid/etc/certs/sslsplit_ca_cert.pem cafile=/opt/squid/etc/certs/sslsplit_ca_cert.pem key=/opt/squid/etc/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %
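The three points Amos raises against the config above (the `allow all` cert-error rule, `DONT_VERIFY_PEER`, and an `http_port` that is only ever in intercept mode) are easy to check for mechanically before a reload. The script below is an added example written for this thread, not Squid code and not anything James or Amos posted. It parses squid.conf one directive per line, flags those three settings, and is run against two constructed sample configs: one modelled on James's posting with the weak lines kept, and one with them corrected. The `127.0.0.1:3127` forward-proxy port in the hardened sample is a placeholder address; the `sslproxy_flags` handling covers the Squid 3 spelling of the same flag, and treating `intercept`/`tproxy` as the modes that disqualify a port is my reading of Amos's reply.

```python
"""Audit a squid.conf for the three problems raised in this thread.

Added example; not Squid code and not anything posted by James or Amos.
The checks encode my reading of Amos's replies:
  1. `sslproxy_cert_error allow all` silently accepts every upstream cert error.
  2. `tls_outgoing_options ... flags=DONT_VERIFY_PEER` (Squid 4) or the older
     `sslproxy_flags DONT_VERIFY_PEER` (Squid 3) disables upstream verification.
  3. Every http_port is in intercept/tproxy mode, so no port can serve Squid's
     internal URLs (the "cannot parse internal URL: http://:0/..." FATAL).
"""
import shlex

# Constructed sample, modelled on the config posted in the thread; weak lines kept.
WEAK_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
http_access deny !Safe_ports
ssl_bump peek all
ssl_bump terminate all
sslproxy_cert_error allow all
tls_outgoing_options capath=/etc/ssl/certs flags=DONT_VERIFY_PEER
sslcrtd_program /opt/squid/libexec/security_file_certgen -s /opt/squid/var/ -M 4MB
http_port gateway:3128 intercept
https_port gateway:3129 intercept ssl-bump cert=/opt/squid/etc/certs/sslsplit_ca_cert.pem
"""

# The same config corrected: errors are no longer silenced, peer verification is
# back on, and a plain (non-intercept) http_port exists for forward/internal
# requests. 127.0.0.1:3127 is a constructed placeholder address.
HARDENED_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
http_access deny !Safe_ports
ssl_bump peek all
ssl_bump terminate all
tls_outgoing_options capath=/etc/ssl/certs
sslcrtd_program /opt/squid/libexec/security_file_certgen -s /opt/squid/var/ -M 4MB
http_port 127.0.0.1:3127
http_port gateway:3128 intercept
https_port gateway:3129 intercept ssl-bump cert=/opt/squid/etc/certs/sslsplit_ca_cert.pem
"""

# http_port modes that make a port unusable as the forward-proxy port (my reading).
INTERCEPT_MODES = {"intercept", "tproxy"}


def parse_squid_conf(text):
    """Return [(lineno, directive, [args])] for every non-blank, non-comment line.

    shlex keeps quoted arguments such as "/opt/squid/etc/http_url.txt" as one
    token. Assumes one directive per line (no trailing-backslash continuation).
    """
    parsed = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        parsed.append((lineno, tokens[0], tokens[1:]))
    return parsed


def audit_squid_conf(text):
    """Return [(lineno, message)]; lineno 0 marks a whole-file finding."""
    findings = []
    forward_ports = []
    for lineno, name, args in parse_squid_conf(text):
        lname = name.lower()
        if lname == "sslproxy_cert_error" and [a.lower() for a in args[:2]] == ["allow", "all"]:
            findings.append((lineno, "sslproxy_cert_error allow all: every upstream "
                                     "certificate error is silently accepted"))
        elif lname in ("tls_outgoing_options", "sslproxy_flags"):
            # tls_outgoing_options carries flags as flags=A,B; sslproxy_flags lists them bare.
            if lname == "sslproxy_flags":
                flag_lists = list(args)
            else:
                flag_lists = [a.partition("=")[2] for a in args if a.lower().startswith("flags=")]
            for flags in flag_lists:
                if "DONT_VERIFY_PEER" in {f.upper() for f in flags.split(",")}:
                    findings.append((lineno, f"{name}: DONT_VERIFY_PEER disables "
                                             "verification of upstream certificates"))
        elif lname == "http_port":
            # args[0] is [host:]port; the rest are options such as intercept or ssl-bump.
            if not INTERCEPT_MODES & {a.lower() for a in args[1:]}:
                forward_ports.append(lineno)
    if not forward_ports:
        findings.append((0, "no forward-proxy http_port: every http_port is intercept/tproxy, "
                            "so Squid has no port for its internal URLs"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} config ==")
        for lineno, msg in audit_squid_conf(conf) or [(0, "no findings")]:
            print(f"  line {lineno}: {msg}")
```

Run it against a real file with `audit_squid_conf(open("/opt/squid/etc/squid.conf").read())`; a non-empty result is worth fixing before `squid -k parse`, since the first two findings are exactly the kind of issue Amos says those settings hide from you, and the third is what produces the `http://:0/` internal-URL error rather than a working proxy.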


Re: [squid-users] About to upgrade from 3 to 4

2018-06-09 Thread James Lay
On Sun, 2018-06-10 at 01:13 +1200, Amos Jeffries wrote:
> On 10/06/18 01:02, James Lay wrote:
> > 
> > So in my config file I have:
> > sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
> > However I do not see this after compiling and installing. Has this
> > gone away in 4? Thank you.
> > James
> 
> It's now called security_file_certgen.
> Amos

Thanks Amos...I'll read this before asking anymore questions ☺

James


Re: [squid-users] About to upgrade from 3 to 4

2018-06-09 Thread Amos Jeffries
On 10/06/18 01:02, James Lay wrote:
> 
> So in my config file I have:
> 
> sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
> 
> However I do not see this after compiling and installing. Has this gone
> away in 4? Thank you.
> 
> James


It's now called security_file_certgen.



Amos


Re: [squid-users] About to upgrade from 3 to 4

2018-06-09 Thread James Lay
On Fri, 2018-06-08 at 09:36 -0600, James Lay wrote:
> On Sat, 2018-06-09 at 03:04 +1200, Amos Jeffries wrote:
> > On 09/06/18 02:33, James Lay wrote:
> > > Hey all!
> > > Topic says it...I'm starting to look at doing an upgrade from 3 to
> > > 4. Any glaring surprises? Doing a transparent forward proxy with
> > > some peek/splice for content filtering only (no decryption). Has
> > > anyone gone through an upgrade, and how painful was it, if at all?
> > > Thank you.
> > 
> > Which 3.x you are starting from is the issue.
> > From 3.5 to 4 should be the same as any of the 3.x single version
> > bumps. There is nothing special about v4 from a user perspective.
> > Amos
> 
> Thanks Amos...I'm going from 3.5.2 ☺
> 
> James

So in my config file I have:
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
However I do not see this after compiling and installing.  Has this
gone away in 4?  Thank you.
James


Re: [squid-users] About to upgrade from 3 to 4

2018-06-08 Thread James Lay
On Sat, 2018-06-09 at 03:04 +1200, Amos Jeffries wrote:
> On 09/06/18 02:33, James Lay wrote:
> > Hey all!
> > Topic says it...I'm starting to look at doing an upgrade from 3 to
> > 4. Any glaring surprises? Doing a transparent forward proxy with
> > some peek/splice for content filtering only (no decryption). Has
> > anyone gone through an upgrade, and how painful was it, if at all?
> > Thank you.
> 
> Which 3.x you are starting from is the issue.
> From 3.5 to 4 should be the same as any of the 3.x single version
> bumps. There is nothing special about v4 from a user perspective.
> Amos
> 

Thanks Amos...I'm going from 3.5.2 ☺

James


Re: [squid-users] About to upgrade from 3 to 4

2018-06-08 Thread Amos Jeffries
On 09/06/18 02:33, James Lay wrote:
> Hey all!
> 
> Topic says it...I'm starting to look at doing an upgrade from 3 to 4.
> Any glaring surprises? Doing a transparent forward proxy with some
> peek/splice for content filtering only (no decryption). Has anyone gone
> through an upgrade, and how painful was it, if at all? Thank you.
> 

Which 3.x you are starting from is the issue.

From 3.5 to 4 should be the same as any of the 3.x single version bumps.
There is nothing special about v4 from a user perspective.

Amos


[squid-users] About to upgrade from 3 to 4

2018-06-08 Thread James Lay
Hey all!

Topic says it...I'm starting to look at doing an upgrade from 3 to 4.
Any glaring surprises?  Doing a transparent forward proxy with some
peek/splice for content filtering only (no decryption).  Has anyone
gone through an upgrade, and how painful was it, if at all?  Thank you.

James