Re: [squid-users] WARNING: there are more than 100 regular expressions
On 27/11/14 07:59, navari.lore...@gmail.com wrote: Consider using less REs ... is not possible. so dont worry about this WARNING message. This is just a warning, not an error. If you're aware that using lots of REs can hit hard on the CPU usage, just go for it. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] squid_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'
I have several squids authenticating users using ldap_auth and it works fine. Users are located on the 'Users' OU and my config lines are: (single line) auth_param basic program /usr/lib/squid/squid_ldap_auth -P -R -b dc=myad,dc=domain -D cn=ProxyUser,cn=Users,dc=myad,dc=domain -w x -f sAMAccountName=%s -h ad.ip.addr.ess (single line) external_acl_type ldap_group children=3 ttl=300 %LOGIN /usr/lib/squid/squid_ldap_group -P -R -b dc=myad,dc=domain -D cn=ProxyUser, cn=Users,dc=myad,dc=domain -w xxx -f ((objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=Users, dc=myad,dc=domain)) -h ad.ip.addr.ess On 15/12/14 21:03, Ahmed Allzaeem wrote: Hi guys Im trying to use squid with active directory 2008 R2 as an external authentication On DC called smart.ps Create user squid and gave it delegation to the dc and put it also in the group admins in the OU=proxy -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Calculate time spent on website (per ip address)
On 10/02/15 20:23, Yuri Voinov wrote: HTTP is stateless protocol (in most cases, excluding presistant connections). So, it is impossible to determine how much time user spent on site. Only very approximately. Right? in most cases, probably not even close to the real deal ! -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] i want to block images with size more than 40 KB
On 18/03/15 08:06, Amos Jeffries wrote: On 19/03/2015 5:57 a.m., snakeeyes wrote: I need help in blocking images that has size less than 40 KB Use the Squid provided access controls to manage access to things. http://wiki.squid-cache.org/SquidFaq/SquidAcl You should know that you cannot evaluate the response size using only the request data. So to acchieve what you want, data from the reply must be considered as well, the response size for example. Images can be identified by the presence of '.jpg' or '.png' on the request URL, but images can be generated on-the-fly by scripts as well, so you wont see those extensions all the time. In that case, analyzing replies mime headers can be usefull as well, the reply mime type having 'image' is a great indication that we're receiving an image. Put all that together and you'll acchieve the rules you want to. But keep in mind that you'll probably break A LOT of sites who 'slices' images, background images, menus and all sort of things. I would call that a VERY bad idea, but can be acchieved with a few rules. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Saving memory cache to disk on reboot?
On 18/05/15 08:55, Yan Seiner wrote: The title says it all - is it possible to save the memory cache to disk on reboot? I reboot my systems weekly and I wonder if this would be any advantage. Initially, let's say that a cache can ALWAYS be lost. Sometimes it may not be desirable, but losing a cache must not create problems, the cache will simply be repopulated again and no problems should occur. Losing terabytes of cache is not be a good idea, as that amount of data would take some days to be repopulated and thus, during that time, you'll have bad hit ratios on your cache. As you say you're using memory cache, i'll assume that you're dealing with 16Gb or 32Gb of cache. We're not talking on terabytes, we're talking on few gigabytes. On that scenario, i would not worry about loosing it. Unless you're serving just a few specific pages on that cache, which is not usually the case, your hit ratio already shouldn't be too high, so loosing the cache shouldn't be a problem, it will be populated again in few hours, depending the number of clients and traffic generated by them. And my only question here is: why rebooting weekly ? Assuming you're running Linux or some Unix variant, that's absolutely unnecessary. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Migration from squid 3.1.20 to 3.4.8
On 10/06/15 06:39, Diercks, Frank (VRZ Koblenz) wrote: Hallo squid-users, i migrated our Proxy from 3.1.20 to 3.4.8. Here are the changes I made: why going to 3.4 if it's already 'old' code ? Why not going straight to 3.5 which is the current release ? -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Logging of 'indirect' requests, e.g. involving NAT or VPN
Em 24/06/15 15:28, Henry S. Thompson escreveu: I've searched the documentation and mailing list archives w/o success, and am not competent to read the source, so asking here: what is logged as the 'remotehost' in Squid logs when a request that has been encapsulated, as in from a machine on a local network behind a router implementing NAT, or from a machine accessing the proxy via a VPN connection? logs will show the IP address that reached squid, ie. the source address of the connection. If that was NATted, squid will never know (and thus is not able to log) the original address before the NAT. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Android
Of course you can always use 'acl aclname browser' to identify some specific agents and, using that, try to match android browsers. however, that would be basically impossible to guarantee to work 100% because softwares that calls HTTP requests can always sent different identifications and, thus, your rule will not match. And those rules would allow, also, other browsers/OSs to fake their agent-id and, forcing something that will look like an Android to you, have the access allowed without authentication. You can try, but i would say you can never have a fully 100% working and 100% fake-proof setup on that scenario. Em 12/08/15 14:09, Jorgeley Junior escreveu: Hi guys. Is there a way to work around android under squid authentication??? I could make an ACL to a range of address that my wifi router distribute to my wifi network and deny auth for them, but I'd like to identify the Android clients and specify that just them do not need authentication. Any ideas? Thanks since now -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] big files caching-only proxy
Em 22/10/15 06:08, Amos Jeffries escreveu: On 22/10/2015 7:13 a.m., Leonardo Rodrigues wrote: It sounds to me that you are not so much wanting to cache only big things, you are wanting to cache only certain sites which contain mostly big things. The best way to confgure that is with the cache directive. Just allow those sites you want, and deny all others. Then you dont have to worry about big vs small object size limits. Though why you would want to avoid caching everything that was designed to be cached is a bit mystifying. You might find better performance providing several cache_dir with different size ranges in each for optimal caching to be figured out by Squid. At first that (caching only 'big' things) was the idea, but when i look to cache instagram, that really changed. I know i dont have a good hardware (I/O limitation) and having a VERY heterogenous group of people, hits were low when caching 'everything' and, in some cases, access was even getting slower as i do have a good internet pipe. But caching windows update and other 'big things' (antivirus updates, apple updates, etc etc) still looked interesting to me. As you suggested, i further enhanced my ACLs that match 'what i want to cache' and could get it working using cache rules. I have even, in some cases, created two ACLs, one for the dstdom and other for the urlpath for matching just some extensions i want to cache. Maybe not perfect, but seems to be working fine after lowering the minimum_object_size to some few KBs. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
[squid-users] big files caching-only proxy
Hi, I have a running setup for proxying only 'big' files, like Windows Update, Apple Updates and some other very specific URLs. That's working just fine, no problem on that. For avoiding caching small things on the URLs i want to have big files proxied, i setup the 'minimum_object_size' for 500Kb, for example. That's doing just fine, working flawlessly. Now i'm looking for caching instagram data. That's seems easy, instagram videos are already being cached, but i really dont know how to deal with the small images and thumbnails from the timetime. If i lower too much the minimum_object size, those will be cached as well as not wanted data from the other URLs. Question is: can the minimum_object_size be paired with some ACL ? Can i have a minimum_object globally and another one for specific URLs (from an ACL) for example? i'm running squid 3.5.8. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Monitoring Squid using SNMP.
Em 20/10/15 16:26, sebastien.boulia...@cpu.ca escreveu: When I try to do a snmpwalk, I got a timeout. [root@bak ~]# snmpwalk xx:3401 -c cpuread -v 1 [root@bak ~]# Anyone monitor Squid using SNMP ? Do you experiment some issues ? You're not getting timeout, you're getting no data, which is completly different from timeout. Try giving the initial MIB number and you'll probably get the data: [root@firewall ~]# snmpwalk -v 1 -c public localhost:3401 .1.3.6.1.4.1.3495.1 SNMPv2-SMI::enterprises.3495.1.1.1.0 = INTEGER: 419756 SNMPv2-SMI::enterprises.3495.1.1.2.0 = INTEGER: 96398932 SNMPv2-SMI::enterprises.3495.1.1.3.0 = Timeticks: (77355691) 8 days, 22:52:36.91 SNMPv2-SMI::enterprises.3495.1.2.1.0 = STRING: "webmaster" SNMPv2-SMI::enterprises.3495.1.2.2.0 = STRING: "squid" SNMPv2-SMI::enterprises.3495.1.2.3.0 = STRING: "3.5.8" and to make things easier, i use to configure the SNMP daemon that runs on UDP/161 to 'proxy' requests to squid, so i dont need to worry about informing the correct port: [root@firewall snmp]# grep proxy snmpd.conf # proxying requests to squid MIB proxy -v 1 -c public localhost:3401 .1.3.6.1.4.1.3495.1 so i can 'snmpwalk' on the default udp/161 port: (note the lack of :3401 port) [root@firewall snmp]# snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.3495.1 SNMPv2-SMI::enterprises.3495.1.1.1.0 = INTEGER: 419964 SNMPv2-SMI::enterprises.3495.1.1.2.0 = INTEGER: 96359504 SNMPv2-SMI::enterprises.3495.1.1.3.0 = Timeticks: (77370521) 8 days, 22:55:05.21 -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] How to allow subdomains in my config.
Em 13/10/15 18:14, sebastien.boulia...@cpu.ca escreveu: cache_peer ezproxyx.reseaubiblio.ca parent 80 0 no-query originserver name=ezproxycqlm acl ezproxycqlmacl dstdomain ezproxycqlm.reseaubiblio.ca http_access allow www80 ezproxycqlmacl cache_peer_access ezproxycqlm allow www80 ezproxycqlmacl cache_peer_access ezproxycqlm deny all no guessing games would be awesome ... please post your ACL definitions as well -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] TCP_MISS/200
Em 17/11/15 20:18, Jens Kallup escreveu: Hello, what means the log ouput TCP_MISS/200 ? Error in squid config? HTTP responde code 200 means 'OK, your request was processed fine', it's the 'everything ok' return code. TCP_MISS means there was no cached answer for that query and so it was fetched from the origin server. It's definitely not an error, there's absolutely nothing wrong on seeing LOTS of those on your access.log files, as you're certainly face LOTS of 'everything ok' requests and lots of them will not be fetched from the cached objects. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] analyzing cache in and out files
Em 29/09/15 07:42, Matus UHLAR - fantomas escreveu: On 28.09.15 15:59, Leonardo Rodrigues wrote: I have a running squid that, until some weeks ago, was not doing any kind of cache, it was just used for access controle rules. Now i have enabled it for windows updateand some specificURLs caching and it's just working fine. windows updates are so badly designed that the only sane way to get them cached it running windows update server (WSUS). WSUS works for corporate environments, not for all the others. And caching Windows Update with squid is pretty trivial actually, it doesnt even need URL rewriting as other services, youtube for example, do. And it works just fine !! -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] analyzing cache in and out files
Em 29/09/15 10:46, Matus UHLAR - fantomas escreveu: hmm, when did this change? IIRC that was big problem since updates use huge files and fetch only parts of them, which squid wasn't able to cache. But i'm off for a few years, maybe M$ finally fixed that up... i'm not a squid expert, but it seems that things became much easier when squid becames fully HTTP/1.1 compliant. Caching huge files do not changed, that's needed for caching Windows Update files. Storage space, however, is becaming cheaper every year. In my setup, for example, i'm caching files up to 500Mb, i have absolutely no intention of caching ALL Windows Update files. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] squid cache
Em 30/09/15 16:35, Magic Link escreveu: Hi, i configure squid to use cache. It seems to work because when i did a try with a software's download, the second download is TCP_HIT in the access.log. The question i have is : why the majority of requests can't be cached (i have a lot of tcp_miss/200) ? i found that dynamic content is not cached but i don't understand.very well. That's the way internet works ... most of the traffic is dinamically generated, which in default squid configurations avoid the content to be cached. Nowadays, with the 'everything https' taking place, HTTPS is also non-cacheable (in default configurations). And by default configurations, you must understand that they are the 'SECURE' configuration. Tweaking with refresh_pattern is usually not recommended except in some specific cases in which you're completly clear that you're violating the HTTP protocol and can have problems with that. In short, the days of 20-30% byte-hits are gone and will never came back anymore. Keep your default (and secure) squid configuration, there's no need to tweak refresh_pattern unless on very specific situations that you clearly understand what you're doing. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] analyzing cache in and out files
Em 30/09/15 04:13, Matus UHLAR - fantomas escreveu:
the problem was iirc in caching partial objects
http://wiki.squid-cache.org/Features/PartialResponsesCaching
that problem could be avoided with properly setting range_offset_limit
http://www.squid-cache.org/Doc/config/range_offset_limit/
but that also means that whole files instead of just their parts are
fetched.
it's quite possible that microsoft changed the windows updates to be
smaller
files, but I don't know anything about this, so I wonder if you really do
cache windows updates, and how does the caching work related to
informations
above...
yes, i'm definitely caching windows update files !!
[root@firewall ~]# cd /var/squid/
[root@firewall squid]# for i in `find . -type f`; do strings $i | head
-3 | grep "http://;; done | grep windowsupdate | wc -l
824
and yes, i had to configure range_offset_limit:
range_offset_limit 500 MB updates
minimum_object_size 500 KB
maximum_object_size 500 MB
quick_abort_min -1
(being 'updates' the ACL with the URLs to be cached, basically
windowsupdate and avast definition updates - the second one required
further tweaks with storeid_rewrite for the CDN URLs)
from access.log, i see a lot of TCP_HIT/206 (and just a few
TCP_HIT/200), so it seems squid is able to get the fully cached file and
provide the smaller pieces requested:
[root@firewall squid]# grep "TCP_HIT/" access.log | grep windowsupdate |
wc -l
9860
[root@firewall squid]# bzcat access.log.20150927.bz2 | grep "TCP_HIT/" |
grep windowsupdate | wc -l
38584
having squid to download the WHOLE file at the very first request
(even a partial request) may be bad, but considering it will be used
later to provide the data for other requests, even partial ones, make
things a little better.
(this windowsupdate caching is running just for a few weeks, i expect
HITs to grow a little more)
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] analyzing cache in and out files
Em 28/09/15 17:55, Amos Jeffries escreveu: The store.log is the one recording what gets added and removed from cache. It is just that there are no available tools to do the analysis you are asking for. Most admin (and thus tools aimed at them) are more concerned with whether cached files are re-used (HITs and near-HITs) or not. That is recorded in the access.log and almost all analysis tools use that log in one format or another. That's i was afraid, there's no tools to analyze the data. Anyway, thanks for the answer. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] user agent
i personally hate using !acl ... it's the easiest way, in my opinion, of getting in trouble and getting things to NOT work the way you want to. i always prefeer to replace by other 4-5 'normal' rules than using !acl Em 18/09/15 06:32, joe escreveu: hi i need to have 3 useragent replace and its not working example acl brs browser -i Mozilla.*Window.* acl phone-brs browser -i Mozilla.*(Android|iPhone|iPad).* request_header_access User-Agent deny brs !phone-brs request_header_replace User-Agent Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 request_header_access User-Agent deny phone-brs !brs request_header_replace User-Agent Mozilla/5.0 (Android; iPhone; Mobile;) Gecko/18.0 -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] logging https websites
Em 09/12/15 13:11, George Hollingshead escreveu: is there a simple way to log request made to https sites. I just want to see sites visited without having to set up tunneling and all this complex stuff i'm reading about. Hoping there's a simple way, and yes, i'm a newb but smart enough to have your awesome program running; hehe If you really want a SIMPLE way, than the answer is NO, that's not possible With simply configuring the proxy on the users browsers, you'll be able to see the hostname, but not the full URL user acessing https://www.gmail.com/mail/something/INBOX will appear on the logs just as CONNECT www.gmail.com and that's how it works ... the path is only visible to the endpoints, the browser and the server, squid just carries the encripted tunnel between them, without knowing what's happening inside. is it possible to decript and see the full path on the logs, being able to filter on them and everything else ?? YES, that's ssl-bump, but that's FAR from being an easy setup ... -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] New skype version can't control by squid
Em 22/12/15 23:10, fbismc escreveu:
Hi everyone
Below is my skype control in squid.conf
#skype
acl numeric_IPs dstdom_regex
^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype
acl validUserAgent browser \S+
acl skypenet dstdomain .skype.com
After skype update to 7.17 ,the control is failed , I need to give a
"allowed" permission , the "allowed" means have a privilege to Internet
surfing.
How should I fix this problem , any suggestion will be a appreciated
Well ... if you need want someone to be able to help you, you can
start giving some real informations on the new skype accesses that are
failing your rules.
You have rules for user agent, IP access on port 443 and domain
skype.com. Which accesses are not getting caught by these ? What are the
new user agent used on the new skype accesses ???
Provide real information if you want real help (which of course, if
not always guaranteed on a community mailing list). But be sure that
with no real information, you wont get any useful help at all.
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] HTTPS sites specifics URL
That's correct, when not using SSL-Bump feature (that's the one you're looking for), squid will only see the domain part. All the rest of the URL is crypted and visible only to the client (browser) and the server on the other side, the only two parts involved on that crypto session. To enable squid to see the whole URL and be able to do full filtering on HTTPS requests, you're looking for SSL-Bump feature. Google for it, there's a LOT of tutorials and mailing list messages on that. Em 06/02/17 12:40, Dante F. B. Colò escreveu: Hello Everyone I have a question , probably a noob one , i 'm trying to allow some https sites with specific URL's (i mean https://domain.tld/blablabla) but https sites are working only with the domain part , what i have to do to make this work ? -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Office 365 Support for Squid Proxy
i have a lot of customers who access Office 365 through squid proxies and have no problem at all. Office 365 is just another website, there's absolutely no need for special configurations for it to simply work. Em 12/06/17 06:05, Blason R escreveu: Hello All, If someone can confirm if squid can very well work with Office 365? If anyone has any documentation can someone please forward that to me? I do have almost around 400 Office 365 users hence wanted to know what configuration I might need for Office 365 traffic? -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] retrieve amount of traffic by username
Em 06/06/17 10:45, Janis Heller escreveu: Seems like parsing would be what I need. Is the size (consumed bandwith) and the usernams (timestamp can be generated by my parser) being written to this file? Could you show me a sample output of this file? the already existing documentation is your friend :) http://wiki.squid-cache.org/SquidFaq/SquidLogs -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] minimize squid memory usage
Em 09/07/18 20:45, Gordon Hsiao escreveu: Assuming I need _absolutely_ no cache what-so-ever(to the point to change compile flags to disable that, if needed), no store-to-disk neither, i.e. no objects need to be cached at all. I just need Squid to check a few ACLs with absolutely minimal memory usage for now, what else am I missing to get that work? If you don't need everything that squid can offer, maybe using other proxy software can be a better option. There are other software, with less options, that for sure will have a smaller memory footprint. But as you just need ACL capabilities, maybe those can be enough. Have you tried checking that ? -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] want to change squid name
Em 01/10/18 10:08, --Ahmad-- escreveu: i just need to have something not squid to run it on linux i dont want squid so don't run squid ?!?! If someone finding that you're running squid and that's a problem to you, don't run it, period :) -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Need help blocking an specific HTTPS website
Em 04/03/2019 19:27, Felipe Arturo Polanco escreveu:
Hi,
I have been trying to block https://web.whatsapp.com/ from squid and I
have been unable to.
So far I have this:
I can block other HTTPS websites fine
I can block www.whatsapp.com <http://www.whatsapp.com> fine
I cannot block web.whatsapp.com <http://web.whatsapp.com>
I have HTTPS transparent interception enabled and I am bumping all TCP
connections, but still this one doesn't appear to get blocked by squid.
This is part of my configuration:
===
acl blockwa1 url_regex whatsapp\.com$
acl blockwa2 dstdomain .whatsapp.com <http://whatsapp.com>
acl blockwa3 ssl::server_name .whatsapp.com <http://whatsapp.com>
acl step1 at_step SslBump1
blockwa1 and blockwa2 should definitely block web.whatsapp.com ..
your rules seems right.
Can you confirm the web.whatsapp.com access are getting through
squid ? Are these accesses on your access.log with something different
than DENIED status ?
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] squid on openwrt: Possible to get rid of "... SECURITY ALERT: Host header forgery detected ..." msgs ?
Em 23/01/2019 06:22, reinerotto escreveu:
Running squid 4.4 on very limited device, unfortunately quite a lot of
messages: "... SECURITY ALERT: Host header forgery detected ... " show up.
Unable to eliminate real cause of this issue (even using iptables to redir
all DNS requests to one dnsmasq does not help), these annoying messages tend
to fill up cache.log, which is kept in precious RAM.
Is there an "official" method to suppress these messages ?
Or can you please give a hint, where to apply a (hopefully) simple patch ?
I have some OpenWRT boxes running squid 3.5 and cache_log simply
goes null ... i do have access log enabled, with scripts to rotate,
export to another server (where log analyzis are done) and keep just a
minimum on the box itself, as storage is a big problem on these boxes.
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] GENEVE?
Em 25/08/2020 16:21, Jonas Steinberg escreveu: Is there any way to definitively confirm this? Also is this something I could submit as a feature request via github or is it too crazy or out-of-scope for the roadmap? And please never forget that if you need some feature that is not there yet, you can always sponsor the dev team to develop it :) -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] issues with sslbump and "Host header forgery detected" warnings
Em 07/11/2020 22:19, Eliezer Croitor escreveu:
Hey Leonardo,
I assume The best solution for you is a simple SNI proxy.
Squid does also that and you can try to debug this issue to make sure you
understand what is wrong.
It clearly states that Squid doesn't see this specific address:
local=216.58.222.106:443
As the domain: chromesyncpasswords-pa.googleapis.com:443 "real" destination
address.
Maybe Alex or Amos remember the exact and relevant debug_options:
https://wiki.squid-cache.org/KnowledgeBase/DebugSections
I assume section 78 would be of help.
debug_options ALL,1 78,3
Is probably enough to discover what are the DNS responses and from where these
are.
On what OS are you running this Squid?
Hi Eliezer,
I have already tracked the DNS stuff and I could confirm that squid
is resolving to a different IP address than the client is, despite both
using the same DNS server. It only happens for hosts with multiple A
addresses or CDN hostnames that changes IP very often (every 10 seconds
for example). It's not a bug in that regards, absolutely not, the client
connecting to a specific IP address and squid seeing another IP to that
hostname caught on the TLS transaction is real.
I'm running on CentOS 8 ... and after all, maybe these findings,
I'm about to realize doing this kind of interception, even without the
full decrypt part, is not trivial at all, despite it works flawlessly
(and very easily) for "regular" hostnames which translates to a single
IP and never changes it.
Will study this a little more. Thanks for your observations and
recommendations!
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] issues with sslbump and "Host header forgery detected" warnings
Em 07/11/2020 08:42, Amos Jeffries escreveu:
All we can do is minimize the occurrences (sometimes not very much).
This wiki page has all the details of why and workarounds
<https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>.
Thanks Amos, I had already find that and it has very good
information on the subject. Also found an old thread of you discussing
the security concerns on bypsasing those checks, very good information,
thanks so much :)
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
[squid-users] issues with sslbump and "Host header forgery detected" warnings
Hello Everyone,
I'm trying to setup sslbump for the first time (on squid-4.13) and,
at first, things seems to be working. After taking some time to
understand the new terms (splice, bump, stare, etc), seems to got things
somehow working.
Actually i'm NOT looking for complete bumping (and decrypting) the
connections. During my lab studies, I found out that simply 'splice' the
connections is enough for me. I just wanna intercept https connections
and have them logged, just the hostname, and that seems to be
acchievable without even installing my certificates on the client, as
i'm not changing anything, just 'taking a look' on the SNI values of the
connection. The connection itself remains end-to-end protected, and
that's fine to me. I just wanna have things logged. And that's working
just fine.
However, some connections are failing with the "Host header forgery
detected" warnings. Example:
2020/11/06 18:04:21 kid1| SECURITY ALERT: Host header forgery detected
on local=216.58.222.106:443 remote=10.4.1.123:39994 FD 73 flags=33
(local IP does not match any domain IP)
2020/11/06 18:04:21 kid1| SECURITY ALERT: on URL:
chromesyncpasswords-pa.googleapis.com:443
and usually a NONE/409 (Conflict) log entry is generated on those.
Refreshing once or twice and it will eventually work.
I have found several discussions on this and I can confirm it
happens on hostnames that resolvs to several different IPs or hostnames
that, somehow, keeps changing IPs (CDNs or something like that).
Clients are already using the same DNS server as the squid box, as
recommended, but problem is still happening quite a lot. For regular
hostnames who translates for a single IP address, things are 100% working.
Questions:
- without using WPAD or without configuring proxy on the client
devices, is this somehow "fixable" ? Same DNS already being used ...
- is there any chance the NONE/409 (Conflict) logs i'm seeing are
not related to this? Maybe these are just WARNINGs and not ERRORs, or
these would really cause a fail to the intercepted connection?
- any other hint on this one without having to set proxy, in any
way, on the clients? I just wanna have hostnames (and traffic generated)
logged, no need for full decrypt (bumping) of the connections.
Thanks !!!
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid caching webpages now days?
Em 01/08/2021 21:01, Amos Jeffries escreveu:
Leonardo, it sounds like your decades ago decision was before squid
gained full HTTP/1.1 caching ability. 1.0-only abilities are almost
useless today.
Are you at least still using memory cache? That is squid configured
without cache_dir but also without "cache deny" rule.
Hi Amos,
You're spot on, I clearly remember to have decided that (to stop
caching) before full HTTP/1.1 support days. I have not actually tried
memory cache for a while, but not because it wasn't working as expected
or effective, it's mainly because i'm not managing those services on
networks large enough for caching to bring real beneficts.
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid caching webpages now days?
Em 31/07/2021 22:48, Periko Support escreveu: Hello guys. With today's ISP's speed increasing, does squid cache (caching web pages) now days is a good option? I have some customers that want to setup a cache server, but I have doubts about how much traffic will be save, with most of the web sites running under https. I use squid+sg acl features. But for me, caching is not a bandwidth saving tool anymore. Of course, my experience is just MY experience and others might be completly different ones :) Speaking for myself, and for some small to medium sized customer networks I manage, caching is disabled for more than a decade now. Squid is still VERY useful for applying controls and loggings, but not caching. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] SQL DB squid.conf backend, who was it that asked about it?
Hi Marcelo, Is this going to be released as free and open-source software, or it's a closed project? If 1st answer, then I might be able to help! While I wouldn't call myself an squid expert, I have to admit I have some knowledge on it. And i'm also from Brazil, noticed your .com.br email address! Em 10/08/2022 13:25, marcelorodr...@graminsta.com.br escreveu: Hi Amos, It was me indeed. We have developed a squid based php application to create VPSs and deliver proxies via web panel. It is still in development, but fase 1 is working already running SQL user management, create VPSs and squid.conf auto configuration. We are heading to fase 2 to use cache pears and IPv4/IPv6 routing depends on source. Squid.conf got so complex at this point that its getting very hard to implement fase 2. Lack of deep squid knowledge is still our weak spot. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br ___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
