Re: [squid-users] deny_info URL not working

2024-05-11 Thread Dieter Bloms
Hello,

On Sat, May 11, Vilmondes Queiroz wrote:

> deny_info http://example.com !authorized_ips

does it work if you add the http status code like:

deny_info 307:http://example.com !authorized_ips


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] After upgrade from squid6.6 to 6.8 we have a lot of ICAP_ERR_OTHER and ICAP_ERR_GONE messages in icap logfiles

2024-03-14 Thread Dieter Bloms
Hello Amos,

thank you for your answer!
I opened a bugreport https://bugs.squid-cache.org/show_bug.cgi?id=5353
with some debug infos attached.

On Thu, Mar 14, Amos Jeffries wrote:

> 
> On 12/03/24 04:31, Dieter Bloms wrote:
> > Hello,
> > 
> > after an upgrade from squid6.6 to squid6.8 on a debian bookworm we have a lot
> > of messages from type:
> > 
> > ICAP_ERR_GONE/000
> > ICAP_ERR_OTHER/200
> > ICAP_ERR_OTHER/408
> > ICAP_ERR_OTHER/204
> > 
> > and some of our users claim about bad performance and some get "empty
> > pages".
> > Unfortunately it is not deterministic, the page will appear the next
> > time it is called up. I can't see anything conspicuous in the cache.log.
> > 
> 
> Hmm, there was 
> <https://github.com/squid-cache/squid/commit/4658d0fc049738c2e6cd25fc0af10e820cf4c11a>
> changing message I/O in particular. The behavioural changes from that might
> have impacted ICAP in some unexpected way.
> 
> Also, if you are using SSL-Bump to enable virus scanning then 
> <https://github.com/squid-cache/squid/commit/debf3f17be7761ea4992864a828f42ee773dfbaf>
> might also be having effects.
> 
> HTH
> Amos

-- 
Regards

  Dieter



[squid-users] After upgrade from squid6.6 to 6.8 we have a lot of ICAP_ERR_OTHER and ICAP_ERR_GONE messages in icap logfiles

2024-03-11 Thread Dieter Bloms
Hello,

after an upgrade from squid6.6 to squid6.8 on a debian bookworm we have a lot
of messages from type:

ICAP_ERR_GONE/000
ICAP_ERR_OTHER/200
ICAP_ERR_OTHER/408
ICAP_ERR_OTHER/204

and some of our users claim about bad performance and some get "empty
pages". 
Unfortunately it is not deterministic, the page will appear the next
time it is called up. I can't see anything conspicuous in the cache.log.

There was no change to the virus scanner nor any change to the squid
config during the upgrade.

Here the icap specific config lines from squid:

--snip--
acl CONNECT method CONNECT
acl withoutvirusscanner.dstnames dstdomain "/etc/squid/withoutvirusscanner.dstnames"
acl audio rep_mime_type ^audio/
acl audio rep_mime_type ^video/

icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_service_failure_limit -1
icap_service_revival_delay 30
logformat icap_debug %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::


Re: [squid-users] New Squid prefers IPv4

2024-02-05 Thread Dieter Bloms
Hello Rob,

On Mon, Feb 05, Rob van der Putten wrote:

> After upgrading Squid from 3 to 5 the percentage of IPv6 reduced from 61% to
> less than 1%.
> Any ideas?

yes, since squid5 the happy eyeball algorithm as described in rfc 8305
is used.
If your ipv4 connectivity is better than ipv6 then ipv4 is used.

-- 
Regards

  Dieter



[squid-users] does the logging of cache.log support the log modules like daemon, syslog, udp ...

2024-02-01 Thread Dieter Bloms
Hello,

I would like to run the squid in a Kubernetes environment.
I can simply send the access.log outside the container with the syslog module.
I have tried it with the cache.log, but unfortunately I don't see any log 
entries from the cache.log. The access.log lines are transmitted:

--snip--
# send the logs to rsyslog (rsyslog will forward the logs to external syslog server)
access_log syslog:local1.info keyvalue
cache_log syslog:local2.info
--snip--

Is it possible to send the cache.logs to the syslog socket /dev/log ?

-- 
Regards

  Dieter



[squid-users] 2 year old security bugs not fixed?

2023-10-13 Thread Dieter Bloms
Hello,

I stumbled across this page
https://joshua.hu/squid-security-audit-35-0days-45-exploits and wonder
if all these security holes are really still there.

Can someone from the developers give a status?

Thank you very much.

-- 
Regards

  Dieter



[squid-users] trickling support in squid as icap client

2023-06-30 Thread Dieter Bloms
Hello,

we are currently using the Squid with an ICAP virus scanner, which is capable 
of trickling.
There are many manufacturers who support the ICAP protocol but not trickling.

Therefore, in my opinion, it would make sense if squid supported trickling as 
ICAP client.

Then you could use any ICAP virus scanner independent from trickling support of 
the scanner.

What do you think about the idea?

-- 
Regards

  Dieter



[squid-users] is it possible to restrict the use of websocket for security reason?

2023-01-13 Thread Dieter Bloms
Hello,

is it possible to restrict the use of websockets for security reason like
prevent long-lived Websocket communication or define a limit for total size
of transferred payload?

-- 
Regards

  Dieter



[squid-users] TLS client hello tls1.0 even with options "tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1"

2022-12-12 Thread Dieter Bloms
Hello,

I've enabled sslbump and configured the following outgoing tls options:

tls_outgoing_options min-version=1.2 options=NO_TLSv1:NO_TLSv1_1 cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA

so for me it looks like squid must not use TLS1.1 or TLS1.0.
But for some web sites like
https://www.europarl.europa.eu/doceo/document/LIBE-OJ-2022-12-12-1_EN.html
the first request is made with a tls1.0 client hello packet. 
When I reload the page the proxyserver sends a tls1.2 client hello and the 
website is shown as expected.

So what option can be used to force a minimum tls1.2 client hello package every 
time?

Here is a link to the pcap file with both variants: 
https://bloms.de/download/www.europarl.europa.eu.pcap


-- 
Regards

  Dieter

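
A ClientHello carries a protocol version in up to three places: the record-layer header, the handshake's own version field, and the supported_versions extension, and the record-layer value may be lower than what is actually offered. The following added example (not from the original post and not Squid code) parses all three from a single-record ClientHello so that a capture can be checked against a min-version=1.2 policy. The sample hellos are constructed in the code and every function name is made up for the illustration.

```python
import struct

EXT_SUPPORTED_VERSIONS = 43  # extension type assigned in RFC 8446
TLS_1_0, TLS_1_2, TLS_1_3 = 0x0301, 0x0303, 0x0304


def build_client_hello(record_version, hello_version, supported_versions=()):
    """Build a minimal ClientHello record (constructed sample data)."""
    extensions = b""
    if supported_versions:
        versions = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = bytes([len(versions)]) + versions
        extensions = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body = (
        struct.pack("!H", hello_version)
        + bytes(32)                # random
        + b"\x00"                  # empty session_id
        + b"\x00\x02\xc0\x2f"      # one cipher suite
        + b"\x01\x00"              # null compression only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the three version fields of a single-record ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack_from("!HH", record, 1)
    payload = record[5:5 + record_len]
    if len(payload) < record_len or len(payload) < 4 or payload[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    hello_version = int.from_bytes(take(2), "big")
    take(32)                                 # random
    take(take(1)[0])                         # session_id
    take(int.from_bytes(take(2), "big"))     # cipher_suites
    take(take(1)[0])                         # compression_methods
    supported = []
    if pos < len(body):
        ext_len = int.from_bytes(take(2), "big")
        ext_end = pos + ext_len
        while pos < ext_end:
            ext_type, length = struct.unpack("!HH", take(4))
            data = take(length)
            if ext_type == EXT_SUPPORTED_VERSIONS and data:
                supported = [int.from_bytes(data[i:i + 2], "big")
                             for i in range(1, 1 + data[0], 2)]
    return {"record_version": record_version,
            "hello_version": hello_version,
            "supported_versions": supported}


def is_grease(version):
    """GREASE placeholders (RFC 8701) are not real protocol versions."""
    return (version & 0x0F0F) == 0x0A0A and (version >> 8) == (version & 0xFF)


def offers_below_minimum(parsed, minimum=TLS_1_2):
    """True if the hello visibly offers a version lower than `minimum`.

    The record-layer version is deliberately ignored: it is a framing
    field, not part of the version negotiation.
    """
    real = [v for v in parsed["supported_versions"] if not is_grease(v)]
    if real:
        return min(real) < minimum
    # Without the extension the hello states only its highest version.
    return parsed["hello_version"] < minimum


if __name__ == "__main__":
    samples = {
        "record 1.0, hello 1.2": build_client_hello(TLS_1_0, TLS_1_2),
        "record 1.0, hello 1.0": build_client_hello(TLS_1_0, TLS_1_0),
        "record 1.0, hello 1.2, ext 1.3+1.2":
            build_client_hello(TLS_1_0, TLS_1_2, [TLS_1_3, TLS_1_2]),
    }
    for label, raw in samples.items():
        parsed = parse_client_hello(raw)
        print(label, parsed, "below minimum:", offers_below_minimum(parsed))
```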


[squid-users] does squid 5.7 support HTTP/2 protocol

2022-11-18 Thread Dieter Bloms
Hello,

does squid 5.7 support the HTTP/2.0 protocol?
From https://wiki.squid-cache.org/Features/HTTP2 it seems some work has
been done, but not all.
But sometimes the docu is outdated, so I hope it is outdated and squid
does support HTTP/2

-- 
Regards

  Dieter



Re: [squid-users] squid 5.7: can't access https://www.ilo.org/global/lang--en/index.htm with enabled sslbump, without sslbump it works

2022-11-14 Thread Dieter Bloms
Hello Amos,

On Sat, Nov 12, Amos Jeffries wrote:

> On 12/11/2022 2:49 am, Dieter Bloms wrote:
> > Hello,
> > 
> > I'm using squid 5.7 with enabled sslbump and can't reach the website 
> > https://www.ilo.org/global/lang--en/index.htm
> > I get an error of type ERR_INVALID_RESP, but when I disable sslbump the
> > webcontent is shown in the browser.
> > 
> > Can anybody confirm this and can tell me what causes this problem ?
> 
> TLS is complicated. SSL-Bump even more so. It is unlikely everyone else has
> exactly the same things occurring, even if they have the same squid.conf
> settings.
> 
> You need to look at what the ERR_INVALID_RESP actually says is wrong with
> the server response.
> Then check Squid cache.log. You may need to set "debug_options 11,2" to get a
> trace of the HTTP messages and see what is going on.

Thank you for your reply!
I've increased the debuglevel, but can't find any reason, why squid
responds with ERR_INVALID_RESP.

Maybe someone with more knowledge can find the reason in the cache.log.
It can be found here: https://bloms.de/download/cache.log.gz


-- 
Regards

  Dieter



[squid-users] squid 5.7: can't access https://www.ilo.org/global/lang--en/index.htm with enabled sslbump, without sslbump it works

2022-11-11 Thread Dieter Bloms
Hello,

I'm using squid 5.7 with enabled sslbump and can't reach the website 
https://www.ilo.org/global/lang--en/index.htm
I get an error of type ERR_INVALID_RESP, but when I disable sslbump the
webcontent is shown in the browser.

Can anybody confirm this and can tell me what causes this problem ?


-- 
Regards

  Dieter



Re: [squid-users] got error page type ERR_READ_ERROR, when a dnslabel can not be resolved

2022-10-10 Thread Dieter Bloms
Hello Alex,

thank you for the quick answer!

On Mon, Oct 10, Alex Rousskov wrote:

> On 10/10/22 04:05, Dieter Bloms wrote:
> 
> > since squid 5.7 I get the error page of type ERR_READ_ERROR, when a dns
> > label can not be resolved (for example https://dnslabeldoesnotexist.com/).
> > I expect the error page of type ERR_DNS_FAIL instead of ERR_READ_ERROR.
> > 
> > Can somebody confirm this behavior ?
> 
> I cannot quickly confirm or deny that specific behavior in v5, but I
> recently spotted[1] bugs/deficiencies in error relaying master/v6-based code
> that result in ERR_READ_ERROR instead of ERR_DNS_FAIL or, at the very least,
> ERR_CANNOT_FORWARD. Sounds like v5 needs similar fixes.
> 
> Do you use SslBump to handle that HTTPS site?

yes, sslbump is enabled on our proxy server.

-- 
regards

  Dieter



[squid-users] got error page type ERR_READ_ERROR, when a dnslabel can not be resolved

2022-10-10 Thread Dieter Bloms
Hello,

since squid 5.7 I get the error page of type ERR_READ_ERROR, when a dns
label can not be resolved (for example https://dnslabeldoesnotexist.com/).
I expect the error page of type ERR_DNS_FAIL instead of ERR_READ_ERROR.

Can somebody confirm this behavior ?

-- 
Regards

  Dieter Bloms



[squid-users] got many messages after upgrade from 4.16 to 5.1: assertion failed: Transients.cc:221: "old == e"

2021-09-21 Thread Dieter Bloms
Hello,

I did an upgrade from squid 4.16 and got many messages like: assertion failed: 
Transients.cc:221: "old == e"
and it seems, that the childs crash and restart:

--snip--
2021/09/20 04:37:47 kid2| assertion failed: Transients.cc:221: "old == e"
current master transaction: master368193
2021/09/20 04:37:49 kid2| Set Current Directory to /var/cache/squid
2021/09/20 04:37:49 kid2| Starting Squid Cache version 5.1 for x86_64-pc-linux-gnu...
2021/09/20 04:37:49 kid2| Service Name: squid
2021/09/20 04:37:49 kid2| Process ID 63991
2021/09/20 04:37:49 kid2| Process Roles: worker
2021/09/20 04:37:49 kid2| With 1048576 file descriptors available
--snip--

This proxy hasn't enabled sslbump and we don't use any cache directory.
We only cache in memory for performance reason.

Is this a known issue or shall I open a bugreport ?


-- 
regards

  Dieter



[squid-users] Proxy Authentication optional

2021-07-24 Thread Dieter Bloms
Hello,

I want to implement user authentication (kerberos) on an already existing 
proxysystem without user authentication.
But I know that there are clients, which can't do any authentication.

So is it possible to configure squid, that it ask for proxy
authentication credentials, but if the client can't authenticate skip
this acl and go on with the next acls ?

I tried something like this, but without success:

--snip--
# kerberos authentication 
auth_param negotiate program /usr/sbin/negotiate_kerberos_auth -s HTTP/www-proxy.mydomain -k /etc/squid/HTTP.keytab
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerberosauth proxy_auth REQUIRED

acl noauth_port localport 8880

acl give_access any-of kerberosauth noauth_port
http_access allow give_access
--snip--


-- 
Regards

  Dieter



[squid-users] Is it possible to force some dstdomain to ipv4 protocol without define an outgoing ip address ?

2021-06-09 Thread Dieter Bloms
Hello,

I use squid 4.15 and want to configure it to connect to some destinations
via IPv4.

I know about the tcp_outgoing_address option, but my outgoing ipv4 and
ipv6 addresses change every day.

So is there an option like:

acl myipv4onlydest dstdomain .example1.com .example2.com
tcp_outgoing_protocol ipv4 myipv4onlydest


-- 
Regards

  Dieter



Re: [squid-users] SSL_Bump not working correctly for IP destinations like https://1.1.1.1/

2021-05-20 Thread Dieter Bloms
Hello Alex,

thank you for the fast response.

On Thu, May 20, Alex Rousskov wrote:

> On 5/20/21 8:12 AM, Dieter Bloms wrote:
> 
> > I've a working setup with squid 4.14 and enabled sslbump under debian buster.
> > But when I try destinations like https://1.1.1.1/ I get an error ERR_CERT_COMMON_NAME_INVALID
> > 
> > The alternate DNS Names in the certificate of the original webserver is:
> > 
> > X509v3 Subject Alternative Name: 
> > DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400
> > 
> > for the client using the proxy with sslbump it looks like:
> > 
> > X509v3 Subject Alternative Name: 
> > DNS:1.1.1.1
> > 
> > so the SAN is a DNS and not an IP Address one.
> > I think it has to be something like this:
> > 
> > X509v3 Subject Alternative Name: 
> > IP Address:1.1.1.1
> > 
> > Can someone confirm this, or may I have a mistake in my squid configuration.
> 
> If this happens on an otherwise successful HTTP response (not an error
> page), then I would suspect a Squid bug (or insufficient support for
> X509v3 extensions).

The chrome browser shows me this error page, but you are right it is an
error page of squid with SQUID_X509_V_ERR_DOMAIN_MISMATCH.
So it looks like insufficient support for X509v3 extensions.
I filed a bug report https://bugs.squid-cache.org/show_bug.cgi?id=5130

> > Here some sslbump related details of my config:
> > 
> > http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> > http_port MYIP:8880 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> > sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
> > sslcrtd_children 32 startup=10 idle=3
> > tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
> > ssl_bump peek step1
> > ssl_bump stare all
> > ssl_bump bump all
> > 
> > 
> 

-- 
Regards

  Dieter



[squid-users] SSL_Bump not working correctly for IP destinations like https://1.1.1.1/

2021-05-20 Thread Dieter Bloms
Hello,

I've a working setup with squid 4.14 and enabled sslbump under debian buster.
But when I try destinations like https://1.1.1.1/ I get an error ERR_CERT_COMMON_NAME_INVALID

The alternate DNS Names in the certificate of the original webserver is:

X509v3 Subject Alternative Name: 
DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400

for the client using the proxy with sslbump it looks like:

X509v3 Subject Alternative Name: 
DNS:1.1.1.1

so the SAN is a DNS and not an IP Address one.
I think it has to be something like this:

X509v3 Subject Alternative Name: 
IP Address:1.1.1.1

Can someone confirm this, or may I have a mistake in my squid configuration.

Here some sslbump related details of my config:

http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
http_port MYIP:8880 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all


-- 
Regards

  Dieter

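
The difference between the two SAN forms described above, as an added example that is not part of the original post or of Squid: a client matching an IP-literal host such as 1.1.1.1 looks only at iPAddress entries, so a certificate carrying DNS:1.1.1.1 does not match. The SAN strings are constructed from the openssl-style output quoted in the post (shortened), and the function names are hypothetical.

```python
import ipaddress

# Constructed samples in the "openssl x509 -text" SAN notation used in the post.
ORIGIN_SAN = ("DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, "
              "IP Address:1.1.1.1, IP Address:1.0.0.1, "
              "IP Address:2606:4700:4700:0:0:0:0:1001")
BUMPED_SAN = "DNS:1.1.1.1"


def parse_san(text):
    """Split an openssl-style SAN line into (type, value) pairs."""
    entries = []
    for item in text.split(","):
        item = item.strip()
        if item:
            # Split on the first colon only: IPv6 values contain colons too.
            kind, _, value = item.partition(":")
            entries.append((kind.strip(), value.strip()))
    return entries


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host


def san_matches(host, san_entries):
    """Match a requested host against SAN entries the way a strict client does."""
    if is_ip_literal(host):
        wanted = ipaddress.ip_address(host.strip("[]"))
        for kind, value in san_entries:
            if kind != "IP Address":
                continue  # dNSName entries are never used for an IP-literal host
            try:
                if ipaddress.ip_address(value) == wanted:
                    return True
            except ValueError:
                continue
        return False
    return any(kind == "DNS" and dns_name_matches(value, host)
               for kind, value in san_entries)


def ip_literals_in_dns_entries(san_entries):
    """Audit helper: dNSName entries that are really IP addresses."""
    return [value for kind, value in san_entries
            if kind == "DNS" and is_ip_literal(value)]


if __name__ == "__main__":
    for label, san in (("origin", ORIGIN_SAN), ("bumped", BUMPED_SAN)):
        entries = parse_san(san)
        print(label, "matches 1.1.1.1:", san_matches("1.1.1.1", entries),
              "| misplaced:", ip_literals_in_dns_entries(entries))
```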


Re: [squid-users] chromium based browsers don't play a video, when sslbump is enabled

2021-01-20 Thread Dieter Bloms
Hello Eliezer,

I've tested with chrome 87.0.4280.141 and Edge 87.0.664.75.

On Wed, Jan 20, Eliezer Croitoru wrote:

> It's not clear if only Chromium or also a simple Chrome.
> 
> Thanks,
> Eliezer
> 
> 
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com
> Zoom: Coming soon
> 
> 
> -Original Message-
> From: squid-users  On Behalf Of Dieter Bloms
> Sent: Wednesday, January 20, 2021 1:26 PM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] chromium based browsers don't play a video, when sslbump is enabled
> 
> Hello,
> 
> I use squid 4.13 with enabled sslbump.
> Chromium based browsers like chrome and edge don't play this video
> https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
> The firefox browser and the old internet explorer have no problems.
> 
> When I disable sslbumping for this destination the chromium based
> browsers work as well.
> 
> Here are some parts of my config:
> 
> --snip--
> http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
> sslcrtd_children 32 startup=10 idle=3
> tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
> tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1
> 
> acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"
> ssl_bump splice nobumping
> ssl_bump bump all
> --snip--
> 
> with wget or curl I can download the mp4 file in both cases (with and without 
> sslbump)
> 
> Can anybody try to view the video in a chromium based browser with enabled 
> sslbump ?
> 
> Thank you very much.
> 
> 
> -- 
> Regards
> 
>   Dieter
> 

-- 
Regards

  Dieter



[squid-users] chromium based browsers don't play a video, when sslbump is enabled

2021-01-20 Thread Dieter Bloms
Hello,

I use squid 4.13 with enabled sslbump.
Chromium based browsers like chrome and edge don't play this video
https://admin.wissen-ad.de/storage/TEST/Big_Buck_Bunny_1080_10s_30MB.mp4
The firefox browser and the old internet explorer have no problems.

When I disable sslbumping for this destination the chromium based
browsers work as well.

Here are some parts of my config:

--snip--
http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
tls_outgoing_options cipher=TLSv1.2:+aRSA:+SHA384:+SHA256:+DH:-kRSA:!PSK:!eNULL:!aNULL:!DSS:!AESCCM:!CAMELLIA:!ARIA:AES256-SHA:AES128-SHA:@SECLEVEL=1

acl nobumping dstdomain "/etc/squid/nohttpsscan.domains"
ssl_bump splice nobumping
ssl_bump bump all
--snip--

with wget or curl I can download the mp4 file in both cases (with and without 
sslbump)

Can anybody try to view the video in a chromium based browser with enabled 
sslbump ?

Thank you very much.


-- 
Regards

  Dieter



Re: [squid-users] Incomplete Certificate Chain for wiki.squid-cache.org

2021-01-14 Thread Dieter Bloms
Hello Amos,

On Thu, Jan 14, Amos Jeffries wrote:

> On 13/01/21 11:27 pm, Dieter Bloms wrote:
> > Hello,
> > 
> > the wiki of squid cache project (wiki.squid-cache.org) has an incomplete
> > certificate chain.
> > I can't access the website with enabled sslbump and tlsv1.3 support,
> > because squid isn't able to download the missing intermediate
> > certificate on its own.
> 
> What version of Squid are you using?

we use squid 4.13 and it works for tls version <1.3
 
> These certificates generated by LetsEncrypt use the AIA mechanism which
> latest Squid versions should be downloading intermediate certs as-needed.

but for tls1.3 it doesn't work, because the certificate is encrypted.
Please have a look at the bugreport 
https://bugs.squid-cache.org/show_bug.cgi?id=5067


-- 
Regards

  Dieter



[squid-users] Incomplete Certificate Chain for wiki.squid-cache.org

2021-01-13 Thread Dieter Bloms
Hello,

the wiki of squid cache project (wiki.squid-cache.org) has an incomplete
certificate chain.
I can't access the website with enabled sslbump and tlsv1.3 support,
because squid isn't able to download the missing intermediate
certificate on its own.

The administrator of that website should add the intermediate
certificate.

More infos can be seen here: 
https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid%2dcache.org


-- 
Regards

  Dieter Bloms



Re: [squid-users] squid doesn't fetch the intermediate certificate for some sites

2020-07-21 Thread Dieter Bloms
Hello Matus,

thank you for your answer.

On Tue, Jul 21, Matus UHLAR - fantomas wrote:

> On 21.07.20 09:41, Dieter Bloms wrote:
> > we use the sslbump feature and it works very well.
> > But some sites can't be reached because of missing intermediate
> > certificate.
> > 
> > In squid.conf we have configured the following parameters:
> > 
> > --snip--
> > # allow fetching of missing intermediate certificates
> > acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> > http_access allow fetch_intermediate_certificate
> > cache allow fetch_intermediate_certificate
> > cache deny all
> > --snip--
> > 
> > and fetching the intermediate certificate works for sites like: 
> > https://incomplete-chain.badssl.com/
> > 
> > but for some sites like https://mycase.cloudapps.cisco.com/
> > squid doesn't fetch the intermediate certificate and returns 
> > X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
> > 
> > In my eyes the certificate of mycase.cloudapps.cisco.com contains an AiA
> > record.
> > 
> > output of openssl on certificate of mycase.cloudapps.cisco.com
> > --snip--
> > Authority Information Access:
> > CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
> > OCSP - URI:http://ocsp.quovadisglobal.com
> > --snip--
> > 
> > so does anybody see what's the reason, why squid doesn't download the
> > intermediate certificate for mycase.cloudapps.cisco.com ?
> 
> squid can't download certificates other than the website provides.

that's not true:

from site: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
"Squid-4 is capable of downloading missing intermediate CA certificates,
like popular browsers do."

> if a website does not provide valid certificate chain, it's up to the client
> to produce an error. With browser, you can allow the certificate explicitly.

with sslbump the browser doesn't see the origin webserver certificate,
but sees the squid created one.

> It is also possible that browser has the intermediate certificate
> remembered.

as I already wrote, we use sslbump.

> testing certificate for mycase.cloudapps.cisco.com shows only one
> certificate I can see:
> 
> Certificate chain
> 0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = mycase.cloudapps.cisco.com
>   i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
> 
> the HydrantID SSL ICA G2 certificate seems to be missing here.
> 
> 
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I wish NOT to receive any advertising mail at this address.
> Windows 2000: 640 MB ought to be enough for anybody

-- 
Regards

  Dieter



[squid-users] squid doesn't fetch the intermediate certificate for some sites

2020-07-21 Thread Dieter Bloms
Hello,

we use the sslbump feature and it works very well.
But some sites can't be reached because of missing intermediate
certificate.

In squid.conf we have configured the following parameters:

--snip--
# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate
cache deny all
--snip--

and fetching the intermediate certificate works for sites like: 
https://incomplete-chain.badssl.com/

but for some sites like https://mycase.cloudapps.cisco.com/
squid doesn't fetch the intermediate certificate and returns 
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

In my eyes the certificate of mycase.cloudapps.cisco.com contains an AiA
record.

output of openssl on certificate of mycase.cloudapps.cisco.com
--snip--
Authority Information Access: 
CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
OCSP - URI:http://ocsp.quovadisglobal.com
--snip--

so does anybody see what's the reason, why squid doesn't download the
intermediate certificate for mycase.cloudapps.cisco.com ?


-- 
Regards

  Dieter Bloms



[squid-users] print errormessage (like %E in ERR_* pages) in squid logfile ?

2020-06-17 Thread Dieter Bloms
Hello,

more and more clients aren't browsers but are programs, which call a
REST API through our squid proxy.

Those clients aren't able to show the errorpage (ERR_*) from proxy in
case the request wasn't successful for any reason.

I added %err_code and %err_detail, but %err_detail is filled with "-" sign all
the time in the logfiles.

For example:
If the connection to a webserver fails %err_code is filled with
ERR_CONNECT_FAIL, but %err_detail is filled with "-" instead of the message
"(110) Connection timed out"

Is it possible to log the error message like %E in the error pages ?

Thank you very much.


-- 
Regards

  Dieter



[squid-users] get no content for https://wiki.squid-cache.org/SquidFaq/SquidLogs

2020-06-16 Thread Dieter Bloms
Hello,

I get no content for https://wiki.squid-cache.org/SquidFaq/SquidLogs.
I get 504 Gateway Timeout:

--snip--
Gateway Timeout
The gateway did not receive a timely response from the upstream server or application.

Apache/2.4.18 (Ubuntu) Server at wiki.squid-cache.org Port 443
--snip--


-- 
Regards

  Dieter Bloms



Re: [squid-users] sometimes intermediate certificates were not downloaded when using sslbump

2020-04-08 Thread Dieter Bloms
Hello Louis,

thank you for your answer.

It is not my webserver. I am a user who wants to connect to the webserver.
I know that the certificate chain is incomplete.
As far as I know squid should be able to fetch the missing intermediate
certificates on its own with the help of Authority Information Access (AIA)
to get the complete list.
So squid should be able to verify the server certificate even if the
webserver doesn't deliver the intermediate certificates.

On Wed, Apr 08, L.P.H. van Belle wrote:

> This is a simple one. 
> 
> The certificate chain of that website is incorrect. 
> As shown here : 
> https://www.ssllabs.com/ssltest/analyze.html?d=www.formulare%2dbfinv.de
>  
> 
> Check your webserver first and correct your ciphers in your apache webserver. 
> 
> Greetz, 
> 
> Louis
>  
> 
> > -Original message-
> > From: squid-users 
> > [mailto:squid-users-boun...@lists.squid-cache.org] On behalf of Dieter Bloms
> > Sent: Wednesday, 8 April 2020 13:37
> > To: squid-users@lists.squid-cache.org
> > Subject: [squid-users] sometimes intermediate certificates 
> > were not downloaded when using sslbump
> > 
> > Hello,
> > 
> > I use a self compiled squid 4.10 compiled as follows:
> > 
> > ~# squid --version
> > Squid Cache: Version 4.10
> > Service Name: squid
> > 
> > This binary uses OpenSSL 1.1.1d  10 Sep 2019. For legal 
> > restrictions on distribution see 
> > https://www.openssl.org/source/license.html
> > 
> > configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' 
> > '--bindir=/usr/sbin' '--sbindir=/usr/sbin' 
> > '--localstatedir=/var' '--libexecdir=/usr/sbin' 
> > '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
> > '--with-default-user=squid' '--with-filedescriptors=131072' 
> > '--with-logdir=/var/log/squid' '--disable-auto-locale' 
> > '--disable-auth-negotiate' '--disable-auth-ntlm' 
> > '--disable-eui' '--disable-carp' '--disable-htcp' 
> > '--disable-ident-lookups' '--disable-loadable-modules' 
> > '--disable-translation' '--disable-wccp' '--disable-wccpv2' 
> > '--enable-async-io=128' '--enable-auth' 
> > '--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP 
> > file' '--enable-epoll' '--enable-log-daemon-helpers=file' 
> > '--enable-icap-client' '--enable-inline' '--enable-snmp' 
> > '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
> > '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' 
> > '--enable-useragent-log' '--enable-large-cache-files' 
> > '--enable-removal-policies=lru,heap' 
> > '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl'
> > 
> > in squid.conf I set following acl at the very beginning of acl section:
> > 
> > # allow fetching of missing intermediate certificates
> > acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> > cache allow fetch_intermediate_certificate
> > cache deny all
> > http_access allow fetch_intermediate_certificate
> > 
> > and squid fetches intermediate certificates for websites 
> > like: https://incomplete-chain.badssl.com/
> > But squid doesn't fetch the intermediate certificates for the 
> > site https://www.formulare-bfinv.de/
> > and I don't know why.
> > 
> > I checked all AiA entries in the certificates and it looks good to me.
> > 
> > Can anybody try the site https://www.formulare-bfinv.de/ with 
> > enabled sslbump,
> > so I can see whether my installation is broken or the 
> > webserver configuration isn't correct ?
> > 
> > Thank you very much.
> > 
> > -- 
> > Best regards
> > 
> >   Dieter Bloms
> > 
> > 
> 

-- 
Regards

  Dieter



[squid-users] sometimes intermediate certificates were not downloaded when using sslbump

2020-04-08 Thread Dieter Bloms
Hello,

I use a self compiled squid 4.10 compiled as follows:

~# squid --version
Squid Cache: Version 4.10
Service Name: squid

This binary uses OpenSSL 1.1.1d  10 Sep 2019. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' 
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' 
'--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
'--with-default-user=squid' '--with-filedescriptors=131072' 
'--with-logdir=/var/log/squid' '--disable-auto-locale' 
'--disable-auth-negotiate' '--disable-auth-ntlm' '--disable-eui' 
'--disable-carp' '--disable-htcp' '--disable-ident-lookups' 
'--disable-loadable-modules' '--disable-translation' '--disable-wccp' 
'--disable-wccpv2' '--enable-async-io=128' '--enable-auth' 
'--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP file' 
'--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' 
'--enable-inline' '--enable-snmp' 
'--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
'--enable-storeio=ufs,aufs,rock' '--enable-referer-log' 
'--enable-useragent-log' '--enable-large-cache-files' 
'--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' 
'--enable-ssl-crtd' '--with-openssl'

in squid.conf I set following acl at the very beginning of acl section:

# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
cache allow fetch_intermediate_certificate
cache deny all
http_access allow fetch_intermediate_certificate

and squid fetches intermediate certificates for websites like: 
https://incomplete-chain.badssl.com/
But squid doesn't fetch the intermediate certificates for the site 
https://www.formulare-bfinv.de/
and I don't know why.

I checked all AiA entries in the certificates and it looks good to me.

Can anybody try the site https://www.formulare-bfinv.de/ with enabled sslbump,
so I can see whether my installation is broken or the webserver configuration 
isn't correct ?

Thank you very much.

-- 
Best regards

  Dieter Bloms

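The AIA check described in the 2020-07-21 and 2020-04-08 posts above, as an added example that is not part of either post or of Squid: a standard-library DER walker that lists a certificate's AIA entries and separates the caIssuers URL (the only one useful for completing a chain) from the OCSP URL. The sample is a constructed, certificate-shaped skeleton carrying the two URLs quoted in the 2020-07-21 post; all function names are made up for this example.

```python
"""List the Authority Information Access (AIA) URLs of a certificate (DER or PEM)."""
import ssl
import sys

AIA_OID = bytes.fromhex("2b06010505070101")     # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2
OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1
METHODS = {CA_ISSUERS: "CA Issuers", OCSP: "OCSP"}
SEQUENCE, OID, OCTET_STRING, URI = 0x30, 0x06, 0x04, 0x86

def read_tlv(buf, pos):
    """Decode one DER element at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def find_aia(der):
    """Return the extnValue of the AIA extension, or None if the certificate has none."""
    stack = [der]
    while stack:
        for tag, val in children(stack.pop()):
            if not tag & 0x20:           # primitive element: nothing nested to walk
                continue
            if tag == SEQUENCE:
                kids = children(val)
                # Extension ::= SEQUENCE { extnID, [critical], extnValue OCTET STRING }
                if kids and kids[0] == (OID, AIA_OID) and kids[-1][0] == OCTET_STRING:
                    return kids[-1][1]
            stack.append(val)
    return None

def aia_urls(der):
    """Return [(method, url), ...] for every URI access location in the AIA extension."""
    ext = find_aia(der)
    if ext is None:
        return []
    _, descriptions, _ = read_tlv(ext, 0)        # AuthorityInfoAccessSyntax
    found = []
    for _, desc in children(descriptions):
        kids = children(desc)                    # { accessMethod OID, accessLocation }
        if len(kids) == 2 and kids[0][0] == OID and kids[1][0] == URI:
            found.append((METHODS.get(kids[0][1], "other"),
                          kids[1][1].decode("ascii", "replace")))
    return found

def ca_issuer_urls(der):
    """Only caIssuers URLs help to complete a chain; OCSP URLs are for revocation."""
    return [url for method, url in aia_urls(der) if method == "CA Issuers"]

def tlv(tag, *parts):
    """Minimal DER encoder, used only to build the constructed sample below."""
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

# Constructed sample: a certificate-shaped skeleton (no subject, key or signature)
# carrying the two AIA entries quoted in the post.
SAMPLE = tlv(SEQUENCE, tlv(SEQUENCE, tlv(0xA3, tlv(SEQUENCE, tlv(
    SEQUENCE,
    tlv(OID, AIA_OID),
    tlv(OCTET_STRING, tlv(
        SEQUENCE,
        tlv(SEQUENCE, tlv(OID, CA_ISSUERS), tlv(URI, b"http://trust.quovadisglobal.com/hydsslg2.crt")),
        tlv(SEQUENCE, tlv(OID, OCSP), tlv(URI, b"http://ocsp.quovadisglobal.com")),
    )),
)))))

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read()
    if raw.lstrip().startswith(b"-----BEGIN"):
        raw = ssl.PEM_cert_to_DER_cert(raw.decode("ascii").strip())
    for method, url in aia_urls(raw):
        print(f"{method}: {url}")
```

Run it with the path of a saved leaf certificate (PEM or DER) as the only argument. An empty CA Issuers list means the certificate names no URL from which a missing intermediate could be downloaded.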


[squid-users] sslbump with pkcs11 possible ?

2020-02-12 Thread Dieter Bloms
Hello,

I have a working setup with openssl, which use softhsm as pkcs11
backend.
I can sign csr requests with openssl command line tool.

Now I want to use this mechanism for squid ssl-bump.

Is it possible to use the pkcs11 mechanism with squid and openssl ?
I tried something like:

http_port MYIP:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cacert.pem key=pkcs11:id=10 tls-dh=/etc/squid/dhparams.pem

but squid claims:

--snip--
2020/02/12 13:50:35| Initializing https:// proxy context
2020/02/12 13:50:35| Initializing http_port MYIP:3128 TLS contexts
2020/02/12 13:50:35| Using certificate in /etc/squid/cacert.pem
2020/02/12 13:50:35| Using certificate chain in /etc/squid/cacert.pem
2020/02/12 13:50:35| Adding issuer CA: /CN=dietershttpsca
2020/02/12 13:50:35| Using key in pkcs11:id=10
2020/02/12 13:50:35| WARNING: 'HTTP_port MYIP:3128' missing private key in 'pkcs11:id=10'
2020/02/12 13:50:35| storeDirWriteCleanLogs: Starting...
2020/02/12 13:50:35|   Finished.  Wrote 0 entries.
2020/02/12 13:50:35|   Took 0.00 seconds (  0.00 entries/sec).
2020/02/12 13:50:35| FATAL: No valid signing certificate configured for HTTP_port MYIP:3128
2020/02/12 13:50:35| Squid Cache (Version 4.10): Terminated abnormally.
CPU Usage: 0.816 seconds = 0.812 user + 0.004 sys
Maximum Resident Size: 42240 KB
Page faults with physical i/o: 0
--snip--

does anybody know, whether squid supports it and if yes how to configure it ?


-- 
regards

  Dieter



[squid-users] sslbump with squid 4.9 and websockets doesn't work

2020-01-16 Thread Dieter Bloms
Hello,

I use squid 4.9 with enabled sslbump and it works great for the most
websites.

There are some websites, which use websockets like web.whatsapp.com
and can not be reached with enabled sslbump.
When I exclude this destination from sslbump, I get the qrcode, which
can be scanned with the smartphone.
But if I've enabled sslbump, the qrcode doesn't appear and the browser
seems to hang.

The Debugging window of my chrome browser reports stalled access to the uri
wss://web.whatsapp.com/ws

Does anybody know how to enable wss support in squid, so the website can
be reached even if sslbump is enabled ?

I know, that I can disable sslbump for this site, but there are more and
more sites, which use websockets wss://
So I want to use a generic solution, without putting them one by one in
a list.

Thank you very much.


-- 
Regards

  Dieter



Re: [squid-users] AIA fetching in squid

2019-02-06 Thread Dieter Bloms
Hello,

On Wed, Feb 06, Yann Girardin wrote:

> I am using ssl bump and it works fine for a lot of SSL sites, but some of
> those are misconfigured and squid won't succeed to get the correct
> certificate, and gives me the following error :
> SEC_ERROR_UNKNOWN_ISSUER
> 
> Looking on the internet I understand that this is a SSL server
> misconfiguration, but I know that some browsers like safari, and chrome
> are implementing the AIA fetching to get the missing certificates
> using the information stored in the authority information access of the
> certificate.
> 
> Is there a way to activate this AIA fetching in squid or do i have to
> implement it myself using a helper with the sslcrtvalidator_program ?

I've added these few lines:

--snip--
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate
cache deny all
--snip--


-- 
Regards

  Dieter



[squid-users] can't access https://www.finanzamt.bayern.de/ with sslbump (other sites works well)

2019-01-08 Thread Dieter Bloms
Hello,

I've compiled squid 4.5 with openssl1.1 as shipped with debian9.
Sslbump works fine for all sites, but I can't access only one site
https://www.finanzamt.bayern.de/
and don't know the reason.
Ssllabs gives "A".
Here are the squid compile options:

--snip--
Squid Cache: Version 4.5
Service Name: squid

This binary uses OpenSSL 1.1.0j  20 Nov 2018. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-linux-gnu' '--includedir=${prefix}/include' 
'--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' 
'--sysconfdir=/etc' '--libexecdir=${prefix}/lib/dv-squid4' '--srcdir=.' 
'--disable-maintainer-mode' '--disable-dependency-tracking' 
'--disable-silent-rules' '--prefix=/usr' '--sysconfdir=/etc/squid' 
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' 
'--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
'--with-default-user=squid' '--with-filedescriptors=65536' 
'--disable-auto-locale' '--disable-auth-negotiate' '--disable-auth-ntlm' 
'--disable-eui' '--disable-carp' '--disable-htcp' '--disable-ident-lookups' 
'--disable-loadable-modules' '--disable-translation' '--disable-wccp' 
'--disable-wccpv2' '--enable-async-io=128' '--enable-auth' 
'--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP file' 
'--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' 
'--enable-inline' '--enable-snmp' 
'--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
'--enable-storeio=ufs,aufs,rock' '--enable-referer-log' 
'--enable-useragent-log' '--enable-large-cache-files' 
'--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' 
'--enable-ssl-crtd' '--with-openssl' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g 
-O2 -fdebug-prefix-map=/usr/src/packages/BUILD=. -fstack-protector-strong 
-Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 
-fdebug-prefix-map=/usr/src/packages/BUILD=. -fstack-protector-strong -Wformat 
-Werror=format-security' --enable-ltdl-convenience
--snip--

The access.log looks like:

--snip--
1546962078.461   4726 x.x.x.x NONE/200 0 CONNECT www.finanzamt.bayern.de:443 - HIER_DIRECT/193.34.207.31 -
1546962078.472  0 x.x.x.x NONE/500 8495 GET https://www.finanzamt.bayern.de/ - HIER_NONE/- text/html
--snip--

no entries in cache.log

Can anybody try this site to see whether it is my local installation, or the
webserver ?

Thank you very much.


-- 
Regards

  Dieter



[squid-users] Support for DistributionPoints in the dynamic creates certificate via sslbump

2018-10-12 Thread Dieter Bloms
Hello,

we use the sslbump feature of squid, and it works very well.
One of our http clients expects a CRL distribution point in the dynamically
generated certificate.
I've setup a http server, which delivers this crl list, but don't know
how to configure squid to set this distribution point in every
dynamically generated certificate.

Does anybody know whether squid support this feature ?

Thank you very much.


-- 
Regards

  Dieter



[squid-users] squid 4.1 works great ;)

2018-07-11 Thread Dieter Bloms
Hi,

I run squid4.1 for several days in production and have to say it works
pretty good.
It is stable and it downloads the missing intermediate certificates
automatically.

Great work!

Thank you very much for this version.


-- 
Regards

  Dieter



Re: [squid-users] can squid use dns server on random port(non-53)?

2018-06-26 Thread Dieter Bloms
Hello,

On Tue, Jun 26, Gordon Hsiao wrote:

> checked the manual it seems I can only set dnsserver with a new IP, is it
> possible to make squid support non-standard DNS port, e.g. 5353?

maybe you can use a dns resolver like unbound, dnscache, dnsmasq, 
which can be configured to listen on localhost port 53, so only squid can
access it via localhost and no other servers.
These dns resolvers can be configured to use a non standard port like
5353 for the destination dns servers.

But in the past I've never seen a dns server listening on port 5353, so
maybe the setup is a little broken.


-- 
Regards

  Dieter



Re: [squid-users] native ftp and proxy authentication

2017-12-16 Thread Dieter Bloms
Hello Alex,

thank you for your answer!

On Fri, Dec 15, Alex Rousskov wrote:

> On 12/15/2017 03:53 AM, Dieter Bloms wrote:
> 
> > I use the native ftp support of squid-4.0.22 and it works well without proxy
> > authentication.
> 
> > I want to enable the proxy authentication, but don't know how to login
> > to the proxy with the native ftp client.
> 
> Does your native FTP client support FTP proxy authentication?

No it doesn't.
So it would be nice to have a solution, which works with every ftp
client.
I think about an option in squid.conf where I can configure the login
schema, like proxyuser@ftpuser@ftpserver for the user login and
proxypass@ftppass for the password.

> > Without proxy authentication the string ftpuser@ftpserver works fine.
> > When I enable proxy-authentication, then I have to enter the proxy
> > credentials, but don't know how to do it.
> 
> "How to give FTP client credentials for proxy authentication" seems like
> a question for your FTP client support forum, not squid-users. We do not
> even know what FTP client you use. Did I misunderstand the question?

I want a generic solution, so that every ftp client can use the ftp proxy
support of squid.
At the moment I have to use a commercial ftp client which doesn't
have any proxy option.

> > I tried "proxyuser@ftpuser@ftpserver" for username, but it doesn't work.
> 
> IIRC, proxyuser@ftpuser@ftpserver tells Squid to go to ftpserver using
> proxyuser@ftpuser as the user name/login.

Yes, and it would be nice to configure squid, so squid extracts the proxy
authentication from this string.

> > Is there any support for native ftp protocol and proxy authentication ?
> 
> I doubt there is native FTP proxy authentication support in Squid, but
> to be sure, it would be great to know how that works from the FTP client
> point of view. In other words, when an FTP client supports FTP proxy
> authentication, what does it send to the FTP proxy (i.e., to Squid)?

It doesn't have proxy support, it only sends the USER and PASS string.



-- 
Regards

  Dieter



[squid-users] native ftp and proxy authentication

2017-12-15 Thread Dieter Bloms
Hello,

I use the native ftp support of squid-4.0.22 and it works well without proxy
authentication.
I want to enable the proxy authentication, but don't know how to login
to the proxy with the native ftp client.

Without proxy authentication the string ftpuser@ftpserver works fine.
When I enable proxy-authentication, then I have to enter the proxy
credentials, but don't know how to do it.
I tried "proxyuser@ftpuser@ftpserver" for username, but it doesn't work.

Is there any support for native ftp protocol and proxy authentication ?


-- 
Regards

  Dieter



[squid-users] get many logentries "ACL is used in context without an ALE state. Assuming mismatch" after upgrade from 3.5 to 4.0.21 when using external helper

2017-09-14 Thread Dieter Bloms
Hello,

I used external helper with squid 3.5.xx several years without any
problem.
Now I tried to upgrade to squid 4.0.21 and squid seems to work fine, but
I get many logentries like:

--snip--
2017/09/14 07:43:12 kid3| WARNING: blockhostsdomain ACL is used in context without an ALE state. Assuming mismatch.
2017/09/14 07:43:12 kid3| WARNING: blockhostsip ACL is used in context without an ALE state. Assuming mismatch.
2017/09/14 07:44:12 kid4| WARNING: blockhostsdomain ACL is used in context without an ALE state. Assuming mismatch.
2017/09/14 07:44:12 kid4| WARNING: blockhostsip ACL is used in context without an ALE state. Assuming mismatch.
--snip--

when I switched the acls to a file list, the warnings are gone.

my acls for external helpers look like:

external_acl_type blockhostiptype ttl=3600 negative_ttl=3600 grace=50 children-max=10 children-startup=2 %DST /usr/bin/dnsbl-ip.pl bl
acl blockhostsip external blockhostiptype
external_acl_type blockhostdomaintype ttl=3600 negative_ttl=3600 grace=50 children-max=10 children-startup=2 %DST /usr/bin/dnsbl.pl dbl
acl blockhostsdomain external blockhostdomaintype

when I replaced the above lines with these two, the warnings are gone:

acl blockhostsip dst "/etc/squid/blockhosts.ips"
acl blockhostsdomain dstdomain "/etc/squid/blockhosts.domains"

but I want to use the external helpers, because the lists were updated
many times a day and a reconfigure of squid has an impact of 2-3 seconds.

As I said before, squid works fine and checks the acls, but I get many
warnings in the cache.log and don't know the cause of it.


-- 
Regards

  Dieter

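How a helper behind external_acl_type lines like those in the post above talks to Squid, as an added example (not the poster's dnsbl.pl and not Squid project code): Squid writes one %DST value per line, and the helper answers OK (listed, so the ACL matches), ERR (not listed) or BH (lookup failed). The zone name dnsbl.example, the convention that a 127.0.0.0/8 answer means "listed" and all function names are assumptions; no channel ID is parsed because the posted lines set no concurrency= option.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: reply OK when the %DST value is listed in a DNSBL zone."""
import ipaddress
import re
import socket
import sys

# Plain DNS names only: labels of 1-63 characters, at most 253 characters overall.
HOSTNAME = re.compile(r"^(?=.{1,253}$)[a-z0-9_-]{1,63}(\.[a-z0-9_-]{1,63})*$")
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def query_name(dst, zone):
    """Map a %DST value (IP address or host name) to the name looked up in the zone."""
    dst = dst.strip().strip("[]").rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        # Host name: refuse anything that is not a plain DNS name before querying.
        return f"{dst}.{zone}" if HOSTNAME.match(dst) else None
    # IP address: reversed octets (nibbles for IPv6) in front of the zone.
    return ip.reverse_pointer.rsplit(".", 2)[0] + "." + zone


def is_listed(name, resolve=socket.gethostbyname):
    """True when the zone answers with a 127.0.0.0/8 address, False when no record exists."""
    try:
        return resolve(name).startswith("127.")
    except socket.gaierror as err:
        if err.errno in NOT_FOUND:
            return False
        raise                      # timeout or server failure: the caller reports BH


def answer(line, zone, resolve=socket.gethostbyname):
    """Return the helper reply for one request line: OK, ERR or BH."""
    name = query_name(line, zone)
    if name is None:
        return "ERR"
    try:
        return "OK" if is_listed(name, resolve) else "ERR"
    except OSError:
        return "BH"


def main(zone):
    for line in sys.stdin:
        # One reply per request line, flushed at once: a buffered reply stalls Squid.
        print(answer(line, zone), flush=True)


if __name__ == "__main__":
    # dnsbl.example is a placeholder zone (assumption), overridden by the first argument.
    main(sys.argv[1] if len(sys.argv) > 1 else "dnsbl.example")
```

With ttl=3600 and negative_ttl=3600 as in the posted lines, Squid caches an OK or ERR reply for an hour, so a changed list entry takes effect without a reconfigure but only after the cached reply expires.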


[squid-users] customize timeformat in error pages

2017-06-20 Thread Dieter Bloms
Hello,

I want to customize the time format for %t in my error pages.
For the logfiles it is in strftime format like %{%d.%m:%Y %H:%M:%S}tl,
but when I put it in my error page templates like %{%d.%m:%Y %H:%M:%S}t,
squid doesn't consider it.
Is there any way to define the timeformat for %t in the error pages ?

Thank you very much!

-- 
Regards

  Dieter



Re: [squid-users] Huge amount of time_wait connections after upgrade from v2 to v3

2017-06-07 Thread Dieter Bloms
Hi Ivan,

On Tue, Jun 06, Ivan Larionov wrote:

> We recently updated from squid v2 to v3 and now see huge increase in
> connections in TIME_WAIT state on our squid servers (verified that this is
> clients connections).

I can confirm that since 3.5.22 to our ICAP scanners.
with 3.5.21 we had no problems on SLES11 SP4 operating system.
We did some tests with RHEL7 and we had much less TIME_WAIT.
Do you use an older operating system ?


-- 
Regards

  Dieter



Re: [squid-users] custom error pages with stylesheets doesn't work for me

2017-05-19 Thread Dieter Bloms
Hello Alex,

On Thu, May 18, Alex Rousskov wrote:

> On 05/18/2017 03:17 AM, Dieter Bloms wrote:
> 
> > I wrote some custom error pages and activated style sheets in the header of 
> > the error pages like:
> > 
> > 
> > %l
> > 
> > 
> > In the squid.conf file I set err_page_stylesheet to my stylesheet file and 
> > I restarted squid.
> > My expectation was, that the content of this style sheet file will be 
> > included in the error page at the %l position.
> 
> Your expectation was correct.
> 
> 
> > But the place between  and  is empty.
> > Does anybody know how can I insert the content of the style sheet file to 
> > the error pages?
> 
> The steps you described above appear correct to me. Did you check for
> errors in cache.log when starting Squid? Squid should complain if it
> cannot load err_page_stylesheet but, unfortunately, Squid thinks that
> you do not really care much about style and keeps running despite any
> loading failures.
> 
> Temporary renaming the stylesheet file (so that Squid cannot load it)
> will help you test whether you are looking for errors in the right place.

thank you for the hint.
Squid had no read permission to this file. After setting the right permissions
it worked.
But there was _no_ error message in the cache log file.
I found the wrong permission with the help of strace command.
It would be nice, if squid dropped a note, that it can't read the file.


-- 
Regards

  Dieter



[squid-users] custom error pages with stylesheets doesn't work for me

2017-05-18 Thread Dieter Bloms
Hello,

I use squid 3.5.25 compiled with following options:

Squid Cache: Version 3.5.25
Service Name: squid
configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' 
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' 
'--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
'--with-default-user=squid' '--with-filedescriptors=24576' 
'--disable-auto-locale' '--disable-auth-negotiate' '--disable-auth-ntlm' 
'--disable-eui' '--disable-carp' '--disable-htcp' '--disable-ident-lookups' 
'--disable-loadable-modules' '--disable-translation' '--disable-wccp' 
'--disable-wccpv2' '--enable-async-io=128' '--enable-auth' 
'--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP file' 
'--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' 
'--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' 
'--enable-storeio=aufs,rock' '--enable-referer-log' '--enable-useragent-log' 
'--enable-large-cache-files' '--enable-removal-policies=lru,heap' 
'--enable-external-acl-helpers=session' '--enable-follow-x-forwarded-for' 
'--enable-ssl-crtd' '--disable-strict-error-checking' 
'--with-openssl=/opt/dv-openssl1' 'CFLAGS= -O2 -fPIE -fPIC 
-DSQUID_USE_SSLGETCERTIFICATE_HACK=1' 'LDFLAGS= -fPIC -pie' 'CPPFLAGS= -O2 
-fPIE -fPIC -DSQUID_USE_SSLGETCERTIFICATE_HACK=1'

I wrote some custom error pages and activated style sheets in the header of the 
error pages like:


%l


In the squid.conf file I set err_page_stylesheet to my stylesheet file and I 
restarted squid.
My expectation was, that the content of this style sheet file will be included 
in the error page at the %l position.
But the place between  and  is empty.

Does anybody know how can I insert the content of the style sheet file to the 
error pages ?


-- 
Regards

  Dieter



[squid-users] assertion failed: client_side.cc:819: "areAllContextsForThisConnection()" after upgrade from 3.5.8 to 3.5.11

2015-12-02 Thread Dieter Bloms
Hello,

I did an upgrade from 3.5.8 to 3.5.11 and now sometimes I get the
message:

assertion failed: client_side.cc:819: "areAllContextsForThisConnection()"

in cache.log and squid dies.

Is this a known problem or shall I create a bugreport ?


-- 
Regards

  Dieter



Re: [squid-users] Squid3 Support for TLS 1.1 and TLS 1.2

2015-11-06 Thread Dieter Bloms
Hi,

On Fri, Nov 06, Fullyrealized LLC wrote:

> I have been trying to bolster my pfsense systems and found one
> difficulty with squid3. I can't figure out how to allow for support of
> tls 1.1 and 1.2. It supports tls 1 of course but the new reports from
> qualys give a "C" for such. I am wondering if there is a way to add
> support for the newer TLS 1.1 and 1.2 to Squid3 reverse proxy. Can
> anyone help?

it depends on your openssl version.
If you use an old 0.9.x version, tls1.1 and above are not supported.
You have to use openssl 1.x.x to get support for it.

-- 
regards

  Dieter



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-26 Thread Dieter Bloms
Hello Marcus,

On Thu, Sep 17, Marcus Kool wrote:

> I just tried accessing https://banking.postbank.de/
> using Squid 3.5.8 and Chrome.
> I also got the ERR_CONNECTION_CLOSED error.

thank you for testing, so I think the fault is not my config.
May it be a bug in squid or openssl, or maybe the webserver ?

> Then I changed the Squid configuration and added ".postbank.de" in our list 
> of banks (acl tls_server_is_bank) to prevent bumping.

...

> And tried to access https://banking.postbank.de again from Chrome and the 
> site works normal.

ok, without sslbump the website works for me, but what is the reason that
sslbump to this site doesn't work ?


-- 
Regards

  Dieter



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-17 Thread Dieter Bloms
Hello Amos,

thank you for your hints.

On Thu, Sep 17, Amos Jeffries wrote:

> > the relevant part is:
> > 
> > --snip--
> > acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
> > http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key 
> > generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
> 
> 
> Replace these...
> 
> > ssl_bump none nodecryptdomains
> > ssl_bump server-first all
> 
> ... with:
> 
>  acl nodecrypt ssl::server_name "/etc/squid/nodecrypt.domains"
>  acl step1 at_step SslBump1
>  ssl_bump peek step1
>  ssl_bump splice nodecrypt
>  ssl_bump bump all
> 
> Maybe also remove the nodecryptdomains ACL. Depends on whether you use
> it anywhere else.

I've changed my config, but same results.
SSLBump works so far, only the site banking.postbank.de makes trouble.
My chrome browser says "ERR_CONNECTION_CLOSED" and in the squid log
looks like:

--snip--
1442473894.771 49 10.252.16.100 TAG_NONE/200 0 CONNECT 
banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473894.832 49 10.252.16.100 TAG_NONE/200 0 CONNECT 
banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.074 48 10.252.16.100 TAG_NONE/200 0 CONNECT 
banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.134 47 10.252.16.100 TAG_NONE/200 0 CONNECT 
banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.193 45 10.252.16.100 TAG_NONE/200 0 CONNECT 
banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
--snip--


here the ssl relevant part of my squid.conf
--snip--
http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key 
generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
ssl_bump peek step1
ssl_bump bump all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2:NO_SSLv3:ALL
sslproxy_cipher 
ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
--snip--

so it would be nice, if anybody with enabled sslbump on squid3.5.8 can
do a GET Request to https://banking.postbank.de/ to see if that works.


-- 
Regards

  Dieter



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-16 Thread Dieter Bloms
Hello Antony,


On Wed, Sep 16, Antony Stone wrote:

> On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote:
> 
> > I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are
> > accessible via HTTPS and sslbump enable.
> > But I can't get any access to the destination
> > https://banking.postbank.de, which is accessible with 3.4.13.
> > I use the same config for both squid versions.
> 
> 1. What is that configuration (squid.conf without comments or blank lines, 
> please)?

the relevant part is:

--snip--
acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key 
generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
ssl_bump none nodecryptdomains
ssl_bump server-first all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2:NO_SSLv3:ALL
sslproxy_cipher  
ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_cert_error deny all
--snip--

the destination banking.postbank.de is not listed in the 
/etc/squid/nodecrypt.domains file

with squid-3.4.13 the logs look like:

--snip--
1442410263.639 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 7531 GET 
https://banking.postbank.de/rai/rai/image/pb-logo.png - 
HIER_DIRECT/62.153.105.15 image/png
1442410263.737 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 986 GET 
https://banking.postbank.de/rai/rai/css/image/rgn-sprite.png - 
HIER_DIRECT/62.153.105.15 image/png
1442410263.738 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1066 GET 
https://banking.postbank.de/rai/rai/css/image/fld-input.png - 
HIER_DIRECT/62.153.105.15 image/png
1442410263.739 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 4181 GET 
https://banking.postbank.de/rai/rai/css/image/rgn-noise.png - 
HIER_DIRECT/62.153.105.15 image/png
1442410263.751 33 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 27373 GET 
https://banking.postbank.de/rai/rai/css/type/pb_medium_cnd-webfont.woff - 
HIER_DIRECT/62.153.105.15 application/x-font-woff
1442410263.822 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1877 GET 
https://banking.postbank.de/rai/rai/css/image/aside-shadow.png - 
HIER_DIRECT/62.153.105.15 image/png
1442410263.823 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 8047 GET 
https://banking.postbank.de/rai/rai/css/image/action-links.png - 
HIER_DIRECT/62.153.105.15 image/png
--snip--

with squid 3.5.8 the logs look like:

--snip--
1442410295.266 32 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - 
HIER_DIRECT/62.153.105.15 -
1442410295.297 28 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - 
HIER_DIRECT/62.153.105.15 -
1442410295.328 29 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - 
HIER_DIRECT/62.153.105.15 -
1442410300.379 43 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - 
HIER_DIRECT/62.153.105.15 -
1442410300.420 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - 
HIER_DIRECT/62.153.105.15 -
1442410300.460 38 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - 
HIER_DIRECT/62.153.105.15 -
1442410300.500 37 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - 
HIER_DIRECT/62.153.105.15 -
1442410330.548 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - 
HIER_DIRECT/62.153.105.15 -
1442410330.590 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - 
HIER_DIRECT/62.153.105.15 -
1442410330.629 36 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - 
HIER_DIRECT/62.153.105.15 -
--snip--


> 2. What differences do you get in the log files between the two versions when 
> you try to access that site?
> 
> This information may give us something to go on in helping with your problem.
> 
> 
> Regards,
> 
> 
> Antony.
> 
> -- 
> "Black holes are where God divided by zero."
> 
>  - Steven Wright
> 
>Please reply to the list;
>  please *don't* CC me.

-- 
Regards

  Dieter

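The difference between the two log excerpts in the post above (decrypted GET https://... entries under 3.4.13, only zero-byte CONNECT entries under 3.5.8) can be checked for mechanically. The following is an added example, not part of the original post and not Squid code: it assumes the native access.log format with one entry per line, the function names are hypothetical, and the sample lines are constructed after the excerpts in this thread.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format. Client addresses,
# timings and the example.net/example.org hosts are made up; the first three
# lines follow the 3.5.8 excerpt quoted in the thread.
SAMPLE_LOG = """\
1442410295.266 32 192.0.2.10 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.297 28 192.0.2.10 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.328 29 192.0.2.10 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410296.100 41 192.0.2.10 TAG_NONE/200 0 CONNECT bumped.example.net:443 - HIER_DIRECT/198.51.100.7 -
1442410296.180 23 192.0.2.10 TCP_MISS/200 7531 GET https://bumped.example.net/logo.png - HIER_DIRECT/198.51.100.7 image/png
1442410297.002 950 192.0.2.11 TCP_TUNNEL/200 48211 CONNECT spliced.example.org:443 - HIER_DIRECT/203.0.113.9 -
this line is truncated
"""


def parse_line(line):
    """Parse one native-format access.log line; return None if it is malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        timestamp = float(fields[0])
        size = int(fields[4])
    except ValueError:
        return None
    tag, _, status = fields[3].partition("/")
    method, url = fields[5], fields[6]
    if method == "CONNECT":
        # CONNECT targets are logged as host:port (IPv6 literals in brackets).
        scheme = None
        host = url.rsplit(":", 1)[0].strip("[]")
    else:
        parts = urlsplit(url)
        scheme, host = parts.scheme, parts.hostname
    if not host:
        return None
    return {"time": timestamp, "client": fields[2], "tag": tag, "status": status,
            "size": size, "method": method, "scheme": scheme, "host": host.lower()}


def find_failed_bumps(log_text, min_connects=3):
    """Return (client, host, connects) tuples that look like failed bumps.

    Heuristic: at least min_connects CONNECT entries, every one of them with
    0 bytes, and not a single decrypted https:// request for the same client
    and host. A working bump logs https:// requests after the CONNECT, and a
    tunnelled connection logs a non-zero byte count on the CONNECT itself.
    """
    stats = defaultdict(lambda: {"connects": 0, "empty": 0, "decrypted": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        counters = stats[(entry["client"], entry["host"])]
        if entry["method"] == "CONNECT":
            counters["connects"] += 1
            if entry["size"] == 0:
                counters["empty"] += 1
        elif entry["scheme"] == "https":
            counters["decrypted"] += 1
    flagged = []
    for (client, host), c in sorted(stats.items()):
        if (c["connects"] >= min_connects and c["empty"] == c["connects"]
                and c["decrypted"] == 0):
            flagged.append((client, host, c["connects"]))
    return flagged


if __name__ == "__main__":
    for client, host, count in find_failed_bumps(SAMPLE_LOG):
        print(f"{client} -> {host}: {count} empty CONNECTs, nothing decrypted")
```

Hosts reported this way are candidates for a splice rule while the handshake failure is investigated; the heuristic does not say why the handshake failed.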


[squid-users] howto disable tls compression when using sslbump in squid-3.5.5 between squid and https webserver ?

2015-06-09 Thread Dieter Bloms
Hello,

I use squid 3.5.5 and use the sslbump feature.
When I activate sslbump, the browsertest on www.ssllabs.com
( https://www.ssllabs.com/ssltest/viewMyClient.html )
says TLS compression is activated and insecure.
I use openssl 1.0.1m on my proxyserver

I tried some settings like:

sslproxy_flags No_Compression

but squid claims FATAL: Unknown ssl flag 'No_Compression'.

Is it possible to disable TLS compression for the connection from squid
to the webserver when sslbump is used ?

Thank you very much.


-- 
Regards

  Dieter Bloms



Re: [squid-users] Squid doesn't do a fallback from ipv6 to ipv4, if the ipv6 connect fails

2014-12-19 Thread Dieter Bloms
Hello Amos,

On Sat, Dec 20, Amos Jeffries wrote:

> > When I do a http://ssl.ratsinfo-online.net/ the fallback from ipv6
> > to ipv4 works fine, but when I do a
> > https://ssl.ratsinfo-online.net/ squid tries ipv6 only and doesn't
> > do a fallback to ipv4.
> >
> > It would be nice, if you can try it on your dual stack setup.
> >
> > Thank you.
> >
>
> It takes me 10-20 sec to receive any response on the very first DNS
> lookup for that domain. After which all responses are quite fast for a
> few minutes. Then repeat with the slow lookup.
>
> Like you say it responds with 1 IPv4 and 1 IPv6. Which is not too
> many, and none actually failing to resolve. So DNS is reasonable even
> with the occasional delay.
>
> I am seeing approx 40-90% packet loss on several of the NTT.net
> transit hops between me and the site in IPv4. Not sure if that is
> in any way related to your access path.
>
> My current colo provider blocks network measurements from end-servers
> (but only on v6) so I can't adequately test the v6 connectivity
> anymore. But your log entry indicates that probably a TCP SYN
> handshake did not finish over either IP version.

with https squid doesn't try to connect the webserver over ipv4 (verified
with tcpdump).

So I think you can test the missing failover from ipv6 to ipv4, if a
connect over ipv6 isn't possible with https connection.

Again with http the failover from ipv6 to ipv4 occurs, only https is a
problem.


-- 
Regards

  Dieter



[squid-users] Squid doesn't do a fallback from ipv6 to ipv4, if the ipv6 connect fails

2014-12-10 Thread Dieter Bloms
Hello,

we use squid 3.4.9 as proxy for our company with ipv4 and ipv6 dual
stack.
It works good, but if a destination has an A and AAAA record and the
webserver isn't reachable via ipv6, squid generates an error page
instead of trying a connection via ipv4.

One example is the url:

https://ssl.ratsinfo-online.net/pirna-ri/logon.asp

where squid tries to reach the website via the ip
2001:8d8:87c:5f00::6e:72d6, but without success, because it isn't
reachable.

Now I want, that squid does a fallback to ipv4 after connect_timeout,
but squid returns an error page (ERR_CONNECT_FAIL) to the client.


-- 
Regards

  Dieter



[squid-users] does squid support aia Authority Information Access ?

2014-08-25 Thread Dieter Bloms
Hi,

I use sslbump with squid 3.4.6 and it works fantastic with the most
websites.
But there are some sites like www.ferrari-electronic.de which don't
provide the intermediate certificate.
There is an authority information access extension, which defines a way
the browser can download the intermediate certificate on its own.

Is there any option to enable this behavior in squid, so squid can
validate the certificate where the intermediate certificate is missing ?

Thank you for your help !


-- 
Regards

  Dieter Bloms



[squid-users] missing SNI support in squid makes trouble with sslbump

2014-06-27 Thread Dieter Bloms
Hello,

I use squid 3.4.5 and sslbump works great for the most big sites like
google and facebook 

There are some destinations, which share their ip with other virtual
webserver, so the client gets a default certificate from the server with a
wrong CN. With SNI the client get the right certificate with the correct
CN.
I configured ssl_bump server-first all, but to me it looks like squid
doesn't do SNI and so gets the wrong certificate.

Does anybody know a workaround for this problem ?


-- 
Regards

  Dieter



[squid-users] is SPDY supported by squid ?

2013-11-26 Thread Dieter Bloms
Hi,

I found http://wiki.squid-cache.org/Features/HTTP2 and I wonder if it is
the actual state, that SPDY is planned for squid 3.5, or is it already
implemented in the actual version.


-- 
Regards

  Dieter



[squid-users] caching failed tcp connects to destination ips

2013-07-25 Thread Dieter Bloms
Hi,

we use ipv4 and ipv6 tcp protocol for our outgoing interface.
The most sites are accessible via ipv6, if a AAAA Record is available,
so ipv6 works great in most cases.

Some sites like http://www.hsp-steuer.de/ announce ipv6 records, but are
not accessible via ipv6.

Is it possible that squid notices this failure so that future requests will
go to ipv4 directly and the user doesn't have to wait for the long
tcp timeout every time ?
Maybe with a timestamp, so that it will be refreshed after x hours.


-- 
Best regards

  Dieter



Re: [squid-users] caching failed tcp connects to destination ips

2013-07-25 Thread Dieter Bloms
Hi Amos,

thank you for your quick answer.

On Thu, Jul 25, Amos Jeffries wrote:

> On 25/07/2013 6:52 p.m., Dieter Bloms wrote:
> > Hi,
> >
> > we use ipv4 and ipv6 tcp protocol for our outgoing interface.
> > The most sites are accessible via ipv6, if a AAAA Record is available,
> > so ipv6 works great in most cases.
> >
> > Some sites like http://www.hsp-steuer.de/ announce ipv6 records, but are
> > not accessible via ipv6.
>
> Send them a bug report?

I did, but the provider is resistant about this.

> > Is it possible that squid notices this failure so that future requests will
> > go to ipv4 directly and the user doesn't have to wait for the long
> > tcp timeout every time ?
>
> Yes it is possible and Squid already does.
> If you check your cachemgr ipcache report you can see this as the
> DNS results domain/IP mapping list OK/BAD flags on each IP address
> known. BAD will not be used, OK will be tried, success is always a
> gamble.

the ipv6 address 2001:8d8:88c:37e2:3e1b:35f0:e10:1 is not reachable on
port 80, but cachemgr says:

--snip--
www.hsp-steuer.de   33   1110  2( 0) 
2001:8d8:88c:37e2:3e1b:35f0:e10:1-OK

  82.165.11.88-OK
--snip--

so is this a bug in squid, that the ipv6 address is listed as OK ?

-- 
Best regards

  Dieter

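The OK/BAD marking and the "timestamp, refreshed after x hours" idea from this thread, together with the IPv6-to-IPv4 fallback asked about in the 2014 thread above, as an added example that is not part of the original posts and is not Squid's ipcache code. The names ConnectHealthCache and connect_with_fallback are hypothetical, the clock and the connect function are injected so the behaviour can be followed offline, and the addresses are constructed documentation-range values.

```python
import time


class ConnectHealthCache:
    """Remember addresses whose connect failed, for a limited time."""

    def __init__(self, bad_ttl=3600.0, clock=time.monotonic):
        self.bad_ttl = bad_ttl          # seconds an address stays marked BAD
        self.clock = clock              # injectable so tests can move time
        self._bad_until = {}            # address -> expiry time

    def mark_bad(self, address):
        self._bad_until[address] = self.clock() + self.bad_ttl

    def mark_ok(self, address):
        self._bad_until.pop(address, None)

    def is_bad(self, address):
        expiry = self._bad_until.get(address)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            # The BAD mark has aged out: give the address another chance.
            del self._bad_until[address]
            return False
        return True

    def order(self, addresses):
        """Keep resolver order, but move addresses marked BAD to the end."""
        good = [a for a in addresses if not self.is_bad(a)]
        bad = [a for a in addresses if a not in good]
        return good + bad


def connect_with_fallback(addresses, connect, cache):
    """Try each address in turn; return (address, connection) of the first success.

    A failed attempt marks the address BAD, so the next request for the same
    destination starts with an address that is expected to work instead of
    waiting for the same timeout again.
    """
    errors = []
    for address in cache.order(addresses):
        try:
            connection = connect(address)
        except OSError as exc:          # includes timeouts and refused connects
            cache.mark_bad(address)
            errors.append((address, str(exc)))
            continue
        cache.mark_ok(address)
        return address, connection
    raise ConnectionError(f"all addresses failed: {errors}")


def demo():
    """Walk through three requests to a host whose IPv6 address is unreachable."""
    now = [0.0]
    cache = ConnectHealthCache(bad_ttl=3600, clock=lambda: now[0])
    attempts = []

    def fake_connect(address):
        # Constructed stand-in for a TCP connect: every IPv6 attempt times out.
        attempts.append(address)
        if ":" in address:
            raise TimeoutError("constructed: IPv6 path unreachable")
        return "connected"

    addresses = ["2001:db8::1", "192.0.2.88"]   # AAAA first, then A
    first = connect_with_fallback(addresses, fake_connect, cache)[0]
    second = connect_with_fallback(addresses, fake_connect, cache)[0]
    before_expiry = list(attempts)
    now[0] = 3601                                # BAD mark has expired
    connect_with_fallback(addresses, fake_connect, cache)
    after_expiry = attempts[len(before_expiry):]
    return first, second, before_expiry, after_expiry


if __name__ == "__main__":
    print(demo())
```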


Re: [squid-users] use of sslpassword_program a must since squid version 3.3.5 ?

2013-05-24 Thread Dieter Bloms
Hi Alex,

On Thu, May 23, Alex Rousskov wrote:

> > I use squid 3.3.5 with the ssl-bump feature.
> > My private key is crypted and I want to enter the password at start time.
> >
> > Since 3.3.5 squid wants to execute a program even though I haven't configured
> > sslpassword_program and start squid with the -N option.
> >
> > --snip--
> > idvhttpsproxy01:~ # squid -f /etc/squid/squid.conf -NY
> > sh: (null): command not found
> > FATAL: No valid signing SSL certificate configured for http_port MYIP:8080
> > Squid Cache (Version 3.3.5): Terminated abnormally.
> > CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
> > Maximum Resident Size: 21248 KB
> > Page faults with physical i/o: 0
> > --snip--
> >
> > when I set sslpassword_program to a program which prints the password on
> > stdout squid starts, but I want to enter the password during start of
> > squid.
> >
> > Is this a bug ?
>
>
> Yes, I think it is. Please check whether the attached patch works when
> you start Squid with -N and _without_ sslpassword_program.
>
> The patch may or may not work when you start Squid without -N and with
> sslpassword_program. The outcome depends on whether snprintf() crashes
> when given a NULL pointer and on whether your sslpassword_program needs
> to know the name of the key file Squid is trying to load (that name will
> not be passed to your sslpassword_program). If you can test this
> scenario, please do.
>
> Please let us know what your tests show.

I applied this patch against squid-3.3.5-20130521-r12565 and it works as
expected.
Many thanks for this patch !
Will this patch be included in the next release ?


-- 
Regards

  Dieter



[squid-users] use of sslpassword_program a must since squid version 3.3.5 ?

2013-05-23 Thread Dieter Bloms
Hi,

I use squid 3.3.5 with the ssl-bump feature.
My private key is crypted and I want to enter the password at start time.

Since 3.3.5 squid wants to execute a program even though I haven't configured
sslpassword_program and start squid with the -N option.

--snip--
idvhttpsproxy01:~ # squid -f /etc/squid/squid.conf -NY
sh: (null): command not found
FATAL: No valid signing SSL certificate configured for http_port MYIP:8080
Squid Cache (Version 3.3.5): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
Maximum Resident Size: 21248 KB
Page faults with physical i/o: 0
--snip--

when I set sslpassword_program to a program which prints the password on
stdout squid starts, but I want to enter the password during start of
squid.

Is this a bug ?


-- 
Best regards

  Dieter



[squid-users] assertion failed: Checklist.cc:287: !needsAsync !matchFinished after upgrade from squid 3.2.7 to 3.3.3

2013-04-10 Thread Dieter Bloms
Hi,

I run 3.2.7 squid successfully for some weeks now.
Yesterday I tried to upgrade to squid 3.3.3 and after a few minutes
squid exits and I get the following messages in my cache.log:

--snip--
2013/04/09 08:44:40| Starting Squid Cache version 3.3.3 for 
x86_64-suse-linux-gnu...
2013/04/09 08:44:40| Process ID 24248
2013/04/09 08:44:40| Process Roles: master worker
2013/04/09 08:44:40| With 16384 file descriptors available
2013/04/09 08:44:40| Initializing IP Cache...
2013/04/09 08:44:40| DNS Socket created at [::], FD 6
2013/04/09 08:44:40| DNS Socket created at 0.0.0.0, FD 7
2013/04/09 08:44:40| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2013/04/09 08:44:40| helperOpenServers: Starting 0/5 'basic_ldap_auth' processes
2013/04/09 08:44:40| helperOpenServers: No 'basic_ldap_auth' processes needed.
2013/04/09 08:44:40| helperOpenServers: Starting 10/20 'ext_session_acl' 
processes
2013/04/09 08:44:40| Logfile: opening log daemon:/var/log/squid/access.log
2013/04/09 08:44:40| Logfile Daemon: opening log /var/log/squid/access.log
2013/04/09 08:44:40| Logfile: opening log 
stdio:/var/log/squid/blockhosts-domains.log
2013/04/09 08:44:40| Logfile: opening log stdio:/var/log/squid/blockhosts-ip.log
2013/04/09 08:44:40| Store logging disabled
2013/04/09 08:44:40| Swap maxSize 33554432 + 2097152 KB, estimated 2742429 
objects
2013/04/09 08:44:40| Target number of buckets: 137121
2013/04/09 08:44:40| Using 262144 Store buckets
2013/04/09 08:44:40| Max Mem  size: 2097152 KB
2013/04/09 08:44:40| Max Swap size: 33554432 KB
2013/04/09 08:44:40| Using Least Load store dir selection
2013/04/09 08:44:40| Current Directory is /var/lib/supervise/squid
2013/04/09 08:44:40| Loaded Icons.
2013/04/09 08:44:40| Sending SNMP messages from removedip:3401
2013/04/09 08:44:40| Adaptation support is on
2013/04/09 08:44:40| Loading cache_dir #0 from /var/cache/squid/rock
2013/04/09 08:44:40| Accepting HTTP Socket connections at local=127.0.0.1:8080 
remote=[::] FD 34 flags=9
2013/04/09 08:44:40| Accepting HTTP Socket connections at local=removedip:8080 
remote=[::] FD 35 flags=9
2013/04/09 08:44:40| Accepting SNMP messages on removedip:3401
2013/04/09 08:44:40| Configuring Parent removedip/8080/0
2013/04/09 08:44:40| Store rebuilding is 3.05% complete
2013/04/09 08:44:40| WARNING: Ignoring malformed cache entry.
2013/04/09 08:44:40| WARNING: Ignoring malformed cache entry.
2013/04/09 08:44:40| WARNING: Ignoring malformed cache entry.
2013/04/09 08:44:40| WARNING: Ignoring malformed cache entry.
2013/04/09 08:44:40| WARNING: Ignoring malformed cache entry.
2013/04/09 08:44:40| WARNING: Ignoring malformed cache entry.
2013/04/09 08:44:40| WARNING: Ignoring malformed cache entry.
2013/04/09 08:44:40| WARNING: Ignoring malformed cache entry.
2013/04/09 08:44:40| WARNING: Ignoring malformed cache entry.
2013/04/09 08:44:40| Finished rebuilding storage from disk.
2013/04/09 08:44:40| 32767 Entries scanned
2013/04/09 08:44:40| 3 Invalid entries.
2013/04/09 08:44:40| 3 With invalid flags.
2013/04/09 08:44:40| 32755 Objects loaded.
2013/04/09 08:44:40| 0 Objects expired.
2013/04/09 08:44:40| 0 Objects cancelled.
2013/04/09 08:44:40| 0 Duplicate URLs purged.
2013/04/09 08:44:40| 0 Swapfile clashes avoided.
2013/04/09 08:44:40|   Took 0.12 seconds (276287.60 objects/sec).
2013/04/09 08:44:40| Beginning Validation Procedure
2013/04/09 08:44:40|   Completed Validation Procedure
2013/04/09 08:44:40|   Validated 0 Entries
2013/04/09 08:44:40|   store_swap_size = 33541136.00 KB
2013/04/09 08:44:41| storeLateRelease: released 0 objects
2013/04/09 08:44:46| Starting new basicauthenticator helpers...
2013/04/09 08:44:46| helperOpenServers: Starting 1/5 'basic_ldap_auth' processes
2013/04/09 08:46:50| assertion failed: Checklist.cc:287: !needsAsync  
!matchFinished
2013/04/09 08:46:52| Starting Squid Cache version 3.3.3 for 
x86_64-suse-linux-gnu...
--snip--

what does assertion failed: Checklist.cc:287: !needsAsync  !matchFinished
mean and how can I fix this ?

squid -v gives me:

--snip--
squid -v
Squid Cache: Version 3.3.3
configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid'
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var'
'--libexecdir=/usr/sbin' '--datadir=/usr/share/squid'
'--mandir=/usr/share/man' '--with-default-user=squid'
'--with-filedescriptors=16384' '--disable-eui' '--disable-carp'
'--disable-htcp' '--disable-ident-lookups' '--disable-loadable-modules'
'--disable-wccp' '--disable-wccpv2' '--disable-translation'
'--disable-auto-locale' '--disable-auth-ntlm' '--disable-auth-negotiate'
'--enable-async-io=128' '--enable-auth' '--enable-auth-basic=LDAP'
'--enable-auth-digest=LDAP' '--enable-epoll' '--enable-icap-client'
'--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking'
'--enable-storeio=aufs,rock' '--enable-referer-log'
'--enable-useragent-log' '--enable-large-cache-files'
'--enable-removal-policies=lru,heap'

Re: [squid-users] assertion failed: Checklist.cc:287: !needsAsync !matchFinished after upgrade from squid 3.2.7 to 3.3.3

2013-04-10 Thread Dieter Bloms
Hello Amm,

On Wed, Apr 10, Amm wrote:

> - Original Message -
> > From: Dieter Bloms sq...@bloms.de
> > To: squid-users@squid-cache.org
> > Cc: 
> > Sent: Wednesday, 10 April 2013 3:03 PM
> > Subject: [squid-users] assertion failed: Checklist.cc:287: !needsAsync  
> > !matchFinished after upgrade from squid 3.2.7 to 3.3.3
> >
> > Hi,
> >
> > I run 3.2.7 squid successfully for some weeks now.
> > Yesterday I tried to upgrade to squid 3.3.3 and after a few minutes
> > squid exits and I get the following messages in my cache.log:
> >
> > --snip--
> > 2013/04/09 08:46:50| assertion failed: Checklist.cc:287: !needsAsync 
> > !matchFinished
> > 2013/04/09 08:46:52| Starting Squid Cache version 3.3.3 for 
> > x86_64-suse-linux-gnu...
> > --snip--
>
>
> This is a known bug in 3.3 series. Even I faced it.
>
> You can use the backported patch I have added at:
>
> http://bugs.squid-cache.org/show_bug.cgi?id=3717
>
>
> Note that patch does not solve the actual bug. Patch just adds -n acl
> option with which you can disable DNS checks (which cause
> the crash)

we use blacklist based on ips and domains, so I have to use PTR lookups.
But thank you for the note to the bugreport.  I will follow it.


-- 
Best regards

  Dieter



[squid-users] After upgrade from 3.1 to 3.2.3 our parent virusscanner is busy

2012-12-05 Thread Dieter Bloms
Hi,

we use following constellation:

clients - squid - virusscanner - internet.
the virusscanner is avwebgate from avira configured as parent proxy.

The load is ~400 req/s.

With squid 3.1.20 we had no problems, but after upgrade to 3.2.3 our
virusscanner claims it is busy after a few seconds.

Does anybody know any change about connections to a parent proxy from
3.1 to 3.2 series?

The releasenote doesn't mention anything about this (or I can't find
it).


-- 
Regards

  Dieter



Re: [squid-users] After upgrade from 3.1 to 3.2.3 our parent virusscanner is busy

2012-12-05 Thread Dieter Bloms
Hi Eliezer,

On Wed, Dec 05, Eliezer Croitoru wrote:

> We will need more information such as squid.conf and other info.
> Who claims for busy?

We use sles11sp2 (64bit) on HP Proliant DL380 G7 hardware with 140G Ram.

> The virusscanner is busy? where do you see that? etc..

yes, the virusscanner creates a http page with AVwebgate is busy
message.
Even with lower load (150req/s) the virusscanner generates this message.

> A more clear picture can help us try to help you.

Please have a look at:

http://downloads.bloms.de/squid.conf-3.1.20
http://downloads.bloms.de/squid.conf-3.2.3

> On 12/5/2012 1:50 PM, Dieter Bloms wrote:
> > Hi,
> >
> > we use following constellation:
> >
> > clients - squid - virusscanner - internet.
> > the virusscanner is avwebgate from avira configured as parent proxy.
> >
> > The load is ~400 req/s.
> >
> > With squid 3.1.20 we had no problems, but after upgrade to 3.2.3 our
> > virusscanner claims it is busy after a few seconds.
> >
> > Does anybody know any change about connections to a parent proxy from
> > 3.1 to 3.2 series.
> >
> > The releasenote doesn't mention anything about this (or I can't find
> > it).
>
> -- 
> Eliezer Croitoru
> https://www1.ngtech.co.il
> sip:ngt...@sip2sip.info
> IT consulting for Nonprofit organizations
> eliezer at ngtech.co.il

-- 
Regards

  Dieter



[squid-users] serveral workers and -N parameter possible ?

2012-11-08 Thread Dieter Bloms
Hi,

I want to run squid with several workers and when I start squid without
-N option, then I see all the workers and it works as expected.
But I use the daemontools from Daniel Bernstein to start and monitor the
processes. This tool requires, that the processes don't go in
background.

I think it must be possible to start the master process in foreground
(-N option) and this master manages the workers in background.

Squid does this already with the auth and session helpers for years, so
why does the -N option prevent squid from starting more workers ?


-- 
Regards

  Dieter



Re: [squid-users] squid.conf ssl-bump error

2012-08-08 Thread Dieter Bloms
Hi Nicolas,

On Wed, Aug 08, Nicolas Michels wrote:

> I have squid installed with enable-ssl and enable-ssl-crtd
> sbin/squid -v
> Squid Cache: Version 3.0.STABLE26
> configure options:  '--enable-ssl' '--enable-ssl-crtd'
> But when I try to run squid I get this error:
> cache_cf.cc(346) squid.conf:19 unrecognized: 'ssl_bump'
> FATAL: Bungled squid.conf line 42: https_port
> 192.168.1.253:3129 transparent ssl-bump cert=/usr/local/squid/ssl.cert
> key=/usr/local/squid/ssl.key
> Squid Cache (Version 3.0.STABLE26): Terminated abnormally.
> CPU Usage: 0.008 seconds = 0.003 user + 0.005 sys
> Maximum Resident Size: 14416 KB
> Page faults with physical i/o: 0
>
> When I remove ssl-bump, squid is able to start, any help?

your lines look strange to me.
When you add the option ssl-bump squid tells you about an unknown
option 'ssl_bump' ?

For me it looks like you have ssl_bump in the config file instead of
ssl-bump.


-- 
Best regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


[squid-users] howto define a custom error page, when icap server returns 403 HTTP Code ?

2011-12-13 Thread Dieter Bloms
Hello,

I've configured squid 3.1.16 to use the icap reqmod and my icap virus
scanner scans the traffic.

When my icap virus scanner finds a virus it returns an empty page with
HTTP 403 status code like (from wireshark):

--snip--
ICAP/1.0 403 Forbidden
Server: Avira-WebGate/3.2.0
ISTag: 0302-08020686-070B1343
Encapsulated: null-body=0
--snip--

I had an idea to use http_reply_access parameter to define an acl and
use deny_info for the error page, but I've no headerfield.

Does anybody know a solution to define a custom error page, when the
icap server returns a 403 status code ?

Thank you very much.

-- 
Best regards

  Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


[squid-users] will the patch for bug #3048 apply to squid3.1 tree, or only to squid3.2 ?

2010-12-20 Thread Dieter Bloms
Hi,

I ran into the problem described in bug #3048
http://bugs.squid-cache.org/show_bug.cgi?id=3048

The patch is committed to the 3.2 branch, but not to 3.1 as far as I can see.

Will the patch be applied to 3.1, too ?


-- 
Best regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


[squid-users] Coredump after logfile entry 'assertion failed: AclProxyAuth.cc:229: authenticateUserAuthenticated(Filled(checklist)->auth_user_request)'

2010-12-07 Thread Dieter Bloms
Hello,

since an upgrade from 2.7STABLE9 to 3.1.9 I get several core dumps a day
after a log entry like:

assertion failed: AclProxyAuth.cc:229:
authenticateUserAuthenticated(Filled(checklist)->auth_user_request)

I ran the squid on a SLES11 system compiled with:

Squid Cache: Version 3.1.9
configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' 
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' 
'--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' 
'--with-default-user=squid' '--with-filedescriptors=8192' '--with-large-files' 
'--disable-carp' '--disable-htcp' '--disable-ident-lookups' 
'--disable-loadable-modules' '--disable-wccp' '--disable-wccpv2' 
'--disable-ipv6' '--disable-translation' '--disable-auto-locale' 
'--enable-async-io=128' '--enable-auth=basic digest' 
'--enable-basic-auth-helpers=LDAP' '--enable-digest-auth-helpers=ldap' 
'--enable-epoll' '--enable-icap-client' '--enable-snmp' 
'--enable-storeio=aufs,ufs,diskd' '--enable-referer-log' 
'--enable-useragent-log' '--enable-large-cache-files' 
'--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' 
'--enable-external-acl-helpers=session' 'CFLAGS=-march=i586 -mtune=i686 
-fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector 
-funwind-tables -fasynchronous-unwind-tables -fPIE -fPIC' 'LDFLAGS=-pie' 
'CXXFLAGS=-march=i586 -mtune=i686 -fmessage-length=0 -O2 -Wall 
-D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables 
-fasynchronous-unwind-tables -fPIE -fPIC -I../libltdl' 
--with-squid=/usr/src/packages/BUILD/squid-3.1.9

do I run in some limits or may it be a bug and I shall open a bugreport (I've 
some corefiles) ?


-- 
Best regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


[squid-users] is it possible to log if a client cancels a download ?

2010-10-14 Thread Dieter Bloms
Hello,

when a user canceled a download, I can't see it in the access.log and
cache.log.
Is it possible to log the reason why the download is cancelled?
In access.log file I see only the 200 HTTP status code.


-- 
Best regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] how to find out what options squid was compiled with

2010-04-15 Thread Dieter Bloms
Hi,

On Thu, Apr 15, Yury Kuryakov wrote:

> Hello everybody!
> Can't find answer to my simple question in google and yandex:
> how to find out what options squid binary was compiled with?

yes,

squid -v

-- 
Best regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


[squid-users] Is it possible to deactivate partial download ?

2010-04-14 Thread Dieter Bloms
Hi,

we use following constellation:

client - squid2.7.STABLE8 - http-virusscanner (avwebgate from avira) - internet

some clients like adobe updater request their updates as partial
download.
This makes trouble with our virusscanner.
So is it possible to disable partial download requests at all ?

Thank you for a hint


-- 
Best regards

  Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] follow_x_forwarded_for

2010-03-31 Thread Dieter Bloms
Hi,

On Wed, Mar 31, Dayo Adewunmi wrote:

> How do I use `follow_x_forwarded_for` to allow X-Forwarded-For header for all
> IP's in my LAN 192.168.0.0/21. They all go through the squid proxy,
> 192.168.0.1.

it depends on what you want.
Do you have another proxy between the clients and squid, or do you
want squid to insert the X-Forwarded-For headers to the external servers (or
parents)?

You have to use follow_x_forwarded_for, if there is another proxy
between the clients and squid like this way:

acl myproxy src <proxy between client and squid>
follow_x_forwarded_for allow myproxy
acl_uses_indirect_client on   # the acl matches against the real client ips
delay_pool_uses_indirect_client  on   # optional for delay pools
log_uses_indirect_client on   # to get the real ips from clients in the logs

if you want that squid should insert the X-Forwarded-For headers, you have
to use

forwarded_for on

I hope this helps


-- 
Best regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
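
The backtracking that follow_x_forwarded_for performs, as an added example that is not part of the original post and is not Squid's own code. It follows the behaviour documented in squid.conf (the rightmost X-Forwarded-For entry is the most recent hop, and the walk continues only while the current address is allowed to be followed). The downstream proxy address 192.168.0.2, the client addresses and the function name are assumptions made for the illustration.

```python
"""Model of X-Forwarded-For backtracking for follow_x_forwarded_for.

Added illustration, not Squid source code. All addresses below are
constructed sample values.
"""
from ipaddress import ip_address, ip_network

# Hypothetical ACL contents: trust only the downstream proxy ...
PROXY_ONLY = ["192.168.0.2"]
# ... versus trusting every host in the LAN named in the question.
WHOLE_LAN = ["192.168.0.0/21"]


def indirect_client(peer_ip, xff_header, trusted_sources):
    """Return the address that ends up being treated as the client.

    peer_ip          TCP source address of the connection to the proxy
    xff_header       raw X-Forwarded-For value, or None when absent
    trusted_sources  addresses/networks matched by the ACL that
                     'follow_x_forwarded_for allow' refers to
    """
    trusted = [ip_network(n, strict=False) for n in trusted_sources]

    def may_follow(addr):
        return any(addr in net for net in trusted)

    current = ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]

    # Walk the header from right to left. Each step is taken only if the
    # address we currently hold is one we are allowed to follow.
    while hops and may_follow(current):
        try:
            current = ip_address(hops.pop())
        except ValueError:
            # Entry such as "unknown": stop and keep the last good address
            # (a choice made for this example).
            break
    return str(current)


if __name__ == "__main__":
    cases = [
        ("via trusted proxy", "192.168.0.2", "192.168.3.77", PROXY_ONLY),
        ("direct client, forged header", "192.168.3.77", "192.168.1.5", PROXY_ONLY),
        ("forged entry before proxy's", "192.168.0.2",
         "192.168.1.5, 192.168.3.77", PROXY_ONLY),
        ("whole LAN trusted, forged header", "192.168.3.77", "192.168.1.5", WHOLE_LAN),
    ]
    for label, peer, header, acl in cases:
        print(f"{label:34s} -> {indirect_client(peer, header, acl)}")
```

With only the proxy trusted, a header sent by an ordinary client is ignored; with the whole LAN trusted, any client decides which address appears in ACL checks and logs once the *_uses_indirect_client options are on.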


Re: [squid-users] follow_x_forwarded_for

2010-03-31 Thread Dieter Bloms
Hi,

On Wed, Mar 31, Dayo Adewunmi wrote:

> There's no other proxy between clients and squid. I'm trying to get squid
> to include LAN IPs for external servers. So, for that it's forwarded_for
> on? Or do you mean follow_x_forwarded_for on?

from squid.conf

#  TAG: forwarded_for   on|off
#   If set, Squid will include your system's IP address or name
#   in the HTTP requests it forwards.  By default it looks like
#   this:
#
#   X-Forwarded-For: 192.1.2.3
#
#   If you disable this, it will appear as
#
#   X-Forwarded-For: unknown
#
#Default:
# forwarded_for on
forwarded_for on


-- 
Best regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


[squid-users] Is there any patch of follow_xff for squid3.0.STABLE24 ?

2010-03-12 Thread Dieter Bloms
Hi,

on the site http://squid.sourceforge.net/follow_xff/
there is a patch to follow the X-Forwarded-For ips.

It is generated against the squid3 devel (I think 3.1) and doesn't
apply to the squid3.0.STABLE24 source.

Does anybody have a patch for the squid3.0 branch ?

Thank you very much.

-- 
Best regards

  Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] Problem with getting through squid in vmware

2010-02-15 Thread Dieter Bloms
Hi Michael,

On Mon, Feb 15, Michael Neumeier wrote:

> I have a Windows 7 host machine with the IP 10.255.0.0/24. On this
> Windows machine, I have VMWare 6 installed. In this VMWare, I am
> running Debian 5.0.2 32bit with squid 3.0.Stable-3+lenny2. The IP of
> this VM is 192.168.157.155

I think your windows host comes with an address from range
192.168.157.0/24, please verify with tcpdump.

You have to insert your own http_access lines before the 
http_access deny all line


--

Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] Is OpenDNS efficient for squid?

2010-02-07 Thread Dieter Bloms
Hi,

On Sun, Feb 07, J. Webster wrote:

> Is there any problem with using opendns server as the dns_nameserver in squid?
> Is it slower than using the local hosts nameservers?
> I have an issue with dns timeouts for 1 or 2 websites and am having to
> restart the dns cache (nscd) every 6 hours to flush it.
> I thought adding the nameservers to the squid.conf would bypass this issue.

you can safely disable nscd.
I had some trouble with nscd till I disabled it.
I think you don't get any performance issues.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] cache_peer selection

2010-01-27 Thread Dieter Bloms
Hi,

On Wed, Jan 27, Soporte Técnico AlemNet wrote:

> How can i make cache_peer selection for blocks of ip of my network ?
> Example.
>
> 192.168.0.xxx i want to use
> cache_peer 172.16.1.1
>
> 192.168.1.xxx i want to use
> cache_peer 172.16.1.2
>
> 192.168.1.xxx i want to use DIRECT

this has to be done in the browser (not proxy).
A proxy.pac file may help you.
Have a look at
http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/web-browser-auto-proxy-configuration.html


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] Re: How to configure squid for ftp traffic.

2009-12-22 Thread Dieter Bloms
Hi,

On Tue, Dec 22, Matus UHLAR - fantomas wrote:

> On 08.12.09 14:30, Ali Ahsan wrote:
> > Does forx provide authentication against ldap. Like we use in squid user
> > must authenticate before using proxy.
>
> the FTP protocol does not support proxying, so you can't use proxy
> authentication. You only can use external authentication there.

that is not really true, because you can provide the information in a
regular ftp session like:

Username: proxyusern...@ftpserverusername@externalftpserver
Password: proxyp...@ftpserverpass

The proxy suite is able to authenticate against an ldap server.

Please have a look at: ftp://ftp.suse.com/pub/projects/proxy-suite/src/


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] HowTo: Downtime Message

2009-12-10 Thread Dieter Bloms
Hi,

On Thu, Dec 10, Arnold, Christian wrote:

> I had to create a new machine which hosts our squid proxy. This new
> machine is available under another IP than the last one. I sent out a
> newsletter to all the users that they have to change the proxy
> settings, but still some of them are using the old one. Now I would
> like to display a message with instruction on how to change the proxy
> and deny all internet usage over that proxy. How can I display some
> kind of downtime message via a squid proxy?

It is better to announce the new ip address via the old dns name, so
all users don't have to change their configuration.

You can define a custom deny_info page with html content.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] dikd - FATAL error

2009-08-18 Thread Dieter Bloms
Hi,

On Tue, Aug 18, Muhammad Sharfuddin wrote:

> squid -z
> FATAL: Bungled squid.conf line 3: cache_dir diskd  /var/cache/squid 4096
> 16 256 64 72
> Squid Cache (Version 2.7.STABLE5): Terminated abnormally.
>
> what should I do ? where I am doing the mistake ?

the line should look something like this:

cache_dir diskd /var/cache/squid 15360 16 256 Q1=256 Q2=288


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


[squid-users] compact the swap.state without restarting and rotating the logfiles ?

2009-07-20 Thread Dieter Bloms
Hi,

I use squid 2.7.STABLE6 and let the logrotate mechanism rotate the
logfiles.
After renaming the logfiles I call a squid -k reconfigure, so squid
can open new logfiles.
But the swap.state is growing and growing.
When I restart squid, or when I do a squid -k logrotate, then the
swap.state gets smaller, but with a squid -k logrotate I get many
logfile.[0-9] files, which I don't want.
So is there a command line option to let squid compact the swap.state
file without logfile rotation and without restarting squid ?

Thank you very much.


-- 
Best regards

  Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] restart url_redirector processe when it dies

2009-03-16 Thread Dieter Bloms
Hi Amos,

On Sun, Mar 15, Amos Jeffries wrote:

> > I use an url_rewrite_program, which seems to die after about 40
> > requests.
> > Squid starts 15 processes, which are enough, but after some time one
> > process after another die and at the end all processes were gone.
> >
> > Is it possible to let squid restart an url_rewrite_program, when it dies ?
>
> What version of Squid are you using that does not do this restart
> automatically?
> Squid only dies when ALL helpers for a needed service are dying too fast to
> recover quickly.

I use squid 2.7.STABLE6.
I've 15 processes running, when I kill 2 of them, I see only 13 of 15
processes running in the cache manager menu.

like:

--snip from cache manager menu --
Redirector Statistics:
program: /usr/local/bin/webcatredir
number running: 13 of 15
requests sent: 2482
replies received: 2481
queue length: 0
avg service time: 3.33 msec
--snip--
 
for me it looks like the 2 killed processes will not be started, or does
it take some time ?

--snip from squid -v 
Squid Cache: Version 2.7.STABLE6
configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid'
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var'
'--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--disable-carp'
'--disable-htcp' '--disable-icap-client' '--disable-ident-lookups'
'--disable-wccp' '--disable-wccpv2' '--enable-async-io=128'
'--enable-auth=basic digest' '--enable-basic-auth-helpers=LDAP'
'--enable-digest-auth-helpers=ldap'
'--enable-default-err-language=German_Datev'
'--enable-err-languages=German' '--enable-snmp'
'--enable-storeio=aufs,ufs,diskd,null' '--enable-referer-log'
'--enable-useragent-log' '--enable-large-cache-files'
'--enable-removal-policies=lru,heap' '--mandir=/usr/share/man'
'--with-default-user=squid' '--with-filedescriptors=8192'
'--with-large-files' '--with-pthreads' '--with-aio'
--snip--


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


[squid-users] restart url_redirector processe when it dies

2009-03-13 Thread Dieter Bloms
Hi,

I use an url_rewrite_program, which seems to die after about 40
requests.
Squid starts 15 processes, which are enough, but after some time one
process after another die and at the end all processes were gone.

Is it possible to let squid restart an url_rewrite_program, when it dies ?


-- 
Kind regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


[squid-users] different headers for HTTP/407 answers in 2.7.STABLE6 and 3.0.STABLE9 confuses a commercial software

2009-02-25 Thread Dieter Bloms
Hi,

we have a commercial software, which provides the credentials to the
squid proxy, when we run the 3.0.STABLE9, but doesn't, when we run
2.7.STABLE6.

When we run 2.7.STABLE6, the client does the requests without
credentials, even when squid answers with 407 HTTP code.

the only difference I see are different header entries in the
answer from squid like Mime-Version, Proxy-Connection and Via:

3.0.STABLE9:

  HTTP/1.0 407 Proxy Authentication Required
  Server: squid
  Mime-Version: 1.0
  Date: Wed, 25 Feb 2009 15:15:20 GMT
  Content-Type: text/html
  Content-Length: 2021
  Expires: Wed, 25 Feb 2009 15:15:20 GMT
  X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
  Proxy-Authenticate: Basic realm=Proxy-Server
  X-Cache: MISS from FQDN
  Via: 1.0 FQDN (squid)
  Proxy-Connection: close

2.7.STABLE6:

  HTTP/1.0 407 Proxy Authentication Required
  Server: squid
  Date: Wed, 25 Feb 2009 15:16:04 GMT
  Content-Type: text/html
  Content-Length: 2048
  X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
  Proxy-Authenticate: Basic realm=Proxy-Server
  X-Cache: MISS from FQDN
  Via: 1.0 FQDN:8080 (squid)
  Connection: close

so is it possible to configure 2.7.STABLE6 so that it returns the same
headers as 3.0.STABLE9 does ?

Thank you very much.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] IMAP support

2008-11-12 Thread Dieter Bloms
Hi,

On Wed, Nov 12, julian julian wrote:

> Ok, I'm using thunderbird and set the proxy manually, but when I try
> to conect I get an error, should I make some special config in squid?

as Amos said, squid is an http proxy.  You are looking for an imap proxy
like:

http://www.imapproxy.org/


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] CONNECT errors with 2.7.STABLE2-2

2008-07-04 Thread Dieter Bloms
Hi Ralf,

On Fri, Jul 04, Ralf Hildebrandt wrote:

> > ignore_expect_100 on
>
> I added this. Let's see how it goes.
> 2.6.x behaved differently in this regard?

yes and 3.0 behaves different, too.
I had the same problem with 2.7 so I switched to 3.0


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] squid virus problem

2008-04-20 Thread Dieter Bloms
Hi,

On Sun, Apr 20, Anil Saini wrote:

> generating 100s of request in a sec. . is that some virus problem with the
> users(172.16.18.38)..machine or some other problem
>
> 1208689937.821  0 172.16.18.38 TCP_DENIED/403 1479 OPTIONS
> http://127.0.0.6/ - NONE/- text/html 1208689937.858  0

it is difficult to say.
I think a virus didn't try to get a destination via a proxy server.

Maybe there is a wrong configured program.

Every program should access the network 127.0.0.0/8 directly and not
over a proxy.
You should look at the client config to look which program initiates this
connection and configure it correctly.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
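
One way to find the clients that push loopback destinations through the proxy, as an added example that is not part of the original post. It assumes Squid's native access.log layout (timestamp, elapsed, client, result/status, bytes, method, URL, ...); the first two timestamps and the 172.16.18.38 entry follow the excerpt quoted above, every other log line, the threshold and the function names are constructed for the illustration.

```python
"""Flag clients that send proxied requests for loopback destinations."""
from collections import Counter, defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Sample input. Lines 1-2 follow the excerpt in the thread, the rest is
# constructed, including one deliberately malformed line.
SAMPLE_LOG = """\
1208689937.821      0 172.16.18.38 TCP_DENIED/403 1479 OPTIONS http://127.0.0.6/ - NONE/- text/html
1208689937.858      0 172.16.18.38 TCP_DENIED/403 1479 OPTIONS http://127.0.0.6/ - NONE/- text/html
1208689937.902      0 172.16.18.38 TCP_DENIED/403 1479 OPTIONS http://127.0.0.6/ - NONE/- text/html
1208689937.951      0 172.16.18.38 TCP_DENIED/403 1479 OPTIONS http://127.0.0.6/ - NONE/- text/html
1208689938.120    142 172.16.18.40 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1208689939.004      0 172.16.18.41 TCP_DENIED/403 1470 CONNECT localhost:8443 - NONE/- text/html
1208689939.500 truncated
"""


def dest_host(method, url):
    """Extract the destination host from an access.log URL field."""
    if method == "CONNECT":
        # CONNECT logs "host:port" without a scheme; IPv6 is bracketed.
        return url.rsplit(":", 1)[0].strip("[]")
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""


def is_loopback(host):
    """True for 'localhost' and for any literal in 127.0.0.0/8 or ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # ordinary hostname


def loopback_requesters(log_text, min_per_second=3):
    """Return {client: {"total": n, "peak_per_second": m}} for clients whose
    loopback-destined requests reach min_per_second in any one second."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated entry
        try:
            second = int(float(fields[0]))
        except ValueError:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        if is_loopback(dest_host(method, url)):
            per_client[client][second] += 1

    report = {}
    for client, seconds in per_client.items():
        peak = max(seconds.values())
        if peak >= min_per_second:
            report[client] = {"total": sum(seconds.values()),
                              "peak_per_second": peak}
    return report


if __name__ == "__main__":
    for client, stats in loopback_requesters(SAMPLE_LOG).items():
        print(client, stats)
```

The report names the machine to inspect; which program on it generates the requests still has to be found on the client itself, as the reply says.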


Re: [squid-users] ACLs and localhost

2008-03-25 Thread Dieter Bloms
Hi,

On Tue, Mar 25, paul cooper wrote:

> so is this login stored in the cache somewhere ?
> I need to flush the cache when i change user ?

squid caches the authentication results, I think the default is 2h.
Please have a look for the keywords in your default squid.conf:

max_user_ip and credentialsttl


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] No great results after 2 weeks with squid

2007-12-17 Thread Dieter Bloms
Hi,


On Mon, Dec 17, Carlos Lima wrote:

> So my questions are:
> - Should Squid be taking only in consideration for large environments
> with hundreds or even thousands of people accessing web?!

no, it can also be used in small environment.

> - In these days a proxy like Squid for caching purposes is more a
> have to have or a must to have when for almost every site proxy's
> are skipped and the wan speed access are increasing every day now!?

you can configure user-, time-, source-, or destination acl, and you
have an application gateway (it is more than only a packet filter like a
cisco firewall).

Btw.:
I think you should set cache_dir to some GB, to cache more than 100MB
of data to the disk cache, which is the default.
Please update to the last stable release, 2.6.STABLE6 is a little
outdated (from december last year).


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: RE: [squid-users] Force Squid

2007-12-16 Thread Dieter Bloms
Hi,

On Mon, Dec 17, Nikolas wrote:

> I am not using squidclient, is there any way to overcome this?
> Thanks a lot

telnet, netcat, ..., make your own program.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: RE: [squid-users] Squid error Zero Sized Reply

2007-08-15 Thread Dieter Bloms
Hi,

what does tcpdump say ?

tcpdump -n -i outgoinginterface -s 0 -w /tmp/outdump

you can view the dump with wireshark.


On Wed, Aug 15, Mehmet, Levent (Accenture) wrote:

> Hi
>
> The company hosting the site have confirmed they are not having the
> problem with any other client, apart from us:
>
> Is there any tweaking with memory or something I need to do to get this
> working ?
>
> -Original Message-
> From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> Sent: 14 August 2007 11:01
> To: Mehmet, Levent (Accenture)
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid error Zero Sized Reply
>
> On tis, 2007-08-14 at 08:39 +0100, Mehmet, Levent (Accenture) wrote:
> > Does anyone know how I can resolve this error message:
> >
> > ERROR
> >
> > The requested URL could not be retrieved
> >
> > While trying to retrieve the URL:
> > http://eudract.eudra.org/eudracts/uploadXML.do?
> >
> > The following error was encountered:
> >
> > * Zero Sized Reply
> > Squid did not receive any data for this request.
>
> This error means that the web server closed the connection without
> sending a response.
>
> It's very hard to say why the web server does this, and the question is
> best directed to the ones responsible for the site.
>
> Regards
> Henrik
 

-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] still having performance issues

2007-08-08 Thread Dieter Bloms
Hi,

On Wed, Aug 08, Scott B. Anderson wrote:

> The squid server is the lan router and the client default gateway so
> any network issues would show up when proxy is off. I'm at a loss.
> This is 2.6STABLE_13 on Fedora core 5 kernel 2.6.17-1.2174_FC5. This
> became a problem only after switching from a 4x2MB cable modem
> connection with static ip addresses to the new 10x10Mbps fiber
> connection with a full 32 static addresses in a /24.

what mtu size does the fiber connection have ?

maybe you could set the mtu size of your outgoing interface from
squidserver to a smaller value like 512Byte.

In the past we had a performance problem through a vpn connection and
solved it with a smaller mtu size, so no fragmentation has to be done.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] squid+ldap

2007-06-15 Thread Dieter Bloms
Hi,

On Fri, Jun 15, pauloric wrote:

> a) squid:~# /usr/lib/squid/ldap_auth -b  dc=xxx,dc=com,dc=br  -f uid=
> % s  -h 130.0.150.2
> pauloric pauloric
> OK

that's good.

> squid# tail -f /var/log/squid/access.log| grep 130.0.150.2
> 1181911584.377  8 130.0.150.2 TCP_DENIED/407 1832 GET
> http://www.terra.com.br/ - NONE/- text/html
> 1181911865.372 22 130.0.150.2 TCP_DENIED/407 1832 GET
> http://www.terra.com.br/ pauloric NONE/- text/html

for me it looks like your browser doesn't send any authentication
information.
Please make a dump of your network traffic (tcpdump) and look for a line
like Proxy-Authorization: x.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] squid behind another proxy

2007-05-19 Thread Dieter Bloms
Hi,

On Sat, May 19, lucas coudures wrote:

> I got from some how-to a rule called cache-per and i set the followings
> option:
>
> cache_peer xxx.xxx.xxx.xxx parent 3128 0 default no-query (I set the
> 3128 port in the NTLM as well)

did you have a line like:

never_direct allow all

to tell squid, it shall get all pages via the peers and not directly ?


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: RE: [squid-users] Unable to download files over 2GB of size

2007-05-16 Thread Dieter Bloms
Hi,

On Wed, May 16, Sathyan, Arjonan wrote:

> I don't think this is an MSIE6 bug, since I am able to download the same
> DVD ISO file without using Squid. (i.e., if directly connected to
> internet)
>
> This issue arises only when downloading through Squid Proxy...

the internet explorer has a different behaviour, if you configure a
proxy or not.
We had some issues with https sites with authentication and a proxy,
and the wrong behaviour came from internet explorer.

Please try some different browsers and then you  will see, that the
internet explorer has the most bugs, bugs, bugs 


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] Need To Limit the Use of CONNECT

2007-01-29 Thread Dieter Bloms
Hi,

On Mon, Jan 29, Vadim Pushkin wrote:

> I would like to limit the use of CONNECT within my squid.conf to just a few
> sites, for now the sites defined by the ACL App-Port-80.  I am
> considering doing this like this:
>
> # Access to App-Port-80 uses port 80 for CONNECT
>
> acl App-Port-80 dst 192.168.111.1
> acl SSL_ports port 443 563
> acl CONNECT method CONNECT
> acl all src 0.0.0.0/0
> no_cache deny QUERY
> http_access deny !Safe_ports
> http_access allow CONNECT App-Port-80
> http_access deny CONNECT !SSL_ports

you have no acl for QUERY, Safe_ports, so I removed them from my example.

if you want only the CONNECT method to port 80 and 443 for dest
192.168.111.1, then you have to do the following:

acl App-Port-80 dst 192.168.111.1
acl SSL_ports port 80 443
acl CONNECT method CONNECT
http_access allow CONNECT App-Port-80 SSL_ports
http_access deny all


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
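
A small model for checking the two rule sets in this message against test requests, as an added example that is not part of the original post and is not Squid code. It assumes the documented http_access semantics (rules are tried in order, all ACLs on a line must match, the first matching line decides, and with no match the opposite of the last line applies), models only the lines shown in the thread without the undefined QUERY and Safe_ports ones, and treats `all` as a built-in ACL; the function names and the 203.0.113.10 address are constructed.

```python
"""Evaluate the CONNECT rules from the thread against sample requests."""
from ipaddress import ip_address, ip_network

# Rules from the question (lines using undefined ACLs left out).
ORIGINAL = """
acl App-Port-80 dst 192.168.111.1
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access allow CONNECT App-Port-80
http_access deny CONNECT !SSL_ports
"""

# Rules from the reply.
SUGGESTED = """
acl App-Port-80 dst 192.168.111.1
acl SSL_ports port 80 443
acl CONNECT method CONNECT
http_access allow CONNECT App-Port-80 SSL_ports
http_access deny all
"""


def parse(conf):
    """Collect 'acl' definitions and ordered 'http_access' rules."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """True if any value of the named ACL matches the request.
    Only the ACL types used in the thread are modelled (no port ranges)."""
    if name == "all":  # treated as built-in in this model
        return True
    for kind, values in acls[name]:
        if kind == "dst":
            dst = ip_address(req["dst"])
            hit = any(dst in ip_network(v, strict=False) for v in values)
        elif kind == "port":
            hit = str(req["port"]) in values
        elif kind == "method":
            hit = req["method"] in values
        else:
            raise ValueError(f"ACL type not modelled: {kind}")
        if hit:
            return True
    return False


def decide(conf, method, dst, port):
    """Return 'allow' or 'deny' for one request under the given rules."""
    acls, rules = parse(conf)
    req = {"method": method, "dst": dst, "port": port}
    for action, terms in rules:
        # Every term must hold; a leading '!' negates the ACL.
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    # No line matched: the opposite of the last line's action applies.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    probes = [("CONNECT", "192.168.111.1", 80), ("CONNECT", "192.168.111.1", 443),
              ("CONNECT", "192.168.111.1", 25), ("CONNECT", "203.0.113.10", 443),
              ("GET", "192.168.111.1", 80)]
    for method, dst, port in probes:
        print(f"{method:8s}{dst}:{port:<6d} suggested={decide(SUGGESTED, method, dst, port)}")
```

In the question's rules the allow line has no port ACL, so CONNECT to 192.168.111.1 is accepted on any port; the reply's rules tie it to ports 80 and 443, and the closing `deny all` also rejects every non-CONNECT request.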


Re: [squid-users] Throughput slower, when data is in cache instead geting it from the webserver

2006-07-24 Thread Dieter Bloms
Hi,

On Mon, Jul 24, Steven wrote:

> I had a similar problem under Linux where cache hits were really slow on a
> server that was not busy.  Switching to aufs fixed the problem for me (ie
> just replace the word diskd with aufs on the cache_dir line).

I've tried it on my test system and yes, the throughput is higher now,
when the data comes from cache instead of getting it from the webserver.

I will replace diskd with aufs on the production servers tomorrow.

Thank you very much for your hint !


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.



Re: [squid-users] DNS Long timeout problem

2006-03-18 Thread Dieter Bloms
Hi,

On Fri, Mar 17, Jonathan Pauli wrote:

> Is this a DNS timeout issue that can be changed in the squid config?

login to your squid box and type host hostname, and replace
hostname with the one which timed out.

If this takes a long time you have to correct your DNS config.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.



Re: [squid-users] Re: my CPPUNIT is broken... ;-) ?

2006-03-18 Thread Dieter Bloms
Hi,

On Fri, Mar 17, Linda W wrote:

> Based off SuSE9.3 with some updates; linux kernel 2.6.15.5 on pentium3;
> gcc=3.3.5 (20050117); glibc=2.3.4-23.4

Did you install some packages from another source?
SuSE9.3 came with 2.6.11 kernel.

--snip--
ftp> pwd
257 /pub/linux/suse/ftp.suse.com/suse/i386/update/9.3/rpm/i586 is current directory.
ftp> ls kernel-default-2.6.11.4-21.11.i586.rpm
227 Entering Passive Mode (134,76,11,100,192,75)
150 Opening ASCII mode data connection for /bin/ls.
-rw-r--r--    1 emoenke  ftp  16984881 Feb 14 12:13 kernel-default-2.6.11.4-21.11.i586.rpm
226 Transfer complete.
ftp>
--snip--

Maybe you have mixed some other packages from SUSE9.3 and SUSE10.0,
too.
Try to compile it on a fresh SUSE9.3 installation.

-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.



Re: [squid-users] SOS with squid_ldap_auth !!

2006-01-15 Thread Dieter Bloms
Hi,

On Fri, Jan 13, Meyerovich Aleksandr EB_NY wrote:

> Are there any debugging switches for squid_ldap_auth to get something
> more descriptive than ERR?

What about dumping the TCP connection with
tcpdump -n -i interface -s 0 -w /tmp/tcpdump.ldap port 389
and having a look with ethereal?


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.



Re: [squid-users] how to disable caching in squid

2005-12-19 Thread Dieter Bloms
Hi Paul,

On Tue, Dec 20, Paul Matthews wrote:

> just i'm working on getting squid1 == DG == squid2 and wondering, how
> do i disable caching in squid1?

it is documented in the configuration file (section cache_peer):

--snip--
#use 'proxy-only' to specify objects fetched
#from this cache should not be saved locally.
--snip--

when you use this option on squid1, it will not save any objects from
squid2.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

