[squid-users] acl limit
Hi, lists,

I plan to use "acl isp-xxx dst" to define tons of route prefixes, over 27,000 items. Is it reasonable?

Regards,
Simon
[squid-users] Does Squid send connection information of client and server to c-icap?
Hi,

Does squid send client and server IPs and ports to c-icap when sending a request or response to it?

Regards,
MSH
Re: [squid-users] acl limit
On 21/08/2014 7:16 p.m., k simon wrote:
> Hi, lists,
>
> I plan to use "acl isp-xxx dst" to define tons of route prefixes, over
> 27,000 items. Is it reasonable?

Squid should be able to handle it, but it's probably best to aggregate the ranges first to minimize the work necessary per request.

Squid takes start-end/mask syntax, which can range across odd numbers of CIDR boundaries. So a clean CIDR prefix listing has potentially far more entries than strictly necessary for Squid config files.

Amos
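The aggregation step Amos recommends, as an added example that is not part of the thread or of Squid itself: it collapses a prefix list into the minimal set of CIDR entries and emits the matching `acl ... dst` lines. `SAMPLE_PREFIXES` is a constructed list standing in for the 27,000-entry table in the question.

```python
"""Collapse a large prefix list before loading it into a Squid 'dst' ACL.

Adjacent sibling blocks are merged and prefixes already covered by a larger
one are dropped, so the ACL carries only the entries Squid actually needs
to check per request.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample input; comments and blank lines are tolerated.
SAMPLE_PREFIXES = [
    "10.0.0.0/25",       # two halves of 10.0.0.0/24 ...
    "10.0.0.128/25",
    "10.0.1.0/24",       # ... plus the neighbouring /24 make 10.0.0.0/23
    "10.0.0.0/24",       # already covered, will be dropped
    "192.0.2.1/24",      # host bits set; strict=False rounds it to 192.0.2.0/24
    "2001:db8::/33",
    "2001:db8:8000::/33",
    "# comment lines and blank lines are ignored",
    "",
]


def parse_prefixes(lines: Iterable[str]) -> list:
    """Parse one prefix per line into ip_network objects."""
    nets = []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if text:
            nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def aggregate(lines: Iterable[str]) -> List[str]:
    """Return the minimal covering CIDR set, sorted, as strings.

    IPv4 and IPv6 are collapsed separately because collapse_addresses()
    refuses a mixed-version input.
    """
    nets = parse_prefixes(lines)
    collapsed = []
    for version in (4, 6):
        same_version = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same_version))
    return [str(n) for n in collapsed]


def squid_acl_lines(name: str, lines: Iterable[str]) -> List[str]:
    """One 'acl <name> dst <prefix>' line per collapsed entry.

    For a list this size Squid can also read the prefixes, one per line,
    from a quoted file name:  acl isp-xxx dst "/etc/squid/isp-xxx.txt"
    """
    return [f"acl {name} dst {prefix}" for prefix in aggregate(lines)]


if __name__ == "__main__":
    before = len(parse_prefixes(SAMPLE_PREFIXES))
    acl = squid_acl_lines("isp-xxx", SAMPLE_PREFIXES)
    print(f"{before} input prefixes -> {len(acl)} ACL entries")
    print("\n".join(acl))
```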
Re: [squid-users] Does Squid send connection information of client and server to c-icap?
On 21/08/2014 7:48 p.m., m.shahverdi wrote:
> Hi,
> Does squid send client and server IPs and ports to c-icap when sending
> request or response to it?

Why would those be relevant? ICAP is for content filtering, not packet routing.

Squid-3.2 and later send custom annotation headers with whatever has been configured.

http://www.squid-cache.org/Doc/config/adaptation_meta/
http://www.squid-cache.org/Doc/config/adaptation_send_client_ip/
http://www.squid-cache.org/Doc/config/adaptation_masterx_shared_names/

Amos
Re: [squid-users] acl limit
Thanks, Amos.

Simon

On 14-8-21 16:19, Amos Jeffries wrote:
> On 21/08/2014 7:16 p.m., k simon wrote:
>> Hi, lists,
>> I plan to use "acl isp-xxx dst" to define tons of route prefixes, over
>> 27,000 items. Is it reasonable?
>
> Squid should be able to handle it, but it's probably best to aggregate the
> ranges first to minimize the work necessary per request.
>
> Squid takes start-end/mask syntax, which can range across odd numbers of
> CIDR boundaries. So a clean CIDR prefix listing has potentially far more
> entries than strictly necessary for Squid config files.
>
> Amos
[squid-users] blockVirgin Works for CONNECT but Custom Response does not work
Hello,

When I see a CONNECT request in my eCAP adapter, if I call the function blockVirgin then I see a squid ACCESS DENIED page, which is good.

But if, instead of calling blockVirgin, I generate a CUSTOM response message saying "YOU ARE NOT AUTHORISED TO VIEW THIS PAGE" and build the response based on the FAQ https://answers.launchpad.net/ecap/+faq/2516, then it fails.

Although the same code (request satisfaction) works if I build a custom response for a GET request.

Please suggest how I can achieve a CUSTOM response for a CONNECT.

I had asked this question on ecap, but it was suggested that I raise this query here.

Thanks,
Jatin
[squid-users] kerberos_ldap_group stopped working with subdomains
Hi! Please, help.

I've been using squid 3.3.11 on FreeBSD 10 for a year. I have AD and Kerberos authentication. Squid checks DenyInternet group membership through kerberos_ldap_group. My domain example.org has subdomains like south.example.org, west.example.org, etc. All users use proxy.example.org. Everything works fine. Here is the config:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.example@example.org
auth_param negotiate children 100 startup=30 idle=5
auth_param negotiate keep_alive

external_acl_type no_inet_users ttl=3600 negative_ttl=3600 children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass

Now I'm trying to migrate to squid 3.4.6. Same config. I've encountered a problem: kerberos_ldap_group stopped working with subdomain users like u...@south.example.org while it still works with u...@example.org. In general it started to complain "ERROR: Error during setup of Kerberos credential cache" in cache.log.

When I turn on the debug I'm getting this:

kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: Got User: ptimofeev Domain: SOUTH.EXAMPLE.ORG
support_member.cc(55): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(83): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(111): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(113): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(174): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_13729
support_krb5.cc(186): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain SOUTH.EXAMPLE.ORG.
support_krb5.cc(187): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
support_krb5.cc(201): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/proxy.example@example.org
support_krb5.cc(247): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found trusted principal name: HTTP/proxy.example@example.org
support_krb5.cc(315): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got no principal name
support_ldap.cc(806): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
support_member.cc(124): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: User ptimofeev is not member of group@domain OCS-DenyInternet-G@NULL
kerberos_ldap_group.cc(407): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: ERR
[squid-users] Re: kerberos_ldap_group stopped working with subdomains
Group name in config is OCS-DenyInternet-G of course.

2014-08-21 14:48 GMT+04:00 Pavel Timofeev:
> Hi!
> Please, help.
> I've been using squid 3.3.11 on FreeBSD 10 for a year.
> I have AD and Kerberos authentication. Squid checks DenyInternet
> group membership through kerberos_ldap_group. My domain example.org
> has subdomains like south.example.org, west.example.org, etc. All
> users use proxy.example.org.
> Everything works fine. Here is the config:
>
> auth_param negotiate program
> /usr/local/libexec/squid/negotiate_kerberos_auth -s
> HTTP/proxy.example@example.org
> auth_param negotiate children 100 startup=30 idle=5
> auth_param negotiate keep_alive
>
> external_acl_type no_inet_users ttl=3600 negative_ttl=3600
> children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN
> /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g
> DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass
>
> Now I'm trying to migrate to squid 3.4.6. Same config.
> I've encountered a problem: kerberos_ldap_group stopped working
> with subdomain users like u...@south.example.org while it still works
> with u...@example.org.
> In general it started to complain "ERROR: Error during setup of
> Kerberos credential cache" in cache.log.
[squid-users] problem with squid-users maillist
Hello,

Due to the DMARC policy of several domains some mail is blocked (see an example below).

I suppose the maillist software (ezmlm) needs some tuning; it must forward email to the list with its own sender address (@squid-cache.org).

An example:

--
Return-Path: <>
Received: (qmail 8574 invoked for bounce); 9 Aug 2014 15:48:22 -
Date: 9 Aug 2014 15:48:22 -
From: mailer-dae...@squid-cache.org
To: squid-users-return-1235...@squid-cache.org
Subject: failure notice

Hi. This is the qmail-send program at squid-cache.org.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
74.125.142.27 failed after I sent the message.
Remote host said: 550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's
550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if
550-5.7.1 this was a legitimate mail. Please visit
550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC
550 5.7.1 initiative. o17si27260806icl.100 - gsmtp
--

--
Regards,
Oleg
[squid-users] Re: kerberos_ldap_group stopped working with subdomains
That's how the squid 3.4.6 helper works with usern...@example.org:

kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
support_member.cc(55): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(83): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(111): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(113): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.example@example.org
support_krb5.cc(174): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_45620
support_krb5.cc(270): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.example@example.org
support_krb5.cc(313): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(830): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(836): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain EXAMPLE.ORG
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record to dc1.example.org
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record to dc2.example.org

etc., and no problems.

2014-08-21 14:54 GMT+04:00 Pavel Timofeev:
> Group name in config is OCS-DenyInternet-G of course.
>
> 2014-08-21 14:48 GMT+04:00 Pavel Timofeev:
>> Hi!
>> Please, help.
>> I've been using squid 3.3.11 on FreeBSD 10 for a year.
>> I have AD and Kerberos authentication. Squid checks DenyInternet
>> group membership through kerberos_ldap_group. My domain example.org
>> has subdomains like south.example.org, west.example.org, etc. All
>> users use proxy.example.org.
>> Everything works fine. Here is the config:
>>
>> auth_param negotiate program
>> /usr/local/libexec/squid/negotiate_kerberos_auth -s
>> HTTP/proxy.example@example.org
>> auth_param negotiate children 100 startup=30 idle=5
>> auth_param negotiate keep_alive
>>
>> external_acl_type no_inet_users ttl=3600 negative_ttl=3600
>> children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN
>> /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g
>> DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass
>>
>> Now I'm trying to migrate to squid 3.4.6. Same config.
>> I've encountered a problem: kerberos_ldap_group stopped working
>> with subdomain users like u...@south.example.org while it still works
>> with u...@example.org.
>> In general it started to complain "ERROR: Error during setup of
>> Kerberos credential cache" in cache.log.
RE: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work
Hello Jatin,

Maybe this (for ICAP, not for eCAP) describes your issue:
http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked

Raf

From: Jatin Bhasin
Sent: Thursday, August 21, 2014 12:47 PM
To: squid-users@squid-cache.org
Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

When I see a CONNECT request in my eCAP adapter, if I call the function blockVirgin then I see a squid ACCESS DENIED page, which is good.

But if, instead of calling blockVirgin, I generate a CUSTOM response message saying "YOU ARE NOT AUTHORISED TO VIEW THIS PAGE" and build the response based on the FAQ https://answers.launchpad.net/ecap/+faq/2516, then it fails.

Although the same code (request satisfaction) works if I build a custom response for a GET request.

Please suggest how I can achieve a CUSTOM response for a CONNECT.
Re: [squid-users] Poor cache
Hi,

I have just updated to the latest version, and the results are clear:

cat /var/log/squid/access.log | awk '{print $4}' | sort | uniq -c | sort -rn
 486561 TCP_MISS/200
  89612 TCP_MISS/304
  52123 TCP_MEM_HIT/200
  40408 TCP_MISS/206
  36267 TCP_MISS/302
  20904 TCP_MISS/204
  12246 TCP_IMS_HIT/304
  12171 TCP_MISS/404
  10533 TCP_MISS/301
   9145 TCP_MISS/000
   6004 TCP_OFFLINE_HIT/200
..

It's said that MISS/301 and MISS/303 are not cacheable without special instructions.

What are those SPECIAL instructions?

On 21 August 2014 00:46, Amos Jeffries wrote:
> On 21/08/2014 6:05 a.m., Délsio Cabá wrote:
>> Hi,
>> Using version: Squid Cache: Version 3.1.10 (Centos RPM)
>>
>
> Ah. The version itself is probably most of the problem.
>
> 3.1 does not cache traffic with Cache-Control:no-cache, which these days
> consists of a large percentage (30-40) of all traffic. That is resolved
> in 3.2 and later, along with better caching of private and authenticated
> traffic.
>
> You can find details of newer CentOS RPM packages from Eliezer at
> http://wiki.squid-cache.org/KnowledgeBase/CentOS
>
> Amos
[squid-users] Re: Individual delay pools and youtube
You are very right Antony!

> 1. are all the youtube videos which go over-limit HTTPS connections?
Yes!

> 2. can the client go over-limit with any other URL provided it's HTTPS?
Yes!

So... is there anything to do in order to limit the bandwidth of clients downloading/viewing videos over HTTPS? If not possible in squid, I accept any other ways.

Thank you very much!

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Individual-delay-pools-and-youtube-tp4667291p4667319.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Poor cache
On 21/08/2014 11:56 p.m., Délsio Cabá wrote:
> Hi,
>
> I have just updated to the latest version, and the results are clear:
> cat /var/log/squid/access.log | awk '{print $4}' | sort | uniq -c | sort -rn
>  486561 TCP_MISS/200
>   89612 TCP_MISS/304
>   52123 TCP_MEM_HIT/200
>   40408 TCP_MISS/206
>   36267 TCP_MISS/302
>   20904 TCP_MISS/204
>   12246 TCP_IMS_HIT/304
>   12171 TCP_MISS/404
>   10533 TCP_MISS/301
>    9145 TCP_MISS/000
>    6004 TCP_OFFLINE_HIT/200
> ..
>
> It's said that MISS/301 and MISS/303 are not cacheable without special
> instructions.
>
> What are those SPECIAL instructions?

http://tools.ietf.org/html/rfc7234#section-3

301 is a status code defined as cacheable by default. 303 depends on the other conditions.

Amos
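The same tally the awk pipeline above produces, with the default-cacheability check Amos points to, as an added example that is not part of the thread or of Squid. It reads Squid's native access.log format (field 4 is the result/status column); `SAMPLE_LOG` is constructed, and the "cacheable by default" set is the list from RFC 7231 section 6.1.

```python
"""Tally a Squid access.log by result code and flag MISSes whose status
code is cacheable by default (no explicit freshness needed from the origin).
"""
from collections import Counter
from typing import Dict, Iterable, Tuple

# RFC 7231 section 6.1: status codes cacheable by default.
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}

# Constructed sample in Squid native format:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1408600001.001    245 192.0.2.10 TCP_MISS/200 5123 GET http://www.example.com/ - HIER_DIRECT/198.51.100.7 text/html
1408600002.002     12 192.0.2.11 TCP_MEM_HIT/200 5123 GET http://www.example.com/ - HIER_NONE/- text/html
1408600003.003    310 192.0.2.12 TCP_MISS/301 412 GET http://example.com/ - HIER_DIRECT/198.51.100.7 text/html
1408600004.004    298 192.0.2.12 TCP_MISS/303 380 POST http://www.example.com/login - HIER_DIRECT/198.51.100.7 text/html
1408600005.005    190 192.0.2.13 TCP_MISS/200 98231 GET http://www.example.com/big.js - HIER_DIRECT/198.51.100.7 application/javascript
1408600006.006      9 192.0.2.14 TCP_MEM_HIT/200 98231 GET http://www.example.com/big.js - HIER_NONE/- application/javascript
1408600007.007      5 192.0.2.15 TCP_IMS_HIT/304 250 GET http://www.example.com/big.js - HIER_NONE/- application/javascript
1408600008.008  60012 192.0.2.16 TCP_MISS/000 0 GET http://www.example.com/slow - HIER_DIRECT/198.51.100.7 -
1408600009.009    201 192.0.2.17 TCP_MISS/200 1500 GET http://www.example.com/a.png - HIER_DIRECT/198.51.100.7 image/png
"""


def tally(lines: Iterable[str]) -> Counter:
    """Count occurrences of the result/status column, like awk '{print $4}'."""
    counts: Counter = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) >= 4:
            counts[fields[3]] += 1
    return counts


def served_from_cache(result: str) -> bool:
    """Result tags containing HIT, and REFRESH_UNMODIFIED (revalidated then
    served from cache), count as hits; everything else went to the origin."""
    action = result.split("/", 1)[0]
    return "HIT" in action or action.endswith("REFRESH_UNMODIFIED")


def hit_ratio(counts: Counter) -> float:
    total = sum(counts.values())
    hits = sum(n for result, n in counts.items() if served_from_cache(result))
    return hits / total if total else 0.0


def misses_by_status(counts: Counter) -> Dict[int, Tuple[int, bool]]:
    """Map HTTP status -> (number of MISSes, cacheable by default?).

    Status 000 means the transaction ended before any status was received
    (aborted or failed connection), so it can never have been cacheable.
    """
    out: Dict[int, Tuple[int, bool]] = {}
    for result, n in counts.items():
        action, _, status = result.partition("/")
        if "MISS" not in action or not status.isdigit():
            continue
        code = int(status)
        seen, cacheable = out.get(code, (0, code in CACHEABLE_BY_DEFAULT))
        out[code] = (seen + n, cacheable)
    return out


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG.splitlines())
    for result, n in counts.most_common():
        print(f"{n:7d} {result}")
    print(f"hit ratio: {hit_ratio(counts):.1%}")
    for code, (n, cacheable) in sorted(misses_by_status(counts).items()):
        print(f"MISS/{code:03d}: {n} (cacheable by default: {cacheable})")
```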
RE: [squid-users] https://weather.yahoo.com redirect loop
Don't kill the messenger :)

I agree, but had to remove forwarded-for and via or I faced blocking and weirdness with several of the services I use. I won't name names because I don't really want to pursue the debate.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, August 20, 2014 9:39 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] https://weather.yahoo.com redirect loop

On 21/08/2014 2:23 p.m., Lawrence Pingree wrote:
> No, I mean they are intentionally blocking with a configured policy,
> it's not a bug. :) They have signatures that match Via headers and
> forwarded-for headers to determine that it's squid. This is because
> many hackers are using bounces off open squid proxies to launch web
> attacks.
>

That still sounds like a bug. Blocking on squid existence makes as much sense as blocking all traffic with a UA header containing "MSIE" on the grounds that 90% of web attacks come with that agent string.

The content inside those headers is also context specific; signature matching will not work beyond a simple proxy/maybe-proxy determination (which does not even determine non-proxy!).

A proposal came up in the IETF a few weeks ago that HTTPS traffic containing a Via header should be blocked on sight by all servers. It got booted out on these grounds:
* the "bad guys" are not sending Via.
* what Via do exist are being sent by "good guys" who obey the specs but are otherwise literally forced (by law or previous TLS based attacks) to MITM the HTTPS in order to increase security checking on that traffic (i.e. AV scanning).

Therefore, the existence of Via is actually a sign of *good* health in the traffic and a useful tool for finding culprits behind the well behaved proxies. Rejecting or blocking based on its existence just increases the ratio of nasty traffic which makes it through, while simultaneously forcing the "good guys" to become indistinguishable from "bad guys".

Only the "bad guys" get any actual benefit out of the situation.

Basically "via off" is a bad idea, and broken services (intentional or otherwise) which force it to be used are worse than terrible.

Amos
Re: [squid-users] Re: Individual delay pools and youtube
On 22/08/2014 12:24 a.m., fpap wrote:
> You are very right Antony!
>
>> 1. are all the youtube videos which go over-limit HTTPS connections?
> Yes!
>
>> 2. can the client go over-limit with any other URL provided it's HTTPS?
> Yes!
>
> So... is there anything to do in order to limit the bandwidth of clients
> downloading/viewing videos over HTTPS? If not possible in squid, I accept
> any other ways.
>
> Thank you very much!

I recommend you use the operating system QoS functionality. They are more fine grained than Squid delay_pools. Squid can provide TOS markings on connections to servers via tcp_outgoing_tos for those controls to work with.

Amos
[squid-users] Re: Individual delay pools and youtube
Amos Jeffries wrote
> On 22/08/2014 12:24 a.m., fpap wrote:
>> You are very right Antony!
>>
>>> 1. are all the youtube videos which go over-limit HTTPS connections?
>> Yes!
>>
>>> 2. can the client go over-limit with any other URL provided it's HTTPS?
>> Yes!
>>
>> So... is there anything to do in order to limit the bandwidth of clients
>> downloading/viewing videos over HTTPS? If not possible in squid, I accept
>> any other ways.
>>
>> Thank you very much!
>
>
> I recommend you use the operating system QoS functionality. They are
> more fine grained than Squid delay_pools. Squid can provide TOS markings
> on connections to servers via tcp_outgoing_tos for those controls to
> work with.
>
> Amos

Thanks a lot!!!

Any recommended reading on the matter?

Greetings
[squid-users] Re: squid_kerb_ldap issues
Hi All,

I have squid_kerb_auth working and authenticating via my keytab file. However, when trying to lock it down to users that are in a group in AD, I'm seeing a weird issue. I put my sanitized output here: http://pastebin.com/wGc3RC0h

But basically if I use this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN" it is able to auth to AD and eventually attempts to use a bind path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it gives a referral error.

So seeing that, I tried to use my full domain as the default domain, like this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM". It gives a Preauthentication failed error and doesn't even make it in to AD; full output here: http://pastebin.com/Gk1ci0nt

That makes me think it's an issue with the keytab file, but it works appropriately with kerb auth, just not kerb ldap. Any ideas? I am going to try and make a keytab file with ktpass instead of msktutil and see if that has any effect.

Thanks,
-Scott
[squid-users] Re: server failover/backup
"This appears to be a client (192.168.0.125) connecting to what it thinks is a regular forward-proxy port: http_port 3128 or http_port 192.168.0.1:3128"

Like I said, the clients get the IP and port through DHCP; that's correct behaviour in my eyes.

"This above shows Squid receiving various requests for blizzard.com domains and relaying them to the web server at 192.168.0.4. Do you actually have a blizzard.com web server running at 192.168.0.4 ? I don't think so."

This is correct. At 192.168.0.4 is an nginx reverse proxy for caching games like Steam, Origin... and ofc Blizzard games. [If I disable squid it works.]

"It seems to me that you are mixing the HTTP traffic modes up."

I don't know what you mean. Like I said, I don't use this server as a NAT; it's just a normal server connected to our router. Clients get the proxy through a .pac file via DHCP.
Re: [squid-users] problem with squid-users maillist
On Thu, 2014-08-21 at 15:02 +0400, Oleg Motienko wrote:
> Hello,
>
> Due to DMARC policy of several domains some mail is blocked (see an
> example below).
>
> I suppose maillist software ( ezmlm ) needs some tuning, it must
> forward email to list with own sender address ( @squid-cache.org ).
>

I don't see a response so I'll have a go.

I run DKIM on several sites. A lot of DKIM implementations are thoroughly screwed up.

1) Many sites have bad DNS DKIM/DMARC content (CostCo was one).
2) Many sites use small, 512-bit keys even though the RFCs and NIST explicitly have words written on this subject. Implementations like OpenDKIM, by default, reject messages signed with keys less than 1024 bits.
3) From a DMARC perspective, which is why people are moving to SPF and DKIM, the reporting email address in DNS either does not exist or is encoded improperly.
4) Some email is not properly signed.

But the problem here is email lists. Squid is not alone. The FreeBSD lists have the same problem. Section 3 of RFC-6377 has a few words on mail lists. This probably applies:

   In general, absent a general movement by MLM developers and operators
   toward more DKIM-friendly practices, an MLM subscriber cannot expect
   signatures applied before the message was processed by the MLM to be
   valid on delivery to a Receiver. Such an evolution is not expected in
   the short term due to general development and deployment inertia.
   Moreover, even if an MLM currently passes messages unmodified such
   that Author signatures validate, it is possible that a configuration
   change or software upgrade to that MLM will cause that no longer to be
   true.

Patches exist for resenders to strip existing DKIM signatures and add a new, valid signature. The argument against doing this is load. In my case, I use a 2048 bit key and process 60k outgoing messages a day. My mailers do a lot of other work including anti-spam/anti-virus processing with two-to-three MILTERs.

Based on my load graphs for the last 4-6 weeks of running DKIM/DMARC against the prior months, there is NO significant load increase. In fact, the additional load is little more than additional noise.

Currently, as a receiver you are forced to insert exceptions, if you can. The problem is these exception lists can get fairly lengthy and quickly become unmanageable. It is better if resenders simply patch their implementations.

> An example:
>
> --
>
> Return-Path: <>
> Received: (qmail 8574 invoked for bounce); 9 Aug 2014 15:48:22 -
> Date: 9 Aug 2014 15:48:22 -
> From: mailer-dae...@squid-cache.org
> To: squid-users-return-1235...@squid-cache.org
> Subject: failure notice
>
> Hi. This is the qmail-send program at squid-cache.org.
> I'm afraid I wasn't able to deliver your message to the following addresses.
> This is a permanent error; I've given up. Sorry it didn't work out.
>
> :
> 74.125.142.27 failed after I sent the message.
> Remote host said: 550-5.7.1 Unauthenticated email from yahoo.com is
> not accepted due to domain's
> 550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if
> 550-5.7.1 this was a legitimate mail. Please visit
> 550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC
> 550 5.7.1 initiative. o17si27260806icl.100 - gsmtp
>
> --
>
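The resender-side fix discussed in this thread (Oleg's "forward with the list's own sender address" plus stripping the now-invalid author signatures), as an added example that is neither ezmlm's code nor part of the thread. It rewrites From: to the list address when the author's domain publishes a rejecting DMARC policy, keeps the author reachable via Reply-To and X-Original-From, and removes DKIM-Signature headers so the list MTA can sign afresh. `DMARC_REJECT_DOMAINS` is a constructed stand-in for the `_dmarc` TXT lookup a real MLM would do, and `CONSTRUCTED_MAIL` is a constructed message.

```python
"""Rewrite a list-forwarded message so it can pass DMARC at the receiver.

Stdlib only: the email package parses and rewrites headers; re-signing is
left to the outbound MTA (e.g. a DKIM milter), which now signs a message
whose From: domain it controls.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr
from typing import Dict, Set

LIST_ADDR = "squid-users@squid-cache.org"
# Constructed: a real MLM would look up _dmarc.<domain> TXT and check p=reject.
DMARC_REJECT_DOMAINS: Set[str] = {"yahoo.com"}

# Constructed message; the address at yahoo.com is not a real mailbox.
CONSTRUCTED_MAIL = """\
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=s2048; h=From:To:Subject; bh=constructed=; b=constructed=
From: Oleg <author@yahoo.com>
To: squid-users@squid-cache.org
Subject: problem with squid-users maillist
Message-ID: <constructed-id@yahoo.com>

Due to DMARC policy of several domains some mail is blocked.
"""


def sender_domain(from_header: str) -> str:
    """Domain part of the From: address, lower-cased ('' if unparsable)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def needs_rewrite(from_header: str, reject_domains: Set[str]) -> bool:
    return sender_domain(from_header) in reject_domains


def rewrite_for_list(raw: str, list_addr: str, reject_domains: Set[str]) -> EmailMessage:
    """Return the message ready for redistribution by the list."""
    msg = email.message_from_string(raw, policy=policy.default)
    original_from = str(msg["From"])
    if not needs_rewrite(original_from, reject_domains):
        return msg  # author's own signature can stay valid; leave it alone

    name, addr = parseaddr(original_from)
    display = f"{name or addr} via squid-users"
    msg["X-Original-From"] = original_from         # keep the author visible
    msg.replace_header("From", formataddr((display, list_addr)))
    if "Reply-To" not in msg:                       # replies still reach the author
        msg["Reply-To"] = original_from
    del msg["DKIM-Signature"]                       # broken by the From: change
    return msg


def audit(msg: EmailMessage) -> Dict[str, object]:
    """Summarise the headers a DMARC-checking receiver would look at."""
    from_name, from_addr = parseaddr(str(msg["From"]))
    return {
        "from_addr": from_addr,
        "from_display": from_name,
        "reply_to": parseaddr(str(msg["Reply-To"]))[1] if msg["Reply-To"] else "",
        "original_from": parseaddr(str(msg["X-Original-From"]))[1] if msg["X-Original-From"] else "",
        "dkim_signatures": len(msg.get_all("DKIM-Signature", [])),
    }


if __name__ == "__main__":
    out = rewrite_for_list(CONSTRUCTED_MAIL, LIST_ADDR, DMARC_REJECT_DOMAINS)
    print(out.as_string())
```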
[squid-users] Re: squid_kerb_ldap issues
Hi Scott,

So from what I see in your first log you have a user MYSUER with a domain/realm MYDOMAIN, but squid belongs to SUBDOMAIN.DOMAIN.COM. squid_kerb_ldap tries to authenticate to the domain MYDOMAIN using the keytab but does not find any entry for MYDOMAIN in the keytab. Then squid_kerb_ldap tries to find an entry in the keytab of a domain which trusts MYDOMAIN and fails. It seems there is no Kerberos trust between MYDOMAIN and SUBDOMAIN.DOMAIN.COM.

The second log looks better, but the password stored in the keytab for SQUIDPROXY-K$ is incorrect (Preauthentication failed).

Markus

"Scott Finlon" wrote in message news:d01b8481.36d86%scott.fin...@scranton.edu...

Hi All,

I have squid_kerb_auth working and authenticating via my keytab file. However, when trying to lock it down to users that are in a group in AD, I'm seeing a weird issue. I put my sanitized output here: http://pastebin.com/wGc3RC0h

But basically if I use this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN" it is able to auth to AD and eventually attempts to use a bind path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it gives a referral error.

So seeing that, I tried to use my full domain as the default domain, like this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM". It gives a Preauthentication failed error and doesn't even make it in to AD; full output here: http://pastebin.com/Gk1ci0nt

That makes me think it's an issue with the keytab file, but it works appropriately with kerb auth, just not kerb ldap. Any ideas? I am going to try and make a keytab file with ktpass instead of msktutil and see if that has any effect.

Thanks,
-Scott
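Both Kerberos threads on this page (Pavel's subdomain users and Scott's MYDOMAIN realm) fail at the same step Markus describes: the helper looks for a keytab principal in the user's realm, then falls back to a realm that trusts it. The triage script below, an added example that is not Squid code, reads the helper's debug lines and reports which of those steps succeeded. `SAMPLE_FAIL` and `SAMPLE_OK` are excerpts of the two logs Pavel posted, kept verbatim.

```python
"""Triage ext_kerberos_ldap_group_acl / squid_kerb_ldap debug output.

Answers: what realm is the user in, which realms does the keytab contain,
did the trusted-realm fallback find a principal, and were credentials
finally stored?
"""
import re
from typing import Dict, Iterable, List, Tuple

# e.g. "support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: <message>"
LINE_RE = re.compile(r"^\S+\(\d+\): pid=\d+ :[^|]*\| kerberos_ldap_group: (\w+): (.*)$")
USER_RE = re.compile(r"Got User: (\S+) Domain: (\S+)")
KEYTAB_REALM_RE = re.compile(r"Keytab entry has realm name: (\S+)")
PRINCIPAL_RE = re.compile(r"Found principal name: (\S+)")
TRUSTED_RE = re.compile(r"Found trusted principal name: (\S+)")

# Excerpts of the logs posted in the thread.
SAMPLE_FAIL = """\
kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: Got User: ptimofeev Domain: SOUTH.EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(186): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain SOUTH.EXAMPLE.ORG.
support_krb5.cc(187): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
support_krb5.cc(247): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found trusted principal name: HTTP/proxy.example@example.org
support_krb5.cc(315): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got no principal name
support_ldap.cc(806): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
"""
SAMPLE_OK = """\
kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.example@example.org
support_krb5.cc(313): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Stored credentials
"""


def parse(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(level, message) for every line in the helper's log format."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def diagnose(lines: Iterable[str]) -> Dict[str, object]:
    r: Dict[str, object] = {"user": None, "realm": None, "keytab_realms": set(),
                            "principal": None, "trusted_principal": None,
                            "credentials_stored": False, "errors": []}
    for level, msg in parse(lines):
        m = USER_RE.search(msg)
        if m:
            r["user"], r["realm"] = m.group(1), m.group(2)
        m = KEYTAB_REALM_RE.search(msg)
        if m:
            r["keytab_realms"].add(m.group(1))
        m = PRINCIPAL_RE.search(msg)
        if m:
            r["principal"] = m.group(1)
        m = TRUSTED_RE.search(msg)
        if m:
            r["trusted_principal"] = m.group(1)
        if msg == "Stored credentials":
            r["credentials_stored"] = True
        if level == "ERROR":
            r["errors"].append(msg)

    r["keytab_realms"] = sorted(r["keytab_realms"])
    r["realm_in_keytab"] = r["realm"] in r["keytab_realms"]
    if r["credentials_stored"]:
        r["verdict"] = "ok"
    elif r["realm_in_keytab"]:
        r["verdict"] = f"keytab covers realm {r['realm']} but credential setup still failed"
    elif r["trusted_principal"]:
        r["verdict"] = (f"keytab has no entry for realm {r['realm']}; trusted-realm fallback "
                        f"picked {r['trusted_principal']} but no credentials were stored")
    else:
        r["verdict"] = f"keytab has no entry for realm {r['realm']} and no trusted-realm principal was found"
    return r


if __name__ == "__main__":
    for name, text in (("failing", SAMPLE_FAIL), ("working", SAMPLE_OK)):
        d = diagnose(text.splitlines())
        print(f"{name}: user={d['user']} realm={d['realm']} keytab={d['keytab_realms']} -> {d['verdict']}")
```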
Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work
Hello,

Yes, that is the same scenario that I have been experiencing, but when I call function (x->blockVirgin()) from my ecap adapter then squid does print the "access denied page" which is one of my squid error pages. So as I see that squid does complete the SSL handshake and then paints the "access denied page" which works fine.

But if I try to paint a custom message then squid does not complete the handshake and just continues to paint the blockpage which then is rejected by the browser (as the browser is expecting a proper handshake before receiving any response data).

Maybe this is a bug in squid or I am not doing it right, but it would be great if somebody can suggest if I am doing something wrong.

Thanks,
Jatin

On Thu, Aug 21, 2014 at 9:35 PM, Rafael Akchurin wrote:
> Hello Jatin,
>
> May be this (for ICAP not for eCap) describes your issue -
> http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked
>
> Raf
>
> From: Jatin Bhasin
> Sent: Thursday, August 21, 2014 12:47 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work
>
> When I see a CONNECT request in my eCap adapter then if I call function blockVirgin then I see a squid ACCESS DENIED page which is good.
>
> But if instead of calling blockVirgin I generate a CUSTOM response message saying "YOU ARE NOT AUTHORISED TO VIEW THIS PAGE" then build response based on FAQ https://answers.launchpad.net/ecap/+faq/2516 then it fails.
>
> Although the same code (request satisfaction) works if I build a custom response for a GET request.
>
> Please suggest how can I achieve CUSTOM response for a CONNECT.
Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work
Hello,

I wanted to block a particular website based on CONNECT request because I am not bumping (decrypting) the site. But now I have realised that if I do not bump the site then there is no way I can paint a custom message on the browser.

So, can somebody suggest to me if there is a way to pass a flag to squid from the ecap adapter to decrypt a site regardless of what the ACL says. For example if I have an acl as below which says do not decrypt www.888.com, but if my ecap adapter could pass a message to squid asking it to decrypt www.888.com (for that session only) and ignore the below acl. Is it possible?

acl no_ssl_interception dstdomain .888.com
ssl_bump none no_ssl_interception
ssl_bump client-first all

Thanks,
Jatin

On Fri, Aug 22, 2014 at 9:59 AM, Jatin Bhasin wrote:
> Hello,
>
> Yes, that is the same scenario that I have been experiencing, but when I call function (x->blockVirgin()) from my ecap adapter then squid does print the "access denied page" which is one of my squid error pages. So as I see that squid does complete the SSL handshake and then paints the "access denied page" which works fine.
>
> But if I try to paint a custom message then squid does not complete the handshake and just continues to paint the blockpage which then is rejected by the browser (as the browser is expecting a proper handshake before receiving any response data).
>
> Maybe this is a bug in squid or I am not doing it right, but it would be great if somebody can suggest if I am doing something wrong.
>
> Thanks,
> Jatin
>
> On Thu, Aug 21, 2014 at 9:35 PM, Rafael Akchurin wrote:
>> Hello Jatin,
>>
>> May be this (for ICAP not for eCap) describes your issue -
>> http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked
>>
>> Raf
>>
>> From: Jatin Bhasin
>> Sent: Thursday, August 21, 2014 12:47 PM
>> To: squid-users@squid-cache.org
>> Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work
>>
>> When I see a CONNECT request in my eCap adapter then if I call function blockVirgin then I see a squid ACCESS DENIED page which is good.
>>
>> But if instead of calling blockVirgin I generate a CUSTOM response message saying "YOU ARE NOT AUTHORISED TO VIEW THIS PAGE" then build response based on FAQ https://answers.launchpad.net/ecap/+faq/2516 then it fails.
>>
>> Although the same code (request satisfaction) works if I build a custom response for a GET request.
>>
>> Please suggest how can I achieve CUSTOM response for a CONNECT.