[squid-users] acl limit

2014-08-21 Thread k simon
Hi, Lists,

   I plan to use "acl isp-xxx dst" to define tons of route prefixes, over
27,000 items. Is it reasonable?


Regards
Simon


[squid-users] Does Squid send connection information of client and server to c-icap?

2014-08-21 Thread m.shahverdi

Hi,
Does squid send client and server IPs and ports to c-icap when sending 
request or response to it?


Regards,
MSH


Re: [squid-users] acl limit

2014-08-21 Thread Amos Jeffries
On 21/08/2014 7:16 p.m., k simon wrote:
> Hi, Lists,
> 
>    I plan to use "acl isp-xxx dst" to define tons of route prefixes, over
> 27,000 items. Is it reasonable?

Squid should be able to handle it, but it's probably best to aggregate
the ranges first to minimize the work necessary per-request.

Squid takes start-end/mask syntax which can range across odd numbers of
CIDR boundaries. So a clean CIDR prefix listing has potentially far more
entries than strictly necessary for Squid config files.

Amos
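The aggregation Amos recommends, as an added example that is not from the list or the Squid project: it collapses a CIDR list into the fewest contiguous addr1-addr2 entries for an acl dst file, including adjacent blocks that are not CIDR siblings. The input prefixes and the file name are constructed.

```python
import ipaddress
import sys


def aggregate_prefixes(prefixes):
    """Collapse CIDR prefixes into the fewest contiguous (start, end) ranges.

    Step 1, ipaddress.collapse_addresses, drops prefixes contained in others
    and joins sibling pairs into their parent block (10.0.0.0/24 + 10.0.1.0/24
    -> 10.0.0.0/23).  Step 2 joins blocks that are numerically adjacent but
    not CIDR-aligned siblings (192.0.2.0/24 + 192.0.3.0/25), which a CIDR
    list cannot express in one entry but Squid's addr1-addr2 form can.
    """
    by_version = {4: [], 6: []}
    for p in prefixes:
        p = p.strip()
        if not p or p.startswith("#"):
            continue                      # tolerate comments and blank lines
        net = ipaddress.ip_network(p, strict=False)
        by_version[net.version].append(net)

    ranges = []                           # [version, start_int, end_int]
    for version in (4, 6):
        for net in ipaddress.collapse_addresses(by_version[version]):
            start, end = int(net.network_address), int(net.broadcast_address)
            if ranges and ranges[-1][0] == version and ranges[-1][2] + 1 == start:
                ranges[-1][2] = end       # adjacent: extend the previous range
            else:
                ranges.append([version, start, end])

    out = []
    for version, start, end in ranges:
        cls = ipaddress.IPv4Address if version == 4 else ipaddress.IPv6Address
        out.append((cls(start), cls(end)))
    return out


def squid_dst_entries(prefixes):
    """Render the aggregated ranges as lines for an 'acl NAME dst "/path"' file."""
    return [str(s) if s == e else f"{s}-{e}"
            for s, e in aggregate_prefixes(prefixes)]


# Constructed sample input (not from the thread): sibling blocks, a nested
# and a merely adjacent block, a host route, and two IPv6 siblings.
SAMPLE_PREFIXES = [
    "10.0.1.0/24", "10.0.0.0/24", "10.0.2.0/23", "10.0.4.0/22",
    "192.0.2.0/24", "192.0.3.0/25",
    "203.0.113.5/32",
    "# comment lines and blanks are skipped", "",
    "2001:db8::/48", "2001:db8:1::/48",
]


if __name__ == "__main__":
    # Usage: python3 aggregate_dst.py < prefixes.txt > /etc/squid/isp-xxx.txt
    # then in squid.conf:  acl isp-xxx dst "/etc/squid/isp-xxx.txt"
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_PREFIXES
    entries = squid_dst_entries(source)
    sys.stdout.write("\n".join(entries) + "\n")
    print(f"{len(entries)} entries written", file=sys.stderr)
```

Eleven input lines become four entries; the 192.0.2.0/24 + 192.0.3.0/25 pair is the case Amos describes, one Squid range where CIDR needs two.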



Re: [squid-users] Does Squid send connection information of client and server to c-icap?

2014-08-21 Thread Amos Jeffries
On 21/08/2014 7:48 p.m., m.shahverdi wrote:
> Hi,
> Does squid send client and server IPs and ports to c-icap when sending
> request or response to it?

Why would those be relevant? ICAP is for content filtering, not packet
routing.

Squid-3.2 and later send custom annotation headers with whatever has
been configured.
 http://www.squid-cache.org/Doc/config/adaptation_meta/
 http://www.squid-cache.org/Doc/config/adaptation_send_client_ip/
 http://www.squid-cache.org/Doc/config/adaptation_masterx_shared_names/

Amos



Re: [squid-users] acl limit

2014-08-21 Thread k simon

Thanks, Amos.

Simon

On 14-8-21 16:19, Amos Jeffries wrote:
> On 21/08/2014 7:16 p.m., k simon wrote:
>> Hi, Lists,
>>
>> I plan to use "acl isp-xxx dst" to define tons of route prefixes, over
>> 27,000 items. Is it reasonable?
>
> Squid should be able to handle it, but it's probably best to aggregate
> the ranges first to minimize the work necessary per-request.
>
> Squid takes start-end/mask syntax which can range across odd numbers of
> CIDR boundaries. So a clean CIDR prefix listing has potentially far more
> entries than strictly necessary for Squid config files.
>
> Amos



[squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-21 Thread Jatin Bhasin
Hello,

When I see a CONNECT request in my eCap adapter then if I call
function blockVirgin then I see a squid ACCESS DENIED page which is
good.

But if, instead of calling blockVirgin, I generate a CUSTOM response
message saying "YOU ARE NOT AUTHORISED TO VIEW THIS PAGE" and build the
response based on FAQ https://answers.launchpad.net/ecap/+faq/2516,
then it fails.

Although the same code (request satisfaction) works if I build a
custom response for a GET request.

Please suggest how I can achieve a CUSTOM response for a CONNECT.

I had asked this question on ecap but was told to raise this query here.


Thanks,
Jatin


[squid-users] kerberos_ldap_group stopped working with subdomains

2014-08-21 Thread Pavel Timofeev
Hi!
Please, help.
I've been using squid 3.3.11 on FreeBSD 10 for a year.
I have AD and Kerberos authentication. Squid checks DenyInternet
group membership through kerberos_ldap_group. My domain example.org
has subdomains like south.example.org, west.example.org, etc. All
users use proxy.example.org.
Everything works fine. Here is config:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.example@example.org
auth_param negotiate children 100 startup=30 idle=5
auth_param negotiate keep_alive

external_acl_type no_inet_users ttl=3600 negative_ttl=3600 children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass

Now I'm trying to migrate to squid 3.4.6. Same config.
I've run into the problem that kerberos_ldap_group stopped working
with subdomain users like u...@south.example.org while it still works
with u...@example.org.
In general it started complaining "ERROR: Error during setup of
Kerberos credential cache" in cache.log.
When I turn on debugging I'm getting this:


kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: Got User: ptimofeev Domain: SOUTH.EXAMPLE.ORG
support_member.cc(55): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(83): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(111): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(113): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(119): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(174): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_13729
support_krb5.cc(186): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Did not find a principal in keytab for domain SOUTH.EXAMPLE.ORG.
support_krb5.cc(187): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Try to get principal of trusted domain.
support_krb5.cc(201): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Keytab entry has principal: HTTP/proxy.example@example.org
support_krb5.cc(247): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Found trusted principal name: HTTP/proxy.example@example.org
support_krb5.cc(315): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: Got no principal name
support_ldap.cc(806): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
support_member.cc(124): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: INFO: User ptimofeev is not member of group@domain OCS-DenyInternet-G@NULL
kerberos_ldap_group.cc(407): pid=13729 :2014/08/21 13:58:53| kerberos_ldap_group: DEBUG: ERR


[squid-users] Re: kerberos_ldap_group stopped working with subdomains

2014-08-21 Thread Pavel Timofeev
Group name in config is OCS-DenyInternet-G of course.

2014-08-21 14:48 GMT+04:00 Pavel Timofeev :


[squid-users] problem with squid-users maillist

2014-08-21 Thread Oleg Motienko
Hello,

Due to the DMARC policy of several domains some mail is blocked (see an
example below).

I suppose the mailing list software (ezmlm) needs some tuning; it must
forward email to the list with its own sender address (@squid-cache.org).

An example:

--

Return-Path: <>
Received: (qmail 8574 invoked for bounce); 9 Aug 2014 15:48:22 -
Date: 9 Aug 2014 15:48:22 -
From: mailer-dae...@squid-cache.org
To: squid-users-return-1235...@squid-cache.org
Subject: failure notice

Hi. This is the qmail-send program at squid-cache.org.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
74.125.142.27 failed after I sent the message.
Remote host said: 550-5.7.1 Unauthenticated email from yahoo.com is
not accepted due to domain's
550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if
550-5.7.1 this was a legitimate mail. Please visit
550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC
550 5.7.1 initiative. o17si27260806icl.100 - gsmtp

--

-- 
Regards,
Oleg


[squid-users] Re: kerberos_ldap_group stopped working with subdomains

2014-08-21 Thread Pavel Timofeev
That's how squid's 3.4.6 helper works with usern...@example.org

kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
support_member.cc(55): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: User domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(83): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Default domain loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(111): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Default group loop: group@domain OCS-DenyInternet-G@NULL
support_member.cc(113): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Got default keytab file name /usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Get principal name from keytab /usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Found principal name: HTTP/proxy.example@example.org
support_krb5.cc(174): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Set credential cache to MEMORY:squid_ldap_45620
support_krb5.cc(270): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Got principal name HTTP/proxy.example@example.org
support_krb5.cc(313): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(830): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(836): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain EXAMPLE.ORG
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record to dc1.example.org
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record to dc2.example.org

etc., and no problems.





2014-08-21 14:54 GMT+04:00 Pavel Timofeev :
> Group name in config is OCS-DenyInternet-G of course.

RE: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-21 Thread Rafael Akchurin
Hello Jatin,

Maybe this (for ICAP, not for eCap) describes your issue:
http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked

Raf

From: Jatin Bhasin 
Sent: Thursday, August 21, 2014 12:47 PM
To: squid-users@squid-cache.org
Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

When I see a CONNECT request in my eCap adapter then if I call
function blockVirgin then I see a squid ACCESS DENIED page which is
good.

But if, instead of calling blockVirgin, I generate a CUSTOM response
message saying "YOU ARE NOT AUTHORISED TO VIEW THIS PAGE" and build the
response based on FAQ https://answers.launchpad.net/ecap/+faq/2516,
then it fails.

Although the same code (request satisfaction) works if I build a
custom response for a GET request.

Please suggest how I can achieve a CUSTOM response for a CONNECT.


Re: [squid-users] Poor cache

2014-08-21 Thread Délsio Cabá
Hi,

I have just updated to the latest version, and the results are clear:
cat  /var/log/squid/access.log  | awk '{print $4}' | sort | uniq -c | sort -rn
 486561 TCP_MISS/200
  89612 TCP_MISS/304
  52123 TCP_MEM_HIT/200
  40408 TCP_MISS/206
  36267 TCP_MISS/302
  20904 TCP_MISS/204
  12246 TCP_IMS_HIT/304
  12171 TCP_MISS/404
  10533 TCP_MISS/301
   9145 TCP_MISS/000
   6004 TCP_OFFLINE_HIT/200
..

It's said that MISS/301, MISS/303 are not cacheable without special
instructions.

What are those SPECIAL instructions?


On 21 August 2014 00:46, Amos Jeffries  wrote:
> On 21/08/2014 6:05 a.m., Délsio Cabá wrote:
>> Hi,
>> Using version: Squid Cache: Version 3.1.10  (Centos RPM)
>>
>
> Ah. The version itself is probably most of the problem.
>
> 3.1 does not cache traffic with Cache-Control:no-cache, which these days
> consists of a large percentage (30-40) of all traffic. That is resolved
> in 3.2 and later, along with better caching of private and authenticated
> traffic.
>
> You can find details of newer CentOS RPM packages from Eliezer at
> http://wiki.squid-cache.org/KnowledgeBase/CentOS
>
> Amos
>


[squid-users] Re: Individual delay pools and youtube

2014-08-21 Thread fpap
You are very right Antony!

> 1. are all the youtube videos which go over-limit HTTPS connections?
Yes!

> 2. can the client go over-limit with any other URL provided it's HTTPS? 
Yes!

So... is there anything to do in order to limit the bandwidth of clients
downloading/viewing videos over https? If not possible in squid, I accept
any other ways.

Thank you very much!



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Individual-delay-pools-and-youtube-tp4667291p4667319.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] Poor cache

2014-08-21 Thread Amos Jeffries
On 21/08/2014 11:56 p.m., Délsio Cabá wrote:
> Hi,
> 
> I have just updated to the latest version, and the results are clear:
> cat  /var/log/squid/access.log  | awk '{print $4}' | sort | uniq -c | sort -rn
>  486561 TCP_MISS/200
>   89612 TCP_MISS/304
>   52123 TCP_MEM_HIT/200
>   40408 TCP_MISS/206
>   36267 TCP_MISS/302
>   20904 TCP_MISS/204
>   12246 TCP_IMS_HIT/304
>   12171 TCP_MISS/404
>   10533 TCP_MISS/301
>    9145 TCP_MISS/000
>    6004 TCP_OFFLINE_HIT/200
> ..
> 
> It's said that MISS/301, MISS/303 are not cacheable without special
> instructions.
> 
> What are those SPECIAL instructions?

http://tools.ietf.org/html/rfc7234#section-3

301 is a status code defined as cacheable by default.
303 depends on the other conditions.

Amos



RE: [squid-users] https://weather.yahoo.com redirect loop

2014-08-21 Thread Lawrence Pingree
Don't kill the messenger :) I agree, but had to remove forwarded for and via or 
I faced blocking and weirdness with several of the services I use. I won't name 
names cause I don't really want to pursue the debate. 

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, August 20, 2014 9:39 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] https://weather.yahoo.com redirect loop

On 21/08/2014 2:23 p.m., Lawrence Pingree wrote:
> No, I mean they are intentionally blocking with a configured policy, 
> it's not a bug. :) They have signatures that match Via headers and 
> forwarded for headers to determine that it's squid. This is because 
> many hackers are using bounces off open squid proxies to launch web 
> attacks.
> 

That still sounds like a bug. Blocking on squid existence makes as much sense 
as blocking all traffic with UA header containing "MSIE" on grounds that 90% of 
web attacks come with that agent string.
The content inside those headers is also context specific, signature matching 
will not work beyond a simple proxy/maybe-proxy determination (which does not 
even determine non-proxy!).


A proposal came up in the IETF a few weeks ago that HTTPS traffic containing 
Via header should be blocked on sight by all servers. It got booted out on 
these grounds:

* the "bad guys" are not sending Via.

* what Via do exist are being sent by "good guys" who obey the specs but are 
otherwise literally forced (by law or previous TLS based attacks) to MITM the 
HTTPS in order to increase security checking on that traffic (ie. AV scanning).

Therefore, the existence of Via is actually a sign of *good* health in the 
traffic and a useful tool for finding culprits behind the well behaved proxies.
Rejecting or blocking based on its existence just increases the ratio of nasty 
traffic which makes it through, while simultaneously forcing the "good guys" to 
become indistinguishable from "bad guys". Only the "bad guys" get any actual 
benefit out of the situation.


Basically "via off" is a bad idea, and broken services (intentional or
otherwise) which force it to be used are worse than terrible.

Amos




Re: [squid-users] Re: Individual delay pools and youtube

2014-08-21 Thread Amos Jeffries
On 22/08/2014 12:24 a.m., fpap wrote:
> You are very right Antony!
> 
>> 1. are all the youtube videos which go over-limit HTTPS connections?
> Yes!
> 
>> 2. can the client go over-limit with any other URL provided it's HTTPS? 
> Yes!
> 
> So... is there anything to do in order to limit the bandwidth of clients
> downloading/viewing videos over https? If not possible in squid, I accept
> any other ways.
> 
> Thank you very much!


I recommend you use the operating system QoS functionality. It is
more fine-grained than Squid delay_pools. Squid can provide TOS markings
on connections to servers via tcp_outgoing_tos for those controls to
work with.

Amos


[squid-users] Re: Individual delay pools and youtube

2014-08-21 Thread fpap
Amos Jeffries wrote
> On 22/08/2014 12:24 a.m., fpap wrote:
>> You are very right Antony!
>> 
>>> 1. are all the youtube videos which go over-limit HTTPS connections?
>> Yes!
>> 
>>> 2. can the client go over-limit with any other URL provided it's HTTPS? 
>> Yes!
>> 
>> So... is there anything to do in order to limit the bandwidth of clients
>> downloading/viewing videos over https? If not possible in squid, I accept
>> any other ways.
>> 
>> Thank you very much!
> 
> 
> I recommend you use the operating system QoS functionality. It is
> more fine-grained than Squid delay_pools. Squid can provide TOS markings
> on connections to servers via tcp_outgoing_tos for those controls to
> work with.
> 
> Amos


Thanks a lot!!! Any recommended reading on the matter?

Greetings





[squid-users] Re: squid_kerb_ldap issues

2014-08-21 Thread Scott Finlon
Hi All,


I have squid_kerb_auth working and authenticating via my keytab file.
However, when trying to lock it down to users that are in a group in AD,
I'm seeing a weird issue.
I put my sanitized output here: http://pastebin.com/wGc3RC0h
But basically if I use this "./squid_kerb_ldap -d -g proxy_allow -D
MYDOMAIN" it is able to auth to AD and eventually attempts to use a bind
path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it
gives a referral error.

So seeing that, I tried to use my full domain as the default domain, like
this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM" it
gives a Preauthentication failed error and doesn't even make it into AD,
full output here: http://pastebin.com/Gk1ci0nt

That makes me think it's an issue with the keytab file, but it works
appropriately with kerb auth, just not kerb ldap. Any ideas?
I am going to try and make a keytab file with ktpass instead of msktutil
and see if that has any effect.
Thanks,
-Scott






[squid-users] Re: server failover/backup

2014-08-21 Thread nuhll
"This appears to be a client (192.168.0.125) connecting to what it thinks 
is a regular forward-proxy port: 
  http_port 3128 
or 
  http_port 192.168.0.1:3128 "

Like I said the clients get the IP and port through DHCP; that's correct
behaviour in my eyes.

"This above shows Squid receiving various requests for blizzard.com 
domains and relaying them to the web server at 192.168.0.4. 

Do you actually have a blizzard.com web server running at 192.168.0.4  ? 
 I don't think so. "

This is correct. At 192.168.0.4 is a nginx reverse proxy for caching games
like steam, origin... and ofc blizzard games. [if i disable squid it works]

"It seems to me that you are mixing the HTTP traffic modes up. "
I don't know what you mean. Like I said I don't use this server as a NAT; it's
just a normal server connected to our router. Clients get the proxy through a .pac
file via DHCP.









Re: [squid-users] problem with squid-users maillist

2014-08-21 Thread Dennis Glatting
On Thu, 2014-08-21 at 15:02 +0400, Oleg Motienko wrote:
> Hello,
> 
> Due to the DMARC policy of several domains some mail is blocked (see an
> example below).
> 
> I suppose the mailing list software (ezmlm) needs some tuning; it must
> forward email to the list with its own sender address (@squid-cache.org).
> 

I don't see a response so I'll have a go. I run DKIM on several sites.

A lot of DKIM implementations are thoroughly screwed up. 

1) Many sites have bad DNS DKIM/DMARC content (CostCo was one).

2) Many sites use small, 512-bit keys even though the RFCs 
   and NIST explicitly have words written on this subject. 
   Implementations like OpenDKIM, by default, reject messages 
   signed with keys less than 1024 bits.

3) From a DMARC perspective, which is why people are moving 
   to SPF and DKIM, the reporting email address in DNS either 
   does not exist or is encoded improperly.

4) Some email is not properly signed.

But the problem here is email lists. Squid is not alone. The FreeBSD
lists have the same problem. Section 3 of RFC-6377 has a few words on
mail lists. This probably applies:

   In general, absent a general movement by MLM developers and operators
   toward more DKIM-friendly practices, an MLM subscriber cannot expect
   signatures applied before the message was processed by the MLM to be
   valid on delivery to a Receiver.  Such an evolution is not expected
   in the short term due to general development and deployment inertia.
   Moreover, even if an MLM currently passes messages unmodified such
   that Author signatures validate, it is possible that a configuration
   change or software upgrade to that MLM will cause that no longer to
   be true.

Patches exist for resenders to strip existing DKIM signatures and add a
new, valid signature. The argument against doing this is load. In my
case, I use a 2048 bit key and process 60k outgoing messages a day. My
mailers do a lot of other work including anti-spam/anti-virus processing
with two-to-three MILTERs. Based on my load graphs for the last 4-6
weeks of running DKIM/DMARC against the prior months, there is NO
significant load increase. In fact, the additional load is little more
than additional noise. 

Currently, as a receiver you are forced to insert exceptions, if you
can. The problem is these exception lists can get fairly lengthy and
quickly become unmanageable. It is better if resenders simply patch
their implementations.





> An example:
> 
> --
> 
> Return-Path: <>
> Received: (qmail 8574 invoked for bounce); 9 Aug 2014 15:48:22 -
> Date: 9 Aug 2014 15:48:22 -
> From: mailer-dae...@squid-cache.org
> To: squid-users-return-1235...@squid-cache.org
> Subject: failure notice
> 
> Hi. This is the qmail-send program at squid-cache.org.
> I'm afraid I wasn't able to deliver your message to the following addresses.
> This is a permanent error; I've given up. Sorry it didn't work out.
> 
> :
> 74.125.142.27 failed after I sent the message.
> Remote host said: 550-5.7.1 Unauthenticated email from yahoo.com is
> not accepted due to domain's
> 550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if
> 550-5.7.1 this was a legitimate mail. Please visit
> 550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC
> 550 5.7.1 initiative. o17si27260806icl.100 - gsmtp
> 
> --
> 
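The resender-side fix Oleg asks for and Dennis describes (relay with the list's own sender address, strip the author's now-invalid DKIM signature, let the list MTA sign afresh), as an added example that is not ezmlm's or the list's code. The p=reject set stands in for a DMARC DNS lookup, the message is constructed, and re-signing is left to the MTA and not shown.

```python
from email import message_from_string, policy
from email.utils import formataddr, parseaddr

LIST_ADDR = "squid-users@squid-cache.org"
SUBJECT_TAG = "[squid-users]"

# Constructed stand-in for a _dmarc.<domain> TXT lookup: domains publishing
# p=reject, for which an unaligned From: draws the 550 5.7.1 bounce above.
DMARC_REJECT_DOMAINS = {"yahoo.com"}


def dmarc_rejects(addr):
    """True when addr's domain would reject list-relayed mail under its DMARC policy."""
    return addr.rpartition("@")[2].lower() in DMARC_REJECT_DOMAINS


def rewrite_for_list(raw, list_addr=LIST_ADDR, tag=SUBJECT_TAG):
    """Prepare a subscriber's post for relaying through the list.

    - The list's subject tag is applied; that edit alone invalidates the
      author's DKIM signature, so the signature is stripped and the outgoing
      copy must be signed again by the list MTA (not shown here).
    - For authors at p=reject domains the From: becomes the list's own
      address, so the relayed copy is aligned with the list domain; the
      author is kept in Reply-To: and X-Original-From:.
    """
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])

    subject = str(msg["Subject"] or "")
    if not subject.startswith(tag):
        del msg["Subject"]
        msg["Subject"] = f"{tag} {subject}"

    del msg["DKIM-Signature"]          # drops every DKIM-Signature: header

    if dmarc_rejects(addr):
        if "Reply-To" not in msg:
            msg["Reply-To"] = formataddr((name, addr))
        msg["X-Original-From"] = formataddr((name, addr))
        del msg["From"]
        msg["From"] = formataddr((f"{name or addr} via squid-users", list_addr))

    del msg["Sender"]
    msg["Sender"] = list_addr
    return msg.as_string()


def summarize(raw):
    """The headers a receiver's DMARC check looks at, for inspection and tests."""
    msg = message_from_string(raw, policy=policy.default)
    return {
        "from": parseaddr(msg["From"])[1],
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
        "subject": str(msg["Subject"]),
        "dkim_signed": "DKIM-Signature" in msg,
    }


# Constructed post from a p=reject domain; signature fields are placeholders.
SAMPLE_POST = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 h=From:To:Subject:Date; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Some User <user@yahoo.com>
To: squid-users@squid-cache.org
Subject: acl limit
Date: Thu, 21 Aug 2014 07:16:00 +0000

I plan to use "acl isp-xxx dst" to define tons of route prefixes.
"""

if __name__ == "__main__":
    print(rewrite_for_list(SAMPLE_POST))
```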




[squid-users] Re: squid_kerb_ldap issues

2014-08-21 Thread Markus Moeller

Hi Scott,

  So from what I see in your first log you have a user MYUSER with a 
domain/realm MYDOMAIN, but squid belongs to SUBDOMAIN.DOMAIN.COM. 
squid_kerb_ldap tries to authenticate to the domain MYDOMAIN using the 
keytab but does not find any entry for MYDOMAIN in the keytab. Then 
squid_kerb_ldap tries to find an entry in the keytab of a domain which 
trusts MYDOMAIN and fails. It seems there is no Kerberos trust between 
MYDOMAIN and SUBDOMAIN.DOMAIN.COM.


The second log looks better, but the password stored in the keytab for 
SQUIDPROXY-K$ is incorrect (Preauthentication failed).



Markus

"Scott Finlon" wrote in message 
news:d01b8481.36d86%scott.fin...@scranton.edu...


Hi All,


I have squid_kerb_auth working and authenticating via my key tab file.
However, when trying to lock it down to users that are in a group in AD,
I'm seeing a weird issue.
I put my sanitized output here: http://pastebin.com/wGc3RC0h
But basically if I use this "./squid_kerb_ldap -d -g proxy_allow -D
MYDOMAIN" it is able to auth to AD and eventually attempts to use a bind
path of dc=MYDOMAIN instead of dc=MYDOMAIN,dc=DOMAIN,dc=COM, and then it
gives a referral error.

So seeing that, I tried to use my full domain as the default domain, like
this "./squid_kerb_ldap -d -g proxy_allow -D MYDOMAIN.MYDOMAIN.COM"; it
gives a Preauthentication failed error and doesn't even make it into AD,
full output here: http://pastebin.com/Gk1ci0nt

That makes me think it's an issue with the key tab file, but it works
appropriately with kerb auth, just not kerb ldap. Any ideas?
I am going to try and make a key tab file with ktpass instead of msktutil
and see if that has any effect.
Thanks,
-Scott







Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-21 Thread Jatin Bhasin
Hello,

Yes, that is the same scenario that I have been experiencing, but when
I call the function (x->blockVirgin()) from my ecap adapter then
squid does print the "access denied page", which is one of my squid
error pages. So as I see it, squid does complete the SSL handshake
and then paints the "access denied page", which works fine.



But if I try to paint a custom message then squid does not complete
the handshake and just continues to paint the blockpage which then is
rejected by the browser (as browser is expecting a proper handshake
before receiving any response data).

Maybe this is a bug in squid or I am not doing it right, but it would
be great if somebody could suggest whether I am doing something wrong.


Thanks,
Jatin

On Thu, Aug 21, 2014 at 9:35 PM, Rafael Akchurin
 wrote:
> Hello Jatin,
>
> Maybe this (for ICAP, not for eCap) describes your issue - 
> http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked
>
> Raf
> 
> From: Jatin Bhasin 
> Sent: Thursday, August 21, 2014 12:47 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response does 
> not work
>
> When I see a CONNECT request in my eCap adapter then if I call
> function blockVirgin then I see a squid ACCESS DENIED page which is
> good.
>
> But if instead of calling blockVirgin if I generate a CUSTOM response
> message saying "YOU ARE NOT AUTHORISED TO VIEW THIS PAGE" then build
> response based on FAQ https://answers.launchpad.net/ecap/+faq/2516
> then it fails.
>
> Although the same code (request satisfaction) works if I build a
> custom response for a GET request.
>
> Please suggest how can I achieve CUSTOM response for a CONNECT.


Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-21 Thread Jatin Bhasin
Hello,

I wanted to block a particular website based on the CONNECT request
because I am not bumping (decrypting) the site. But now I have
realised that if I do not bump the site then there is no way I can
paint a custom message on the browser.

So, can somebody tell me if there is a way to pass a flag to squid
from the ecap adapter to decrypt a site regardless of what the ACL says. For
example, if I have an acl as below which says do not decrypt
www.888.com, could my ecap adapter pass a message to squid
asking it to decrypt www.888.com (for that session only) and ignore
the below acl?
Is it possible?

acl no_ssl_interception dstdomain .888.com
ssl_bump none no_ssl_interception
ssl_bump client-first all

Thanks,
Jatin


On Fri, Aug 22, 2014 at 9:59 AM, Jatin Bhasin  wrote:
> Hello,
>
> Yes, that is the same scenario that I have been experiencing, but when
> I call the function (x->blockVirgin()) from my ecap adapter then
> squid does print the "access denied page", which is one of my squid
> error pages. So as I see it, squid does complete the SSL handshake
> and then paints the "access denied page", which works fine.
>
>
>
> But if I try to paint a custom message then squid does not complete
> the handshake and just continues to paint the blockpage which then is
> rejected by the browser (as browser is expecting a proper handshake
> before receiving any response data).
>
> Maybe this is a bug in squid or I am not doing it right, but it would
> be great if somebody could suggest whether I am doing something wrong.
>
>
> Thanks,
> Jatin
>
> On Thu, Aug 21, 2014 at 9:35 PM, Rafael Akchurin
>  wrote:
>> Hello Jatin,
>>
>> Maybe this (for ICAP, not for eCap) describes your issue - 
>> http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked
>>
>> Raf
>> 
>> From: Jatin Bhasin 
>> Sent: Thursday, August 21, 2014 12:47 PM
>> To: squid-users@squid-cache.org
>> Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response 
>> does not work
>>
>> When I see a CONNECT request in my eCap adapter then if I call
>> function blockVirgin then I see a squid ACCESS DENIED page which is
>> good.
>>
>> But if instead of calling blockVirgin if I generate a CUSTOM response
>> message saying "YOU ARE NOT AUTHORISED TO VIEW THIS PAGE" then build
>> response based on FAQ https://answers.launchpad.net/ecap/+faq/2516
>> then it fails.
>>
>> Although the same code (request satisfaction) works if I build a
>> custom response for a GET request.
>>
>> Please suggest how can I achieve CUSTOM response for a CONNECT.