Re: [squid-users] Only checking URLs via Squid for SSL

2014-08-25 Thread Eliezer Croitoru
The same effect will happen in a case where the Common Name on the
certificate is invalid and includes all sorts of unrecognized characters
such as *.


Eliezer

On 08/24/2014 02:29 PM, Amos Jeffries wrote:

If the browser does not trust the signing CA it will warn.

Amos
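As an added illustration of why the browser warns in both of the cases above (example code written for this page, not code from the thread or from Squid): a small hostname-matching check in the style of RFC 6125 that shows which certificate names a client accepts for a requested host, how the wildcard rules work, and why a Common Name such as a bare `*`, or one containing characters that are not legal in a DNS label, never matches anything. The wildcard policy (a wildcard only as the whole left-most label, with at least two labels after it) is an assumption modelled on common browser behaviour, not something the thread states.

```python
"""Added example: hostname vs. certificate-name matching in the style of
RFC 6125 (not code from the thread or from Squid)."""
import re

# One DNS label: letters, digits and hyphen, 1-63 chars, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_dns_name(name: str) -> bool:
    """True if name is a syntactically valid hostname (no wildcards, no odd characters)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def certificate_name_matches(cert_name: str, hostname: str) -> bool:
    """Does one dNSName/CN value from a certificate cover hostname?

    Assumed policy (modelled on browser behaviour, not taken from the thread):
      * case-insensitive comparison, trailing dots ignored;
      * a wildcard is allowed only as the entire left-most label ("*.example.org");
      * the wildcard covers exactly one label: "*.example.org" matches
        "www.example.org" but neither "example.org" nor "a.b.example.org";
      * at least two labels must follow the wildcard, so "*.org" and a bare "*"
        match nothing;
      * any character that is not legal in a DNS label makes the name invalid.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not is_valid_dns_name(hostname):
        return False
    if "*" not in cert_name:
        return is_valid_dns_name(cert_name) and cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False                  # "w*.example.org", "*.org" and "*" are all rejected
    if not is_valid_dns_name(".".join(cert_labels[1:])):
        return False                  # the fixed part must itself be a valid name
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def verify_identity(hostname: str, subject_cn: str, san_dns_names: list) -> tuple:
    """Mimic the client's decision: if the certificate carries SAN dNSName
    entries they are authoritative; the CN is consulted only when there are
    none.  Returns (accepted, reason)."""
    candidates = san_dns_names if san_dns_names else [subject_cn]
    source = "SAN" if san_dns_names else "CN"
    for name in candidates:
        if certificate_name_matches(name, hostname):
            return True, f"{source} {name!r} matches {hostname!r}"
    return False, f"no {source} entry in {candidates!r} matches {hostname!r}"


if __name__ == "__main__":
    # Constructed certificates; the bare "*" CN is the kind of value the post above describes.
    for host, cn, sans in [
        ("www.example.org", "www.example.org", []),
        ("www.example.org", "*.example.org", []),
        ("example.org", "*.example.org", []),
        ("www.example.org", "*", []),
        ("www.example.org", "mail.example.org", ["example.org", "www.example.org"]),
    ]:
        print(host, cn, sans, "->", verify_identity(host, cn, sans))
```

The check deliberately validates the requested hostname first: a proxy that only inspects URLs still has to hand the browser a certificate whose names pass this test, otherwise the warning Amos describes is exactly what the user sees.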




Re: [squid-users] Re: kerberos_ldap_group stopped working with subdomains

2014-08-25 Thread Pavel Timofeev
Hi Markus!
I can't, because all the problems that I described and all the pieces
of logs I provided are from squid 3.4.
Squid 3.3 works well, squid 3.4 doesn't. That's the problem.

2014-08-24 18:14 GMT+04:00 Markus Moeller hua...@moeller.plus.com:
 Hi Pavel,

   Can you use 3.4 then instead of 3.3 as it seems to have the problem fixed
 ?

 Markus

 Pavel Timofeev  wrote in message
 news:CAAoTqftctS7GJfiS-k+RgN1uMkyujE_RdOFsZyBYFU1=dd8...@mail.gmail.com...


 That's how squid's 3.4.6 helper works with usern...@example.org

 kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
 support_member.cc(55): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: User domain loop: group@domain
 OCS-DenyInternet-G@NULL
 support_member.cc(83): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Default domain loop: group@domain
 OCS-DenyInternet-G@NULL
 support_member.cc(111): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Default group loop: group@domain
 OCS-DenyInternet-G@NULL
 support_member.cc(113): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
 support_ldap.cc(801): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
 support_krb5.cc(90): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Get default keytab file name
 support_krb5.cc(96): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Got default keytab file name
 /usr/local/etc/squid/squid.keytab
 support_krb5.cc(110): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Get principal name from keytab
 /usr/local/etc/squid/squid.keytab
 support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
 support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Found principal name:
 HTTP/proxy.example@example.org
 support_krb5.cc(174): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Set credential cache to
 MEMORY:squid_ldap_45620
 support_krb5.cc(270): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Got principal name
 HTTP/proxy.example@example.org
 support_krb5.cc(313): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Stored credentials
 support_ldap.cc(830): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Initialise ldap connection
 support_ldap.cc(836): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain
 EXAMPLE.ORG
 support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record
 to dc1.example.org
 support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30|
 kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record
 to dc2.example.org

 etc and no problems.





 2014-08-21 14:54 GMT+04:00 Pavel Timofeev tim...@gmail.com:

 Group name in config is OCS-DenyInternet-G of course.

 2014-08-21 14:48 GMT+04:00 Pavel Timofeev tim...@gmail.com:

 Hi!
 Please, help.
 I've been using squid 3.3.11 on FreeBSD 10 for a year.
 I have AD and kerberos authentication. Squid checks DenyInternet
 group membership through kerberos_ldap_group. My domain example.org
 has subdomains like south.example.org, west.example.org, etc. All
 users use proxy.example.org.
 Everything works fine. Here is config:

 auth_param negotiate program
 /usr/local/libexec/squid/negotiate_kerberos_auth -s
 HTTP/proxy.example@example.org
 auth_param negotiate children 100 startup=30 idle=5
 auth_param negotiate keep_alive

 external_acl_type no_inet_users ttl=3600 negative_ttl=3600
 children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN
 /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g
 DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass

 Now I'm trying to migrate to squid 3.4.6. Same config.
 I've encountered a problem: kerberos_ldap_group stopped working
 with subdomain users like u...@south.example.org while it still works
 with u...@example.org.
 In general it started to complain "ERROR: Error during setup of
 Kerberos credential cache" in cache.log.
 When I turn on debugging I get this:


 kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53|
 kerberos_ldap_group: INFO: Got User: ptimofeev Domain:
 SOUTH.EXAMPLE.ORG
 support_member.cc(55): pid=13729 :2014/08/21 13:58:53|
 kerberos_ldap_group: DEBUG: User domain loop: group@domain
 OCS-DenyInternet-G@NULL
 support_member.cc(83): pid=13729 :2014/08/21 13:58:53|
 kerberos_ldap_group: DEBUG: Default domain loop: group@domain
 OCS-DenyInternet-G@NULL
 support_member.cc(111): pid=13729 :2014/08/21 13:58:53|
 kerberos_ldap_group: DEBUG: Default group loop: group@domain
 OCS-DenyInternet-G@NULL
 support_member.cc(113): pid=13729 :2014/08/21 13:58:53|
 kerberos_ldap_group: DEBUG: Found group@domain 
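As an added example (not part of the thread and not code from the kerberos_ldap_group helper): a small script that parses the helper's debug output in the form it appears in this thread, mail-wrapped lines included, and aligns the working EXAMPLE.ORG run against the failing SOUTH.EXAMPLE.ORG run to report the first step where the two diverge. The working trace is abridged from the one quoted above; the failing trace is the beginning quoted above plus one constructed ERROR entry with a placeholder file/line, since the thread's copy is cut off.

```python
"""Added example (not from the thread or from Squid): align a working
kerberos_ldap_group debug trace with a failing one and report the first
step where they diverge.  Each helper entry has the shape

  support_krb5.cc(110): pid=45620 :2014/08/21 14:27:30| kerberos_ldap_group: DEBUG: message

Mail clients wrap these long lines, so the parser first collapses all
whitespace and then splits on the "file.cc(NNN): pid=" headers.
"""
import re
from dataclasses import dataclass

_ENTRY = re.compile(
    r"(?P<file>[\w.]+\.cc)\((?P<line>\d+)\):\s*pid=(?P<pid>\d+)\s*:(?P<ts>\S+\s+\S+)\|\s*"
    r"kerberos_ldap_group:\s*(?P<level>[A-Z]+):\s*(?P<msg>.*?)"
    r"(?=\s+[\w.]+\.cc\(\d+\):\s*pid=|$)"
)


@dataclass
class Entry:
    file: str
    line: int
    level: str
    msg: str

    @property
    def step(self) -> str:
        """The same code path logs the same file:line, so this is the step key."""
        return f"{self.file}:{self.line}"


def parse_trace(text: str) -> list:
    flat = " ".join(text.split())                     # undo mail-client line wrapping
    return [Entry(m["file"], int(m["line"]), m["level"], m["msg"])
            for m in _ENTRY.finditer(flat)]


def first_divergence(good: list, bad: list):
    """Walk both traces in lock-step.  Returns (index, good_entry, bad_entry),
    with None for a trace that ended early, or None if the traces agree."""
    for i in range(max(len(good), len(bad))):
        g = good[i] if i < len(good) else None
        b = bad[i] if i < len(bad) else None
        if g is None or b is None or g.step != b.step:
            return i, g, b
    return None


# Abridged from the working run quoted in the thread (usern...@example.org).
GOOD_TRACE = """
kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
support_member.cc(55): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: User domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(113): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Got default keytab file name
/usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Get principal name from keytab
/usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Found principal name:
HTTP/proxy.example@example.org
support_krb5.cc(174): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Set credential cache to
MEMORY:squid_ldap_45620
"""

# The failing run as quoted in the thread (abridged), plus a constructed ERROR
# entry at the end; "support_ldap.cc(0)" is a placeholder, not a real location.
BAD_TRACE = """
kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: INFO: Got User: ptimofeev Domain:
SOUTH.EXAMPLE.ORG
support_member.cc(55): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: User domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(113): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Got default keytab file name
/usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Get principal name from keytab
/usr/local/etc/squid/squid.keytab
support_ldap.cc(0): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
"""

if __name__ == "__main__":
    good, bad = parse_trace(GOOD_TRACE), parse_trace(BAD_TRACE)
    i, g, b = first_divergence(good, bad)
    print(f"diverge at step {i}: working run logged {g.step} ({g.msg!r}), "
          f"failing run logged {b.step} [{b.level}] ({b.msg!r})")
```

The alignment is by source location rather than message text, so differing user names, PIDs or realms between the two runs do not register as divergence; only the point where the failing helper leaves the working code path does.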

[squid-users] Debugging Kerberos Handshake

2014-08-25 Thread Jason Fitzpatrick
Good morning all.

I have been trying to get Kerberos with NTLM fallback working for a
couple of days with limited success, and was wondering how to debug
the Kerberos end of things.

I can see a token getting to the server, running ktutil against the
keytab shows all expected SPNs, and running strace against the squid
process seems to show squid using the expected keytab. I am at a loss!

Thanks

Jay


-- 

The only difference between saints and sinners is that every saint
has a past while every sinner has a future. 
— Oscar Wilde


[squid-users] Re: Squid not listening on any port

2014-08-25 Thread babajaga
I would first eliminate the following warnings:
2014/08/25 09:21:04| Warning: empty ACL: acl blockfiles urlpath_regex -i
/etc/squid/local/bad/blockfiles
2014/08/25 09:21:04| WARNING: log name now starts with a module name. Use
'stdio:/var/log/squid/access.log'
2014/08/25 09:21:04| WARNING: log name now starts with a module name. Use
'stdio:/var/log/squid/store.log' 

and allow cache.log.
There might be some more info.



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-not-listening-on-any-port-tp4667004p4667375.html
Sent from the Squid - Users mailing list archive at Nabble.com.


[squid-users] Re: Squid not listening on any port

2014-08-25 Thread israelsilva1
babajaga wrote
 I would first eliminate the following warnings:
 2014/08/25 09:21:04| Warning: empty ACL: acl blockfiles urlpath_regex -i
 /etc/squid/local/bad/blockfiles
 2014/08/25 09:21:04| WARNING: log name now starts with a module name. Use
 'stdio:/var/log/squid/access.log'
 2014/08/25 09:21:04| WARNING: log name now starts with a module name. Use
 'stdio:/var/log/squid/store.log' 

OK I'll check that.


babajaga wrote
 and allow cache.log.
 There might be some more info.

It says:
2014/08/25 09:19:42| Current Directory is /root
2014/08/25 09:19:42| Starting Squid Cache version 3.4.6 for
x86_64-unknown-linux-gnu...
2014/08/25 09:19:42| Process ID 30020
2014/08/25 09:19:42| Process Roles: master worker
2014/08/25 09:19:42| With 4096 file descriptors available
2014/08/25 09:19:42| Initializing IP Cache...
2014/08/25 09:19:42| DNS Socket created at 0.0.0.0, FD 6
2014/08/25 09:19:42| Adding nameserver 10.11.1.11 from squid.conf
2014/08/25 09:19:42| Adding nameserver 10.11.1.12 from squid.conf
2014/08/25 09:19:42| helperOpenServers: Starting 0/100 'squidGuard'
processes
2014/08/25 09:19:42| helperOpenServers: No 'squidGuard' processes needed.
2014/08/25 09:19:42| Logfile: opening log /var/log/squid/access.log
2014/08/25 09:19:42| WARNING: log name now starts with a module name. Use
'stdio:/var/log/squid/access.log'
2014/08/25 09:19:42| Local cache digest enabled; rebuild/rewrite every
3600/3600 sec
2014/08/25 09:19:42| Logfile: opening log /var/log/squid/store.log
2014/08/25 09:19:42| WARNING: log name now starts with a module name. Use
'stdio:/var/log/squid/store.log'
2014/08/25 09:19:42| Swap maxSize 210944000 + 2097152 KB, estimated 16387780
objects
2014/08/25 09:19:42| Target number of buckets: 819389
2014/08/25 09:19:42| Using 1048576 Store buckets
2014/08/25 09:19:42| Max Mem  size: 2097152 KB
2014/08/25 09:19:42| Max Swap size: 210944000 KB
2014/08/25 09:19:42| Rebuilding storage in /cache2/squid (dirty log)
2014/08/25 09:19:42| Rebuilding storage in /cache3/squid (dirty log)
2014/08/25 09:19:42| Rebuilding storage in /cache4/squid (dirty log)
2014/08/25 09:19:42| Using Least Load store dir selection
2014/08/25 09:19:42| Current Directory is /root
2014/08/25 09:19:42| Finished loading MIME types and icons.
2014/08/25 09:19:42| HTCP Disabled.
2014/08/25 09:19:42| pinger: Initialising ICMP pinger ...
2014/08/25 09:19:42| pinger: ICMP socket opened.
2014/08/25 09:19:42| Pinger exiting.
2014/08/25 09:21:04| Current Directory is /root
2014/08/25 09:21:04| Starting Squid Cache version 3.4.6 for
x86_64-unknown-linux-gnu...
2014/08/25 09:21:04| Process ID 30031
2014/08/25 09:21:04| Process Roles: master worker
2014/08/25 09:21:04| With 4096 file descriptors available
2014/08/25 09:21:04| Initializing IP Cache...
2014/08/25 09:21:04| DNS Socket created at 0.0.0.0, FD 6
2014/08/25 09:21:04| Adding nameserver 10.11.1.11 from squid.conf
2014/08/25 09:21:04| Adding nameserver 10.11.1.12 from squid.conf
2014/08/25 09:21:04| helperOpenServers: Starting 0/100 'squidGuard'
processes
2014/08/25 09:21:04| helperOpenServers: No 'squidGuard' processes needed.
2014/08/25 09:21:04| Logfile: opening log /var/log/squid/access.log
2014/08/25 09:21:04| WARNING: log name now starts with a module name. Use
'stdio:/var/log/squid/access.log'
2014/08/25 09:21:04| Local cache digest enabled; rebuild/rewrite every
3600/3600 sec
2014/08/25 09:21:04| Logfile: opening log /var/log/squid/store.log
2014/08/25 09:21:04| WARNING: log name now starts with a module name. Use
'stdio:/var/log/squid/store.log'
2014/08/25 09:21:04| Swap maxSize 210944000 + 2097152 KB, estimated 16387780
objects
2014/08/25 09:21:04| Target number of buckets: 819389
2014/08/25 09:21:04| Using 1048576 Store buckets
2014/08/25 09:21:04| Max Mem  size: 2097152 KB
2014/08/25 09:21:04| Max Swap size: 210944000 KB
2014/08/25 09:21:04| Rebuilding storage in /cache2/squid (dirty log)
2014/08/25 09:21:04| Rebuilding storage in /cache3/squid (dirty log)
2014/08/25 09:21:04| Rebuilding storage in /cache4/squid (dirty log)
2014/08/25 09:21:04| Using Least Load store dir selection
2014/08/25 09:21:04| Current Directory is /root
2014/08/25 09:21:04| Finished loading MIME types and icons.
2014/08/25 09:21:04| HTCP Disabled.
2014/08/25 09:21:04| pinger: Initialising ICMP pinger ...
2014/08/25 09:21:04| pinger: ICMP socket opened.
2014/08/25 09:21:04| Pinger exiting.

thanks



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-not-listening-on-any-port-tp4667004p4667376.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] Anybody using squid on openWRT ?

2014-08-25 Thread Leonardo Rodrigues


If you're talking about caching, then you're absolutely correct. If
you're using squid just for filtering and policy enforcement, as I'm
doing, then even a small box like the routerboards I'm using (32Mb RAM
and 64Mb flash disk) is enough for a 30-40 station network. Squid needs
a bit of tweaking to run on those but, once you've mastered that, it
works absolutely fine. I even have it doing authentication on Windows
ADs through LDAP authenticators!


On 22/08/14 15:16, Lawrence Pingree wrote:

Plus a wifi device is severely underpowered and lacks sufficient memory and 
storage for squid to provide any real benefit (IMHO).



--


Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it





Re: [squid-users] RE: Anybody using squid on openWRT ?

2014-08-25 Thread Leonardo Rodrigues


Didn't notice any slowness at all when loading www.spiegel.de
through Squid 2.7S9 on an OpenWRT box. I'm using OpenWRT revision r42161,
compiled from scratch. The page fully loaded in about 7-8 seconds. Could
be faster, but I wouldn't call that the 'extreme slowness' you
mentioned. I'm using Google DNSs 8.8.8.8 and 8.8.4.4 as the DNSs for the
OpenWRT box and thus for squid.


I did not find meetrics.de accesses in the log, but I found
meetrics.net, which loads just fine.


Log from my access here is:
(tried to paste it here but mailing list rejected it because the message 
got bigger than 50k)


http://pastebin.com/zPat4EJz


On 22/08/14 10:22, babajaga wrote:

@James:
For details of my problems, pls ref. here:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Very-slow-site-via-squid-td4667243.html

Not sure that it is really squid. The effect is slow loading of objects from
ad-servers.
As I have an open-mesh AP, 64MB RAM, my squid2.7 does memory-only caching,
and some ACLs + forwarding some traffic to another upstream proxy on the
web.
One very slow page is here:
www.spiegel.de
It calls
*.meetrics.de , which loads veeery slow
So, in case you can confirm/deny slow response times to this site, I need to
look somewhere else for the bug.
Which would be great help, already.




--


Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it





[squid-users] does squid support aia Authority Information Access ?

2014-08-25 Thread Dieter Bloms
Hi,

I use sslbump with squid 3.4.6 and it works fantastically with most
websites.
But there are some sites like www.ferrari-electronic.de which don't
provide the intermediate certificate.
There is an Authority Information Access extension, which defines a way
for the browser to download the intermediate certificate on its own.

Is there any option to enable this behavior in squid, so squid can
validate the certificate where the intermediate certificate is missing?

Thank you for your help !


-- 
Regards

  Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


[squid-users] Re: kerberos_ldap_group stopped working with subdomains

2014-08-25 Thread Markus Moeller

Hi Pavel,

  Can you remove line 263 from support_krb5.cc and recompile ?  It is fixed
in the trunk for 3.5.

  The line is
   safe_free(principal_name);

Regards
Markus

Pavel Timofeev  wrote in message 
news:CAAoTqfuJ2MGiPbV7fO4zR4SzKSWpy0Q=_ii8w8yevmbub_q...@mail.gmail.com...


Hi Markus!
I can't, because all the problems that I described and all the pieces
of logs I provided are from squid 3.4.
Squid 3.3 works well, squid 3.4 doesn't. That's the problem.

2014-08-24 18:14 GMT+04:00 Markus Moeller hua...@moeller.plus.com:

Hi Pavel,

  Can you use 3.4 then instead of 3.3 as it seems to have the problem 
fixed

?

Markus

Pavel Timofeev  wrote in message
news:CAAoTqftctS7GJfiS-k+RgN1uMkyujE_RdOFsZyBYFU1=dd8...@mail.gmail.com...


That's how squid's 3.4.6 helper works with usern...@example.org

kerberos_ldap_group.cc(372): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: INFO: Got User: username Domain: EXAMPLE.ORG
support_member.cc(55): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: User domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(83): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Default domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(111): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Default group loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(113): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Found group@domain OCS-DenyInternet-G@NULL
support_ldap.cc(801): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Setup Kerberos credential cache
support_krb5.cc(90): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Get default keytab file name
support_krb5.cc(96): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Got default keytab file name
/usr/local/etc/squid/squid.keytab
support_krb5.cc(110): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Get principal name from keytab
/usr/local/etc/squid/squid.keytab
support_krb5.cc(119): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Keytab entry has realm name: EXAMPLE.ORG
support_krb5.cc(133): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Found principal name:
HTTP/proxy.example@example.org
support_krb5.cc(174): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Set credential cache to
MEMORY:squid_ldap_45620
support_krb5.cc(270): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Got principal name
HTTP/proxy.example@example.org
support_krb5.cc(313): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Stored credentials
support_ldap.cc(830): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Initialise ldap connection
support_ldap.cc(836): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Canonicalise ldap server name for domain
EXAMPLE.ORG
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record
to dc1.example.org
support_resolv.cc(373): pid=45620 :2014/08/21 14:27:30|
kerberos_ldap_group: DEBUG: Resolved SRV _ldap._tcp.EXAMPLE.ORG record
to dc2.example.org

etc and no problems.





2014-08-21 14:54 GMT+04:00 Pavel Timofeev tim...@gmail.com:


Group name in config is OCS-DenyInternet-G of course.

2014-08-21 14:48 GMT+04:00 Pavel Timofeev tim...@gmail.com:


Hi!
Please, help.
I've been using squid 3.3.11 on FreeBSD 10 for a year.
I have AD and kerberos authentication. Squid checks DenyInternet
group membership through kerberos_ldap_group. My domain example.org
has subdomains like south.example.org, west.example.org, etc. All
users use proxy.example.org.
Everything works fine. Here is config:

auth_param negotiate program
/usr/local/libexec/squid/negotiate_kerberos_auth -s
HTTP/proxy.example@example.org
auth_param negotiate children 100 startup=30 idle=5
auth_param negotiate keep_alive

external_acl_type no_inet_users ttl=3600 negative_ttl=3600
children-max=100 children-startup=30 children-idle=5 grace=15 %LOGIN
/usr/local/libexec/squid/ext_kerberos_ldap_group_acl -d -a -g
DenyInternet -m 64 -D EXAMPLE.ORG -u squid -p itsPass

Now I'm trying to migrate to squid 3.4.6. Same config.
I've encountered a problem: kerberos_ldap_group stopped working
with subdomain users like u...@south.example.org while it still works
with u...@example.org.
In general it started to complain "ERROR: Error during setup of
Kerberos credential cache" in cache.log.
When I turn on debugging I get this:


kerberos_ldap_group.cc(372): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: INFO: Got User: ptimofeev Domain:
SOUTH.EXAMPLE.ORG
support_member.cc(55): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: User domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(83): pid=13729 :2014/08/21 13:58:53|
kerberos_ldap_group: DEBUG: Default domain loop: group@domain
OCS-DenyInternet-G@NULL
support_member.cc(111): pid=13729 :2014/08/21 13:58:53|

[squid-users] FW: squid 3.3.10 always gives TCP_MISS for SSL requests

2014-08-25 Thread Ragheb Rustom
Dear All,

I have lately installed squid 3.3.11 on Centos 6.5 x86_64 system. I have
configured it as a transparent SSL_BUMP proxy. All is working well; I can
browse all SSL websites successfully after I have imported my generated CA
file. The problem is that no matter how many times I request the SSL
websites I always get a TCP_MISS in the squid access log. Among other
websites I am trying to cache yahoo.com, facebook and youtube, but most
websites are always being served directly from source; nothing is being
served from the squid proxy. Please find below my configuration files. I
deeply value any help on this matter.

Squid setup settings:

Squid Cache: Version 3.3.11
configure options:  '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid'
'--disable-dependency-tracking' '--enable-eui'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
'--enable-auth-ntlm=smb_lm,fake'
'--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
'--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock'
'--enable-wccpv2' '--enable-esi' '--enable-zph-qos' '--with-aio'
'--with-default-user=squid' '--with-filedescriptors=65535' '--with-dl'
'--with-openssl' '--with-pthreads' '--disable-arch-native'
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'

squid.conf file:

acl snmppublic snmp_community public
acl bamboe src 10.128.135.0/24
#uncomment noway url, if necessary.
#acl noway url_regex -i /etc/squid/noway
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 1935  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http


acl CONNECT method CONNECT
#http_access deny noway
http_access allow manager localhost
http_access allow bamboe
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
htcp_access deny all
miss_access allow all

# NETWORK OPTIONS
http_port 8080
http_port 8082 intercept
https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/myconfigure.pem key=/etc/squid/myconfigure.pem
ssl_bump server-first all
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB
sslcrtd_children 5
hierarchy_stoplist cgi-bin ? .js .jsp mivo.tv 192.168.10.29 192.168.10.30 static.videoku.tv
acl QUERY urlpath_regex cgi-bin \? .js .jsp 192.168.10.29 192.168.10.30 youtube.com indowebster.com static.videoku.tv
no_cache deny QUERY

#  MEMORY CACHE OPTIONS
cache_mem 6000 MB
maximum_object_size_in_memory 16 KB
memory_replacement_policy heap GDSF

# DISK CACHE OPTIONS
cache_replacement_policy heap LFUDA
cache_dir aufs /cache1 30 64 256
store_dir_select_algorithm least-load
minimum_object_size 16 KB
maximum_object_size 2 GB
cache_swap_low 97
cache_swap_high 99

#LOGFILE OPTIONS
access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cache_swap_log /cache1/swap.state
logfile_rotate 5
log_icp_queries off
buffered_logs off

#OPTIONS FOR TUNING THE CACHE
refresh_pattern -i \.swf$ 20160 80% 20160  override-expire override-lastmod
reload-into-ims ignore-reload ignore-no-cache ignore-private ignore-auth
refresh_pattern -i \.gif$ 20160 80% 20160  override-expire 

[squid-users] ident authentication problem

2014-08-25 Thread James Harper
I am using the latest 3.4 build and a config that looks like:

ident_lookup_access allow localnet
ident_lookup_access deny all
ident_timeout 5 seconds

acl password_required proxy_auth REQUIRED
acl ident_required ident REQUIRED

http_access allow localnet ident_required ident_unrestricted_group
http_access allow localnet ident_required unrestricted_sites
http_access_deny localnet ident_required

http_access allow localnet password_required password_unrestricted_group
http_access allow localnet password_required unrestricted_sites

http_access_deny

The idea is that ident will be used, and if ident can't be used, proxy auth 
(ntlm) will be used.

The problem is that for users who ident successfully but are not in the 
ident_unrestricted_group / password_unrestricted_group (both the same windows 
group), they get a 407 response and a password prompt, instead of an access 
denied. I can work around this by putting:

deny_info 403:ERR_ACCESS_DENIED ident_required

just before the identd deny, but it seems like a hack.

Am I doing something wrong or could this be a bug?

Also, are there any implementations of ident that are a bit more useful? Such a 
thing would:
. have a single TCP connection between squid and the client (preferably client 
initiated), kept alive for a reasonable time
. authenticate the identd server itself (identd is not really considered secure)
. allow squid to specify all aspects of the connection (ident expects the 
lookup to come from the destination, which isn't true if you are doing 
transparent proxying, although easy to patch squid to fake the source)

Thanks

James
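As an added example (not part of the original post, and not Squid's own ident code): both sides of the RFC 1413 exchange that Squid's `ident` ACL depends on, run against each other over loopback. The responder answers from a constructed table instead of the kernel's connection list; what the exchange makes visible is the point made above, that the answer is a plain-text, unauthenticated string produced by whatever process answers on the client host's ident port, so the proxy has nothing to verify it against. The port numbers and the user name are constructed.

```python
"""Added example: both sides of an RFC 1413 (ident) exchange over loopback
(not Squid's ident code and not part of the original post)."""
import socket
import threading

# Constructed connection table for the toy responder:
# (port on the identd host, port on the querying host) -> user name.
# A real identd looks this pair up in the kernel's TCP connection list.
CONNECTION_TABLE = {(50123, 3128): "alice"}


def format_request(identd_side_port: int, querier_side_port: int) -> str:
    """The querier (the proxy) sends the port pair of the connection it wants identified."""
    return f"{identd_side_port} , {querier_side_port}\r\n"


def build_response(request_line: str, table: dict) -> str:
    """What the responder sends back.  There is no authentication at all: whichever
    process answers on the client host decides the user name the proxy sees."""
    try:
        a, b = (int(p) for p in request_line.split(","))
    except ValueError:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    if not (0 < a < 65536 and 0 < b < 65536):
        return f"{a} , {b} : ERROR : INVALID-PORT\r\n"
    user = table.get((a, b))
    if user is None:
        return f"{a} , {b} : ERROR : NO-USER\r\n"
    return f"{a} , {b} : USERID : UNIX : {user}\r\n"


def parse_response(line: str):
    """Return ("USERID", user) or ("ERROR", code), or None if the reply is malformed."""
    parts = [p.strip() for p in line.strip().split(":")]
    if len(parts) >= 4 and parts[1] == "USERID":
        return "USERID", ":".join(parts[3:])     # the user-id field may itself contain ':'
    if len(parts) >= 3 and parts[1] == "ERROR":
        return "ERROR", parts[2]
    return None


def _readline(sock: socket.socket, limit: int = 512) -> str:
    """Read one CRLF-terminated line; ident messages are short, so cap the size."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(limit - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace")


def serve_one(listener: socket.socket, table: dict) -> None:
    """Responder side: answer exactly one query, then close."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(build_response(_readline(conn), table).encode("ascii"))


def ident_lookup(host: str, port: int, identd_side_port: int,
                 querier_side_port: int, timeout: float = 5.0):
    """Querier side: this is what a proxy does for each ident_lookup_access match."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(format_request(identd_side_port, querier_side_port).encode("ascii"))
        return parse_response(_readline(s))


def run_loopback_exchange(table: dict = CONNECTION_TABLE):
    """Run responder and querier against each other on 127.0.0.1; return the parsed reply."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # ephemeral port instead of the real 113
    listener.listen(1)
    listener.settimeout(5.0)
    port = listener.getsockname()[1]
    t = threading.Thread(target=serve_one, args=(listener, table))
    t.start()
    try:
        return ident_lookup("127.0.0.1", port, 50123, 3128)
    finally:
        t.join()
        listener.close()


if __name__ == "__main__":
    print(run_loopback_exchange())             # ('USERID', 'alice')
```

The request names the connection only by its two port numbers, which is why the lookup has to originate from the address the client believes it is talking to: on an intercepting proxy that address is the origin server, not the proxy, and a responder comparing the query's source against its connection table will answer NO-USER.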



RE: [squid-users] Anybody using squid on openWRT ?

2014-08-25 Thread Lawrence Pingree
Gotcha. Agreed. 

-Original Message-
From: Leonardo Rodrigues [mailto:leolis...@solutti.com.br] 
Sent: Monday, August 25, 2014 10:58 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Anybody using squid on openWRT ?


 If you're talking about caching, then you're absolutely correct. If you're
using squid just for filtering and policy enforcement, as I'm doing, then even
a small box like the routerboards I'm using (32Mb RAM and 64Mb flash disk) is
enough for a 30-40 station network. Squid needs a bit of tweaking to run
on those but, once you've mastered that, it works absolutely fine. I even have it
doing authentication on Windows ADs through LDAP authenticators!

On 22/08/14 15:16, Lawrence Pingree wrote:
 Plus a wifi device is severely underpowered and lacks sufficient memory and 
 storage for squid to provide any real benefit (IMHO).


-- 


Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

Minha armadilha de SPAM, NÃO mandem email
gertru...@solutti.com.br
My SPAMTRAP, do not email it







Re: [squid-users] FW: squid 3.3.10 always gives TCP_MISS for SSL requests

2014-08-25 Thread Amos Jeffries
On 26/08/2014 12:11 p.m., Ragheb Rustom wrote:
 Dear All,
 
 I have lately installed squid 3.3.11 on Centos 6.5 x86_64 system. I have
 configured it as a transparent SSL_BUMP proxy. All is working well; I can
 browse all SSL websites successfully after I have imported my generated CA
 file. The problem is that no matter how many times I request the SSL
 websites I always get a TCP_MISS in the squid access log. Among other
 websites I am trying to cache yahoo.com, facebook and youtube, but most
 websites are always being served directly from source; nothing is being
 served from the squid proxy. Please find below my configuration files. I
 deeply value any help on this matter.
 

For a start configure this and re-check:
  strip_query_terms off

That will allow your logs to show the full URL Squid is considering for
cache HIT/MISS. You may find that a few hundred seemingly identical log
entries are in fact highly variable in the query string portion. Such
requests cannot be combined/HIT.

 squid.conf file:
 
 acl snmppublic snmp_community public
 acl bamboe src 10.128.135.0/24
 #uncomment noway url, if necessary.
 #acl noway url_regex -i /etc/squid/noway
 acl SSL_ports port 443
 acl Safe_ports port 80  # http
 acl Safe_ports port 1935  # http
 acl Safe_ports port 21  # ftp
 acl Safe_ports port 443 # https
 acl Safe_ports port 70  # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 
 
 acl CONNECT method CONNECT
 #http_access deny noway
 http_access allow manager localhost
 http_access allow bamboe
 http_access deny manager

The above http_access bits...

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

... should be in here.

 http_access allow localhost
 htcp_access deny all
 miss_access allow all

That is the default, you should get faster operation removing
miss_access entirely.
 
 # NETWORK OPTIONS
 http_port 8080
 http_port 8082 intercept
 https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/myconfigure.pem key=/etc/squid/myconfigure.pem
 ssl_bump server-first all
 always_direct allow all
 sslproxy_cert_error allow all
 sslproxy_flags DONT_VERIFY_PEER
 

Avoid DONT_VERIFY_PEER as much as possible. It is considered harmful
for security. It is also usually unnecessary if the machine's trusted CA
certificates are set up properly and up to date.

 sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB
 sslcrtd_children 5
 hierarchy_stoplist cgi-bin ? .js .jsp mivo.tv 192.168.10.29 192.168.10.30 static.videoku.tv
 acl QUERY urlpath_regex cgi-bin \? .js .jsp 192.168.10.29 192.168.10.30 youtube.com indowebster.com static.videoku.tv
 no_cache deny QUERY
 

Aha!

  no_cache deny QUERY

The no_ part is obsolete syntax. What this line actually does is force
all URLs with a query string ('?') to never be cached.

This is the source of your MISS log entries. Remove it to get at least a
chance at some HITs.

Also, hierarchy_stoplist is not useful in your configuration. You can
probably remove it entirely. If your squid complains when it's missing,
set it to the default:
   hierarchy_stoplist /cgi-bin/ \?


 #  MEMORY CACHE OPTIONS
 cache_mem 6000 MB
 maximum_object_size_in_memory 16 KB
 memory_replacement_policy heap GDSF
 
 # DISK CACHE OPTIONS
 cache_replacement_policy heap LFUDA
 cache_dir aufs /cache1 30 64 256
 store_dir_select_algorithm least-load
 minimum_object_size 16 KB
 maximum_object_size 2 GB

Put these global default min/max size limits above the cache_dir lines.
Recent but outdated Squid like your 3.3 had a bug where the
maximum_object_size is ignored if configured after cache_dir. Position
for it does not normally matter, so placing it first always works and
avoids needless annoyance.


 cache_swap_low 97
 cache_swap_high 99
 
 #LOGFILE OPTIONS
 access_log stdio:/var/log/squid/access.log
 cache_log /var/log/squid/cache.log
 cache_store_log none
 cache_swap_log /cache1/swap.state
 logfile_rotate 5
 log_icp_queries off
 buffered_logs off
 
 #OPTIONS FOR TUNING THE CACHE


 Since Squid-3.2 some of the override and ignore options have changed.

* ignore-no-cache is obsolete. Traffic with Cache-Control:no-cache will
be cached properly by default.
 - remove this option from your config file.

* combining reload-into-ims and ignore-reload is harmful.
 - ignore-reload makes Squid either HIT or MISS, rendering the
revalidate CLIENT_REFRESH performance optimizations enabled by
reload-into-ims useless.

* ignore-private is harmful. Traffic with Cache-Control:private has
mandatory revalidation. What can be cached will be cached properly by
default, this option only causes all private data to be stored - it is
never used from cache.
  - remove this option from your config 

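The advice in the reply above boils down to a handful of mechanical checks on squid.conf. The following is an added example, not code from the thread or from the Squid project: a small Python lint that applies those checks (DONT_VERIFY_PEER and "sslproxy_cert_error allow all", "no_cache deny ...", size limits placed after cache_dir, hierarchy_stoplist without any cache_peer, and the obsolete or harmful refresh_pattern options) and reports one finding per offending line. The two embedded configurations are constructed: AS_POSTED abbreviates the posted config and adds an assumed refresh_pattern line carrying the options the reply warns about, since the original refresh_pattern lines are not shown on the page; FIXED is the same fragment with the reply's advice applied. The reasoning that hierarchy_stoplist does nothing without a cache_peer is the example's own, not a statement from the thread.

```python
"""Lint a squid.conf for the pitfalls called out in the reply above.

Added example; the checks encode the advice in the reply, the sample
configurations below are constructed for the example.
"""
import re
from typing import Iterator, List, Tuple

Directive = Tuple[int, str, List[str]]
Finding = Tuple[int, str]

_TRAILING_COMMENT = re.compile(r"\s+#.*$")


def parse_directives(text: str) -> Iterator[Directive]:
    """Yield (lineno, name, args) for every directive in a squid.conf.

    Blank and comment lines are skipped; a trailing "# comment" after the
    arguments (as on the acl Safe_ports lines) is dropped.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = _TRAILING_COMMENT.sub("", raw).strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        yield lineno, tokens[0], tokens[1:]


def lint(text: str) -> List[Finding]:
    """Return (lineno, message) findings, sorted by line."""
    findings: List[Finding] = []
    first_cache_dir = None          # line of the first cache_dir seen
    stoplist_lines: List[int] = []  # hierarchy_stoplist directives seen
    has_cache_peer = False

    for lineno, name, args in parse_directives(text):
        opt = name.lower()

        # Both of these switch off origin certificate checking on the
        # bumped server-side connection.
        if opt == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append((lineno, "sslproxy_flags DONT_VERIFY_PEER disables "
                             "verification of origin server certificates"))
        if opt == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append((lineno, "sslproxy_cert_error allow all accepts "
                             "every origin certificate error"))

        # "no_cache deny X" (obsolete spelling of "cache deny X") marks every
        # request matching X uncacheable: a guaranteed TCP_MISS.
        if opt in ("no_cache", "cache") and args[:1] == ["deny"] and len(args) > 1:
            prefix = "obsolete no_ prefix; " if opt == "no_cache" else ""
            findings.append((lineno, f"{prefix}'{name} deny {args[1]}' forces a "
                             f"MISS for every request matching acl {args[1]}"))

        # Squid 3.3 ordering bug: maximum_object_size after cache_dir is ignored.
        if opt == "cache_dir" and first_cache_dir is None:
            first_cache_dir = lineno
        if opt in ("maximum_object_size", "minimum_object_size") and first_cache_dir:
            findings.append((lineno, f"{name} appears after cache_dir (line "
                             f"{first_cache_dir}); Squid 3.3 ignores maximum_object_size "
                             "placed there, move both size limits above cache_dir"))

        if opt == "hierarchy_stoplist":
            stoplist_lines.append(lineno)
        if opt == "cache_peer":
            has_cache_peer = True

        # refresh_pattern options that changed meaning in Squid-3.2.
        if opt == "refresh_pattern":
            opts = set(args)
            if "ignore-no-cache" in opts:
                findings.append((lineno, "ignore-no-cache is obsolete: Cache-Control:"
                                 "no-cache responses are cached correctly by default"))
            if "ignore-private" in opts:
                findings.append((lineno, "ignore-private is harmful: Cache-Control:private "
                                 "responses get stored but are never served from cache"))
            if {"reload-into-ims", "ignore-reload"} <= opts:
                findings.append((lineno, "ignore-reload cancels the revalidation that "
                                 "reload-into-ims sets up; keep only one of them"))

    # hierarchy_stoplist only decides what is sent to peers (example's own reasoning).
    if stoplist_lines and not has_cache_peer:
        for lineno in stoplist_lines:
            findings.append((lineno, "hierarchy_stoplist has no effect without a "
                             "cache_peer; remove it or use the default '/cgi-bin/ \\?'"))

    return sorted(findings)


AS_POSTED = r"""# constructed sample: the SSL-bump and cache lines as posted in the thread,
# plus an assumed refresh_pattern line of the kind the reply is commenting on
https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/myconfigure.pem key=/etc/squid/myconfigure.pem
ssl_bump server-first all
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
hierarchy_stoplist cgi-bin ? .js .jsp
acl QUERY urlpath_regex cgi-bin \? .js .jsp
no_cache deny QUERY
cache_dir aufs /cache1 30 64 256
minimum_object_size 16 KB
maximum_object_size 2 GB
refresh_pattern -i \.(gif|png|jpg)$ 1440 90% 129600 ignore-no-cache ignore-private reload-into-ims ignore-reload
"""

FIXED = r"""# constructed sample with the reply's advice applied
minimum_object_size 16 KB
maximum_object_size 2 GB
https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/myconfigure.pem key=/etc/squid/myconfigure.pem
ssl_bump server-first all
always_direct allow all
cache_dir aufs /cache1 30 64 256
refresh_pattern -i \.(gif|png|jpg)$ 1440 90% 129600 reload-into-ims
refresh_pattern . 0 20% 4320
"""

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("corrected", FIXED)):
        results = lint(conf)
        print(f"== {label}: {len(results)} finding(s)")
        for lineno, msg in results:
            print(f"  line {lineno}: {msg}")
```

Run it against the real file with `lint(open("/etc/squid/squid.conf").read())`; the lint is deliberately line-oriented and does not follow `include` directives, so check each included file separately. It complements, rather than replaces, `squid -k parse`, which catches syntax errors but accepts all of the settings flagged here.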
RE: [squid-users] FW: squid 3.3.10 always gives TCP_MISS for SSL requests

2014-08-25 Thread Lawrence Pingree
I'm not sure if this is right or not, but wouldn't your refresh patterns
need to have the ignore-private to cache ssl? Amos may know better, but I
don't see that option specified in your All Files refresh_patterns.


-Original Message-
From: Ragheb Rustom [mailto:rag...@smartelecom.org] 
Sent: Monday, August 25, 2014 5:12 PM
To: squid-users@squid-cache.org
Subject: [squid-users] FW: squid 3.3.10 always gives TCP_MISS for SSL
requests

Dear All,

I have lately installed squid 3.3.11 on Centos 6.5 x86_64 system. I have
configured it as a transparent SSL_BUMP proxy. All is working well I can
browse all SSL websites successfully after I have imported my generated CA
file. The problem is that no matter how many times I request the SSL
websites I always get a TCP_MISS in the squid access log. Among other
websites I am trying to cache yahoo.com, facebook and youtube but most
websites are always being served directly from source nothing is being
served for the squid proxy. Please find below my configuration files. I
deeply value any help on this matter.

Squid setup settings:

Squid Cache: Version 3.3.11
configure options:  '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid'
'--disable-dependency-tracking' '--enable-eui'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
'--enable-auth-ntlm=smb_lm,fake'
'--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
'--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock'
'--enable-wccpv2' '--enable-esi' '--enable-zph-qos' '--with-aio'
'--with-default-user=squid' '--with-filedescriptors=65535' '--with-dl'
'--with-openssl' '--with-pthreads' '--disable-arch-native'
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'

squid.conf file:

acl snmppublic snmp_community public
acl bamboe src 10.128.135.0/24
#uncomment noway url, if necessary.
#acl noway url_regex -i /etc/squid/noway
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 1935  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http


acl CONNECT method CONNECT
#http_access deny noway
http_access allow manager localhost
http_access allow bamboe
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
htcp_access deny all
miss_access allow all

# NETWORK OPTIONS
http_port 8080
http_port 8082 intercept
https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/myconfigure.pem key=/etc/squid/myconfigure.pem
ssl_bump server-first all
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB
sslcrtd_children 5
hierarchy_stoplist cgi-bin ? .js .jsp mivo.tv 192.168.10.29 192.168.10.30 static.videoku.tv
acl QUERY urlpath_regex cgi-bin \? .js .jsp 192.168.10.29 192.168.10.30 youtube.com indowebster.com static.videoku.tv
no_cache deny QUERY

#  MEMORY CACHE OPTIONS
cache_mem 6000 MB
maximum_object_size_in_memory 16 KB
memory_replacement_policy heap GDSF

# DISK CACHE OPTIONS
cache_replacement_policy heap LFUDA
cache_dir aufs /cache1 30 64 256
store_dir_select_algorithm least-load
minimum_object_size 16 KB
maximum_object_size 2 GB
cache_swap_low 97
cache_swap_high 99

#LOGFILE 

Re: [squid-users] FW: squid 3.3.10 always gives TCP_MISS for SSL requests

2014-08-25 Thread Amos Jeffries
On 26/08/2014 3:29 p.m., Lawrence Pingree wrote:
 I'm not sure if this is right or not, but wouldn't your refresh patterns
 need to have the ignore-private to cache ssl? Amos may know better, but I
 don't see that option specified in your All Files refresh_patterns.

HTTPS is not particularly private in the HTTP sense. It is just regular
HTTP traffic wrapped in underlying transport security encryption. It
does, though, have a security scope difference from HTTP due to that
encryption.

That scope difference is handled by the URL scheme portion. For example
Squid must not and will not HIT on a http:// URL in cache for https://
request of otherwise identical URL, and vice versa.

From the administrative viewpoint there is a higher risk with HTTPS of
application designers breaking things and making vulnerable software
simply by not understanding the above. There is high pressure to get
privacy protection right with insecure http:// but weak pressure for
secure https://, on things like OAuth traffic and eCommerce checkout
pages where they should have sent Cache-Control:private or no-store
regardless.

Amos