cess deny all
# if no other ACL applies, allow
http_reply_access allow all
This is it. I commented out all other ACL's for allow/deny we had in place for
our custom rules. Still unable to browse local via hostname, IP works fine
again.
-Original Message-
From: squid-users On
Behalf
unused mechanisms in Squid.
As such this is a callout to see how much use there is for this feature.
DO you need ESI in Squid? Yes or No.
Speak Now, or face regrets at upgrade time.
Thank You
Amos
___
squid-dev mailing list
squid-dev
On 6/09/24 03:56, Piana, Josh wrote:
Hello Amos,
While the comments did say that it was just the 10.46.11.0 range, I don't think there's
any other ACL forcing that. I tried adding the two internal sites that are being
blocked by their IP, restarted Squid, and tested. Still bei
ect.
2) The CONNECT request has zero dots in the "domain" name. Which means
the /etc/resolv.conf settings other than nameserver apply to the
hostname during lookup.
==> Please supply your /etc/resolv.conf contents.
HTH
Amos
Might be worth checking if you still need to custom build.
Debian now provides a "squid-openssl" package.
Amos
On 22/08/24 01:37, David Touzeau wrote:
Configure:
./configure --prefix=/usr --build=x86_64-linux-gnu --includedir=/include
--mandir=/share/man --infodir=/
I rarely use ‘then’ for anything other than reordering arguments for a pipeline. I find that I end up having the same code that is in the ‘then’ in multiple places, and that leads me to create a function, with an intention revealing name, instead of using ‘then.’ The new functions lead to more readable and
ng port 80 and port 443 to the right one.
IIRC, your IPv6 NAT rule may need changing.
Cheers
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
Debian/12 (aka "Bookworm") provides the package "squid-openssl" with the
SSL-Bump feature enabled. It is a drop-in replacement for the "squid"
package.
Cheers
Amos
On 31/07/24 03:11, John Mok wrote:
Hi Nishant,
Yes, I did rebuild the package with
--with-
On 30/07/24 08:47, Jonathan Lee wrote:
I did not know that I had the option set to disable Squid ICMP pinger
pinger helper is not related.
What I meant was that you need to ensure ICMPv6 protocol is enabled and
working on your network. That is usually a firewall issue.
If it is blocked, th
tunnels are used.
Also, check the MSS and MTU values.
Cheers
Amos
vant squid_*.deb package (except some few essential OS
packages which should exist everywhere).
libcppunit-dev has been listed as a squid dependency for many years. So
I would not be surprised if some ancient Ubuntu (circa 2010 or such)
showed this behaviour, but certainly not the one you have
any. It is not clear which (or another) is happening for you.
Please be aware that Squid-5 is no longer supported and has quite a
number of security issues that have been fixed in later releases.
Current Squid release is v6.10. If you are able to upgrade, please
23 at 1:30 PM Darin Amos wrote:
> Hi All!
>
> I posted on the community slack channel and was referred to this mailing
> list. I think it would be helpful if the ContinuousFileReaderOperator was
> made a public class and not removed in Flink 2.0 (or to have an equivalent
> crea
"(3) Destination Unreachable" packet.
Cheers
Amos
On 12/07/24 10:10, Alex Rousskov wrote:
On 2024-07-11 17:03, Amos Jeffries wrote:
On 11/07/24 00:49, Alex Rousskov wrote:
On 2024-07-09 18:25, Fiehe, Christoph wrote:
I hope that somebody has an idea, what I am doing wrong.
AFAICT from the debugging log, it is your parent proxy that
On 13/07/24 04:16, Jonathan Lee wrote:
tested with removal of IP and port failed If I leave port I get this
2024/07/12 09:15:17| Processing: http_port :3128 intercept
No ":" before the port number.
Amos
nfiguration of the web server
running it. And,
Then tool requests to Squid are restricted by your http_access rules
for what requests can be made of the proxy. And,
Then the access to individual manager reports is controlled by
cachemgr_passwd directive in Squid.
Cheers
Amos
Squid. Please share
HTTP headers of the response in question.
FYI, those can be obtained by configuring squid.conf with
debug_options 11,2
Cheers
Amos
2. TCP_MISS_ABORTED/502 errors may delete a being-cached response. These
can be bogus errors (essentially Squid logging bugs) or real
W for the port range 3128-3129
worries me. AFAIK that should only be for 3128 and a separate rule
somewhere else to drop the intercepted port 3129 traffic pre-NAT.
HTH
Amos
icular is the "mangle" table rule.
Cheers
Amos
may (or not) have
side-effects on storage of the response. But still no problem exactly -
clients can do what they want.
Cheers
Amos
onfiguring your
child Squid to use that instead.
HTH,
Alex.
P.S. Unlike Amos, I do not see serious conceptual problems with
rewriting request target scheme (as a temporary compatibility measure).
It may not always work, for various reasons, but it does not necessarily
make things worse (an
les/css/fox-news/article-new.rs.css9; 'accept-encoding="gzip,%20deflate,%20br,%20zstd"'
11.07.2024 11:36:49 clientProcessHit: Vary object loop!
11.07.2024 11:36:49 varyEvaluateMatch: Oops. Not a Vary match on second
attempt,
'https://static.foxnews.com/static/str
ss lines:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
see <https://wiki.squid-cache.org/Releases/Squid-5> for the ACL details
if you need them too.
Amos
On 12/07/24 05:27, Jonathan Lee wrote:
Thanks what about the password is it set with@ or -p where would I place that?
Neither. It is set with -W .
Amos
Sent from my iPhone
On Jul 11, 2024, at 10:17, Amos Jeffries wrote:
It is very relevant. As Matus already mentioned, both -U and -W
nt: squidclient/6.10
Accept: */*
Authorization: Basic YWRtaW46Y2FjaGVtZ3JfcGFzc3dvcmQ=
Connection: close
Cheers
Amos
: You can direct all the archive traffic to a cache_peer
with port 443 and "originserver tls" flags.
YMMV, caveat emptor.
Cheers
Amos
basic_ncsa_auth /etc/squid/passwords
HTH
Amos
ors
acl HTTP proto HTTP
deny_info 302:https://%>rd%rp HTTP
http_access deny HTTP
http_access allow src_networks
...
HTH
Amos
tps://github.com/squid-cache/squid/pull/919>
github.com <https://github.com/squid-cache/squid/pull/919>
As of this writing, that work is a Draft for design review. It still
needs a lot of protocol support added before it can be used for more
than debugging experiments
On 14/06/24 20:43, NgTech LTD wrote:
Hey Amis,
Ok, so with the tools we have available, can we take this case and maybe
write a brief summary of changes between the squid features versions?
That is what the Release Notes are.
Cheers
Amos
"infinite scrolling" for delivery.
Accept-Ranges tells the server that it does not have to re-deliver the
entire JSON dataset for the scrolling part in full, every few seconds.
That header is defined by
<https://www.rfc-editor.org/rfc/rfc9110#name-accept-ranges>
HTH
Amos
On
tified
* run with new version
... look at all logged "NOTICE", "UPGRADE" etc, and the Release Notes
new feature additions to work on operational improvements possible with
the new version.
HTH
Amos
On 10/06/24 19:43, ngtech1ltd wrote:
@Alex and @Amos, can you try to he
Hi Ronny,
This is the Squid users mailing list. You would be better served
contacting the Samba help channels for this problem.
Cheers
Amos
On 8/06/24 23:05, Ronny Preiss wrote:
Hi Everybody,
Does someone know where this comes from and how to solve it? I've
changed nothing for
e
acl auth_users proxy_auth REQUIRED
with
http_access deny !auth_users
before the second external_acl (for authenticated requests)?
No. It is to ensure that "missing credentials" are treated differently
than "bad credentials". Specifically that any auth challenge resp
"cache deny all" to prevent anything being stored.
You should be able to remove the above line entirely.
access_log daemon:/var/log/squid/useragent.log useragent
visible_hostname proxy.abc.com
cache deny all
HTH
Amos
med.
... and after that, the external ACL that takes the username as well as
the other info.
HTH
Amos
IIRC there is at least one SSL-Bump permutation which does server name
vs IP validation (in a way, not explicitly). But that particular code
path is not always taken and the SSL-Bump logic does not go out of its
way to lookup missing details. So likely y
On 29/05/24 21:09, Samuel Thibault wrote:
Hello,
It was becoming more and more a concern (gstreamer build-depends on
rustc nowadays). At last, the rustc compiler becomes available :D
Thanks to Vedant's GSoC work last summer, and then waiting for Debian to
catch with upstream releases, eventuall
onfigure
a log like this:
access_log daemon:/var/log/squid/access.log referrer
HTH
Amos
We saw this behavior too but at LTP's master branch (ff13d67503a0) and
on top SUSE SLES OS.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059103
Title:
ubuntu_ltp: fs testsuite causing tainted kern
NTLM authenticated transaction.
Then
15) locate a server that can be used
16) send the request on to the found server
That is MUCH better for performance.
HTH
Amos
deny_info lines is the name
of the one that is to be adjusted when it is used for a "deny" action
by, for example, "http_access deny".
acl authorized_ips src ...
deny_info 307:http://example.com authorized_ips
http_access d
to retrieve the «permissions»
of the user and apply the ACL on squid.
Please explain/clarify what **exactly** a "permission" is in your design?
Cheers
Amos
On 7/05/24 07:59, Piana, Josh wrote:
Amos,
You raise a good point about Kerberos! I was not aware that Squid supported
this method. Yes - I think we would preferably use this method, especially
because this looks like it's much easier to setup and still checks all the
boxes we nee
[ please keep responses on-list to assist any others who encounter the
same issues in future ]
On 4/05/24 08:51, Piana, Josh wrote:
Hey Amos,
Thank you so much for getting back to me so quickly!
To answer your question about NTLM, I meant to say NTLMv2. We're trying to
become compliant
ection was opened, to after it fails. At least several seconds
before and after.
Cheers
Amos
unts? I ask because I
see IPA trying all the discovered domains and I know for a fact that those
users/groups are not in those domains.
Thanks,
Amos
--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
On 4/05/24 09:48, Emre Oksum wrote:
Hi Amos,
>FTR, "debug_options ALL" alone is invalid syntax and will not change
>from the default cache.log output
Yes, you were right! I was surely missing on that one. I changed
debug_options ALL to debug_options ALL 5 and now, I found th
ns was ALL in my
squid.conf.
Sure, "ALL" sections.
But what display level:
0 (critical only)?
1 (important)?
2 (protocol trace)?
3-6 (debugs)?
9 (raw I/O data traces)?
FTR, "debug_options ALL" alone is invalid syntax and will not change
from the defa
paste the output of "squid -v" run on both the old CentOS
machine and on the new RHEL.
Cheers
Amos
ctivity is better than
your IPv6 connectivity. Later Squid use various "Happy Eyeballs"
implementations for the server selection.
You can usually work around this by configuring the DNS server specified
by dns_nameservers to only deliver IPv6 results when a mixed set are
available.
HTH
A
ady active connections. Only for new
connections as they are setup.
For example; CONNECT tunnel and/or HTTPS connections might start on
Monday and stay open and used until Friday.
HTH
Amos
On 30/04/24 04:54, Jonathan Lee wrote:
Squid -k parse also does not fail with use of the time ACL
Sent from
On 24/04/24 17:27, Jonathan Lee wrote:
Hello fellow Squid users I wanted to ask a quick question for use with
termination would http access for cache still work with this type of setup and
custom refresh patterns?
I think it would terminate all but the clients and if they use the cache it
wou
in keytab but cannot decrypt ticket; }}
<https://wiki.articatech.com/proxy-service/troubleshooting/gss-cannot-decrypt-ticket>
HTH
Amos
and it logging is not the issue - Squid
cannot log something it cannot see. TLS support has quieted down in
recent times, but not stopped.
Cheers
Amos
ot enforced by 'time` ACL. Once a
transaction is allowed to start, it can continue until completion - be
that milliseconds or days later.
HTH
Amos
access than the old URL
based mechanism (which still exists, just deprecated).
Cheers
Amos
d.
The rest of your questions are about container management and Windows
configuration. Which are kind of off-topic.
Cheers
Amos
OpenSSL is not verbose enough to explain the actual
problem in an easily understood way.
HTH
Amos
o allow that depending on what your desired
TLS/SSL settings in squid.conf are.
Cheers
Amos
do have direct proxy (and thus manager) access via the
192.168.1.1:3128 so this URL should work:
http://192.168.1.1:3128/squid-internal-mgr/menu
.. or substitute the raw-IP for the visible_hostname setting **if** that
hostname actually resolves to
+aRSA+RC4" it would be a bit simpler/easier to read
the config by removing that cipher and just relying on the "!RC4".
HTH
Amos
feature instead for those URLs. It does a better job of
balancing the caching risk vs ratio gains, even though outwardly it can
appear to have less HITs.
HTH
Amos
onds
ignore_unknown_nameservers on
pipeline_prefetch 100
#acl SSLIntercept ssl::server_name_regex -i '/usr/local/pkg/url.bump'
#ssl_bump bump SSLIntercept
You already have an earlier "http_access deny all". The below lines do
nothin
I had the same problem which I solved by putting up a digipeater which can be
heard by IGate stations around the area. When I get close to the house, the
digipeater takes over and relays my signal further out via that 50’ mast that
is needed. Hihi
Mike
KG4NDS
From: BVARC On Behalf Of K5BOU vi
usable.
Amos
patch to fix this issue.
You need to fix or stop using the software which is adding BWS (bad
whitespace) to the protocol syntax fixed.
Amos
This inflammatory post is not relevant to Squid.
Please do not followup to this thread.
Cheers
Amos Jeffries
The Squid Software Foundation
All of the below suggestions are VERY good. I would like to also add that you
should turn on that radio, tune into a QSO and just listen for a bit. Then
another and another... The idea is to get an idea of the lingo and pace of the
conversation. That with the extra education you will get fro
/O in particular. The behavioural changes from that
might have impacted ICAP in some unexpected way.
Also, if you are using SSL-Bump to enable virus scanning then
<https://github.com/squid-cache/squid/commit/debf3f17be7761ea4992864a828f42ee773dfbaf>
might also be
add Accept-Encoding gzip,deflate
Is there a more gentle way of doing it?
You could use q-value to prohibit it instead.
Replace both the above lines with just this one:
request_header_add Accept-Encoding br;q=0
HTH
Amos
c 20.20.30.0/21
acl parent_proxy_exclude dst 20.20.30.0/21
acl parent_proxy_exclude_ST0100 dst 20.20.30.222/22
always_direct allow parent_proxy_exclude_ST0100
acl servicenet dst 172.28.4.0/24
always_direct allow parent_proxy_exclude
always_direct allow servicenet
HTH
Amos
__
Squid Proxy Cache Security Update Advisory SQUID-2024:1
__
Advisory ID: | SQUID-2024:1
Date: | Mar 4, 2024
Summary: | Denial of Serv
__
Squid Proxy Cache Security Update Advisory SQUID-2024:2
__
Advisory ID: | SQUID-2024:2
Date: | Feb 15, 2024
Summary: | Denial of Ser
__
Squid Proxy Cache Security Update Advisory SQUID-2023:11
__
Advisory ID: | SQUID-2023:11
Date: | Jan 24, 2024
Summary: | Denial of Ser
__
Squid Proxy Cache Security Update Advisory SQUID-2023:10
__
Advisory ID: | SQUID-2023:10
Date: | Dec 10, 2023
Summary: | Denial of Ser
These Squid are configured to listen like:
http_port 3128
Ensure that the machine/server the 4th Squid is running on has its
http(s)_port line matching the other three machines port value.
At this point do not care about the "mode" or options later in the line.
Your issue is solely
vious system.
Regards,
Amos
--
Etherlab-users mailing list
Etherlab-users@etherlab.org
https://lists.etherlab.org/mailman/listinfo/etherlab-users
been a while since I tested it, but IIRC with miss_access a
"deny_info" line may be used to change the default 403 error status into
another in the 200-599 status range. Which includes redirects,
retry-after, empty responses, and template pages respon
Excellent news.
Thank you for the feedback on the solution.
Cheers
Amos
On 22/02/24 10:14, Miha Miha wrote:
Hi Amos,
It took me some time to check and verify.
I'm posting my findings here just to complete the thread.
Regarding this one:
On 8/02/24 02:19, Miha Miha wrote:
Hi Fran
Contact emails: seui-sang@samsung.com
Explainer: None
Specification: https://drafts.csswg.org/cssom/#the-cssimportrule-interface
Summary
Allow CSSImportRule.styleSheet to be nullable. The styleSheet attribute in
CSSImportRule can be null if there is no associated CSS style sheet.
Blink component
On 16/02/24 15:30, Eternal Dreamer wrote:
Hi!
When I'm trying to send curl request with provided basic
proxy-authorization credentials through my proxy I see Segment Violation
error in my logs and empty reply from server. Command is:
curl -v --proxy-basic --proxy-user login:password --proxy
ht
langpack/>
Cheers
Amos
d to
build the container as-needed.
Amos
g: key B268E706FF5CF463: 1 duplicate signature removed
gpg: key B268E706FF5CF463: 4 signatures not checked due to missing keys
gpg: /tmp/squid/trustdb.gpg: trustdb created
gpg: key B268E706FF5CF463: public key "Amos Jeffries
" imported
gpg: key 4250AB432402F2F8: 1 signature not checked
ag was set.
Cheers
Amos
Hello Hugh,
I would be interested in either system, provided that they also have a VGA Out.
Otherwise, I'd be interested in the 780.
Thank You,
Amos
Sent from my android device.
-Original Message-
From: "D. Hugh Redelmeier via talk"
To: GTALUG Talk
Cc: "D. Hu
won't be useful
anyway :) better wait for the buildd to actually have started, rather
than getting bad press because nothing seems to be happening.
Samuel
On that topic, how are things going with the buildd?
Is there a TODO list we can track and try to assist with?
Amos
On 1/02/24 11:22, Miha Miha wrote:
On 10/01/24 12:18, Miha Miha wrote:
Release note of latest Squid 6.6 says: "...not deemed ready for
production use..." For comparison Squid 5.1 was 'ready'. When v6 is
expected to be ready for prod systems?
On Fri, Jan 12, 2024 at 3
Thanks for the notice.
This appears to be a github issue that has been occurring to many other
projects for at least 5hrs now. For now we can only hope that it gets
resolved soon
Cheers
Amos
On 30/01/24 01:50, Adam Majer wrote:
Hi,
http://www.squid-cache.org/Versions/v6/ lists security
. Work
is needed to rebase the branch on current Squid and re-test it. Nobody
is working on that at present, so no ETA is available.
HTH
Amos
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-dev
erences in the response headers per-visitor.
These cannot be cached, and Squid does not know how to correctly
generate for those headers. So having Squid auto-respond is not a good idea.
Cheers
Amos
.squid-cache.org/SquidFaq/BugReporting#full-debug-output).
Be aware this list does not permit large posts so please provide a link
to download in your reply not attachment.
Cheers
Amos
it now.
Squid 6 is production ready.
Cheers
Amos