Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Alex Rousskov
On 04/21/2016 03:26 PM, Odhiambo Washington wrote: > On 21 April 2016 at 23:14, Alex Rousskov wrote: > Logging aside, your latest random configuration is equivalent to > [...] not intercepting SSL at all, which brings > us back to the old question: What do you want Squid to do? > If

Re: [squid-users] Extraneous question regarding SSL interception

2016-04-21 Thread Alex Rousskov
On 04/21/2016 03:53 PM, Antony Stone wrote: > Any chance of getting it added to the Squid documentation for newbies, so > they > have a better concept of what these terms mean and where they apply? Please do! Alex. ___ squid-users mailing list

Re: [squid-users] Extraneous question regarding SSL interception

2016-04-21 Thread Antony Stone
On Thursday 21 April 2016 at 22:53:35, Alex Rousskov wrote a good explanation of SSL bumping. > On 04/21/2016 02:22 PM, Antony Stone wrote: > > Forgive me if this is answered in the documentation somewhere (but please > > point me at it if so, because I haven't been able to find it), but where >

Re: [squid-users] Extraneous question regarding SSL interception

2016-04-21 Thread Odhiambo Washington
Yes! That SSL _Bump_ name! Thanks for explaining the origins. On 23:53, Thu, Apr 21, 2016 Alex Rousskov wrote: > On 04/21/2016 02:22 PM, Antony Stone wrote: > > > Forgive me if this is answered in the documentation somewhere (but please > > point me at it if

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Odhiambo Washington
On 21 April 2016 at 23:14, Alex Rousskov wrote: > On 04/21/2016 01:59 PM, Odhiambo Washington wrote: > > On 21 April 2016 at 22:04, Amos Jeffries wrote: > > > > On 22/04/2016 6:20 a.m., Odhiambo Washington wrote: > > > I have now changed to

Re: [squid-users] Extraneous question regarding SSL interception

2016-04-21 Thread Alex Rousskov
On 04/21/2016 02:22 PM, Antony Stone wrote: > Forgive me if this is answered in the documentation somewhere (but please > point me at it if so, because I haven't been able to find it), but where do > the > terms "bump", "peek", "splice" and "stare" come from? "splice" comes from a standard

Re: [squid-users] Is it possible to log request's proxy hostname in the access log?

2016-04-21 Thread Ser de Bronce
Thank you for immediate answer, Antony. Best Regards, Sergey 2016-04-21 23:26 GMT+03:00 Antony Stone : > On Thursday 21 April 2016 at 22:21:15, Ser de Bronce wrote: > > > I have a squid server that can be accessed from multiple subdomains. > > For example,

Re: [squid-users] Is it possible to log request's proxy hostname in the access log?

2016-04-21 Thread Antony Stone
On Thursday 21 April 2016 at 22:21:15, Ser de Bronce wrote: > I have a squid server that can be accessed from multiple subdomains. > For example, user A does a proxy request on "aaa.myproxy.com" and user B on > "bbb.myproxy.com" > Is it possible to log which subdomain was requested by the user?

[squid-users] Extraneous question regarding SSL interception

2016-04-21 Thread Antony Stone
Hi. Forgive me if this is answered in the documentation somewhere (but please point me at it if so, because I haven't been able to find it), but where do the terms "bump", "peek", "splice" and "stare" come from? Personally I don't find them particularly intuitive to comprehend, in terms of

[squid-users] Is it possible to log request's proxy hostname in the access log?

2016-04-21 Thread Ser de Bronce
Hi there, Maybe someone already knows any solution: I have a squid server that can be accessed from multiple subdomains. For example, user A does a proxy request on "aaa.myproxy.com" and user B on "bbb.myproxy.com" Is it possible to log which subdomain was requested by the user? Best Regards,

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Alex Rousskov
On 04/21/2016 01:59 PM, Odhiambo Washington wrote: > On 21 April 2016 at 22:04, Amos Jeffries wrote: > > On 22/04/2016 6:20 a.m., Odhiambo Washington wrote: > > I have now changed to *configurations suggested specifically for your > use > > case, on this email thread* :) > > acl

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Odhiambo Washington
On 21 April 2016 at 22:04, Amos Jeffries wrote: > On 22/04/2016 6:20 a.m., Odhiambo Washington wrote: > > Hi Alex, > > > > I have now changed to *configurations suggested specifically for your use > > case, on this email thread* :) > > > > > > > > acl no_ssl_interception

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Amos Jeffries
On 22/04/2016 6:20 a.m., Odhiambo Washington wrote: > Hi Alex, > > I have now changed to *configurations suggested specifically for your use > case, on this email thread* :) > > > > acl no_ssl_interception ssl::server_name > "/usr/local/etc/squid/ssl_bump_broken_sites.txt" > ssl_bump splice

Re: [squid-users] Squid-4.0.9 and FreeBSD 9.3 / FreeBSD-10.3

2016-04-21 Thread Amos Jeffries
On 22/04/2016 6:12 a.m., Odhiambo Washington wrote: > Hi Amos, > > I have just now succeeded in compiling squid-4.0.9 on FreeBSD 10.3 and I'm > even able to run it. > The server I am testing on serves about 20 users. It's been successfully > running 3.5.x (upgraded to 3.5.17 today). > > On my

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Alex Rousskov
On 04/21/2016 08:12 AM, Odhiambo Washington wrote: > acl no_ssl_interception ssl::server_name ... > ssl_bump splice no_ssl_interception > ssl_bump stare step2 > ssl_bump splice all You are mixing splice and stare now. There are two groups of actions: * peek and then splice * stare and then

Re: [squid-users] Cert authority invalid failures.

2016-04-21 Thread Amos Jeffries
On 22/04/2016 2:36 a.m., Markey, Bruce wrote: > acl internal src 192.168.200.0/21 > acl wireless src 192.168.100.0/23 > > acl Safe_ports port 80 > acl Safe_ports port 443 > acl SSL_ports port 443 > acl CONNECT method CONNECT > > acl allowed dstdomain -i "/etc/squid3/acls/http_allowed.acl" > acl

Re: [squid-users] Squid 3.5.9 Problems with Teamviewer

2016-04-21 Thread epytir
Hey Amos, thanks for your reply. The line /usr/lib/squid3/negotiate_kerberos_auth -r -s GSS_C_NO_NA$ is only missing the 2 letters ME, sorry for that. I will build a test server with the newest squid version and config changes. >I log squid in database and every connect I see is not

Re: [squid-users] Cert authority invalid failures.

2016-04-21 Thread Markey, Bruce
acl internal src 192.168.200.0/21 acl wireless src 192.168.100.0/23 acl Safe_ports port 80 acl Safe_ports port 443 acl SSL_ports port 443 acl CONNECT method CONNECT acl allowed dstdomain -i "/etc/squid3/acls/http_allowed.acl" acl prime dstdomain -i "/etc/squid3/acls/squid-prime.acl" acl ips dst

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Odhiambo Washington
On 21 April 2016 at 16:48, Alex Rousskov wrote: > On 04/21/2016 07:18 AM, Odhiambo Washington wrote: > > Is it expected that using ssl_bump results into high CPU usage all the > > time? > > Your question is impossible to answer in general: The CPU usage levels

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Alex Rousskov
On 04/21/2016 07:18 AM, Odhiambo Washington wrote: > Is it expected that using ssl_bump results into high CPU usage all the > time? Your question is impossible to answer in general: The CPU usage levels depend on the amount of Squid traffic, the portion of SSL traffic in the overall traffic mix,

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Odhiambo Washington
I will put the splice explicitly and observe. Without ssl_bump I never saw such cpu usage with squid. However, lemme watch and also listen to feedback.. On 21 April 2016 at 16:34, Amos Jeffries wrote: > On 22/04/2016 1:18 a.m., Odhiambo Washington wrote: > > Is it

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Amos Jeffries
On 22/04/2016 1:18 a.m., Odhiambo Washington wrote: > Is it expected that using ssl_bump results into high CPU usage all the > time? > Encryption adds CPU overhead, but how much depends on what your normal use was. I don't think any of us have a good rule-of-thumb or educated guess yet because

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Yuri Voinov
Not necessary. May be bottleneck in OS. 21.04.16 19:25, Odhiambo Washington wrote: > So, what could possibly be wrong with my setup, that squid consumes so much > CPU? > > On 21 April 2016 at 16:22, Yuri Voinov

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Odhiambo Washington
So, what could possibly be wrong with my setup, that squid consumes so much CPU? On 21 April 2016 at 16:22, Yuri Voinov wrote: > It must not be. My most active setup has 3% CPU all time during peak hours. > > Typical

Re: [squid-users] Squid 3.5.9 Problems with Teamviewer

2016-04-21 Thread Amos Jeffries
On 21/04/2016 3:39 a.m., epytir wrote: > Hey Squid Users, > > Sorry for my bad English, I'm learning it currently. > > I got a little problem with my squid proxy. > I installed it with ufdbguard and squidclamav and everything works fine. > > The users login with kerberos ntlm or normal username

Re: [squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Yuri Voinov
It must not be. My most active setup has 3% CPU all time during peak hours. Typical view: https://i1.someimage.com/NzM1erI.png 21.04.16 19:18, Odhiambo Washington wrote: > Is it expected that using ssl_bump results into high CPU usage all the

[squid-users] High CPU Usage with ssl_bump

2016-04-21 Thread Odhiambo Washington
Is it expected that using ssl_bump results into high CPU usage all the time? This is squid-3.5.17. That is what I am seeing: last pid: 26673; load averages: 2.24, 2.00, 2.10 up 0+03:47:56 16:08:30 160 processes: 2 running, 157 sleeping, 1 zombie CPU: 86.1% user, 0.0% nice,

Re: [squid-users] Cert authority invalid failures.

2016-04-21 Thread Amos Jeffries
On 21/04/2016 8:18 a.m., Markey, Bruce wrote: > I'm curious as to why this is happening. > > Proxy was implemented last week and since then I've been dealing with all the > sites that don't work. Not a problem, knew it was going to happen. I'd like > to understand why the following is

[squid-users] [squid-announce] [ADVISORY SQUID-2016:6 Multiple issues in ESI processing.

2016-04-21 Thread Amos Jeffries
Squid Proxy Cache Security Update Advisory SQUID-2016:6. Advisory ID: SQUID-2016:6 Date: April 20, 2016 Summary: Multiple issues in

[squid-users] [squid-announce] [ADVISORY] SQUID-2016:5 Buffer overflow in cachemgr.cgi

2016-04-21 Thread Amos Jeffries
Squid Proxy Cache Security Update Advisory SQUID-2016:5. Advisory ID: SQUID-2016:5 Date: April 20, 2016 Summary:

[squid-users] [squid-announce] Squid 3.5.17 is available

2016-04-21 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.5.17 release! This release is a security and bug fix release resolving several vulnerabilities and issues found in the prior Squid releases. The major changes to be aware of: * SQUID-2016:5 - Buffer

Re: [squid-users] squid 2.7/lusca not work with web auth IIS

2016-04-21 Thread Amos Jeffries
On 21/04/2016 1:51 p.m., zodyo wrote: > anybody here? I'm newbie and need some advice here, or how to bypass some > sites with auth > Lusca is not Squid. It is a fork by Xenion with quite a few changes. You will need to contact there about support. ... or upgrade to a Squid-3 version we provide