Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Amos Jeffries
On 08/02/18 12:44, setuid wrote: > On 2/7/18 6:36 PM, Yuri wrote: >> Did you use ipfw NAT configuration on the same box with squid? > > Yes, my ipfw configuration is: > > $cmd 00700 deny ip from any to any dst-port 3128 via em0 > $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
Where does ipfw run? In a virtual machine, or on the hypervisor? 08.02.2018 05:44, setuid wrote: > On 2/7/18 6:36 PM, Yuri wrote: >> Did you use ipfw NAT configuration on the same box with squid? > Yes, my ipfw configuration is: > > $cmd 00700 deny ip from any to any dst-port 3128 via em0 > $cmd 00800 fwd

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
On 2/7/18 6:36 PM, Yuri wrote: > Did you use ipfw NAT configuration on the same box with squid? Yes, my ipfw configuration is: $cmd 00700 deny ip from any to any dst-port 3128 via em0 $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0 $cmd 00820 allow ip from any to any dst-port

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
Squid is relatively difficult to run in transparent mode on virtual platforms due to NAT limitations on virtual platforms (this is not squid's issue, this is an issue of virtual platforms). I've been using squid only in transparent mode (only in transparent mode) for several years on Solaris (bare metal)

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
If you configured squid with '--enable-ipfw-transparent' you should use the manual for ipfw configuration. Did you use ipfw NAT configuration on the same box with squid? 08.02.2018 05:14, setuid wrote: > On 2/7/18 4:31 PM, Yuri wrote: >> I've not seen your configuration options for squid. Not

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
On 2/7/18 5:37 PM, Rafael Akchurin wrote: > How is your network configured? Your rules indicate you have 2 nics but you > later say you have one.. Originally, I started with 1 NIC (it's a VM), and added 2 more, because I read that pf/ipfw can't rewrite ingress packets on the same interface it

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
On 2/7/18 4:31 PM, Yuri wrote: > I've not seen your configuration options for squid. Not squid.conf. Just > ./configure options. Here's what I'm building with (from 'make config' in ports tree) '--bindir=/usr/local/sbin' '--build=amd64-portbld-freebsd11.1' '--datadir=/usr/local/etc/squid'

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Rafael Akchurin
That's strange. How is your network configured? Your rules indicate you have 2 nics but you later say you have one.. Best regards, Rafael Akchurin > On 7 Feb 2018 at 23:31, setuid wrote the following: > >> On 02/07/2018 04:38 PM, Rafael Akchurin wrote: >> If you

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
On 02/07/2018 04:38 PM, Rafael Akchurin wrote: > If you do not mind looking at other tutorials - these are what we have in the > test lab. > https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html I can confirm that the instructions in this tutorial result in the same exact

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Rafael Akchurin
No unfortunately nothing like this is in our lab for FreeBSD - but default Squid package in pfSense runs transparently without issues I have heard (or with other issues than you have). Best regards, Rafael Akchurin Diladele B.V. -Original Message- From: setuid [mailto:set...@gmail.com]

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
On 02/07/2018 04:38 PM, Rafael Akchurin wrote: > If you do not mind looking at other tutorials - these are what we have in the test lab. > https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html > https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html Thanks

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Rafael Akchurin
Hello setuid, If you do not mind looking at other tutorials - these are what we have in the test lab. https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html First one for Squid running on the gateway and

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread Yuri
One stupid idiotic question. Did you build your squid with transparent NAT support? This is a mandatory prerequisite for transparent squid. I've not seen your configuration options for squid. Not squid.conf. Just ./configure options. 08.02.2018 03:11, setuid wrote: > I'll start with the

Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
On 02/07/2018 04:11 PM, setuid wrote: > That router has a firewall script on it that says: > == > #!/bin/sh > PROXY_IP=192.168.2.25 Yes, this is a typo here in email but is correct in the router's firewall script. This should be either 192.168.2.20 or 192.168.1.25; both are

[squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

2018-02-07 Thread setuid
I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5, 4.0 on Ubuntu Xenial, Debian Jessie, FreeBSD 11.1 using iptables, pf, ipf, ipfilter) does not work at all, when configured as a transparent proxy. Full stop. I went through hundreds of posts on dozens of forums, blogs and

Re: [squid-users] Default host_verify_strict behavior appears to have changed as of 3.5.25

2018-02-07 Thread steveno
OK this may be irrelevant to the "host_verify_strict" setting, it's just when I looked at the messages like "2018/02/07 17:57:45 kid1| SECURITY ALERT: on URL: sqs.us-west-2.amazonaws.com:443" in the cache.log it led me to believe this was a feature of "RFC 2616 section 14.23" and that the default

Re: [squid-users] Default host_verify_strict behavior appears to have changed as of 3.5.25

2018-02-07 Thread Yuri
This is irrelevant to host_verify_strict. This is an effect of server side CDN IP changes. Squid treats it as a security alert. 08.02.2018 00:03, steveno wrote: > I was using squid 3.5.20 I encountered an issue running out of File > Descriptors on Centos7, the scenario was that sockets would be

[squid-users] Default host_verify_strict behavior appears to have changed as of 3.5.25

2018-02-07 Thread steveno
I was using squid 3.5.20 I encountered an issue running out of File Descriptors on Centos7, the scenario was that sockets would be abandoned in a "CLOSE_WAIT" state forever until the server ran out of FD's. Searching I found the following BUG. https://bugs.squid-cache.org/show_bug.cgi?id=4508

Re: [squid-users] Time acl not working

2018-02-07 Thread Danilo V
I'm thinking of adding a routine to cron to restart squid as soon as lunch break ends. Is there any other less invasive way to reset an ssl connection and force another CONNECT to squid? On Wed, 7 Feb 2018 at 12:22, Amos Jeffries wrote: > On 08/02/18 02:50, Danilo

Re: [squid-users] Time acl not working

2018-02-07 Thread Amos Jeffries
On 08/02/18 02:50, Danilo V wrote: > I'm not using SSL intercept configuration. Now I see it is required, even > for explicit mode. Only because you want *Squid* to be the process controlling HTTPS things. If you did the controls at the network traffic level (eg iptables, pf) instead then you would

Re: [squid-users] Time acl not working

2018-02-07 Thread Danilo V
I'm not using SSL intercept configuration. Now I see it is required, even for explicit mode. Thank you for the explanation. Danilo On Wed, 7 Feb 2018 at 11:00, Amos Jeffries wrote: > > On 08/02/18 01:37, Danilo V wrote: > > - Squid.conf: > > > > /http_port 3128 > > /

Re: [squid-users] Time acl not working

2018-02-07 Thread Amos Jeffries
On 08/02/18 01:37, Danilo V wrote: > - Squid.conf: > > /http_port 3128 > / > /acl social dstdomain -i .facebook.com .fbcdn.net > .twitter.com > / > /acl LUNCH time 12:00-13:00/ > /http_access allow social LUNCH/ > /http_access deny

Re: [squid-users] Time acl not working

2018-02-07 Thread Danilo V
- Squid.conf: *http_port 3128* *acl social dstdomain -i .facebook.com .fbcdn.net .twitter.com * *acl LUNCH time 12:00-13:00* *http_access allow social LUNCH* *http_access deny social* 1. Adjust time in acl to your local test time. 2.

Re: [squid-users] 3.5.20 run out of my memory.

2018-02-07 Thread Amos Jeffries
On 07/02/18 19:34, minh hưng đỗ hoàng wrote: > Dear all, I use squid 3.5.20 on ubuntu14 in TPROXY mode. > With basic config in squid.conf, but squid is running out of my server's memory. > Here is my configure option : ... > > https_port 3130 tproxy ssl-bump generate-host-certificates=on >

Re: [squid-users] 4.0.23 release in Debian

2018-02-07 Thread TarotApprentice
I’ve already raised a Debian bug regarding startup script issues with it. Maybe that will receive some attention. > On 7 Feb 2018, at 9:25 pm, L.P.H. van Belle wrote: > > Hi, > > If you want a squid 3.5.27 for debian stretch. (amd64 only built) > Have a look here :

Re: [squid-users] Time acl not working

2018-02-07 Thread Antony Stone
On Wednesday 07 February 2018 at 12:12:47, Danilo V wrote: > Hello all, time acl is not working for dynamic HTTPS pages such as social > networks. > > I set it to release any content during lunch time. In this period > everything works, but when the interval expires, the already open network >

[squid-users] Time acl not working

2018-02-07 Thread Danilo V
Hello all, time acl is not working for dynamic HTTPS pages such as social networks. I set it to release any content during lunch time. In this period everything works, but when the interval expires, the already open network media pages continue to receive updates and are not blocked as expected.

Re: [squid-users] 4.0.23 release in Debian

2018-02-07 Thread L . P . H . van Belle
Hi, If you want a squid 3.5.27 for debian stretch. (amd64 only built) Have a look here : http://downloads.van-belle.nl/squid/ The tar.gz contains, build log, sources used and debs. My changelog. squid3 (3.5.27-0.1) stretch; urgency=medium * Non-maintainer upload. * Builded from

Re: [squid-users] 4.0.23 release in Debian

2018-02-07 Thread Flashdown
FYI: There is already progress on Squid 4.0.23 over here: https://packages.debian.org/source/experimental/squid BTW: Hope I may get a response this time from anybody over there, then I would package 3.5.27.. On 2018-02-05 10:21, Flashdown wrote: Well, I've forwarded my old mail just now

Re: [squid-users] 3.5.20 run out of my memory.

2018-02-07 Thread Vacheslav
I cron those for memory, try it. 0 */1 * * * root /usr/sbin/sysctl -w vm.drop_caches=3 0 */1 * * * root /bin/sync && /bin/echo 3 |