Re: [squid-users] Adding an extra header to TLS connection

2024-05-23 Thread Alex Rousskov
. FWIW, most of the basics are covered at https://wiki.squid-cache.org/Features/SslPeekAndSplice That page was written for a feature introduced in v3.5, but it is not specific to that Squid version. HTH, Alex. > On May 23, 2024, at 08:49, Alex Rousskov wrote: > > On 2

Re: [squid-users] Adding an extra header to TLS connection

2024-05-23 Thread Alex Rousskov
On 2024-05-22 03:49, Robin Wood wrote: I'm trying to work out how to add an extra header to a TLS connection. I assume that you want to add a header field to an HTTP request or response that is being transmitted inside a TLS connection between a TLS client (e.g., a user browser) and an

Re: [squid-users] log_referrer question

2024-05-21 Thread Alex Rousskov
On 2024-05-21 14:47, Bobby Matznick wrote: To add and maybe clarify what my confusion is, the log entries below (hidden internal/external IP’s, domain and username) don’t seem to show what I expected, a line marked “referrer”. Am I misunderstanding how that should show up in the log? Kind

Re: [squid-users] log_referrer question

2024-05-21 Thread Alex Rousskov
On 2024-05-21 13:50, Bobby Matznick wrote: I have been trying to use a combined log format for squid. The below line in the squid config is my current attempt. logformat combined %>a %[ui %[un [%tl "%rm %ru HTTP/%rv" %>Hs %"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh Please do not redefine

Re: [squid-users] Tune Squid proxy to handle 90k connection

2024-05-20 Thread Alex Rousskov
on my production servers. On 17/05/2024 14:42, Alex Rousskov wrote: On 2024-05-16 19:12, Jonathan Lee wrote: What about using COSS file system? Squid does not support COSS cache_dirs since v3.5. If Squid in question does disk caching, then rock cache_dirs may be the best bet. Alex. On May

Re: [squid-users] Question: cache_mem share among multiple squid instances with the same service_name in SMP mode

2024-05-20 Thread Alex Rousskov
On 2024-05-20 03:35, Zhijian Li (Fujitsu) wrote: In SMP mode, is it possible that cache_mem can be shared among multiple squid instances with the same service_name? Short answer: "Do not run multiple SMP Squid instances with the same service_name". SMP Squid cache[1] is not supposed to be

Re: [squid-users] Tune Squid proxy to handle 90k connection

2024-05-17 Thread Alex Rousskov
performance and also speed up NTLM/Kerberos authentication, I will re-enable again on my production servers. Best Regards On 16/05/2024 21:34, Alex Rousskov wrote: On 17/05/24 02:23, Bolinhas André wrote: As I explained, by default I set those directives to off to avoid high cpu consumption

Re: [squid-users] Tune Squid proxy to handle 90k connection

2024-05-17 Thread Alex Rousskov
sly failed to get that message across since essentially the same question is still being asked. Alex. On 16/05/2024 21:34, Alex Rousskov wrote: On 17/05/24 02:23, Bolinhas André wrote: As I explained, by default I set those directives to off to avoid high cpu consumption. Just FYI: In th

Re: [squid-users] Tune Squid proxy to handle 90k connection

2024-05-16 Thread Alex Rousskov
On 17/05/24 02:23, Bolinhas André wrote: As I explained, by default I set those directives to off to avoid high cpu consumption. Just FYI: In this context, when you say "default", folks will tend to think that you are talking about default Squid configuration setting (i.e. something

Re: [squid-users] Tune Squid proxy to handle 90k connection

2024-05-16 Thread Alex Rousskov
On 2024-05-15 19:02, Andre Bolinhas wrote: To handle this amount of traffic should I enable client_persistent_connections and server_persistent_connections or is it better to keep it disabled? As Jonathan has already mentioned, the question is misleading because these directives default to

Re: [squid-users] Squid returns a lot of ABORTED in access log and user navigation speed slows

2024-05-15 Thread Alex Rousskov
On 2024-05-15 14:08, Andre Bolinhas wrote: I'm not using pipeline_prefetch, because pipeline_prefetch breaks the NTLM/Kerberos authentication. Enabling pipeline_prefetch introduces other problems as well. There might be some very special use cases that benefit from pipeline_prefetch today,

Re: [squid-users] Error from icap during respmod

2024-05-08 Thread Alex Rousskov
nt custom virus scanning of the response. I got the book /Squid: The Definitive Guide /and going over for more understanding. Saw your name mentioned by the author. I am very proud to work with great people like you. On Thursday, May 2, 2024 at 04:18:45 PM EDT, Alex Rousskov wrote: On 202

Re: [squid-users] Error during ICAP RESPMOD

2024-05-02 Thread Alex Rousskov
on this thread) supports and details the "HTTP body instead of an ICAP response header" theory I suggested further below (before you shared that log file). [1]: https://lists.squid-cache.org/pipermail/squid-users/2024-May/026634.html Alex. On Friday, March 22, 2024 at 11:02:51 PM EDT, Alex Rous

Re: [squid-users] Error from icap during respmod

2024-05-02 Thread Alex Rousskov
On 2024-04-29 13:06, Arun Kumar wrote: Configured python based icap server (pyicap) and getting 500 Internal Server error during respmod. AFAICT, this ICAP RESPMOD service is buggy: It sends what looks like an HTTP response body chunk after sending an ICAP 100 Continue control message.

Re: [squid-users] ACL / http_access rules stop work using Squid 6+

2024-04-18 Thread Alex Rousskov
ex. On 2024-04-15 19:49, Andre Bolinhas wrote: Hi Alex, Thanks for your reply. Logs uploaded again, you can find it here. https://we.tl/t-QiSKMgclOb Best regards On 15/04/2024 14:12, Alex Rousskov wrote: On 2024-04-14 17:23, Andre Bolinhas wrote: Any tip on this matter? I want to upgrade to

Re: [squid-users] Squid 6.8 SSL_BUMP TLS Error

2024-04-18 Thread Alex Rousskov
ave matched for the test transaction), but I would _start_ by checking that Squid is sending the certificate(s) you think it is sending. HTH, Alex. *From:* squid-users *On Behalf Of* Alex Rousskov *Sent:* Wednesday, 17 April 2024 19:53 *To:* squid-users@lists.squid-cache.org *Subject:*

Re: [squid-users] Squid 6.8 SSL_BUMP TLS Error

2024-04-17 Thread Alex Rousskov
On 2024-04-17 09:07, Rauch, Mario wrote: We are receiving following errors when clients want to connect to specific website using ssl bump feature and self signed certificate: 2024/04/17 14:55:15 kid1| ERROR: failure while accepting a TLS connection on conn275 local=185.229.91.169:3128

Re: [squid-users] Rock store limit

2024-04-16 Thread Alex Rousskov
On 2024-04-16 03:20, FredB wrote: I'm trying to use rock store with 6.9, there is a limitation about the size of cache ? If my calculations are correct, all cache_dirs share the same byte-size limit: A single cache_dir cannot store more than ~2048 terabytes (i.e. 2^51 bytes). However, all

Re: [squid-users] ACL / http_access rules stop work using Squid 6+

2024-04-15 Thread Alex Rousskov
uration files / folder are the same, the server is the same, the only thing that changes is the Squid version On 29/03/2024 17:40, Alex Rousskov wrote: On 2024-03-25 15:13, Bolinhas André wrote: Yes, the configuration is the same for both versions. The logs archive you shared previously has expired

Re: [squid-users] SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR

2024-04-11 Thread Alex Rousskov
On 2024-04-10 17:48, Jonathan Lee wrote: It works in 5.8 with no errors however in 6.6 I can see indexing and other information that I have never seen before Unfortunately, I am unable to make progress with this email thread because there are just too many different problems being introduced

Re: [squid-users] SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR

2024-04-10 Thread Alex Rousskov
uration _error_. AFAICT, Squid code should be adjusted to _quit_ (i.e. reject bad configuration) after discovering this error instead of continuing as if nothing bad happened. I recommend addressing the underlying cause, even if this message is unrelated to SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417.

Re: [squid-users] SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR

2024-04-10 Thread Alex Rousskov
On 2024-04-10 10:50, Jonathan Lee wrote: I am getting the following error in 6.6 after an upgrade from 5.8 does anyone know what this is caused by? SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000417+TLS_IO_ERR $ openssl errstr A000417 error:0A000417:SSL routines::sslv3 alert illegal parameter

Re: [squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined

2024-04-06 Thread Alex Rousskov
On 2024-04-06 01:40, Jonathan Lee wrote: Can you please help I moved from 5.8 to 6.6 I am getting access denied for mgr info. Http manager is built in now right? Yes, it is and it was. No changes there. I can access it from the loopback Currently, you may need to figure out what

Re: [squid-users] Chrome auto-HTTPS-upgrade - not falling to http

2024-04-05 Thread Alex Rousskov
On 2024-04-04 03:01, David Komanek wrote: I do not observe this problem accessing sites running only on port 80 (no 443 at all), but my configuration is simple: squid 6.6 as FreeBSD binary package not much about ssl in the config file though, just passing it through, no ssl juggling Your

Re: [squid-users] Chrome auto-HTTPS-upgrade - not falling to http

2024-04-05 Thread Alex Rousskov
pletely separate issue. If you are suspecting that Squid should get certain intermediate certificates but does not, check Bugzilla, and, if there is no corresponding bug report, file a new one. HTH, Alex. On 03.04.2024 at 17:05, Alex Rousskov wrote: On 2024-04-03 02:14, Loučanský Lu

Re: [squid-users] BWS after chunk-size

2024-04-03 Thread Alex Rousskov
On 2024-04-01 23:03, r...@ohmuro.net wrote: after an upgrade from squid 5.4.1 to squid 5.9, unable to parse HTTP chunked response containing whitespace after chunk size. I could be wrong, but Can you please advise me know if there is a way or patch to fix this issue. The sender of these

Re: [squid-users] Chrome auto-HTTPS-upgrade - not falling to http

2024-04-03 Thread Alex Rousskov
On 2024-04-03 02:14, Loučanský Lukáš wrote: this has recently started me up more then let it go. For a while chrome is upgrading in-page links to https. Just to add two more pieces of related information to this thread: Some Squid admins report that their v6-based code does not suffer from

Re: [squid-users] ACL / http_access rules stop work using Squid 6+

2024-03-29 Thread Alex Rousskov
9 13:31:05| Processing: http_access deny all HTH, Alex. ---- *From:* Alex Rousskov *Sent:* Monday, 25 March 2024 19:12 *To:* squid-users@lists.squid-cache.org *Subject* Re: [squid-users] ACL / http_access rules stop work using Squid 6+ On 2024-03-22 09:38, Andre

Re: [squid-users] ACL / http_access rules stop work using Squid 6+

2024-03-25 Thread Alex Rousskov
On 2024-03-22 09:38, Andre Bolinhas wrote: In previous versions of squid, from 3 to 5.9, I use this kind of deny rules and they work like charm acl AnnotateRule28 annotate_transaction accessrule=Rule28 http_access deny HTTP Group38 AnnotateRule28 This allows me to deny objects without bump /

Re: [squid-users] Error during ICAP RESPMOD

2024-03-22 Thread Alex Rousskov
rpreting the snippets. If you want a more reliable diagnosis, then my earlier recommendation regarding sharing (privately if needed) the following information still stands: * compressed ALL,9 cache.log and * the problematic ICAP response in a raw packet capture format. HTH, Alex. On Monday, Ma

Re: [squid-users] Error during ICAP RESPMOD

2024-03-18 Thread Alex Rousskov
On 2024-03-18 18:46, Arun Kumar wrote: Any idea, the reason for error in ModXact.cc parsePart function. Happening during parsing the response from ICAP parsePart: have 144 head bytes to parse; state: 0 parsePart: head parsing result: 0 detail: 600 AFAICT, Squid considers received ICAP

Re: [squid-users] After upgrade from squid6.6 to 6.8 we have a lot of ICAP_ERR_OTHER and ICAP_ERR_GONE messages in icap logfiles

2024-03-14 Thread Alex Rousskov
On 2024-03-11 11:31, Dieter Bloms wrote: Hello, after an upgrade from squid6.6 to squid6.8 on a debian bookworm we have a lot of messages from type: ICAP_ERR_GONE/000 ICAP_ERR_OTHER/200 ICAP_ERR_OTHER/408 ICAP_ERR_OTHER/204 and some of our users claim about bad performance and some get "empty

Re: [squid-users] Compilation error for v6.8

2024-03-14 Thread Alex Rousskov
On 2024-03-14 08:21, Miha Miha wrote: Hello Squid team, I get following error while compiling v6.8 ... In file included from basic_nis_auth.cc:15: ../../../../src/auth/basic/NIS/nis_support.h:8: error: unterminated #ifndef #ifndef SQUID_SRC_AUTH_BASIC_NIS_NIS_SUPPORT_H basic_nis_auth.cc: In

Re: [squid-users] Recommended squid settings when using IPS-based domain blocking

2024-03-06 Thread Alex Rousskov
On 2024-03-06 09:48, Jason Marshall wrote: We have been using squid (version squid-5.5-6.el9_3.5) under RHEL9 as a simple pass-through proxy without issue for the past month or so. Recently our security team implemented an IPS product that intercepts domain names known to be associated with

Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers

2024-03-04 Thread Alex Rousskov
On 2024-03-04 14:03, Dragos Pacher wrote: POC running well on 3 servers but on the 4th I get no IPv6 sockets: ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp tcp        0      0 10.10.0.16:3128         0.0.0.0:* LISTEN      2891391/(squid-1) Are there any other

Re: [squid-users] Squid delay_access with external acl

2024-03-04 Thread Alex Rousskov
delay_access 1 deny all* br, Szilard Alex Rousskov 02/20/2024, 04:52 PM >>> On 2024-02-20 03:14, Francesco Chemolli wrote: > acl users ext_user foo bar gazonk > http_access allow users all # always allow The above does not always allow. What you meant is probably this: # This

Re: [squid-users] squidclient ERR_ACCESS_DENIED

2024-02-28 Thread Alex Rousskov
On 2024-02-28 08:52, Francesco Chemolli wrote: just replace squidclient mgr:objects with curl --silent --user squid_cachemgr_user:squd_cachemgr_password http://squid.host.name:3128/squid-internal-mgr/objects Neither is required for basic cases, but it is better, IMHO, to use

Re: [squid-users] squidclient ERR_ACCESS_DENIED

2024-02-27 Thread Alex Rousskov
On 2024-02-27 10:36, Andrea Venturoli wrote: I'm having trouble accessing cachemgr with squidclient. You are suffering from one or several known problems[1,2] related to cache manager changes in v6+ code. Without going into complicated details, I recommend that you replace deprecated

Re: [squid-users] IPv4 addresses go missing - markAsBad wrong?

2024-02-20 Thread Alex Rousskov
On 2024-02-12 06:46, Stephen Borrill wrote: On 16/01/2024 14:37, Alex Rousskov wrote: On 2024-01-16 06:01, Stephen Borrill wrote: The problem is no different with 6.6. Is there any more debugging I can provide, Alex? Yes, but I need to give you a patch that adds that (temporary) debugging

Re: [squid-users] Unable to filter javascript exchanges

2024-02-20 Thread Alex Rousskov
On 2024-02-12 17:40, speed...@chez.com wrote: I'm using Squid 3.5.24 (included in Synology DSM 6) and I've an issue with time acl. All works fine except some websites like myhordes.de. Once the user connected to this kind of website, the time acl has no effect while the web page is not

Re: [squid-users] Squid delay_access with external acl

2024-02-20 Thread Alex Rousskov
On 2024-02-20 03:14, Francesco Chemolli wrote: acl users ext_user foo bar gazonk http_access allow users all  # always allow The above does not always allow. What you meant is probably this: # This rule never matches. It is used for its side effect: # The rule evaluates users ACL, caching

Re: [squid-users] stale-if-error returning a 502

2024-02-12 Thread Alex Rousskov
he fix for the underlying Squid bug was officially accepted and should become a part of v6.8 release (at least). Thank you, Alex. On Fri, 9 Feb 2024 at 14:31, Alex Rousskov wrote: On 2024-02-09 08:53, Robin Carlisle wrote: > I am trying the config workaround approach. Pleas

Re: [squid-users] stale-if-error returning a 502

2024-02-09 Thread Alex Rousskov
in case max_stale 525600 minutes refresh_pattern . 0  20% 4320 max-stale=525600 Thanks again for your help Robin On Thu, 8 Feb 2024 at 17:42, Alex Rousskov wrote: Hi Robin,      AFAICT from the logs you have privately shared

Re: [squid-users] stale-if-error returning a 502

2024-02-08 Thread Alex Rousskov
On Thu, 1 Feb 2024 at 18:27, Alex Rousskov wrote: On 2024-02-01 12:03, Robin Carlisle wrote: > Hi, I am having trouble with stale-if-error response. If I am interpreting Squid code correctly, in primary use ca

Re: [squid-users] stale-if-error returning a 502

2024-02-07 Thread Alex Rousskov
ch for your help again, Robin On Thu, 1 Feb 2024 at 18:27, Alex Rousskov wrote: On 2024-02-01 12:03, Robin Carlisle wrote: > Hi, I am having trouble with stale-if-error response. If I am interpreting Squid code correctly, in primary use cases:

Re: [squid-users] New Squid prefers IPv4

2024-02-06 Thread Alex Rousskov
On 2024-02-06 10:16, Rob van der Putten wrote: On 05/02/2024 18:32, Antony Stone wrote: On Monday 05 February 2024 at 17:32:51, Rob van der Putten wrote: On 05/02/2024 17:16, Dieter Bloms wrote: On Mon, Feb 05, Rob van der Putten wrote: After upgrading Squid from 3 to 5 the percentage of

Re: [squid-users] New Squid prefers IPv4

2024-02-05 Thread Alex Rousskov
On 2024-02-05 11:32, Rob van der Putten wrote: On 05/02/2024 17:16, Dieter Bloms wrote: On Mon, Feb 05, Rob van der Putten wrote: After upgrading Squid from 3 to 5 the percentage of IPv6 reduced from 61% to less than 1%. Any ideas? yes, since squid5 the happy eyeball algorithm as described

Re: [squid-users] external icap issue with squid 5 and higher

2024-02-02 Thread Alex Rousskov
ithout any encapsulated HTTP body. That encapsulation matches the ICAP Encapsulated header. HTH, Alex. -Original Message- From: Alex Rousskov Sent: Friday, 2 February 2024 18:45 To: Yvain PAYEN ; squid-users@lists.squid-cache.org Subject: Re: [squid-users] external icap issue wi

Re: [squid-users] external icap issue with squid 5 and higher

2024-02-02 Thread Alex Rousskov
d'imprimer cet e-mail. -Original Message- From: squid-users On Behalf Of Alex Rousskov Sent: Friday, 2 February 2024 17:19 To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] external icap issue with squid 5 and higher ⚠ FR : Ce message provient de l'extérieur de l'or

Re: [squid-users] external icap issue with squid 5 and higher

2024-02-02 Thread Alex Rousskov
On 2024-02-02 11:00, Yvain PAYEN wrote: Hi Squid users, I have an issue with an external icap service I have to use (from Forcepoint). This service is working great with squid v3 and v4. Starting v5 (v6 also tested) the service only work with plain text http requests, all requests for

Re: [squid-users] chunked transfer over sslbump

2024-02-02 Thread Alex Rousskov
much from the squid-cache.org contents. On Friday, January 12, 2024 at 02:10:40 PM EST, Alex Rousskov wrote: On 2024-01-12 09:21, Arun Kumar wrote: > On Wednesday, January 10, 2024 at 11:09:48 AM EST, Alex Rousskov wrote: > > > On 2024-01-10 09:21, Arun Kumar wrote: >  &g

Re: [squid-users] stale-if-error returning a 502

2024-02-01 Thread Alex Rousskov
On 2024-02-01 12:03, Robin Carlisle wrote: Hi, I am having trouble with stale-if-error response. If I am interpreting Squid code correctly, in primary use cases: * without a Cache-Control:stale-if-error=X in the original response, Squid sends a stale object if revalidation results in a 5xx

Re: [squid-users] does the logging of cache.log support the log modules like daemon, syslog, udp ...

2024-02-01 Thread Alex Rousskov
On 2024-02-01 07:15, Dieter Bloms wrote: Is it possible to send the cache.logs to the syslog socket /dev/log ? cache_log does not have access_log's concept of logging modules. * To send level-0/1 cache.log messages to syslog, use "squid -s ..." or "squid -l... ...". By default, syslog is

Re: [squid-users] Squid - Queue overflow

2024-01-31 Thread Alex Rousskov
On 2024-01-29 07:09, Andre Bolinhas wrote: I'm getting this error in cache.log 2024/01/29 14:33:03 kid5| ERROR: Collapsed forwarding queue overflow for kid1 at 1024 items     current master transaction: master2163155 This leads Squid stops filtering or check any of the ACL rules, allowing

Re: [squid-users] Long Group TAG in access.log when using kerberos

2024-01-31 Thread Alex Rousskov
On 2024-01-31 09:23, David Touzeau wrote: Hi %note is used by our external_acls and for log other tokens And we use also Group as token. it can disabled by directly removing source kerberos code before compiling but i would like to know if there is another way In most cases, one does not have

Re: [squid-users] CONNECT Response Headers

2024-01-29 Thread Alex Rousskov
On 2024-01-22 16:28, Alex Coomans wrote: I'd like to be able to set headers on the response sent to a CONNECT request, but the documentation notes reply_header_add does not work for that - is there another option or a way to achieve this without needing to MITM the TLS? AFAICT, Squid does

Re: [squid-users] offline mode not working for me

2024-01-18 Thread Alex Rousskov
On 2024-01-18 09:53, Robin Carlisle wrote: My expectation/hope is that squid would return the cached object on any network failure in between ubuntu-pc and the AWS endpoint - and continue to return this cached object forever. Is this something squid can do? It would seem that offline_mode

Re: [squid-users] IPv4 addresses go missing - markAsBad wrong?

2024-01-16 Thread Alex Rousskov
IED 2024/01/16 15:40:06.409 kid1| 44,2| peer_select.cc(1182) handlePath: timedout = 0 2024/01/16 15:40:06.409 kid1| 14,7| ipcache.cc(236) finalCallback: 0x189fb5e38  lookup_err=No DNS records On 10/01/2024 12:40, Stephen Borrill wrote: On 09/01/2024 15:42, Alex Rousskov wrote: On 2024-

Re: [squid-users] IPv4 addresses go missing - markAsBad wrong?

2024-01-16 Thread Alex Rousskov
(unless somebody else steps in). Unfortunately, I do not have any free time for any of that right now. If you do not hear from me sooner, please ping me again on or after February 8, 2024. Thank you, Alex. On 10/01/2024 12:40, Stephen Borrill wrote: On 09/01/2024 15:42, Alex Rousskov wrote

Re: [squid-users] chunked transfer over sslbump

2024-01-12 Thread Alex Rousskov
On 2024-01-12 09:21, Arun Kumar wrote: On Wednesday, January 10, 2024 at 11:09:48 AM EST, Alex Rousskov wrote: On 2024-01-10 09:21, Arun Kumar wrote: >> i) Retry seems to fetch one chunk of the response and not the complete. >> ii) Enabling sslbump and turning ICAP off, not help

Re: [squid-users] Is a workaround for SQUID-2023:9 to disable TRACE requests?

2024-01-10 Thread Alex Rousskov
On 2024-01-10 16:48, Dave Dykstra wrote: https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5. ... is another workaround to disable TRACE requests ...? AFAICT, denying TRACE requests will not allow TRACE transactions to reach the problematic code related to that

Re: [squid-users] chunked transfer over sslbump

2024-01-10 Thread Alex Rousskov
/ On Tuesday, January 9, 2024 at 02:18:14 PM EST, Alex Rousskov wrote: On 2024-01-09 11:51, Zhang, Jinshu wrote: > Client got below response headers and body. Masked few details. Thank you. > Retry seems to fetch data remaining. I would expect a successful retry to fetch the entire re

Re: [squid-users] ICAP too many errors and suspensions

2024-01-10 Thread Alex Rousskov
On 2024-01-09 19:32, John Zhu wrote: We have the same “suspension” issue when “too many failure”. To clarify, you have a "failure" issue. Suspension after icap_service_failure_limit is normal/expected. https://www.mail-archive.com/squid-users@lists.squid-cache.org/msg22187.html FWIW,

Re: [squid-users] chunked transfer over sslbump

2024-01-09 Thread Alex Rousskov
- FIRSTUP_PARENT/10.x.y.z - 1704815208.438 6896 x.y.0.2 TCP_MISS/200 138967930 POST https://a.b.com/xyz - FIRSTUP_PARENT/10.x.y.z application/download Jinshu Zhang Fannie Mae Confidential -Original Message- From: squid-users On Behalf Of Alex Rousskov Sent: Tuesday, January 9, 2024 9:53 AM T

Re: [squid-users] IPv4 addresses go missing - markAsBad wrong?

2024-01-09 Thread Alex Rousskov
On 2024-01-09 05:56, Stephen Borrill wrote: On 09/01/2024 09:51, Stephen Borrill wrote: On 09/01/2024 03:41, Alex Rousskov wrote: On 2024-01-08 08:31, Stephen Borrill wrote: I'm trying to determine why squid 6.x (seen with 6.5) connected via IPv4-only periodically fails to connect

Re: [squid-users] chunked transfer over sslbump

2024-01-09 Thread Alex Rousskov
On 2024-01-09 09:13, Arun Kumar wrote: I have compiled/installed squid v5.8 in Amazon Linux and configured it with sslbump option. Squid is used as proxy to get response from https site. When the https site sends chunked response, it appears that the first response comes but it get stuck and

Re: [squid-users] IPv4 addresses go missing - markAsBad wrong?

2024-01-08 Thread Alex Rousskov
On 2024-01-08 08:31, Stephen Borrill wrote: I'm trying to determine why squid 6.x (seen with 6.5) connected via IPv4-only periodically fails to connect to the destination and then requires a restart to fix it (reload is not sufficient). The problem appears to be that a host that has one

Re: [squid-users] squid hangs and dies and can not be killed - needs system reboot

2023-12-19 Thread Alex Rousskov
On 2023-12-18 22:29, Amish wrote: On 19/12/23 01:14, Alex Rousskov wrote: On 2023-12-18 09:35, Amish wrote: I use Arch Linux and today I updated squid from squid 5.7 to squid 6.6. > Dec 18 13:01:24 mumbai squid[604]: kick abandoning conn199 I do not know whether the above prob

Re: [squid-users] squid hangs and dies and can not be killed - needs system reboot

2023-12-18 Thread Alex Rousskov
On 2023-12-18 09:35, Amish wrote: I use Arch Linux and today I updated squid from squid 5.7 to squid 6.6. > Dec 18 13:01:24 mumbai squid[604]: kick abandoning conn199 I do not know whether the above problem is the primary problem in your setup, but it is a red flag. Transactions on the same

Re: [squid-users] [External] Re: Cache_peer breaks Squid 5.5

2023-12-14 Thread Alex Rousskov
an RPM? I'm really hoping there's a way to do that without compiling. -Original Message- From: Alex Rousskov Sent: Wednesday, December 13, 2023 8:31 AM To: HENDERSON, GAVEN L RTX ; squid-users@lists.squid-cache.org Subject: Re: [External] Re: [squid-users] Cache_peer breaks Squid 5.5 On 2

Re: [squid-users] [External] Re: Cache_peer breaks Squid 5.5

2023-12-13 Thread Alex Rousskov
was released. However, I do not even know which version you were running before updating to v5.5. Please note that v5 is not officially supported by the Squid Project. My recommendation is to update to v6.6 or later. HTH, Alex. -Original Message- From: squid-users On Behalf O

Re: [squid-users] Cache_peer breaks Squid 5.5

2023-12-12 Thread Alex Rousskov
On 2023-12-12 11:25, HENDERSON, GAVEN L RTX wrote: Sorry if this has already been answered. I couldn't find anything online regarding the problem I am experiencing. I have a Squid server acting as a proxy relay. It listens on two ports and, depending on which port a request comes in, the

Re: [squid-users] FATAL: assertion failed: peer_digest.cc:399: "fetch->pd && receivedData.data"

2023-12-06 Thread Alex Rousskov
On 2023-12-06 08:08, Brendan Kearney wrote: i am running squid 6.5 You are suffering from Bug 5318: https://bugs.squid-cache.org/show_bug.cgi?id=5318 That bug has been fixed in v6. Recent daily snapshots contain that fix, and it will be a part of the upcoming v6.6 release. Alex. on

Re: [squid-users] reconfigure drops in memory caches for external_acl_type

2023-11-29 Thread Alex Rousskov
On 2023-11-29 09:38, Ziert, Norman wrote: in the very recent past I stumbled over that a "squid -k reconfigure" drops in memory caches for external_acl_type helpers, which in my case leads to a massive query burst against local winbind (ext_wbinfo_group_acl) and in fact the active directory

Re: [squid-users] SSL Virtual Hosting Problem

2023-11-28 Thread Alex Rousskov
On 2023-11-28 05:29, Mario Theodoridis wrote: Hello everyone, i'm trying to use squid as a TLS virtual hosting proxy on a system with a public IP in front of several internal systems running TLS web servers. I would like to proxy the incoming connections to the appropriate backend servers

Re: [squid-users] Kerberos pac ResourceGroups parsing

2023-11-22 Thread Alex Rousskov
-users mailing list is not meant for code reviews. Alex. Thu, 16 Nov 2023 at 17:01, Alex Rousskov: On 2023-11-16 07:48, Andrey K wrote: > I have slightly patched the negotiate_kerberos_pac.cc to > implement ResourceGropIds-block parsing. Please consider posting

Re: [squid-users] 6.x gives frequent connection to peer failed - spurious?

2023-11-21 Thread Alex Rousskov
On 2023-11-21 08:38, Stephen Borrill wrote: On 15/11/2023 21:55, Alex Rousskov wrote: On 2023-11-10 05:46, Stephen Borrill wrote: With 6.x (currently 6.5) there are very frequent (every 10 seconds or so) messages like: 2023/11/10 10:25:43 kid1| ERROR: Connection to 127.0.0.1:8123 failed

Re: [squid-users] Kerberos pac ResourceGroups parsing

2023-11-16 Thread Alex Rousskov
On 2023-11-16 07:48, Andrey K wrote: I have slightly patched the negotiate_kerberos_pac.cc to implement ResourceGropIds-block parsing. Please consider posting tested changes as a GitHub Pull Request: https://wiki.squid-cache.org/MergeProcedure#pull-request Thank you, Alex. Maybe it will

Re: [squid-users] 6.x gives frequent connection to peer failed - spurious?

2023-11-15 Thread Alex Rousskov
On 2023-11-10 05:46, Stephen Borrill wrote: With 6.x (currently 6.5) there are very frequent (every 10 seconds or so) messages like: 2023/11/10 10:25:43 kid1| ERROR: Connection to 127.0.0.1:8123 failed > why is this logged as a connection failure The current error wording is too assuming

Re: [squid-users] Get IP of denied request

2023-11-01 Thread Alex Rousskov
On 2023-10-30 13:08, ma...@web.de wrote: On 27.10.23 at 16:22, Alex Rousskov wrote: 1. Enhance Squid to resolve transaction destination address once (on first use/need). Remember/reuse resolved IP addresses. Log them via some new %resolved_dst and %dst_resolution_detail codes

Re: [squid-users] Get IP of denied request

2023-10-27 Thread Alex Rousskov
On 2023-10-27 07:14, ma...@web.de wrote: On 26.10.23 at 21:11, Alex Rousskov wrote: On 2023-10-26 08:37, ma...@web.de wrote: TL;DR: is there a way to get/log the resolved ip of a denied request? TLDR: Bugs notwithstanding, use % % Sorry, my first response was wrong: As you have correctly

Re: [squid-users] Get IP of denied request

2023-10-26 Thread Alex Rousskov
On 2023-10-26 08:37, ma...@web.de wrote: TL;DR: is there a way to get/log the resolved ip of a denied request? TLDR: Bugs notwithstanding, use % We have a rather large ip based malware blacklist (dst acl) and sometimes a destination is blocked inadvertently because of a false positive entry

Re: [squid-users] very poor performance of rock cache ipc

2023-10-16 Thread Alex Rousskov
On 2023-10-16 16:24, Julian Taylor wrote: On 15.10.23 05:42, Alex Rousskov wrote: On 2023-10-14 12:04, Julian Taylor wrote: On 14.10.23 17:40, Alex Rousskov wrote: On 2023-10-13 16:01, Julian Taylor wrote: The reproducer uses as single request, the same very thing can be observed

Re: [squid-users] very poor performance of rock cache ipc

2023-10-14 Thread Alex Rousskov
On 2023-10-14 12:04, Julian Taylor wrote: On 14.10.23 17:40, Alex Rousskov wrote: On 2023-10-13 16:01, Julian Taylor wrote: When using squid for caching using the rock cache_dir setting the performance is pretty poor with multiple workers. The reason for this is due to the very high number

Re: [squid-users] very poor performance of rock cache ipc

2023-10-14 Thread Alex Rousskov
On 2023-10-13 16:01, Julian Taylor wrote: When using squid for caching using the rock cache_dir setting the performance is pretty poor with multiple workers. The reason for this is due to the very high number of systemcalls involved in the IPC between the disker and workers. Please allow me

[squid-users] RFC: Irreplaceable squidclient features

2023-10-13 Thread Alex Rousskov
Hello, Francesco and I would like to remove squidclient tool from Squid so that we can divert resources to more important areas[1]. As far as we can tell, all essential squidclient functionality can be obtained via well-known command-line clients like curl, wget, nc, s_client, etc. For

Re: [squid-users] Unable to start Squid 6.3 "earlyMessages->size() < 1000"

2023-10-02 Thread Alex Rousskov
Since Squid 6.x we have this strange behavior on acl dst Many warnings are generated 2023/10/02 20:18:50| WARNING: You should probably remove '64.34.72.226' from the ACL named 'GlobalWhitelistDSTNet' 2023/10/02 20:18:50| WARNING: (B) '64.34.72.226' is a subnetwork of (A) '64.34.72.226'

Re: [squid-users] TLS passthrough

2023-09-29 Thread Alex Rousskov
ndo On Fri, Sep 29, 2023 at 12:53 PM Alex Rousskov <rouss...@measurement-factory.com> wrote: On 2023-09-29 10:55, Fernando Giorgetti wrote: > Do you control the client application? If yes, then perhaps it can be > adjusted to support HTTP prox

Re: [squid-users] TLS passthrough

2023-09-29 Thread Alex Rousskov
n interception scenario, please do. If you have, please share your interception configuration, Squid configuration, and any relevant error/problem information. HTH, Alex. On Fri, Sep 29, 2023 at 11:35 AM Alex Rousskov wrote: On 2023-09-29 09:17, Fernando Giorgetti wrote: > Act

Re: [squid-users] TLS passthrough

2023-09-29 Thread Alex Rousskov
to a given destination. That is why I was considering a reverse-proxy, but I had no luck with it (actually I was able to proxy HTTP/HTTPS, but not non-http). Thank you again, Fernando On Thu, Sep 28, 2023 at 11:39 PM Alex Rousskov <rouss...@measurement-factory.com> wrote:

Re: [squid-users] TLS passthrough

2023-09-28 Thread Alex Rousskov
I by peeking at TLS ClientHello, without terminating TLS. Bugs notwithstanding, none of the configuration sketches I shared previously will do that though. HTH, Alex. > On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote: > >     On 2023-09-28 11:

Re: [squid-users] TLS passthrough

2023-09-28 Thread Alex Rousskov
notwithstanding, none of the configuration sketches I shared previously will do that though. HTH, Alex. On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov wrote: On 2023-09-28 11:31, Fernando Giorgetti wrote: > And what should I do to let Squid use the SNI defined by the TLS cli

Re: [squid-users] TLS passthrough

2023-09-28 Thread Alex Rousskov
On 2023-09-28 11:31, Fernando Giorgetti wrote: And what should I do to let Squid use the SNI defined by the TLS client? What do you want Squid to use that SNI for? Alex. On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote: On 2023-09-28 09:06, Fernando Giorgetti wrote: >

Re: [squid-users] No valid signing SSL certificate configured for HTTPS_port

2023-09-28 Thread Alex Rousskov
On 2023-09-28 00:52, Bud Miljkovic wrote: # Intercept transparent HTTPS traffic https_port 3129 intercept ssl-bump ssl_bump splice all This should be refactored into two lines: https_port 3129 intercept ssl-bump ... ssl_bump splice all After that, replace "..." above with cert=...

Re: [squid-users] TLS passthrough

2023-09-28 Thread Alex Rousskov
On 2023-09-28 09:06, Fernando Giorgetti wrote: Hi Matus, do you mean something like a DNAT (iptables) rule? If so, I would say, it should work as well. But this is an environment I do not control, and I have been told to try using an existing squid installation to proxy non-http/TLS data

Re: [squid-users] [ext] no more cache_object://127.0.0.1/counters URL in 6.3?

2023-09-27 Thread Alex Rousskov
On 2023-09-27 16:49, Ralf Hildebrandt wrote: * Ralf Hildebrandt : We're relying on /usr/bin/squidclient -h 127.0.0.1 -p 8080 cache_object://127.0.0.1/counters for monitoring purposes and 6.3 reports an error when accessing that resource: 2023/09/27 22:42:57| ERROR: Squid BUG: assurance

Re: [squid-users] SIGABRT (coredump) in Ip::Address::getAddrInfo(addrinfo*&, int)

2023-09-27 Thread Alex Rousskov
On 2023-09-27 15:43, Dmitry Katsubo wrote: On 2023-09-27 19:15, Alex Rousskov wrote: On 2023-09-27 11:08, Dmitry Katsubo wrote: After upgrading Squid from v4.13-10+deb11u2 (bullseye) to v5.7-2 (bookworm) I started to get about 5 core dumps per day like below, provided . How can I find out

Re: [squid-users] Seeking Help with SSL Bump Configuration, for ECDSA Ciphers in Squid

2023-09-27 Thread Alex Rousskov
On 2023-09-27 08:22, nikhil deshpande wrote: [Question]: Are you trying to bump TLS client connections when and only when the TLS client is offering to use one of those ciphers in its ClientHello message? Or do you want Squid to use one of those ciphers when bumping all TLS client connections?

Re: [squid-users] TCP_TUNNEL/500 internal server error bandwidth impact

2023-09-27 Thread Alex Rousskov
On 2023-09-27 09:30, Marko Cupać wrote: 169568.912 69973 10.X.X.X TCP_TUNNEL/500 8503669 CONNECT ipv4-c002-beg001-oriontelekom-isp.1.oca.nflxvideo.net:443 some.gal HIER_DIRECT/93.93.192.146 - 1695679277.395 876830 10.X.X.X TCP_TUNNEL/500 105991027 CONNECT rostov1.nebula.to:443 some.guy

Re: [squid-users] SIGABRT (coredump) in Ip::Address::getAddrInfo(addrinfo*&, int)

2023-09-27 Thread Alex Rousskov
On 2023-09-27 11:08, Dmitry Katsubo wrote: After upgrading Squid from v4.13-10+deb11u2 (bullseye) to v5.7-2 (bookworm) I started to get about 5 core dumps per day like below. How can I find out the root of the problem and eliminate it? Your Squid is most likely suffering (among other v5
